Privacy Policy
Last updated: April 2026 · Effective: April 2026
1. Who we are
Insound Music Ltd (“Insound”, “we”, “us”, “our”) is the data controller responsible for your personal data. We are a company registered in England and Wales (Company Number: 17179694).
| Registered name | Insound Music Ltd |
| Company number | 17179694 |
| Contact email | privacy@getinsound.com |
| Website | getinsound.com |
This policy applies to all visitors, fans, and artists who use the Insound website and platform. It explains what personal data we collect, why, how long we keep it, who we share it with, and your rights under UK data protection law (UK GDPR and the Data Protection Act 2018).
2. What data we collect and why
We collect different data depending on how you use Insound. We only collect what is necessary for each purpose.
2.1 Artists
| Data | Purpose |
|---|---|
| Name | Display name on your artist profile and releases |
| Email address | Account login, transactional notifications (sales, payouts), and optional marketing |
| Stripe Connect details | To process and route payments to your Stripe account. Card data is handled entirely by Stripe — we never see or store it |
| Uploaded files (audio, artwork) | To host and deliver your music to buyers |
| Independence confirmation (boolean + timestamp) | To verify eligibility — Insound is restricted to independent and unsigned artists. We record that you confirmed this and when |
| Sales analytics (amounts, timestamps, buyer count) | To provide your dashboard earnings data and generate aggregate platform statistics |
2.2 Fans
| Data | Purpose |
|---|---|
| Email address (collected at purchase) | To deliver download links, purchase receipts, and optional marketing if you opt in |
| Purchase history (releases bought, amounts, dates) | To provide your library, re-download access, and generate artist sales reports |
| Pay-what-you-want amounts | To process the transaction at the price you chose |
2.3 All users
| Data | Purpose |
|---|---|
| IP address, browser type, device info | Automatically collected by Cloudflare for security, DDoS protection, and basic analytics. We do not use this to identify individuals |
| localStorage values | To remember view preferences and authentication state. These are not cookies and are not shared with third parties |
3. Legal basis for processing
Under UK GDPR Article 6(1), we rely on the following legal bases:
| Basis | Applies to |
|---|---|
| Consent — Art. 6(1)(a) | Marketing emails. You can withdraw consent at any time via the unsubscribe link in any email or by contacting us |
| Contract — Art. 6(1)(b) | Processing artist and fan data necessary to provide the platform: account creation, file hosting, payment processing, download delivery |
| Legitimate interest — Art. 6(1)(f) | Basic analytics, fraud prevention, platform security, and improving the service |
| Legal obligation — Art. 6(1)(c) | Retaining transaction records as required by UK tax and accounting law (HMRC) |
4. How long we keep your data
| Data type | Retention period |
|---|---|
| Artist account data | Duration of your account plus 6 years after deletion (UK tax record-keeping) |
| Fan purchase history | Duration of your account plus 6 years (UK tax/accounting obligations) |
| Uploaded audio files & artwork | Deleted within 30 days of an artist removing a release or closing their account |
| Stripe Connect details | Managed by Stripe under their retention policy. We store only the Stripe account ID |
| Server logs (IP, device info) | Automatically purged by Cloudflare (typically 72 hours) |
5. Third-party processors
We share personal data only with processors who are necessary to operate the platform.
| Processor | Purpose | Data shared |
|---|---|---|
| Supabase | Database, authentication, file storage | All account data, uploaded files, purchase records |
| Stripe | Payment processing (Stripe Connect) | Artist payout details, fan payment data. Card data goes directly to Stripe |
| Resend | Transactional and marketing email | Email addresses, names |
| Cloudflare | Hosting, CDN, DNS, DDoS protection | IP addresses, request metadata |
We do not sell your personal data to anyone. We do not share data with advertisers. We do not use third-party tracking pixels or advertising networks.
6. International data transfers
Some of our processors may process data outside the UK. Where this occurs, we ensure appropriate safeguards are in place:
- UK adequacy decisions for the destination country, or
- Standard Contractual Clauses (SCCs) approved by the ICO, or
- The processor's binding corporate rules
7. Your rights
Under UK GDPR, you have the following rights. To exercise any of them, email privacy@getinsound.com. We will respond within 30 days.
- Right of access (Art. 15) — Request a copy of all personal data we hold about you.
- Right to rectification (Art. 16) — Ask us to correct inaccurate data.
- Right to erasure (Art. 17) — Ask us to delete your data (“right to be forgotten”).
- Right to restrict processing (Art. 18) — Ask us to limit how we use your data while a dispute is resolved.
- Right to data portability (Art. 20) — Request your data in a structured, machine-readable format (JSON or CSV).
- Right to object (Art. 21) — Object to processing based on legitimate interest.
- Right to withdraw consent — Withdraw consent for marketing at any time via unsubscribe links or by contacting us.
We do not carry out automated decision-making or profiling that produces legal effects.
8. Cookies & local storage
Insound does not use traditional tracking cookies. Here is what we do use:
8.1 localStorage (browser)
| Key | Purpose | Duration |
|---|---|---|
insound_view_mode | Remembers your compact/expanded view preference | Persistent until cleared |
localStorage values are stored entirely in your browser. They are not sent to our servers, not shared with third parties, and can be cleared at any time via your browser settings.
8.2 Supabase authentication
When you create an account, Supabase stores authentication tokens in localStorage to maintain your session. Strictly necessary for the platform to function.
8.3 Stripe
Stripe may set cookies on its own domain during checkout. These are governed by Stripe's cookie policy and are strictly necessary for payment security.
8.4 Cloudflare
Cloudflare may set a __cf_bm cookie for bot detection. This is a strictly necessary security cookie exempt from consent requirements under UK PECR.
We do not use Google Analytics, Facebook Pixel, or any third-party advertising or tracking technology.
9. Children's privacy
Insound is not directed at children under 13. We do not knowingly collect personal data from anyone under 13. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
10. Changes to this policy
If we make material changes to this policy, we will:
- Update the “last updated” date at the top of this page
- Notify existing users by email where the change affects how their data is processed
- Not retroactively reduce your rights without explicit consent
11. How to contact us or complain
If you have questions about this policy or want to exercise your rights:
Email: privacy@getinsound.com
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
| Website | ico.org.uk/make-a-complaint |
| Helpline | 0303 123 1113 |
| Post | Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF |