Legal

Privacy Policy

What we collect, where it lives, and what you can ask us to delete.

Last updated · 2026-06-11

1. What we collect

  • Account data — email, username, role (producer / artist), password hash (handled by Supabase Auth, never stored in plaintext).
  • Profile data — display name, bio, avatar URL (only what you fill in).
  • Beat files — audio you upload, cover art, metadata (title, BPM, key, tags).
  • Purchases — beat ID, license tier, amount, Stripe session ID. We do not store card details — Stripe handles those.
  • Payout info — your Stripe Connect account ID. Bank details live with Stripe, not us.
  • Usage — beat plays (anonymous counter) and basic Vercel analytics (page views, no individual tracking).

2. Where it lives

  • Account + database — Supabase (Postgres, EU-West region by default).
  • Audio files + cover art — Supabase Storage.
  • Payments + payouts — Stripe.
  • App hosting + logs — Vercel.

These are our sub-processors. Each has their own privacy policy and each is SOC 2 / GDPR compliant.

3. What we use it for

  • Running the marketplace — authenticating you, displaying your beats, processing purchases.
  • Generating license PDFs for purchases.
  • Showing producer stats and artist library.
  • Anti-fraud — detecting fake accounts, chargeback abuse, copyright issues.
  • Service emails — confirmations, receipts, password resets. No marketing emails without opt-in.

4. What we don't do

  • We don't sell your data to third parties.
  • We don't run ad-network tracking pixels or third-party trackers.
  • We don't read your emails, DMs, or any audio content beyond the metadata you set.

5. Your rights

Whatever jurisdiction you're in, you can request:

  • A copy of all data we hold about you.
  • Correction of inaccurate data.
  • Deletion of your account and associated data (subject to record-keeping requirements for completed transactions — usually 7 years for tax / audit purposes).
  • Withdrawal of consent for any optional processing.

Email privacy@grimoire.app. We aim to respond within 30 days.

6. Cookies

We use first-party session cookies set by Supabase Auth so you stay signed in. No third-party advertising cookies. Vercel may set functional cookies for routing.

7. Children

Grimoire Beats isn't for under-16s. If we learn a minor has signed up without guardian consent, we delete the account.

8. Changes

We'll update this page when our practices change and bump the "Last updated" date. Material changes get an in-app notification.

9. Contact

Data controller: Grimoire Beats.
privacy@grimoire.app

Fee BreakdownTermsPrivacy