BandVolt

Privacy Policy

How we handle your data.

BandVolt is built for musicians who trust us with their creative work. This policy explains, in plain English, what personal data we collect about you, why we collect it, who we share it with, how long we keep it, and the rights you have over it under the UK GDPR and the Data Protection Act 2018.

Last updated: 1 June 2026 · Effective: 1 June 2026

1. Who we are (the "controller")

For the purposes of the UK GDPR and the Data Protection Act 2018, the controller of your personal data is BANDVOLT LTD (a private limited company registered in England and Wales, company number 17249811), whose registered office is at 82A James Carter Road, Mildenhall IP28 7DE, England ("we", "us", "our"). We are registered with the UK Information Commissioner's Office (the "ICO") under registration number ZC160392.

You can reach us about anything in this policy at [email protected] or by post at the address above. For data-protection enquiries, please mark them "FAO the Data Protection Lead".

2. Scope of this policy

This policy applies to personal data we process about: (a) visitors to our website at https://bandvolt.com; (b) registered users of the BandVolt service (the "Service"); (c) Band Members, Collaborators and people invited to a Band or song; (d) recipients of Public Share links; and (e) people who contact us. It does not cover websites or services operated by anyone else, even where we link to them.

In some cases your band acts as the "controller" of certain data it uploads about other people (for example, financial entries that name an individual, or session-musician contact details stored in a band file). Where that is the case, we act as a "processor" on the band's behalf under our Data Processing Addendum (incorporated into our Terms of Service); the band is responsible for ensuring there is a lawful basis for that processing. For most Service data we are the controller; your band may act as a joint controller with its Members for in-band workspace content.

3. The personal data we collect

We collect the categories of personal data set out below. Some categories are provided directly by you; others are generated by your use of the Service or received from third parties acting on our behalf.

  • Identity & contact. Examples: Username (@handle), email address, optional profile picture, and country (where collected for tax/billing). We do not ask for your legal name at registration. Source: You; Clerk (email and sign-in); we store username and avatar in our database.
  • Account & authentication. Examples: Account identifier, sign-in method (email and, if you use them, social or single sign-on options enabled in Clerk), session tokens, security events (sign-ins; password changes are handled by Clerk), terms-acceptance timestamp. Source: You; Clerk. We never see or store your password.
  • User Content. Examples: Audio files (mixes, stems), waveform peaks, lyrics, artwork, comments, notes, file names, financial entries, receipts, event details, setlists, and any metadata or messages you submit. Source: You and the people you collaborate with.
  • Band & collaboration data. Examples: Bands you belong to, your role, invites you have sent or received, collaborator relationships, activity-timeline entries. Source: You and other Members/Owners of the Band.
  • Billing data. Examples: Subscription plan, billing cycle, paying-member identifier, Stripe customer and subscription IDs, invoice metadata, one-time Volt pack purchase records (Checkout session ID, amount paid, Volts credited, purchasing member), last four digits and card brand of the card on file, billing country, VAT number (if supplied). We do not see or store full payment card numbers — those go directly to Stripe. Source: You; Stripe.
  • Technical & usage. Examples: IP address, browser type and version, device and operating system, referring/exit pages, timestamps, request paths and status codes, error diagnostics, rate-limit counters, feature usage and limits (e.g. Volts spent on AI Mix Summary or Mix Health checks used in a month), session and WebSocket connection events. Source: Collected automatically when you use the Service.
  • Support & communications. Examples: Messages and metadata when you contact us via the contact form on our website, email, or other channels; the contents of in-product notifications and transactional emails (invites, billing receipts, activity alerts). Source: You; our mailer and contact-form providers.
  • AI feature inputs and outputs. Examples: For the AI Mix Summary: the text of discussion comments on a mix and associated metadata (timestamps, vote counts), plus the resulting summary text. Available on all tiers when you have sufficient Volts. See section 6. Source: You (by triggering the feature); our AI sub-processor.
  • Mix Health analysis. Examples: For Mix Health: mix audio you choose to analyse, derived technical metrics (such as loudness, peak, and related measurements), and the resulting score, breakdown, and guidance. Available on all tiers when you have sufficient Volts. Processed on our servers only — not sent to our AI sub-processor. Source: You (by triggering a health check).

We do not intentionally collect special-category personal data (for example, health, religion, sexual orientation, or biometric data). Please do not upload special-category data to free-text fields or files unless absolutely necessary. Audio and lyrics may incidentally contain such information; you are responsible for any decision to upload it.

4. How we use your data and our lawful bases

We may only process your personal data where we have a lawful basis under the UK GDPR. The table below sets out the purposes for which we process data and the lawful basis we rely on for each.

  • Creating and managing your Account, providing the Service to you and your Band, storing your User Content, enabling collaboration. Categories used: Identity, Account, User Content, Band & collaboration. Lawful basis: Performance of our contract with you (Art. 6(1)(b) UK GDPR); legitimate interests in enabling Bands to share data with the people they invite (Art. 6(1)(f)).
  • Processing payments, applying entitlements, sending billing notifications, maintaining tax and accounting records. Categories used: Identity, Billing. Lawful basis: Performance of contract (Art. 6(1)(b)); compliance with legal obligations such as tax, VAT and accounting law (Art. 6(1)(c)).
  • Operating the Service securely: authentication, fraud and abuse prevention, rate limiting, debugging, error monitoring, capacity planning. Categories used: Technical & usage, Account, Identity. Lawful basis: Legitimate interests in keeping the Service available, secure and sustainable (Art. 6(1)(f)); compliance with legal obligations where relevant (Art. 6(1)(c)).
  • Sending invitation emails when you or your Band invite someone to join a band or collaborate on a song. Categories used: Identity, Band & collaboration. Lawful basis: Performance of contract (Art. 6(1)(b)); legitimate interests in enabling the collaboration you requested (Art. 6(1)(f)).
  • Generating AI Mix Summaries on the comments you and your collaborators have written (triggered manually; spends Volts from your Band balance). Categories used: User Content (specifically: mix comments and associated metadata such as timestamps and vote counts). Lawful basis: Performance of contract (Art. 6(1)(b)) — we provide the feature you have asked us to provide.
  • Performing Mix Health analysis on mix audio you choose to check (triggered manually; spends Volts from your Band balance). Categories used: User Content (mix audio) and Mix Health analysis results stored with your Band. Lawful basis: Performance of contract (Art. 6(1)(b)) — we provide the feature you have asked us to provide.
  • Responding to your support enquiries, contact-form submissions and feedback. Categories used: Identity, Support & communications. Lawful basis: Legitimate interests in providing support and improving the Service (Art. 6(1)(f)); performance of contract where the enquiry relates to your Subscription (Art. 6(1)(b)).
  • Enforcing our Terms and Acceptable Use Policy; investigating reports; defending and bringing legal claims; complying with court orders, lawful requests, and regulatory obligations. Categories used: All categories as necessary. Lawful basis: Legitimate interests in protecting our service, users, and rights (Art. 6(1)(f)); compliance with legal obligation (Art. 6(1)(c)); establishment, exercise or defence of legal claims (Art. 9(2)(f) where special-category data is involved).
  • Aggregating and anonymising data to understand how the Service is used so we can improve it. Categories used: Technical & usage. Lawful basis: Legitimate interests (Art. 6(1)(f)). Once anonymised, the data is no longer personal data.

Where we rely on legitimate interests, we have carried out (and can produce on request) a balancing test to make sure our interests are not overridden by your rights and freedoms. You have the right to object — see section 9.

We do not use your personal data or your User Content to train generative AI models. We do not sell your personal data or your User Content.

5. Who we share your data with

We share personal data only with people and organisations that need it to operate the Service or where we are required to do so by law.

Other users. Personal data and User Content you share inside a Band is visible to that Band's other Members, to song Collaborators where relevant, and (for content you Publicly Share) to anyone with the share link. Your username, optional profile picture, activity-timeline events, comments, financial entries, and similar workspace metadata are visible to people you collaborate with.

Service providers (processors). We use the following providers to operate the Service. They are bound by written data-processing agreements, may only process your personal data on our documented instructions, and must apply appropriate security measures.

  • Clerk, Inc. Role: Authentication, user identity, session management. Location of processing: United States (with safeguards — see section 7).
  • Stripe Payments Europe Ltd / Stripe, Inc. Role: Payment processing, subscription billing, customer portal, tax handling, fraud prevention. Stripe is an independent controller for payment data. Location of processing: Ireland, United Kingdom, United States.
  • Cloudflare, Inc. (R2 and CDN). Role: Object storage for User Content (audio, stems, artwork, receipts, event files) and content delivery / DDoS protection. Location of processing: United Kingdom / European data region where supported; global edge.
  • Railway (or our successor hosting provider). Role: Hosting the API, database, and supporting services. Location of processing: European Union / United States data region as configured.
  • OpenAI, L.L.C. Role: Generating AI Mix Summaries on comments you submit. Inputs and outputs are not used to train OpenAI's general-purpose models under our contractual terms with OpenAI. Location of processing: United States.
  • Transactional email provider (our mailer service). Role: Sending account, invite, billing, and notification emails. Location of processing: European Union / United States depending on provider configuration.
  • Formspree, Inc. (or successor contact-form provider). Role: Receiving and forwarding submissions from our public contact form. Location of processing: United States.

Other recipients. We may also share personal data with: our professional advisers (lawyers, accountants, auditors) under a duty of confidentiality; regulators, courts, and law-enforcement authorities where we are legally required or where it is necessary to establish, exercise or defend legal claims; and a successor in interest in the event of a sale, merger, financing, reorganisation, or insolvency affecting our business (subject to appropriate confidentiality safeguards).

A current list of sub-processors is published on our Sub-processors page. We will give reasonable notice of material changes to our sub-processors and you may object to a change by closing your Account.

6. AI and Mix Health processing

Mix Health is a feature you trigger manually when your Band has sufficient Volts. When you run a health check, the Service analyses the relevant mix audio on our servers to compute technical metrics and a rule-based quality score. That audio is not sent to our AI sub-processor and Mix Health does not use generative AI. We store the resulting score, breakdown, and guidance with your Band and display them to people who have access to that Band.

AI Mix Summary is a separate feature you trigger manually when your Band has sufficient Volts. When triggered, the Service sends the text of discussion comments on the relevant mix, plus associated metadata (timestamps and vote counts), to our AI sub-processor (currently OpenAI). The sub-processor generates a summary which we store with your Band and display to the people who have access to that Band. AI Mix Summary is a limited-risk AI feature under the EU AI Act; outputs are labelled as AI-generated in the product.

Our contract with the AI sub-processor prohibits it from using your inputs or outputs to train its general-purpose models. The sub-processor may retain inputs and outputs for a short period for abuse-monitoring purposes in line with its own published terms.

We do not subject you to decisions with legal or similarly significant effects based solely on automated processing (Art. 22 UK GDPR).

7. International transfers

We are based in the United Kingdom. Some of our service providers are based in, or process data in, countries outside the UK and EEA, including the United States. Where personal data is transferred outside the UK we rely on lawful transfer mechanisms recognised under the UK GDPR, in particular:

  • the UK Government's adequacy regulations and the UK Extension to the EU-US Data Privacy Framework (where the recipient is certified);
  • the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses, in each case with supplementary measures (such as encryption in transit and at rest, and access controls) where appropriate;
  • any other transfer mechanism permitted under Article 46 of the UK GDPR.

8. How long we keep your data

We keep your personal data only for as long as we need it for the purposes described in this policy. The main retention periods are:

  • Account data: for the life of your Account. If you close your Account we will delete or anonymise your personal data within approximately 30 days, except as described below.
  • User Content: until you (or another authorised Member of the Band) delete it. Soft-deleted content sits in the recycle bin for approximately 30 days before permanent deletion.
  • Billing and tax records: at least six (6) years after the end of the financial year to which they relate, in line with UK tax-law retention requirements (HMRC).
  • Security logs and abuse-prevention data: typically up to twelve (12) months, longer where necessary to investigate an incident or defend a legal claim.
  • Support correspondence: up to three (3) years after the last contact, longer where necessary to handle an ongoing matter.
  • Product marketing lists (if we use them in future): until you unsubscribe or withdraw consent, plus a short period to record that withdrawal (suppression list). We do not maintain marketing lists today.
  • Backups: deleted data may persist in encrypted backups until those backups are overwritten in the ordinary course.

Where we are legally obliged to keep data for longer (for example, to comply with a court order, a regulatory request, or an applicable limitation period for bringing a legal claim), we will do so for the period required and no longer.

9. Your rights

Under the UK GDPR you have the following rights in relation to your personal data. We will respond to a verifiable request within one month (extendable by up to two further months for complex requests, in which case we will tell you). Exercising these rights is free unless your request is manifestly unfounded or excessive.

  • Right of access — to obtain a copy of the personal data we hold about you, and information about how we process it.
  • Right to rectification — to correct inaccurate or incomplete personal data. You can update your username and profile picture in the Service. Your email address and sign-in security settings are managed through Clerk (our authentication provider).
  • Right to erasure ("right to be forgotten") — to ask us to delete your personal data in certain circumstances. Note that deleting your Account does not automatically delete content uploaded by other Members of a Band you have left; see section 18 of our Terms.
  • Right to restrict processing — to ask us to pause processing in certain circumstances (for example, while a rectification request is being resolved).
  • Right to data portability — to receive certain personal data you have provided to us in a structured, commonly used and machine-readable format, and to ask us to transmit it to another controller where technically feasible.
  • Right to object — to object to processing based on legitimate interests, including profiling, and to object to direct marketing at any time.
  • Right to withdraw consent — where we rely on your consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
  • Rights relating to automated decision-making — we do not make decisions about you with legal or similarly significant effect based solely on automated processing.

To exercise any of these rights, email [email protected]. We may ask you to verify your identity before we act on your request.

Some browsers send a “Do Not Track” (DNT) signal. There is no common industry standard for how services should respond to DNT. We do not change our practices based on DNT signals today.

You also have the right to complain to a supervisory authority. In the UK, that is the Information Commissioner's Office (ico.org.uk, 0303 123 1113, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF). If you live in the EEA, you may complain to the data-protection authority of your country of residence. We would, however, appreciate the chance to address your concerns first.

10. How we keep your data secure

We apply technical and organisational measures designed to protect personal data against unauthorised or unlawful processing, accidental loss, destruction or damage. These include:

  • encryption in transit (TLS); our object-storage provider encrypts stored User Content at rest; our database is hosted on encrypted cloud infrastructure;
  • authentication using short-lived RS256-signed JSON Web Tokens issued by our authentication provider; every API request verifies the token's signature against the provider's published JWKS (public keys) before any claim in it is trusted;
  • per-Band access controls and least-privilege database roles so that data is isolated to the people authorised to access it;
  • presigned, time-limited URLs for upload and download of object storage so that audio and similar files are not publicly addressable by default;
  • per-IP and per-user rate limiting, security HTTP headers (HSTS, X-Frame-Options, X-Content-Type-Options) and routine dependency patching;
  • logging of significant actions for audit and abuse-investigation purposes;
  • vetting of sub-processors and binding data-processing agreements with them.

No system is perfectly secure. If we become aware of a personal-data breach likely to result in a risk to your rights and freedoms, we will notify the ICO without undue delay (and where feasible within 72 hours of becoming aware of it) and, where the risk is high, we will notify affected users.

You are responsible for choosing a strong sign-in method, keeping it confidential, and notifying us at [email protected] if you believe your Account has been compromised.

11. Children and minimum age

The Service is not intended for anyone under 16 and must not be used by them. We do not knowingly collect personal data from anyone under that age. If we learn that we have processed such data, we will delete it and close the related Account.

Some users may be aged 16 to 17. We do not target the Service at minors. Privacy-minded defaults apply to all users: bands are private by default; Public Shares are opt-in; we do not profile users for advertising; and we do not send behavioural marketing based on minors' activity.

If you believe someone under 16 has provided us with personal data, please contact us at [email protected].

12. Cookies and similar technologies

We use a small number of cookies and similar technologies (for example, browser storage used by our authentication provider to keep you signed in). Today we use only strictly-necessary cookies and similar storage, which do not require your consent under the Privacy and Electronic Communications Regulations (PECR). If we begin using non-essential cookies we will ask for your consent first via a cookie banner before setting them. For full details see our Cookie Policy.

13. Email and in-product communications

Email today. We send email only where needed to run the Service. That includes band and song invitations, and subscription and billing messages for paying Bands (for example upgrade receipts, renewal confirmations and reminders, payment-failure notices, cancellation confirmations, and storage add-on billing messages). These are transactional or service emails, not advertising. They are sent on the basis of our contract with you and, for billing records, applicable legal obligations. You cannot opt out of essential billing emails while you hold a paid Subscription; you can avoid invitation emails by not using invite features.

Product marketing. We do not send newsletters, promotional mailshots, or other product-marketing email today — whether or not you are on a paid plan. Most other activity (for example comments, mentions, and band updates) is delivered in the app, not by email. You can review and mark notifications read in the app. On your profile you may optionally enable browser desktop alerts when the tab is not visible; we do not offer per-type notification controls today.

If we introduce product-marketing email in future, we will update this policy and comply with UK PECR and GDPR (for example by asking for consent where required, or using the soft opt-in only where it lawfully applies to similar products sold to existing customers, with an unsubscribe link in every message). You may object to direct marketing at any time by emailing [email protected].

14. Information for users outside the UK

Ireland and the wider EEA. We operate from the United Kingdom and are launching the Service in the UK and Ireland. If you are in Ireland or elsewhere in the EEA or Switzerland, you have substantially the same rights as described in this policy under the EU GDPR (and the FADP where applicable). The competent supervisory authority is usually the data-protection authority of your country of residence. For any request or question, contact us at [email protected]. We have not appointed a separate EU Article 27 representative at this early stage; if our offering to EEA users changes materially, we will update this policy and appoint a representative where the law requires it.

California users. If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) gives you the right to know what personal information we collect, the right to delete it, the right to correct it, the right to opt out of any "sale" or "sharing" of personal information (we do not sell or share your personal information for cross-context behavioural advertising), and the right not to be discriminated against for exercising these rights. To exercise these rights, contact us at [email protected].

Other jurisdictions. Wherever you live, you can exercise the rights set out in this policy. Some local laws may give you additional rights; contact us at [email protected] if you would like to discuss them.

15. Changes to this policy

We may update this policy from time to time. If we make a material change we will notify you in advance by email and/or in-product. The "Last updated" date at the top of this page always shows when the policy was last revised. Continued use of the Service after a change takes effect constitutes acceptance of the revised policy.

16. Contact us

Questions, requests, or complaints about this policy or our handling of your personal data should be sent to:

  • Email: [email protected]
  • Post: FAO the Data Protection Lead, BANDVOLT LTD, 82A James Carter Road, Mildenhall IP28 7DE, England
  • Supervisory authority: the Information Commissioner's Office — ico.org.uk

Last updated: 1 June 2026.


© 2026 BandVolt