This Privacy Policy explains how beatvaults (“we”, “us”) collects, uses, and protects your information when you use our service. beatvaults is operated by the beatvaults team. Questions: privacy@beatvaults.com.
The short version
- We collect what we need to run the service: your account details, the beats you upload, and the matches we find for you.
- Your beats stay yours. We never sell, license, redistribute, or train public models on your audio. We turn each upload into a one-way fingerprint and compare it against new releases.
- We don't run advertising or analytics cookies, and we don't send marketing without your opt-in.
- You can delete your account and your audio at any time, and ask us for a copy of your data.
1. Data Controller
beatvaults acts as the data controller for personal data submitted via our service. Contact for data-protection inquiries: privacy@beatvaults.com.
2. What We Collect
- Account data: name, email, password (bcrypt-hashed), and your Google account ID if you sign in with Google.
- Beat uploads: the audio files you upload, plus derived data we compute from them (duration, BPM, detected key, and audio fingerprints/embeddings used for matching).
- Scan results: matches found across third-party platforms, with the public metadata those platforms return (track titles, artist names, popularity counts, album-art URLs).
- Claims you file: the platform, target track, your notes, and status updates.
- Match feedback: when you mark a result as confirmed, rejected or unsure, we record the verdict and the match signals at that moment to improve accuracy.
- Billing data: subscription status and your Stripe customer ID. We never see or store card numbers; Stripe handles payment details directly.
- Operational data: IP address and user-agent (for rate-limiting and abuse prevention), request logs, and an audit log of sensitive account actions.
3. Your Beats & Audio
Your uploads are the heart of the service, so we're specific about how we treat them:
- You keep all rights. Uploading a beat grants us a narrow licence to process it for one purpose only: fingerprinting it and scanning for matches on your behalf.
- Private by default. Your beats are tied to your account. They are not public, not browsable by other users, and not shared with other producers.
- No resale, no model training. We never sell, sub-licence, or redistribute your audio, and we never use it to train publicly available AI models.
- Fingerprints, not copies, do the work. Matching runs on a one-way fingerprint of your audio. We only retain the original file so you can play it back and use it as proof.
- You can delete it. Removing a beat deletes the file and its derived data; deleting your account removes all of it (see §6).
4. Why We Process It
- Provide the service (legal basis: contract) · scanning, claim management, billing, and account access.
- Improve matching accuracy (legal basis: legitimate interest) · we use match feedback to tune our matching; we never share identifiable data to do it.
- Security and fraud prevention (legal basis: legitimate interest) · rate limits, bot detection, audit logs.
- Legal compliance (legal basis: legal obligation) · tax records, DMCA notices, lawful requests.
- Communications (legal basis: contract or consent) · email verification, password reset, billing receipts, and match alerts you've enabled. We do not send marketing without explicit opt-in.
5. Third-Party Processors
We share data with the following processors only to the extent needed to deliver the service:
- Stripe · payment processing (card details go straight to Stripe; we never receive them).
- Google · OAuth sign-in, if you choose it.
- Resend · transactional email (verification, password reset, alerts).
- Hosting & infrastructure · cloud servers and object storage that run the app and hold your data.
- Error monitoring · an error-tracking service, with personal data redacted before it is sent.
- Public platform APIs (Spotify, Apple Music, YouTube, SoundCloud, Deezer, Audius, AcoustID) · we query them with your beat's fingerprint and audio features to look up matches. We never send your identity or account details to them.
6. Retention & Deletion
- Account data: kept until you delete your account.
- Uploaded audio & fingerprints: kept until you delete the beat or your account.
- Match feedback: up to 730 days (rolling).
- Audit logs: up to 365 days (rolling).
- Server access logs: 30 days.
- Billing records: 7 years, where tax law requires it.
When you delete your account we apply a short grace window, then permanently delete your personal data and uploaded audio. Anonymised, non-identifying statistics may be retained.
7. Security
Data is encrypted in transit (TLS 1.2+) and at rest (database and object-storage encryption). Passwords are bcrypt-hashed. Optional two-factor authentication (authenticator app) is available on every account. Sessions use httpOnly refresh tokens that are stored as hashes and rotate over time, and you can review every active session and sign out any device, or all of them, from your account settings.
8. Your Rights (GDPR / UK GDPR / CCPA)
- Access & portability · email privacy@beatvaults.com and we'll send a machine-readable copy of the data we hold for you.
- Erasure · delete your account from your account settings, or email us. After a short grace window we hard-delete your personal data and uploaded audio.
- Rectification · edit your profile inside the app.
- Objection / restriction · email privacy@beatvaults.com.
- Do not sell / share · we don't sell or share your personal data, so there's nothing to opt out of, but you're welcome to confirm with us.
- Complaint · you may lodge one with your local data-protection authority.
9. International Transfers
Our servers may be located in the EU or US. Where data leaves the EEA, we rely on Standard Contractual Clauses with the receiving processor.
10. Children
beatvaults is not directed at children under 13 (or under 16 in the EEA). We do not knowingly collect data from them. If you believe a child has signed up, email privacy@beatvaults.com and we will delete the account.
11. Cookies
We use only essential cookies: a session refresh token (httpOnly, sameSite=strict) and a CSRF guard. We do not use analytics or advertising cookies, and we do not track you across other sites.
12. Changes
Material changes are announced via email at least 14 days before they take effect. Continued use after the effective date constitutes acceptance.
13. Contact
Privacy questions: privacy@beatvaults.com.
Data deletion / export: use the controls in your account settings or email us.
DMCA / copyright: see our DMCA policy.