Privacy Policy
Plain-English summary of what we collect, why, how we keep it safe, and the rights you have under UK GDPR and the Data Protection Act 2018.
Last updated: 26 April 2026
1. Who we are
This site is operated by Bassline Music ("we", "us", "our"), a sole-trader operation based in the United Kingdom. For the purposes of UK GDPR we are the data controller for the personal data described in this policy. You can reach us at hello@basslinemusic.co.uk.
2. The legal framework
This policy is written to comply with:
- The UK General Data Protection Regulation (UK GDPR)
- The Data Protection Act 2018 (DPA 2018)
- The Privacy and Electronic Communications Regulations 2003 (PECR), for cookies and electronic marketing
- The Online Safety Act 2023, for user-generated content moderation
3. What we collect and why
We hold the minimum data needed to run the service. Specifically:
Account data
- Email address, used to sign you in, send password resets and important service notices. Lawful basis: contract (Article 6(1)(b) UK GDPR).
- Hashed password, only a bcrypt hash produced by Supabase Auth is stored; we never store your raw password.
- Display name + avatar choice, shown publicly next to your comments and likes.
Usage data
- Play history, which tracks you played, for how long, and when. Used for "Recently played", "Based on your listening", and aggregate trending charts. Lawful basis: legitimate interests (running and improving the service).
- Likes, comments and playlists, visible to other members per the visibility you choose.
Payment data
- Stripe customer ID + subscription status, we hold these so we can manage your subscription. We do not hold your card number, expiry or CVV; those go directly to Stripe under their own privacy policy.
Technical data
- IP address, user-agent, request timestamps, kept in Cloudflare access logs for up to 30 days for security, fraud prevention and abuse investigation. Lawful basis: legitimate interests.
4. Cookies and similar technologies
We use a small number of strictly-necessary cookies:
- Supabase auth cookies, keep you signed in across page loads. Strictly necessary, no consent required under PECR.
- Stripe checkout cookies, set during the payment flow. Strictly necessary.
We do not use advertising trackers, social-media pixels, or third-party analytics cookies.
5. Notifications
We send four kinds of notification. The first three are optional and you can turn each of them on or off at any time from your profile; transactional emails (the fourth) are part of running your account and cannot be switched off.
- In-app notifications (the bell icon in the top nav), shown when someone follows you, replies to one of your comments, mentions you, or likes/comments on your playlist. Lawful basis: legitimate interests (core service functionality so you can have a conversation on the site).
- Browser / device push notifications, sent to a browser or device only after you explicitly click Enable in your profile and grant your browser's permission prompt. We store the push endpoint your browser gives us (a long, unguessable URL that identifies only that browser's subscription) along with the two cryptographic keys your browser generates for it (the public key and authentication secret used to encrypt each notification to that browser); we receive nothing back about a notification after it has been delivered. You can revoke at any time from your profile or from your browser/device settings. Lawful basis: consent (Article 6(1)(a) UK GDPR + PECR regulation 22).
- Weekly email digest, a rollup of new tracks in your preferred genre and any activity on your content. It is on by default for new accounts, relying on the PECR regulation 22(3) "soft opt-in" (you are an existing customer and the digest concerns similar services), but every email contains a one-click unsubscribe and you can disable it from your profile at any time. Lawful basis under UK GDPR: legitimate interests; the soft opt-in is the PECR condition that lets us send it.
- Transactional emails (sign-up confirmation, password reset, contact replies, important service notices), always sent, these are not marketing. Lawful basis: contract (Article 6(1)(b) UK GDPR).
Push notifications are delivered through your browser's push service (Mozilla, Google, Apple or Microsoft depending on the browser). Emails are sent through Resend (see section 7). We do not share your notification preferences or history with anyone else.
6. How long we keep data
- Account data: until you delete your account.
- Play history, likes, comments: until you delete your account or remove the individual item.
- Stripe records: 7 years after the final transaction, to satisfy UK tax record-keeping obligations (HMRC guidance for self-employed traders).
- Server access logs: 30 days, then automatically purged.
7. Who we share data with
We use a small number of carefully-chosen processors. None of them sell your data:
- Supabase (database, auth), EU/UK servers, GDPR-compliant.
- Cloudflare (hosting, CDN, R2 object storage), UK-based edge with global delivery; the UK Addendum to the EU Standard Contractual Clauses applies where data leaves the UK (see section 8).
- Stripe (payments), see Stripe's UK privacy policy.
- Resend (transactional email), used for account emails, password resets, contact-form replies.
We will only share your data with anyone else if required by law (e.g. a valid court order) or to protect our rights and safety.
8. International transfers
Some of our processors operate globally. Where personal data leaves the UK, we rely on the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or an adequacy decision under section 17A of the DPA 2018, as appropriate.
9. Your rights
Under UK GDPR you have the right to:
- Be informed, that's what this policy is for.
- Access your personal data (a "subject access request").
- Rectification, correct inaccurate or incomplete data.
- Erasure, ask us to delete your data ("right to be forgotten").
- Restrict processing while we resolve a query.
- Data portability, get your data in a portable format.
- Object to processing based on legitimate interests.
- Withdraw consent at any time where we've relied on consent.
- Lodge a complaint with the UK Information Commissioner's Office (ICO). We'd appreciate the chance to put things right first.
Email hello@basslinemusic.co.uk with subject line "GDPR request" to exercise any of these. We respond within one month (the UK GDPR deadline), free of charge in most cases.
10. Security
- All traffic between your browser and the site is encrypted in transit with TLS (TLS 1.3 where your browser supports it).
- Passwords are hashed with bcrypt before they are stored; we never store them in plain text.
- Database access is gated by row-level security policies enforced in the database itself, so requests made with your signed-in identity can only ever return the rows those policies allow; a bug in our application code would not expose your private data to other users.
- Payments are handled by Stripe; we never touch your card details.
- Suspicious activity is rate-limited at the network edge by Cloudflare.
11. Children
The service is not intended for children under 13. We do not knowingly collect personal data from anyone under 13. If you believe we hold data on a child, please contact us so we can delete it.
12. Changes to this policy
We may update this policy from time to time. Material changes will be flagged on the homepage and, where you have an account, by email. The "Last updated" date at the top of this page shows the most recent revision.
13. Contact
Questions or complaints: hello@basslinemusic.co.uk, or via the contact form.