Legal Document

Privacy Policy

This Policy explains how BeatLink.io collects, uses, stores, and protects your personal data, and describes your rights under applicable law.

Last updated: May 26, 2026 | GDPR compliant | French law

1

Data Controller Identity

BeatLink.io is operated by BeatHub, a micro-entreprise registered in France, acting as data controller within the meaning of Article 4(7) of Regulation (EU) 2016/679 (the "GDPR") with respect to the personal data of all Users of the Platform.

Trade name: BeatLink
Legal entity: BeatHub
Legal form: Micro-entreprise (France)
SIRET: Registration in progress — available from June 2026
Registered office: France
Data contact: contact@beatlink.io

This Privacy Policy must be read in conjunction with our Terms and Conditions. By creating an account or using the Service, you acknowledge that you have read and understood this Policy.

2

Data We Collect

2.1 — Data You Provide Directly

Category | Data | When Collected
Identity | Username | At registration
Contact | Email address | At registration
Location | Country of residence | At registration
Profile | Experience level, monthly revenue, sales methods, main challenges, discovery source | During onboarding
Communication | Newsletter opt-in preference | At registration
Legal | Acceptance of Terms and Privacy Policy (timestamp) | At registration
Subscription | Plan selected (Free, Gold, Platinum) | At subscription activation
Content | YouTube URLs submitted for scanning | During use of the Scanner

2.2 — Data Collected Automatically

Category | Data | Purpose
Technical | IP address | Fraud prevention, multi-account detection
Technical | Browser type, operating system, device type | Service compatibility and optimization
Usage | Scan count, lookup count, beats uploaded, artists identified | Service delivery, quota management
Session | Authentication tokens, session identifiers | Account security and authentication

2.3 — Data Received from Third Parties

Google OAuth: If you register or sign in using Google, we receive your name, email address, and profile picture URL as provided by Google. We do not receive your Google password.

Stripe (payment processor): We receive confirmation of subscription status, payment method type (e.g., "card ending in 4242"), and billing cycle. We do not receive or store your full card number, CVV, or complete banking details. Those are handled exclusively by Stripe, Inc. under its PCI DSS-compliant infrastructure.

IP geolocation: We use a third-party service to detect your approximate country of residence at the point of registration based on your IP address, for the sole purpose of pre-filling the country field.

3

Legal Bases and Purposes of Processing

We process your personal data only where a valid legal basis exists under Article 6 of the GDPR.

3.1 — Performance of a Contract (Art. 6(1)(b))

The following processing is strictly necessary to provide the Service you have subscribed to:

  • Creating and managing your account and user profile
  • Delivering scan results and contact lookup features
  • Managing your subscription, billing cycle, and usage quota
  • Sending transactional emails relating to your account (e.g., payment confirmations, quota alerts)
  • Processing cancellation and account deletion requests

3.2 — Legal Obligation (Art. 6(1)(c))

We process certain data to comply with applicable legal obligations, including:

  • Retention of billing and transaction records pursuant to French commercial law (Article L123-22 Code de commerce — 10 years)
  • Responding to lawful requests from courts or competent supervisory authorities

3.3 — Legitimate Interests (Art. 6(1)(f))

We process certain data on the basis of our legitimate interests, having conducted a balancing assessment to verify that those interests are not overridden by your rights and freedoms:

Processing Activity | Legitimate Interest
IP address collection and multi-account detection | Preventing abuse, fraud, and circumvention of the free trial policy
Security logging and access monitoring | Protecting the integrity and security of the Platform and its users
Enforcement of Terms and Conditions | Protecting the rights of the Publisher and third parties

You have the right to object at any time to processing based on legitimate interests. See Section 8 for how to exercise this right.

3.4 — Consent (Art. 6(1)(a))

The following processing is based solely on your freely given, specific, and informed consent:

  • Sending marketing emails, newsletters, tips, and product updates

You may withdraw your consent at any time by clicking the unsubscribe link in any marketing email, or by contacting us at contact@beatlink.io. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.

4

Artist Contact Data Processed Through the Service

This section specifically addresses the personal data of third-party artists that is surfaced through the Contact Lookup feature of BeatLink.io.

4.1 — Nature of the Data

The Service aggregates contact information — including social media profile URLs and publicly disclosed email addresses, Spotify listener data, and YouTube presence — that has been made publicly accessible by the individuals concerned on social platforms, music streaming services, and video-sharing platforms.

4.2 — Legal Basis

The processing of this third-party data by the Publisher, for the purpose of providing the Contact Lookup feature, is based on legitimate interest (Art. 6(1)(f) GDPR): enabling music producers to identify and contact artists in a professional prospecting context, using only data that the artists themselves have voluntarily made public.

A Legitimate Interest Assessment (LIA) has been conducted. Key findings:

  • The data is strictly limited to professional contact information voluntarily disclosed on public platforms
  • The processing serves a proportionate, commercially recognized B2B prospecting purpose
  • The data does not include sensitive categories within the meaning of Article 9 GDPR
  • Artists retain full control over their public information and may remove it from source platforms at any time

4.3 — User Responsibility as Independent Data Controller

When a User exports, uses, or acts upon artist contact data for their own outreach activities, the User acts as an independent data controller for that downstream processing. BeatLink.io is not a joint controller and bears no responsibility for the User's use of the data. The User is solely responsible for ensuring their outreach has a valid legal basis under applicable law.

4.4 — Rights of Artists Whose Data Appears on the Platform

Any individual whose contact information appears on the Platform may submit a request for erasure, rectification, or objection by contacting us at contact@beatlink.io. We will process such requests within 30 days and will remove or correct data where legally required.

5

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, subject to mandatory legal retention obligations.

Data Category | Retention Period | Basis
Account and profile data | Duration of account + 12 months after deletion | Contractual, legal obligation
Billing and transaction records | 10 years from transaction date | French commercial law (Art. L123-22)
IP addresses (security logs) | 12 months rolling | CNIL guidelines, legitimate interest
Scan and usage logs | 12 months rolling | Service delivery, legitimate interest
Newsletter consent records | Duration of consent + 3 years after unsubscription | Proof of consent (CNIL recommendation)
Support correspondence | 3 years from last interaction | Legitimate interest (legal defense)
Artist contact data | Reviewed periodically; deleted upon valid erasure request | Legitimate interest

Upon expiry of the applicable retention period, data is permanently and irreversibly deleted or anonymized such that it can no longer be associated with any identifiable individual.

6

Third-Party Sub-Processors

We use a limited number of trusted third-party service providers ("sub-processors") to operate the Service. Each sub-processor is engaged under a data processing agreement ensuring an equivalent level of protection to that required by the GDPR.

Sub-Processor | Role | Data Transferred | Location
Supabase, Inc. | Database hosting, authentication | Account data, usage data, profile data | United States / EU
Stripe, Inc. | Payment processing | Email address, subscription status, payment metadata | United States
Vercel, Inc. | Application hosting and delivery | Technical and session data | United States / EU
Google LLC | OAuth authentication (if used) | Name, email, profile picture (Google sign-in only) | United States
ipapi.co | IP geolocation at registration | IP address (one-time, registration only) | United States

We do not sell, rent, or share your personal data with third parties for their own marketing or commercial purposes. Our sub-processors access your data solely to the extent necessary to perform the services described above.

7

International Data Transfers

Some sub-processors listed in Section 6 are located outside the European Economic Area (EEA), including in the United States. Where personal data is transferred to a third country, we ensure an adequate level of protection through one or more of the following mechanisms:

  • Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914/EU)
  • Transfers to recipients in countries recognized by the European Commission as providing an adequate level of data protection
  • Other transfer mechanisms permitted under Chapter V of the GDPR

You may request information about the specific transfer mechanisms applicable to our sub-processors by contacting contact@beatlink.io.

8

Your Rights Under the GDPR

If you are located in the European Economic Area, you have the following rights with respect to your personal data:

Right | Description
Access (Art. 15) | Obtain confirmation of whether we process your data and receive a copy of it
Rectification (Art. 16) | Request correction of inaccurate or incomplete personal data
Erasure (Art. 17) | Request deletion of your data ("right to be forgotten"), subject to legal retention obligations
Restriction (Art. 18) | Request that we limit the processing of your data in certain circumstances
Portability (Art. 20) | Receive your data in a structured, machine-readable format and transmit it to another controller
Objection (Art. 21) | Object to processing based on legitimate interests, or to direct marketing at any time
Withdrawal of consent | Withdraw consent at any time where processing is consent-based, without affecting prior lawful processing
Lodge a complaint | File a complaint with the competent supervisory authority (see below)

How to Exercise Your Rights

Submit your request to: contact@beatlink.io

We will respond within 30 days of receipt. In cases of complexity or volume, we may extend this period by a further 60 days, in which case we will notify you of the extension and the reasons for it. We may ask you to verify your identity before processing your request. We will not charge a fee for reasonable requests.

Right to Lodge a Complaint

You have the right to lodge a complaint with the competent supervisory authority. In France:

CNIL
Commission Nationale de l'Informatique et des Libertés
3, Place de Fontenoy — TSA 80715 — 75334 Paris Cedex 07
www.cnil.fr

9

Cookies and Tracking Technologies

9.1 — Cookies We Use

Type | Purpose | Retention
Strictly necessary | Authentication session tokens and security identifiers — required for the Service to function | Session / up to 7 days
Functional | Remembering user preferences (e.g., country, language) | Up to 12 months

We do not use advertising cookies, third-party tracking pixels, or analytics tools that track individual browsing behavior across the Platform.

9.2 — Managing Cookies

You may control or delete cookies through your browser settings at any time. Please note that disabling strictly necessary cookies will prevent you from accessing authenticated areas of the Service. For guidance on managing cookies, visit allaboutcookies.org.

10

Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of all data in transit using TLS 1.2 or higher
  • Encryption of data at rest on our hosting infrastructure
  • Role-based access control — internal access to personal data is limited to those who need it to operate the Service
  • Password hashing using industry-standard cryptographic algorithms — passwords are never stored in plaintext
  • Regular security reviews and dependency updates
  • Strict data minimization — we collect only what is strictly necessary for the purposes described in this Policy

No method of transmission over the internet or electronic storage is completely secure. In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the CNIL within 72 hours of becoming aware, and will inform affected individuals without undue delay where required by law.

11

Children's Privacy

The Service is not directed at individuals under the age of 18 years. We do not knowingly collect personal data from minors. If you become aware that a minor has provided us with personal data without appropriate consent, please contact us immediately at contact@beatlink.io. We will delete such data promptly upon verification.

12

Third-Party Links

The Service may contain links to third-party websites, platforms, and services — including Spotify, YouTube, and social media platforms. This Privacy Policy does not apply to those third-party services. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party services. We encourage you to review the privacy policy of every service you access through BeatLink.io.

13

Changes to This Privacy Policy

We reserve the right to update this Privacy Policy at any time to reflect changes in our data practices, legal requirements, or the Service. In the event of a material change, we will notify registered Users by email and update the "Last updated" date at the top of this Policy at least 30 days before the change takes effect.

Continued use of the Service following notification of a material change constitutes acceptance of the revised Policy. If you do not accept the changes, you must cease using the Service and may request deletion of your account.

The current version of this Policy is always accessible at beatlink.io/privacy.

14

Contact

For any question, request, or complaint relating to this Privacy Policy or the processing of your personal data:

Data & Privacy: contact@beatlink.io
GDPR requests, erasure, objections

General Support: support@beatlink.io
Account, billing, technical issues

Postal address: BeatHub — Micro-entreprise — France (full address available from June 2026)

Response time: Within 30 days of receipt of your request

© 2026 BeatHub — Micro-entreprise — All rights reserved.
BeatLink.io is operated under the trade name BeatLink by BeatHub.
This Privacy Policy was last updated on May 26, 2026.