playd.me

Privacy Policy

Effective date: 27 May 2026

playd.me is a UK-based service and this policy is written in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who We Are

playd.me is a beat analytics platform for music producers. It lets producers share beats with artists and A&R contacts via tracked links, and gives producers insight into how those beats are being listened to.

For the purposes of UK GDPR, playd.me acts as the data controller for information collected from producers (people who create an account). For information collected from recipients (people who click a shared link), the producer is the data controller and playd.me acts as a data processor on their behalf.

Contact: hello@playd.me

2. Who This Policy Covers

This policy covers two types of people:

Producers — people who create a playd.me account to upload beats, create packs, and generate share links.
Recipients — people who receive a share link from a producer and listen in their browser. Recipients never create an account.

3. Information We Collect About Producers

When you sign up and use playd.me as a producer, we collect the following:

Account information

Email address
Password (stored as a secure hash — we never see your actual password)
Display name
Plan type (free or pro)

Public profile (optional — you control what you share)

Bio
Instagram handle
Website URL
Contact link

Notification settings

Your email notification preferences (e.g. whether to receive link-open alerts and weekly digests)
Your browser push notification subscription object, if you opt in to push notifications

4. Information We Collect About Recipients

Recipients never create an account and we never ask for their name or email. When a recipient clicks a share link, we collect only the following:

Playback events — which beats were played, paused, seeked, replayed, and when
Listen duration — how long a recipient listened to each beat
Device type — whether they are on mobile, desktop, or tablet (derived from the browser's user-agent string; the raw user-agent string is immediately discarded and never stored)
Session token — a random ID (UUID) generated for that listening session. This token is stored in our database solely to compile analytics for the producer, but it is not linked to any identity, name, email address, or other personal information. A new token is generated for each visit.

We do not collect

IP addresses from recipients
Any cookies on recipients' devices
Any personally identifiable information unless a producer has entered contact details about them (see Section 5)

5. Producer Contact Notes (CRM Data)

Producers can store notes about their recipients — for example, a recipient's name, email address, Instagram handle, and any personal notes. This is data the producer enters themselves.

As a producer, you are responsible for ensuring you have a lawful basis for storing information about your contacts (for example, their consent or a legitimate business relationship). playd.me stores this data on your behalf as a data processor.

Recipients can contact us at hello@playd.me if they believe a producer has stored information about them without a lawful basis.

6. Cookies and Local Storage

Recipients

We set no cookies and use no persistent local storage on recipients' devices.

Producers

We use authentication cookies provided by Supabase to keep you logged in. These include a short-lived access token (expires after approximately one hour) and a longer-lived refresh token (persists for up to 60 days) that keeps you signed in across browser sessions without requiring you to log in again. We do not use any advertising, tracking, or analytics cookies.

7. How We Use Your Information

We use producer information to

Create and manage your account
Send email notifications about link activity (if you have this enabled)
Send push notifications about link activity (if you have opted in)
Send weekly digest emails (if you have this enabled)
Provide and improve the playd.me service
Communicate with you about your account or our service

We use recipient information to

Generate analytics for the producer who shared the link
Calculate engagement scores for beats and packs

8. Our Legal Basis for Processing (UK GDPR)

Producers

Contract performance — processing your account data is necessary to provide the service you have signed up for.
Legitimate interests — we may process your data to improve the platform, provided this does not override your rights.
Consent — where you have opted in to push notifications or non-essential emails, we rely on your consent, which you can withdraw at any time in Settings.

Recipients

Legitimate interests — collecting anonymous playback analytics enables producers to understand engagement with their music. This data is minimised, does not identify individuals, and is unlikely to impact recipients' rights.

9. Third-Party Services We Use

We share data with the following third-party providers to run playd.me. We do not sell your data to any third party, and we do not use any advertising networks.

Supabase

Database storage and user authentication. All producer account data and analytics events are stored here. Data is held in the European Union.

Vercel

Hosting and serving the playd.me application. Processes web requests and edge routing, using EU edge nodes where possible.

Resend

Sending transactional emails to producers. Processes producer email address and notification content.

10. Data Retention

Producer accounts — retained for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where we are required to retain it by law.
Analytics data — playback events and engagement data are retained for as long as you have an active account and associated packs and links.
Contact notes — retained until you delete them or your account is closed.
Email logs — transactional email records may be retained by Resend for up to 30 days.

11. Your Rights Under UK GDPR

If you are a producer, you have the following rights:

Right of access — you can ask us for a copy of the personal data we hold about you.
Right to rectification — you can ask us to correct inaccurate data.
Right to erasure — you can ask us to delete your data (subject to any legal obligations we have to retain it).
Right to restrict processing — you can ask us to pause processing of your data in certain circumstances.
Right to data portability — you can ask for your data in a machine-readable format.
Right to object — you can object to processing based on legitimate interests.
Right to withdraw consent — where we process on the basis of consent (e.g. push notifications), you can withdraw it at any time via Settings.

Recipients who believe their information has been stored by a producer can contact us at hello@playd.me to exercise their rights.

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

12. Security

We take reasonable technical and organisational measures to protect your data, including encrypted storage, secure authentication via Supabase, and HTTPS-only access. No system is completely secure, and we cannot guarantee the absolute security of your data.

13. Children

playd.me is not directed at anyone under the age of 13. We do not knowingly collect data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

14. Changes to This Policy

We may update this policy from time to time. If we make material changes, we will notify producers by email or via a notice on the platform. The effective date at the top of this document will always reflect the latest version.

15. Contact Us

For any questions or requests relating to this privacy policy, please contact us at:

hello@playd.me