← YourLabel/Privacy Policy
Legal Document

Privacy Policy

Effective: 1 July 2026Last updated: 1 July 2026Jurisdiction: GDPR (EU/EEA), International
Contents
  1. Data Controller
  2. Data We Collect
  3. Lawful Basis for Processing
  4. Purposes of Processing
  5. Third-Party Processors
  6. International Transfers
  7. Retention Periods
  8. Your Rights Under GDPR
  9. Cookies & Tracking
  10. Security Measures
  11. Children
  12. Changes to This Policy
Article 4(7) GDPR

1. Data Controller

The data controller responsible for the processing of your personal data is YourLabel, operating the music distribution platform accessible at yourlabel.app(“Platform”, “Service”, “we”, “us”, or “our”).

For all matters relating to your personal data, including exercising your rights under the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable national data protection legislation, you may contact us at [email protected].

Note: YourLabel does not currently appoint a formal Data Protection Officer (DPO) as it does not meet the thresholds under GDPR Article 37. However, we treat data protection as a core operational responsibility and handle all subject access requests with due diligence.

Articles 13–14 GDPR

2. Personal Data We Collect

We collect and process the following categories of personal data, limited to what is strictly necessary for the provision of the Service (the principle of data minimisation, GDPR Article 5(1)(c)):

CategoryData PointsSource
Account dataEmail address, hashed passwordProvided by you at registration
Identity / KYC dataFirst name, last name, country of residence, scanned government-issued ID document (passport or driving licence)Provided by you in Settings for verification
Artist profileDisplay name / artist name, Spotify/Apple Music artist page URLs (optional)Provided by you
Music content & metadataAudio files, cover artwork, release titles, track titles, lyrics, genre, release dates, UPC/ISRC codes, composer/producer creditsProvided by you on upload
Financial dataCryptocurrency wallet address (USDT TRC-20/ERC-20/BEP-20) or payout methodProvided by you in Settings
Technical / usage dataIP address at login, last login timestamp, browser-generated session tokenAutomatically collected
Smart Link analyticsAnonymised click counts per streaming platform per smart link. No listener personal data is collected.Automatically collected from public pages
Support communicationsContent of support tickets you submit, including any attached imagesProvided by you

We do not collect special category data as defined in GDPR Article 9 (health data, racial or ethnic origin, biometric data for identification, etc.). Identity documents are collected solely for anti-fraud and regulatory compliance verification and are not processed for biometric profiling.


Article 6 GDPR

3. Lawful Basis for Processing

Each processing activity carried out by YourLabel is grounded in one of the lawful bases enumerated in GDPR Article 6(1). We do not process your data without a documented legal basis.

Processing ActivityLawful BasisGDPR Ref.
Account creation and authenticationPerformance of a contractArt. 6(1)(b)
Identity verification (KYC)Compliance with a legal obligation; legitimate interests (fraud prevention)Art. 6(1)(c), 6(1)(f)
Music distribution to storesPerformance of a contractArt. 6(1)(b)
Royalty calculation and payoutPerformance of a contractArt. 6(1)(b)
Transactional emails (release status, verification)Performance of a contract; legitimate interestsArt. 6(1)(b), 6(1)(f)
IP address logging at loginLegitimate interests (security, abuse prevention)Art. 6(1)(f)
Smart link click counting (anonymised)Legitimate interests (service analytics for you)Art. 6(1)(f)
Legitimate interests test: Where we rely on Article 6(1)(f), we have assessed that our legitimate interests (platform security, fraud prevention, service improvement) are not overridden by your fundamental rights and freedoms, given the limited nature and proportionality of the data processed.

Article 5(1)(b) GDPR — Purpose Limitation

4. Purposes of Processing

We process your personal data exclusively for the following purposes:

We will not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects, as prohibited by GDPR Article 22 without explicit consent.


Article 28 GDPR — Processor Agreements

5. Third-Party Processors & Data Recipients

We engage the following third-party data processors under binding Data Processing Agreements (DPAs) as required by GDPR Article 28. Each processor acts only on our documented instructions.

ProcessorRoleData TransferredLocation
SupabaseDatabase & authentication infrastructureAccount data, profile data, release metadata, earnings recordsEU (AWS eu-central-1)
Cloudflare (R2)Object storage & CDNAudio files, cover artwork, identity documentsEU/US (configurable region)
ResendTransactional email deliveryEmail address, email contentUS (SCCs apply)
Digital stores & streaming platforms
(Spotify, Apple Music, YouTube Music, TikTok, Deezer, Tidal, Amazon Music, and others you select)
Distribution recipients (independent controllers for their own platforms)Artist name, release metadata, audio files, cover artwork, UPC/ISRC codesWorldwide

Digital stores and streaming platforms to which we distribute your music act as independent data controllers in respect of your content once delivered to them. Their respective privacy policies govern the use of your data on their platforms.

We do not sell your personal data to any third party, nor do we share it for advertising, marketing analytics, or data brokerage purposes.


Articles 44–49 GDPR — International Transfers

6. International Transfers of Personal Data

Some of our processors are based outside the European Economic Area (EEA). Where personal data is transferred to a third country, we ensure that an appropriate safeguard under GDPR Chapter V is in place:

Distribution of your music to global stores necessarily involves transfer of your artist name and release metadata worldwide. This transfer is strictly necessary for the performance of the contract between us (GDPR Article 49(1)(b)) and is limited to the metadata required by each store.


Article 5(1)(e) GDPR — Storage Limitation

7. Retention Periods

Data CategoryRetention PeriodJustification
Account data (email, password hash)Until account deletion, then 30 daysContractual necessity
Identity / KYC documentsUntil account deletion + 90 daysFraud prevention; legal obligation
Earnings & payout records7 years from the financial year of recordingTax and accounting law compliance
Support ticket content3 years from closureLegitimate interests (dispute resolution)
Login IP address12 months rollingSecurity and abuse detection
Smart link click data24 months rolling, or until smart link deletionService analytics
Music files & metadata on storesUntil takedown request is processed by each store (up to 30 business days)Contractual obligations with distribution partners

Upon expiry of the applicable retention period, personal data is securely deleted or irreversibly anonymised in accordance with GDPR Article 5(1)(e).


Articles 15–22 & 77 GDPR

8. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights. We will respond to all verified requests within 30 calendar days (extendable by a further 60 days in complex cases, with notice to you) as required by GDPR Article 12(3).

Right of Access
Article 15 GDPR
Obtain confirmation of whether we process your personal data and receive a copy of it, along with information about how and why it is processed.
Right to Rectification
Article 16 GDPR
Have inaccurate or incomplete personal data corrected. You can update most data directly in your dashboard Settings.
Right to Erasure
Article 17 GDPR
Request deletion of your personal data where there is no overriding legal basis for continued processing (e.g. statutory retention obligations).
Right to Restriction
Article 18 GDPR
Request that we restrict the processing of your data (e.g. while a dispute is pending), without deleting it.
Right to Portability
Article 20 GDPR
Receive your personal data in a structured, commonly used, machine-readable format, and transfer it to another controller where technically feasible.
Right to Object
Article 21 GDPR
Object to processing based on legitimate interests (Article 6(1)(f)). We will cease processing unless we can demonstrate compelling legitimate grounds.
No Automated Decisions
Article 22 GDPR
Not be subject to decisions based solely on automated processing that produce significant legal effects. We do not use such processes.
Right to Lodge a Complaint
Article 77 GDPR
Lodge a complaint with a supervisory authority in your EU member state if you believe we have infringed your rights under GDPR.
To exercise any of these rights, email [email protected] with your registered email address and the specific right you wish to invoke. We may request additional information to verify your identity before processing the request, in accordance with GDPR Article 12(6).

ePrivacy Directive; GDPR Recital 30

9. Cookies & Local Storage

We use only strictly necessary cookies and browser storage mechanisms. No consent is required for these under the ePrivacy Directive Article 5(3) as they are essential to provide the service you have requested.

Cookie / StoragePurposeDurationType
sb-* (Supabase)Authentication session tokenSession / 7 daysStrictly necessary
YL_LOCALEDashboard language preference1 yearFunctionality

We do not use advertising cookies, third-party tracking cookies, analytics platforms (Google Analytics, Meta Pixel, etc.), or any technology designed to track you across websites.


Article 32 GDPR — Security of Processing

10. Technical & Organisational Security Measures

We implement appropriate technical and organisational measures pursuant to GDPR Article 32 to ensure a level of security appropriate to the risk, including:

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of it (GDPR Article 33), and notify affected data subjects without undue delay where required by GDPR Article 34.


GDPR Recital 38

11. Children

The Service is directed exclusively at individuals aged 18 and over. We do not knowingly collect personal data from persons under the age of 18. If we become aware that we have inadvertently collected personal data from a minor, we will take immediate steps to delete such data.

If you believe that a minor has submitted data to us, please contact [email protected]immediately and we will investigate and remediate within 72 hours.


GDPR Article 13(2)

12. Changes to This Privacy Policy

We reserve the right to update this Privacy Policy at any time to reflect changes in our processing activities, legal obligations, or regulatory guidance. Material changes — i.e. changes that affect your rights or our legal bases — will be communicated to you:

Non-material changes (corrections, clarifications, formatting) may be made without prior notice. The “Last updated” date at the top of this page reflects the most recent revision. Continued use of the Service after the effective date of a revised Policy constitutes your acceptance of the changes.


Contact the Data Controller
YourLabel
Data protection enquiries: [email protected]
General support: [email protected]
Website: yourlabel.app

You also have the right to lodge a complaint with your local supervisory authority. In the EU, a list of national DPAs is available at edpb.europa.eu.