The data controller responsible for the processing of your personal data is YourLabel, operating the music distribution platform accessible at yourlabel.app(“Platform”, “Service”, “we”, “us”, or “our”).
For all matters relating to your personal data, including exercising your rights under the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable national data protection legislation, you may contact us at [email protected].
We collect and process the following categories of personal data, limited to what is strictly necessary for the provision of the Service (the principle of data minimisation, GDPR Article 5(1)(c)):
| Category | Data Points | Source |
|---|---|---|
| Account data | Email address, hashed password | Provided by you at registration |
| Identity / KYC data | First name, last name, country of residence, scanned government-issued ID document (passport or driving licence) | Provided by you in Settings for verification |
| Artist profile | Display name / artist name, Spotify/Apple Music artist page URLs (optional) | Provided by you |
| Music content & metadata | Audio files, cover artwork, release titles, track titles, lyrics, genre, release dates, UPC/ISRC codes, composer/producer credits | Provided by you on upload |
| Financial data | Cryptocurrency wallet address (USDT TRC-20/ERC-20/BEP-20) or payout method | Provided by you in Settings |
| Technical / usage data | IP address at login, last login timestamp, browser-generated session token | Automatically collected |
| Smart Link analytics | Anonymised click counts per streaming platform per smart link. No listener personal data is collected. | Automatically collected from public pages |
| Support communications | Content of support tickets you submit, including any attached images | Provided by you |
We do not collect special category data as defined in GDPR Article 9 (health data, racial or ethnic origin, biometric data for identification, etc.). Identity documents are collected solely for anti-fraud and regulatory compliance verification and are not processed for biometric profiling.
Each processing activity carried out by YourLabel is grounded in one of the lawful bases enumerated in GDPR Article 6(1). We do not process your data without a documented legal basis.
| Processing Activity | Lawful Basis | GDPR Ref. |
|---|---|---|
| Account creation and authentication | Performance of a contract | Art. 6(1)(b) |
| Identity verification (KYC) | Compliance with a legal obligation; legitimate interests (fraud prevention) | Art. 6(1)(c), 6(1)(f) |
| Music distribution to stores | Performance of a contract | Art. 6(1)(b) |
| Royalty calculation and payout | Performance of a contract | Art. 6(1)(b) |
| Transactional emails (release status, verification) | Performance of a contract; legitimate interests | Art. 6(1)(b), 6(1)(f) |
| IP address logging at login | Legitimate interests (security, abuse prevention) | Art. 6(1)(f) |
| Smart link click counting (anonymised) | Legitimate interests (service analytics for you) | Art. 6(1)(f) |
We process your personal data exclusively for the following purposes:
We will not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects, as prohibited by GDPR Article 22 without explicit consent.
We engage the following third-party data processors under binding Data Processing Agreements (DPAs) as required by GDPR Article 28. Each processor acts only on our documented instructions.
| Processor | Role | Data Transferred | Location |
|---|---|---|---|
| Supabase | Database & authentication infrastructure | Account data, profile data, release metadata, earnings records | EU (AWS eu-central-1) |
| Cloudflare (R2) | Object storage & CDN | Audio files, cover artwork, identity documents | EU/US (configurable region) |
| Resend | Transactional email delivery | Email address, email content | US (SCCs apply) |
| Digital stores & streaming platforms (Spotify, Apple Music, YouTube Music, TikTok, Deezer, Tidal, Amazon Music, and others you select) | Distribution recipients (independent controllers for their own platforms) | Artist name, release metadata, audio files, cover artwork, UPC/ISRC codes | Worldwide |
Digital stores and streaming platforms to which we distribute your music act as independent data controllers in respect of your content once delivered to them. Their respective privacy policies govern the use of your data on their platforms.
We do not sell your personal data to any third party, nor do we share it for advertising, marketing analytics, or data brokerage purposes.
Some of our processors are based outside the European Economic Area (EEA). Where personal data is transferred to a third country, we ensure that an appropriate safeguard under GDPR Chapter V is in place:
Distribution of your music to global stores necessarily involves transfer of your artist name and release metadata worldwide. This transfer is strictly necessary for the performance of the contract between us (GDPR Article 49(1)(b)) and is limited to the metadata required by each store.
| Data Category | Retention Period | Justification |
|---|---|---|
| Account data (email, password hash) | Until account deletion, then 30 days | Contractual necessity |
| Identity / KYC documents | Until account deletion + 90 days | Fraud prevention; legal obligation |
| Earnings & payout records | 7 years from the financial year of recording | Tax and accounting law compliance |
| Support ticket content | 3 years from closure | Legitimate interests (dispute resolution) |
| Login IP address | 12 months rolling | Security and abuse detection |
| Smart link click data | 24 months rolling, or until smart link deletion | Service analytics |
| Music files & metadata on stores | Until takedown request is processed by each store (up to 30 business days) | Contractual obligations with distribution partners |
Upon expiry of the applicable retention period, personal data is securely deleted or irreversibly anonymised in accordance with GDPR Article 5(1)(e).
As a data subject under GDPR, you have the following rights. We will respond to all verified requests within 30 calendar days (extendable by a further 60 days in complex cases, with notice to you) as required by GDPR Article 12(3).
We use only strictly necessary cookies and browser storage mechanisms. No consent is required for these under the ePrivacy Directive Article 5(3) as they are essential to provide the service you have requested.
| Cookie / Storage | Purpose | Duration | Type |
|---|---|---|---|
sb-* (Supabase) | Authentication session token | Session / 7 days | Strictly necessary |
YL_LOCALE | Dashboard language preference | 1 year | Functionality |
We do not use advertising cookies, third-party tracking cookies, analytics platforms (Google Analytics, Meta Pixel, etc.), or any technology designed to track you across websites.
We implement appropriate technical and organisational measures pursuant to GDPR Article 32 to ensure a level of security appropriate to the risk, including:
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of it (GDPR Article 33), and notify affected data subjects without undue delay where required by GDPR Article 34.
The Service is directed exclusively at individuals aged 18 and over. We do not knowingly collect personal data from persons under the age of 18. If we become aware that we have inadvertently collected personal data from a minor, we will take immediate steps to delete such data.
If you believe that a minor has submitted data to us, please contact [email protected]immediately and we will investigate and remediate within 72 hours.
We reserve the right to update this Privacy Policy at any time to reflect changes in our processing activities, legal obligations, or regulatory guidance. Material changes — i.e. changes that affect your rights or our legal bases — will be communicated to you:
Non-material changes (corrections, clarifications, formatting) may be made without prior notice. The “Last updated” date at the top of this page reflects the most recent revision. Continued use of the Service after the effective date of a revised Policy constitutes your acceptance of the changes.