Privacy Policy

for the bbn.music platform operated by BBN Music GmbH

Last updated: March 2026

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) and other applicable data protection laws is:

BBN Music GmbH
Rosa-Luxemburg-Str. 37
14482 Potsdam, Germany
Phone: +49 171 7525811
Email: support@bbn.music
Website: bbn.music

Managing Directors: Maximilian Arzberger, Gregor Bigalke
Commercial Register: Potsdam Local Court, HRB 39134 P
VAT ID: DE370194161

2. Overview of Data Processing

This privacy policy informs you about what personal data we collect, process and use in connection with the operation of the bbn.music platform. It applies to all areas of the website, including public pages and the protected user area.

Personal data means any information relating to an identified or identifiable natural person, e.g. name, email address or IP address.

3. Legal Bases for Processing

We process personal data based on the following legal grounds:

  • Art. 6(1)(a) GDPR – Consent: When you have given consent, e.g. for the use of analytics cookies.
  • Art. 6(1)(b) GDPR – Contract Performance: When processing is necessary for the performance of a contract, e.g. registration, music distribution, accounting.
  • Art. 6(1)(c) GDPR – Legal Obligation: When processing is necessary for compliance with a legal obligation, e.g. tax retention requirements.
  • Art. 6(1)(f) GDPR – Legitimate Interest: When processing is necessary for our legitimate interests, e.g. platform security and fraud prevention.

4. Collection and Storage of Personal Data

4.1 Server Log Files

Each time you access our website, the following data is automatically collected by the web server:

  • IP address of the requesting device
  • Date and time of access
  • Name and URL of the requested page
  • Amount of data transferred
  • Browser type and version
  • Operating system
  • Referrer URL (previously visited page)

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in ensuring smooth operation and security). Data is deleted after 30 days.

4.2 Registration and User Account

When you create a user account, we collect:

  • Name
  • Email address
  • Password (stored encrypted)
  • Phone number (optional, for notifications)
  • Profile picture (optional)
  • Notification preferences

Legal basis: Art. 6(1)(b) GDPR. Data is stored for the duration of the contractual relationship and thereafter in accordance with statutory retention periods.

4.3 Identity Verification (KYC)

To enable payouts of earnings, identity verification is required. We collect:

  • First and last name
  • Date of birth
  • Country and postal address
  • Business details (company name, registration number, VAT number) for business accounts

Legal basis: Art. 6(1)(b) and (c) GDPR (contract performance and legal obligations, in particular tax reporting requirements). Data is stored for up to 10 years per Section 147 of the German Fiscal Code.

4.4 Music Distribution

In the context of music distribution, we process:

  • Artist name and release metadata
  • Audio files and cover artwork
  • ISRC and UPC codes
  • Revenue and streaming data
  • Payout information (e.g. PayPal email)

As part of distribution, your release data is transmitted to the music platforms you select (e.g. Spotify, Apple Music, YouTube Music, Amazon Music, Deezer). These stores process the data as independent controllers. We recommend reading their respective privacy policies.

Legal basis: Art. 6(1)(b) GDPR.

5. Cookies and Local Storage

5.1 Technically Necessary Storage

The following data is stored without consent as it is strictly necessary for operation (Section 25(2) TDDDG):

Name | Purpose | Storage | Duration
cookie-consent | Stores your cookie consent choice | localStorage | 12 months
access-token | Authentication (login session) | localStorage | Session
refresh-token | Session renewal | localStorage | Session
locale | Language preference | localStorage | Persistent

5.2 Analytics Cookies (Consent Required)

The following cookies are only set with your express consent via our cookie banner (Section 25(1) TDDDG, Art. 6(1)(a) GDPR):

Name | Purpose | Storage | Duration
ph_*_posthog | PostHog: user identification for analytics | Cookie | 365 days
ph_* (various) | PostHog: session data, feature flags, configuration | localStorage | Persistent

You can withdraw your consent at any time via "Cookie Settings" in the footer. Withdrawal does not affect the lawfulness of prior processing.

6. Web Analytics with PostHog

6.1 Description and Scope

We use PostHog, a web analytics service operated on servers within the EU (hedgehog.bbn.music). No personal data is transferred to third countries.

With your consent, PostHog processes: pseudonymous user ID, page views and click behavior, browser type, OS, screen resolution, referrer URL, IP address (for geolocation), and performance metrics.

6.2 Session Recording

With your consent, we record mouse movements, scroll behavior, click events, and DOM snapshots.

Privacy measures

All form inputs are automatically masked (maskAllInputs). Sensitive areas marked with [data-mask] are additionally obscured. No passwords, payment data, or other sensitive inputs are recorded.

6.3 Identification of Logged-in Users

If you are logged in and have consented, we link your analytics data with your user ID, email address, username, and administrator status. Without consent, no identification takes place.

6.4 Legal Basis and Withdrawal

Legal basis: Section 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR. The PostHog SDK is only loaded after your consent. Withdraw at any time via "Cookie Settings" in the footer.

6.5 Data Processing Agreement

We have concluded a data processing agreement (DPA) with PostHog Inc. in accordance with Art. 28 GDPR. PostHog processes data exclusively on our behalf and according to our instructions.

7. Payment Providers

For payment processing, we use Stripe (Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Dublin 2, Ireland).

When you subscribe to a paid plan, your payment data (credit card number, expiration date, CVC) is processed directly by Stripe. We do not have access to your complete payment data.

Legal basis: Art. 6(1)(b) GDPR. More information: Stripe Privacy Policy.

8. Authentication Services (OAuth)

You can register and log in to bbn.music via the following third-party services:

Google (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) – Privacy Policy
Discord (Discord Inc., 444 De Haro Street, Suite 200, San Francisco, CA 94107, USA) – Privacy Policy
Microsoft (Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland) – Privacy Policy

When logging in via OAuth, we receive your email address and name from the respective provider. We do not gain access to your passwords.

Legal basis: Art. 6(1)(b) GDPR or Art. 6(1)(a) GDPR. For Discord and Microsoft, data may be transferred to the USA based on Standard Contractual Clauses (Art. 46(2)(c) GDPR) or the EU-U.S. Data Privacy Framework.

9. Email and Notifications

We send transactional emails (e.g. registration confirmation, password reset, verification codes) necessary for contract performance (Art. 6(1)(b) GDPR).

Marketing notifications (e.g. about new features or promotions) are only sent if you have opted in via your user settings. Available channels are email and WhatsApp. You can opt out at any time in your settings.

Legal basis for marketing: Art. 6(1)(a) GDPR (consent).

10. Hosting

Our website and platform are hosted on servers within the European Union. We have concluded a data processing agreement with our hosting provider in accordance with Art. 28 GDPR.

11. Data Retention

We store personal data only for as long as necessary for the processing purpose or as required by statutory retention obligations:

Contract data: For the duration of the business relationship, thereafter up to 10 years (Section 147 German Fiscal Code, Section 257 Commercial Code).
Billing data: 10 years (tax retention obligation).
Server log files: 30 days.
Analytics data (PostHog): Deleted once no longer required for the analytics purpose.
KYC data: Up to 10 years after end of contract (tax retention obligations, German Fiscal Code).

After expiration of the respective period, data is deleted or anonymized.

12. Data Security

We implement appropriate technical and organizational measures pursuant to Art. 32 GDPR to protect your personal data. These include:

  • Encrypted data transmission (HTTPS/TLS)
  • Encrypted storage of passwords
  • Access control and role-based permissions
  • Regular security updates

13. Your Rights as a Data Subject

Under the GDPR, you have the following rights:

Right of Access (Art. 15 GDPR): You may request information about your personal data stored by us.
Right to Rectification (Art. 16 GDPR): You may request correction of inaccurate data.
Right to Erasure (Art. 17 GDPR): You may request deletion of your data, provided no statutory retention obligations apply.
Right to Restriction of Processing (Art. 18 GDPR): You may request restriction of processing of your data.
Right to Data Portability (Art. 20 GDPR): You may request your data in a structured, commonly used, machine-readable format.
Right to Object (Art. 21 GDPR): Where processing is based on Art. 6(1)(f) GDPR, you may object at any time for reasons relating to your particular situation.
Right to Withdraw Consent (Art. 7(3) GDPR): You may withdraw any consent at any time. Prior processing remains lawful.

To exercise your rights, please contact: support@bbn.music

14. Right to Lodge a Complaint with a Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority. The competent authority for us is:

Die Landesbeauftragte für den Datenschutz und für das Recht auf Akteneinsicht Brandenburg
Stahnsdorfer Damm 77
14532 Kleinmachnow, Germany
Phone: +49 33203 356-0
Email: poststelle@lda.brandenburg.de
Website: www.lda.brandenburg.de

15. Protection of Minors

Our services are intended for persons aged 18 and over. We do not knowingly collect personal data from minors. If we become aware that personal data of a minor has been collected, we will delete it immediately.

16. Changes to this Privacy Policy

We reserve the right to update this privacy policy to reflect changes in the law or changes to our service. The current version is always available on this page.
