Privacy Policy
1. Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) and other applicable data protection laws is:
BBN Music GmbH
Rosa-Luxemburg-Str. 37
14482 Potsdam, Germany
Phone: +49 171 7525811
Email: support@bbn.music
Website: bbn.music
Managing Directors: Maximilian Arzberger, Gregor Bigalke
Commercial Register: Potsdam Local Court, HRB 39134 P
VAT ID: DE370194161
2. Overview of Data Processing
This privacy policy informs you about what personal data we collect, process and use in connection with the operation of the bbn.music platform. It applies to all areas of the website, including public pages and the protected user area.
Personal data means any information relating to an identified or identifiable natural person, e.g. name, email address or IP address.
3. Legal Bases for Processing
We process personal data based on the following legal grounds:
- Art. 6(1)(a) GDPR (Consent) – When you have given consent, e.g. for the use of analytics cookies.
- Art. 6(1)(b) GDPR (Contract Performance) – When processing is necessary for the performance of a contract or pre-contractual measures, e.g. registration, music distribution, accounting.
- Art. 6(1)(c) GDPR (Legal Obligation) – When processing is necessary for compliance with a legal obligation, e.g. tax retention requirements.
- Art. 6(1)(f) GDPR (Legitimate Interest) – When processing is necessary for the purposes of our legitimate interests, e.g. platform security and fraud prevention.
4. Collection and Storage of Personal Data
4.1 When Visiting the Website (Server Log Files)
Each time you access our website, the following data is automatically collected by the web server:
- IP address of the requesting device
- Date and time of access
- Name and URL of the requested page
- Amount of data transferred
- Browser type and version
- Operating system
- Referrer URL (previously visited page)
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in ensuring smooth operation and security of our website). Data is deleted after 30 days.
4.2 Registration and User Account
When you create a user account, we collect:
- Name
- Email address
- Password (stored encrypted)
- Phone number (optional, for notifications)
- Profile picture (optional)
- Notification preferences
Legal basis: Art. 6(1)(b) GDPR (contract performance). Data is stored for the duration of the contractual relationship and thereafter in accordance with statutory retention periods.
4.3 Identity Verification (KYC)
For payout of earnings, identity verification may be required. We collect:
- Identity document (passport, ID card or driver's license)
- Selfie for verification
- Proof of address
- Tax information
Legal basis: Art. 6(1)(b) and (c) GDPR (contract performance and legal obligations, in particular tax reporting requirements). Data is stored in accordance with statutory retention periods (up to 10 years per Section 147 of the German Fiscal Code).
4.4 Music Distribution
In the context of music distribution, we process:
- Artist name and release metadata
- Audio files and cover artwork
- ISRC and UPC codes
- Revenue and streaming data
- Payout information (e.g. PayPal email)
As part of distribution, your release data (metadata, audio files, cover artwork, artist names, ISRC/UPC codes) is transmitted to the music platforms you select (e.g. Spotify, Apple Music, YouTube Music, Amazon Music, Deezer and others). These stores process the data as independent controllers. We recommend reading their respective privacy policies.
Legal basis: Art. 6(1)(b) GDPR (contract performance).
5. Cookies and Local Storage
Cookies are small text files stored on your device. We use cookies and the browser's local storage (localStorage) for various purposes.
5.1 Technically Necessary Storage
The following data is stored without consent as it is strictly necessary for the operation of the website (Section 25(2) TDDDG):
| Name | Purpose | Storage | Duration |
|---|---|---|---|
| cookie-consent | Stores your cookie consent choice | localStorage | 12 months |
| access-token | Authentication (login session) | localStorage | Session |
| refresh-token | Session renewal | localStorage | Session |
| locale | Language preference | localStorage | Persistent |
5.2 Analytics Cookies (Consent Required)
The following cookies and storage entries are only set if you have expressly consented via our cookie banner (Section 25(1) TDDDG, Art. 6(1)(a) GDPR):
| Name | Purpose | Storage | Duration |
|---|---|---|---|
| ph_*_posthog | PostHog: user identification for analytics | Cookie | 365 days |
| ph_* (various entries) | PostHog: session data, feature flags, configuration | localStorage | Persistent |
You can withdraw your consent at any time by using the "Cookie Settings" link in the footer of our website. Withdrawal does not affect the lawfulness of processing carried out prior to the withdrawal.
6. Web Analytics with PostHog
6.1 Description and Scope
We use PostHog, a web analytics service. The service is operated on servers within the European Union (EU Cloud via hedgehog.bbn.music). No personal data is transferred to third countries.
With your consent, PostHog processes the following data:
- Pseudonymous user ID (Distinct ID)
- Page views and click behavior (Autocapture)
- Browser type, operating system, screen resolution
- Referrer URL
- IP address (processed for geolocation)
- Performance metrics (page load times)
6.2 Session Recording
With your consent, we use PostHog's session recording feature. The following is recorded:
- Mouse movements and scroll behavior
- Click events
- Page content (DOM snapshots)
Privacy measures: All text inputs in form fields are automatically masked (maskAllInputs). Sensitive areas marked with [data-mask] are additionally obscured. No passwords, payment data or other sensitive inputs are recorded.
6.3 Identification of Logged-in Users
If you are logged in and have given your consent, we link your analytics data with the following information:
- User ID
- Email address
- Username
- Administrator status
This serves to improve our service and support. Without consent, no identification takes place.
6.4 Legal Basis and Withdrawal
Legal basis: Section 25(1) TDDDG (device access) in conjunction with Art. 6(1)(a) GDPR (consent). The PostHog SDK is only loaded after your consent. Without consent, no tracking or data collection by PostHog takes place.
You can withdraw your consent at any time via the "Cookie Settings" in the footer.
6.5 Data Processing Agreement
We have concluded a data processing agreement (DPA) with PostHog Inc. in accordance with Art. 28 GDPR. PostHog processes the data exclusively on our behalf and according to our instructions.
7. Payment Providers
For payment processing, we use Stripe (Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Dublin 2, Ireland).
When you subscribe to a paid plan, your payment data (credit card number, expiration date, CVC) is processed directly by Stripe. We do not have access to your complete payment data.
Legal basis: Art. 6(1)(b) GDPR (contract performance).
More information: Stripe Privacy Policy.
8. Authentication Services (OAuth)
You can register and log in to bbn.music via the following third-party services:
- Google (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) – Privacy Policy
- Discord (Discord Inc., 444 De Haro Street, Suite 200, San Francisco, CA 94107, USA) – Privacy Policy
- Microsoft (Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland) – Privacy Policy
When logging in via OAuth, we receive your email address and name from the respective provider. We do not gain access to your passwords with these services.
Legal basis: Art. 6(1)(b) GDPR (contract performance) or Art. 6(1)(a) GDPR (consent given by initiating the OAuth flow).
For Discord and Microsoft, data may be transferred to the USA. The transfer is based on Standard Contractual Clauses (Art. 46(2)(c) GDPR) or the EU-U.S. Data Privacy Framework.
9. Email and Notifications
We send you transactional emails (e.g. registration confirmation, password reset, verification codes). These are necessary for contract performance (Art. 6(1)(b) GDPR).
Marketing notifications (e.g. about new features or promotions) are only sent if you have opted in via your user settings. Available channels are email and WhatsApp. You can opt out at any time in your settings.
Legal basis for marketing: Art. 6(1)(a) GDPR (consent).
10. Hosting
Our website and platform are hosted on servers within the European Union. We have concluded a data processing agreement with our hosting provider in accordance with Art. 28 GDPR.
11. Data Retention
We store personal data only for as long as necessary for the respective processing purpose or as required by statutory retention obligations:
- Contract data: For the duration of the business relationship, thereafter in accordance with statutory retention periods (up to 10 years per Section 147 of the German Fiscal Code, Section 257 of the German Commercial Code).
- Billing data: 10 years (tax retention obligation).
- Server log files: 30 days.
- Analytics data (PostHog): Deleted once no longer required for the analytics purpose.
- KYC data: Up to 10 years after end of contract (tax retention obligations, German Fiscal Code).
After expiration of the respective period, data is deleted or anonymized.
12. Data Security
We implement appropriate technical and organizational measures pursuant to Art. 32 GDPR to protect your personal data. These include:
- Encrypted data transmission (HTTPS/TLS)
- Encrypted storage of passwords
- Access control and role-based permissions
- Regular security updates
13. Your Rights as a Data Subject
Under the GDPR, you have the following rights:
- Right of Access (Art. 15 GDPR): You may request information about your personal data stored by us.
- Right to Rectification (Art. 16 GDPR): You may request the correction of inaccurate data.
- Right to Erasure (Art. 17 GDPR): You may request the deletion of your data, provided no statutory retention obligations apply.
- Right to Restriction of Processing (Art. 18 GDPR): You may request the restriction of processing of your data.
- Right to Data Portability (Art. 20 GDPR): You may request that we provide your data in a structured, commonly used and machine-readable format.
- Right to Object (Art. 21 GDPR): Where processing is based on Art. 6(1)(f) GDPR (legitimate interest), you have the right to object at any time for reasons relating to your particular situation.
- Right to Withdraw Consent (Art. 7(3) GDPR): You may withdraw any consent given at any time. The lawfulness of processing carried out prior to the withdrawal remains unaffected.
To exercise your rights, please contact: support@bbn.music
14. Right to Lodge a Complaint with a Supervisory Authority
You have the right to lodge a complaint with a data protection supervisory authority about our processing of your personal data. The competent supervisory authority for us is:
Die Landesbeauftragte für den Datenschutz und für das Recht auf Akteneinsicht Brandenburg
Stahnsdorfer Damm 77
14532 Kleinmachnow, Germany
Phone: +49 33203 356-0
Email: poststelle@lda.brandenburg.de
Website: www.lda.brandenburg.de
15. Protection of Minors
Our services are intended for persons aged 18 and over. We do not knowingly collect personal data from minors. If we become aware that personal data of a minor has been collected, we will delete it immediately.
16. Changes to this Privacy Policy
We reserve the right to update this privacy policy to reflect changes in the law or changes to our service. The current version is always available on this page.
Last updated: March 2026