GDPR Compliance
How The Musical Road meets its obligations under the EU and UK General Data Protection Regulation.
Last updated: July 7, 2026
1. Our Commitment
The Musical Road ("we," "us," or "our") is an AI-assisted music promotion platform for independent artists, labels and producers. We are committed to handling personal data in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679) and the UK GDPR. This page summarises how those principles apply to the platform and how you can exercise your rights. It supplements our Privacy Policy and should be read together with our Cookie Policy, Terms of Service and Refund Policy.
2. Roles: Controller and Processor
For the personal data of our account holders (artists), we act as the data controller. When you upload or import your own music-industry contacts and send campaigns to them, you are the controller of that contact data and we act as a processor on your behalf — you are responsible for having a lawful basis to contact those recipients.
3. Lawful Bases for Processing
We rely on the following lawful bases under Article 6 GDPR:
- Performance of a contract: operating your account and delivering the Service — releases, uploads, campaigns, the credit system, billing and analytics.
- Legitimate interests: platform security, fraud and spam prevention, service reliability and product improvement, balanced against your rights and freedoms.
- Consent: non-essential cookies and advertising measurement (the Meta Pixel and its server-side Conversions API), and any optional marketing email. You can withdraw consent at any time.
- Legal obligation: retaining billing and tax records and responding to lawful requests from authorities.
4. Personal Data We Process
- Account & profile: name, email, password (hashed by our authentication provider), and optional artist name, biography, genres, avatar and branding. Google sign-in shares only your name and email.
- Uploaded content: release metadata, audio files and cover artwork you upload, stored in private storage buckets.
- Contacts & recipients: names, email addresses and notes for contacts you add or import.
- Campaign & email-event data: campaign content, send history and delivery events such as sends, deliveries, opens, clicks, bounces and unsubscribes.
- Promo-page analytics: visit, listen, download and feedback events, with technical context and approximate location.
- Billing data: a payment-provider customer reference, plan and subscription status and a credit-transaction ledger. Full card details are handled solely by Stripe.
- Usage & technical data: application logs and error reports used to keep the Service secure and reliable.
5. Purposes of Processing
- Creating, securing and authenticating your account.
- Operating core features: releases, uploads, campaigns, contacts, promo pages, analytics and credits.
- Generating AI-assisted campaign copy and recipient suggestions.
- Processing subscription and credit payments and providing billing history.
- Delivering transactional and (opt-in) marketing email.
- Producing delivery reporting and audience insights.
- Preventing fraud, spam and abuse.
- Measuring advertising performance where you have consented.
- Meeting legal obligations.
6. Data Retention
We keep your account data while your account exists. When you delete your account (Settings → Data & Privacy), your account and associated data — releases, uploads, campaigns, contacts and analytics you own — are permanently and immediately removed. Billing records held by Stripe are retained as required by financial and tax law. Suppression-list entries are kept so recipients who unsubscribed or hard-bounced are not re-contacted. Aggregated analytics that cannot be linked to an individual may be retained to power platform insights.
7. Your Rights Under the GDPR
You have the right to:
- Be informed about how your data is used (this page and our Privacy Policy).
- Access & data portability: export your data yourself at any time from Settings → Data & Privacy (a full account export plus per-table CSV exports of campaigns, contacts and releases), or request a copy.
- Rectification: correct inaccurate data, including in your profile settings.
- Erasure ("right to be forgotten"): delete your account and data yourself; deletion is permanent and immediate.
- Restriction & objection: restrict or object to certain processing, including direct marketing.
- Withdraw consent: change your cookie/advertising consent at any time (see our Cookie Policy).
- Lodge a complaint with your national data protection authority.
8. Third-Party Processors (Subprocessors)
We do not sell personal data. We share it only with the providers needed to operate the platform, each under a data processing agreement:
- Supabase — database, authentication and file storage.
- Stripe — subscription and credit payment processing and the Customer Portal (PCI-DSS compliant; card data never reaches our servers).
- Brevo — delivery of transactional and campaign emails.
- Meta Platforms — advertising measurement via the Meta Pixel and Conversions API, only with your consent and only from our production domain; email addresses are hashed (SHA-256) before transmission.
- AI gateway provider — large language model inference for campaign generation.
9. International Transfers
Some subprocessors (including Stripe, Brevo and Meta) are located in or transfer data to countries outside the EEA, such as the United States. Where this occurs we rely on appropriate safeguards such as the EU Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA).
10. Security Measures
- TLS encryption in transit and encryption at rest.
- Row-Level Security so users can access only their own records, plus least-privilege access for staff and services.
- Passwords hashed by our authentication provider.
- Private storage buckets with access-controlled file delivery.
Two-factor authentication is planned but not yet available. If a personal-data breach is likely to create a risk to your rights, we will notify you and the relevant supervisory authority as required by law.
11. How to Exercise Your Rights
Many rights can be exercised directly in the app: update your profile in Settings, manage cookie/advertising consent from the consent banner, and export or permanently delete your data in Settings → Data & Privacy. For any request you cannot complete in-app, email us at themusicalroad@gmail.com from the address on your account. We aim to respond within one month, as required by the GDPR.
12. Contact
- Email: themusicalroad@gmail.com
- Website: themusicalroad.com