Privacy Policy
We are committed to being transparent about exactly what data The Musical Road collects and how it is used.
Last updated: July 7, 2026
1. Introduction
The Musical Road ("we," "us," or "our") is an AI-assisted music promotion platform that helps independent artists, labels and producers manage releases, run email promo campaigns to music-industry contacts, publish shareable promo pages, and measure engagement. This Privacy Policy explains what personal data we collect, why, how we use and share it, and the rights you have.
It applies to the website at themusicalroad.com and our web application (together, the "Service"). By creating an account or using the Service, you acknowledge you have read this policy. It should be read together with our Terms of Service, Refund Policy and Cookie Policy.
For any privacy question or request, contact us at themusicalroad@gmail.com.
2. Data We Collect
2.1 Account & profile
When you register you provide your full name and email address, and you choose a password. Passwords are handled by our authentication provider and are never stored by us in plain text. If you sign in with Google, we receive only the name and email address Google shares. In your profile you may optionally add an artist/band name, biography, genres, avatar and branding details.
2.2 Music & artwork uploads
When you create a release you provide metadata (such as title, artist name, genre and release details) and may upload audio files and cover artwork. These files are stored in private storage buckets and are not publicly listable. Cover artwork embedded in campaign emails is served through a dedicated image endpoint so it can display in inboxes; audio and other assets are accessed through time-limited, access-controlled links.
2.3 Contacts & recipient management
You can add or import your own music-industry contacts (for example DJs and curators), including their names, email addresses and notes you attach. We store this to let you run your campaigns. We also maintain an internal recipient network used to select relevant recipients for AI-assisted campaigns; this network is a protected internal asset and is never made browsable or exportable to users. You are responsible for having a lawful basis to contact anyone you add (see our Terms).
2.4 Campaigns & AI-generated content
To generate campaign copy and select recipients, we process the inputs you provide (release details, tone and notes) through an AI gateway. We retain campaigns, templates and their send history so you can review and reuse them. Campaign content is private to your account.
2.5 Email delivery & engagement events
Campaign and transactional emails are delivered through our email provider, Brevo. To power delivery reporting and analytics we record events such as sends, deliveries, opens, clicks, bounces and unsubscribes, together with the recipient address and the related campaign. Addresses that hard-bounce, mark mail as spam or unsubscribe are added to a suppression list so they are not contacted again.
2.6 Promo-page visitor & analytics data
Each release can have a shareable promo page. When a visitor (who need not have an account) opens a promo page, plays a preview, submits feedback or downloads a track, we record events such as the visit, listen, download and feedback, along with technical context and approximate location. This feeds the analytics and audience insights shown to the artist who owns the release. Aggregate metrics — not individual visitor identities — are presented to artists.
2.7 Billing data
Subscriptions and credit purchases are processed by Stripe. We do not receive or store full card numbers or security codes — those are handled entirely by Stripe. We store a Stripe customer reference, your plan, subscription status, renewal/cancellation state, and a ledger of credit transactions. Invoices and saved payment methods are managed in the Stripe-hosted Customer Portal.
2.8 Usage & technical data
We collect application logs and error reports (including diagnostic details) to keep the Service secure and reliable and to fix problems.
3. How We Use Your Data
- Create and secure your account and authenticate you.
- Operate core features: releases, uploads, campaigns, contacts, promo pages, analytics and the credit system.
- Generate AI-assisted campaign copy and recipient suggestions.
- Process subscription and credit payments and provide billing history.
- Send transactional email (verification, password reset, campaign and support notifications) and, where you have opted in, product updates.
- Produce delivery reporting and audience insights for your releases.
- Detect and prevent fraud, spam and abuse.
- Measure marketing performance via the Meta Pixel and Conversions API (only in production and only with your cookie consent — see §6).
- Comply with legal obligations.
4. Legal Bases for Processing (GDPR)
Where the EU or UK GDPR applies, we rely on the following legal bases. For a dedicated overview of how we meet our GDPR obligations, see our GDPR Compliance page.
- Contract: to deliver the Service you signed up for (accounts, uploads, campaigns, billing, analytics).
- Legitimate interests: security, fraud prevention, service improvement and product analytics, balanced against your rights.
- Consent: non-essential cookies and marketing/ advertising tracking (Meta Pixel and Conversions API), which you can withdraw at any time.
- Legal obligation: retaining billing records and responding to lawful requests.
5. Data Sharing & Subprocessors
We do not sell your personal data. We share it only with the service providers needed to run the platform:
- Supabase — database, authentication and file storage that host your account, content and uploads.
- Stripe — subscription and credit payment processing and the Customer Portal. Stripe is PCI-DSS compliant; card details never reach our servers.
- Brevo — delivery of transactional and campaign emails, receiving the recipient address and message content.
- Meta Platforms — advertising measurement via the Meta Pixel and Conversions API, only with your consent and only from our production domain. Email addresses sent to Meta are hashed (SHA-256) before transmission.
- AI gateway provider — large language model inference for campaign generation. Inputs you provide may be sent for processing to return results.
We may also disclose data where required by law, court order or a regulator, or to protect the rights, property or safety of The Musical Road, our users or the public.
6. Cookies & Advertising Tracking
We use essential cookies to keep you signed in and remember your preferences, and — only after you consent — analytics/advertising technologies including the Meta Pixel and its server-side Conversions API. Meta tracking is active only on our production domain and is disabled until consent is given. Full details, including how to change your choice, are in our Cookie Policy.
7. International Transfers
Some of our subprocessors (including Stripe, Brevo and Meta) are based in, or transfer data to, countries outside the EEA such as the United States. Where that happens we rely on appropriate safeguards such as the EU Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA).
8. Data Retention
We keep your account data for as long as your account exists. If you delete your account, your account and associated data (releases, uploads, campaigns, contacts and analytics you own) are permanently removed (see §10). Billing records held by Stripe are retained as required by financial and tax law. Suppression-list entries are retained so previously unsubscribed or bounced recipients are not re-contacted. Aggregated analytics that cannot be linked to an individual may be kept to power platform insights.
9. Security
We apply technical and organisational measures including:
- TLS encryption for data in transit and encryption at rest.
- Row-Level Security so users can only access their own records, plus least-privilege access controls for staff and services.
- Passwords hashed by our authentication provider.
- Private storage buckets with access-controlled file delivery.
Note: two-factor authentication is not yet available (it is planned). No system is perfectly secure. If a personal-data breach is likely to create a risk to your rights, we will notify you and the relevant supervisory authority as required by law.
10. Your Rights & Choices
Depending on your jurisdiction you may have the right to:
- Access & portability: you can export your data yourself at any time from Settings → Data & Privacy (a full account export plus per-table CSV exports of campaigns, contacts and releases), or request a copy from us.
- Rectification: correct inaccurate data, including directly in your profile settings.
- Erasure: delete your account and associated data yourself from Settings → Data & Privacy; deletion is permanent and immediate.
- Objection & restriction: object to or restrict certain processing, including direct marketing.
- Withdraw consent: change your cookie/advertising consent at any time.
To exercise rights not available in-app, email themusicalroad@gmail.com. We aim to respond within 30 days. You may also complain to your local data protection authority.
11. Children's Privacy
The Service is not directed at anyone under 16, and we do not knowingly collect data from children under 16. If you believe a minor has given us data, contact themusicalroad@gmail.com and we will delete it.
12. Changes to This Policy
We may update this policy to reflect changes in our practices or the law. When we make material changes we will update the "Last updated" date and, where appropriate, notify you. Continued use after changes means you acknowledge the updated policy.
13. Contact
- Email: themusicalroad@gmail.com
- Website: themusicalroad.com