Privacy Policy
This policy describes how SoundAssist ("we", "us") collects, uses and protects personal data when you use our website (soundassist.online), web app (app.soundassist.online) and desktop Connect app. We are based in the Netherlands and comply with the EU General Data Protection Regulation (GDPR).
If anything here is unclear, email us at info@soundassist.online.
1. Who is the data controller?
Andre Schrama, operating as SoundAssist, is the data controller. We can be reached at info@soundassist.online.
2. What data we collect
2.1 Information you provide
- Account details: email address, name, password (hashed), country.
- Profile content: bio, avatar image, cover image, links to your tracks. Optional and under your control.
- Audio uploads: WAV, FLAC, AIFF, MP3 and similar files you upload (your masters, mixes, voice messages, references).
- Messages: written and voice messages exchanged with your engineer or client inside the platform.
- Booking details: scheduled session times, notes you add to a booking, the service you requested.
- Payment information: card details are entered directly on Stripe — we never see or store them. We retain payment metadata (amount, plan, date, last 4 digits of card) for invoicing and revenue records.
2.2 Information collected automatically
- Usage data: pages visited, features used, timestamps. Used to operate the service and detect abuse.
- Device data: browser type, operating system, language, approximate location derived from IP. Used to render the right UI and for security.
- Error reports: when something crashes we log a stack trace and the URL that triggered it. We deliberately exclude user emails from these reports.
- Session recordings: when you participate in a live mix/master session, the audio of the session is recorded so you and your engineer can refer back to it. Recordings are stored privately per client and never shared.
3. Why we collect it (legal basis)
| Purpose | Legal basis (GDPR) |
|---|---|
| Operate your account + app features | Performance of contract (Art. 6(1)(b)) |
| Process payments + invoices | Performance of contract + legal obligation (Art. 6(1)(b) + (c)) |
| Send service emails (magic links, booking confirms) | Performance of contract |
| Detect abuse + secure the platform | Legitimate interest (Art. 6(1)(f)) |
| Analytics (aggregate page views) | Legitimate interest (Art. 6(1)(f)) |
| Marketing emails (only if you opt in) | Consent (Art. 6(1)(a)) |
4. Who we share data with (processors)
We don't sell your data. We use these subprocessors to operate the service:
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Database + authentication | EU (Frankfurt) |
| Vercel | Web hosting + edge network | EU + global |
| Cloudflare R2 | Audio + file storage | Global edge network |
| Cloudflare CDN | Content delivery | Global edge network |
| Stripe | Payments + invoicing | US, EU representative |
| Resend | Transactional email delivery | EU |
| OpenAI | Transcription + session summary (Whisper + GPT) | US |
| LiveKit | Real-time audio/video for live sessions | EU (Frankfurt) |
| Sentry | Error tracking | EU (Frankfurt) |
| Vercel Analytics | Aggregate page-view analytics, no cookies | EU |
Each subprocessor handles only the data it needs and is bound by a Data Processing Agreement (DPA) under GDPR Art. 28.
4.1 International transfers
Some subprocessors (Stripe, OpenAI) are based in the United States. Transfers to the US are protected by the EU-US Data Privacy Framework (where the subprocessor is certified) and/or by Standard Contractual Clauses.
5. How long we keep your data
- Account + profile: as long as your account exists.
- Audio uploads + project files: as long as your account exists. We don't auto-delete files.
- Session recordings + transcripts: as long as your account exists, unless you delete them yourself.
- Payment records + invoices: 7 years (Dutch fiscal law requires this).
- Error reports: 30 days (Sentry default).
- Analytics: 30-90 days depending on the metric (Vercel Analytics retention).
- Backups: 7 days rolling (Supabase + R2).
6. Your rights under GDPR
You have the right to:
- Access your personal data — see what we store about you.
- Rectify incorrect data — update your profile or email us.
- Erase your data — delete your account or request full deletion.
- Restrict processing — ask us to pause certain uses.
- Object to processing based on legitimate interest.
- Data portability — receive your data in a machine-readable format.
- Withdraw consent at any time (for marketing emails, etc.).
- Lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
6.1 How to exercise these rights
Email info@soundassist.online with your request. We respond within 30 days as required by GDPR. You can also delete your account yourself from your settings page; a full data export is currently available by email request and is provided as a downloadable ZIP within 14 days.
7. Cookies + analytics
We use essential cookies for authentication (your login session) and CSRF protection. These are required for the app to function.
We use Vercel Analytics for aggregate, anonymous page-view counting. Vercel Analytics is cookieless and GDPR-friendly. No third-party advertising or tracking cookies are used.
If we ever add analytics that require consent, we'll show a banner first.
8. Security
We protect your data with:
- HTTPS-only access (HSTS enforced).
- Passwords stored as bcrypt hashes — we never see your plaintext password.
- 2FA on every operational account (GitHub, Vercel, Stripe, Supabase, Cloudflare, Resend).
- Row-level security (RLS) on the database — each user can only read their own rows.
- Daily database backups (7-day retention).
- Real-time error monitoring (Sentry) so we know about problems within seconds.
No system is perfect. If you spot a security issue, please report it to info@soundassist.online.
9. Children
SoundAssist is not directed at children under 16. If you believe a child has provided us with personal data, contact us and we'll delete it.
10. Changes to this policy
We'll update this page when we make material changes. The "Last updated" date at the top reflects the most recent revision. Significant changes will be announced via email or an in-app banner.