Compliance without the Headache.
We built MusicIntel and our platform Musicata to be privacy-first by design. Here is how we keep you (and your visitors) safe for 2026 and beyond.
Data Isolation
No ad-network sharing. Visitor data stays in dedicated environments. Customers own their data; we are a processor under UK/EU GDPR.
The 30-Day Rule
Raw visitor telemetry is capped at 30 days, then aggregated. Security logs are kept for up to 90 days. Billing/account data is retained per statutory requirements.
No Cross-Site Tracking
No third-party tracking cookies or ad pixels. We only measure on-site behaviour for your properties to calculate attention and momentum.
UK/EU Data Sovereignty
UK company, UK/EU primary hosting. Transfers outside the UK/EU use SCCs/IDTA with risk assessments. Lawful bases: Legitimate Interests for artist promotion; Contract for account services.
Data Subject Rights
Access, rectification, erasure, restriction, objection, portability. Because we do not keep direct identifiers for visitors, we may request IP and timestamp to locate data. Submit requests to legal@musicintel.co.uk.
Subprocessors (2026)
- IP-API Pro (geolocation)
- Brandfetch (logo resolution)
- PDL / People Data Labs (optional enrichment)
- Revolut (payments)
- Cloud/CDN (UK/EU-first, SCCs/IDTA for any third countries)
Security Controls
- TLS 1.2+ in transit; encrypted storage for customer data.
- Role-based access, least privilege, and key rotation.
- Rate limiting and bot filtering on ingestion endpoints.
- Data minimisation by design; no unnecessary identifiers.
DPA & Documentation
We offer a Data Processing Addendum (UK/EU GDPR) with SCCs/IDTA where required. Security overview, subprocessor list, and incident response playbook are available on request.
Third-Party Platform Integrations (OAuth)
Our platform Musicata allows you to optionally connect your own social media and streaming accounts via OAuth 2.0 authentication to aggregate audience metrics. We comply with platform-specific data use policies and apply the following safeguards:
- Meta (Facebook & Instagram): We request read-only access to page followers and Instagram business insights. We do not access, store, or process posts, messages, or non-public content. Users can disconnect at any time; cached data is deleted within 24 hours.
- Google (YouTube & Search Console): Read-only access to subscriber counts and search performance. No access to private videos or email.
- Spotify: Public follower/listener counts only via their Web API.
Lawful Basis: Contract (Art. 6(1)(b)) - providing the aggregated dashboard service you requested.
Disconnection: Dashboard Settings > Connected Accounts.
Data Retention: Aggregate metrics are retained while the account is active; raw tokens are encrypted at rest and cleared on disconnect.