Privacy Policy

Effective Date: January 1, 2026

We believe you can have intelligence without being creepy. This policy explains what we collect, why, how long we keep it, and your rights.

1. Who We Are & Contact

MusicIntel Ltd acts as Data Controller for our marketing sites and as Processor for customer sites using our Musicata platform and tracker.

Contact: legal@musicintel.co.uk

2. What We Collect

  • IP-derived signals (company/region; we do not keep raw IPs permanently).
  • User agent & device (browser/OS, mobile/desktop).
  • Referrer & UTM (traffic source, campaign metadata).
  • On-page behaviour (scroll depth, dwell time/heartbeat, pages visited).
  • Optional customer-supplied metadata (e.g., brand logo, industry) when customers enrich their own records.
  • Account data (email, name, company) for users who register to use our services.
  • Payment Information: All payments are processed and managed by Revolut. We do not store or have access to your credit card numbers or full billing bank details.

3. Why We Collect It (Legal Basis)

  • Legitimate Interests (Art. 6(1)(f) GDPR): Artist promotion, fan behaviour tracking, bot filtering, service security.
  • Contract (Art. 6(1)(b)): To deliver the dashboard to paying users.
  • Consent: Where local law requires (e.g., marketing cookies), our customers obtain and pass consent status.

4. What We Do Not Collect

No cross-site tracking cookies, no ad network sharing, no persistent device fingerprinting beyond session telemetry, and no direct personal identifiers for visitors (names/emails/phone) unless you explicitly provide them to us.

5. Retention

  • Raw visitor telemetry: 30 days max, then aggregated.
  • Account/billing records: For the life of the account plus statutory retention (e.g., 6 years for invoices in the UK).
  • Security/event logs: Up to 90 days for abuse detection.

6. Subprocessors

We use vetted providers under DPAs:

  • IP-API Pro (geolocation)
  • Brandfetch (logo resolution, B2B only)
  • PDL / People Data Labs (optional enrichment when enabled by customers)
  • Revolut (payments processing and management)
  • Cloud hosting & CDN providers in the UK/EU (or with adequate safeguards)

7. Third-Party Platform Integrations (OAuth Connections)

Our platform Musicata allows users to connect their own social media and streaming accounts to view aggregated audience metrics in a unified dashboard. These connections are optional and user-initiated.

Meta (Instagram & Facebook)

  • Permissions requested: pages_show_list, pages_read_engagement, instagram_basic, instagram_manage_insights
  • Data accessed: Follower/fan counts, page list, public profile information
  • Purpose: Display your social audience metrics alongside website analytics to help you understand which marketing efforts drive real results
  • Storage: We cache follower counts and profile metadata only; we do not store posts, comments, stories, or private messages
  • Disconnection: You can disconnect Meta accounts at any time via Settings > Connected Accounts in your dashboard. Upon disconnection, cached data is deleted within 24 hours.

Google (YouTube & Search Console)

  • Data accessed: YouTube subscriber count, Search Console impressions and clicks
  • Purpose: Display video audience and search visibility metrics
  • Storage: Aggregate metrics only
  • Disconnection: Settings > Connected Accounts

Spotify

  • Data accessed: Follower count, monthly listener count (public data)
  • Purpose: Display streaming audience metrics for artists
  • Disconnection: Settings > Connected Accounts

How We Use Connected Platform Data

All platform connections use OAuth 2.0 authentication. We request only the minimum scopes needed to read public/profile metrics. We:

  • ✓ Display your follower counts in your dashboard
  • ✓ Track growth trends over time
  • ✓ Correlate with your website traffic and campaign activity
  • ✓ Include in Harmonix AI daily briefings
  • ✗ Never post on your behalf
  • ✗ Never access private messages or content
  • ✗ Never share this data with third parties
  • ✗ Never sell your social data

To exercise your data rights regarding Connected Platform data, contact legal@musicintel.co.uk.

8. International Transfers

We host primarily in the UK/EU. Any transfers outside the UK/EU use appropriate safeguards (e.g. the UK International Data Transfer Addendum or Standard Contractual Clauses) and risk assessments.

9. Security

Encryption in transit (TLS 1.2+), encryption at rest for customer data, least-privilege access, rate limiting, and regular key rotation for production secrets.

10. Your Rights (UK GDPR / GDPR)

You can request access, correction, deletion, restriction, objection, or portability. You also have the right to object to processing based on our legitimate interests. Because we don't keep direct identifiers for visitors, we may ask for the IP and approximate visit time to locate data.

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) in the UK (ico.org.uk). Contact us first at: legal@musicintel.co.uk.

11. Children

Our services are not directed at children under 16.

12. Updates

If we make material changes, we will update the effective date and post a dashboard/website notice.