Privacy Policy
Information under Articles 13 & 14 GDPR
The German version at beatmarker.app/datenschutz is the legally binding reference. This English translation is for convenience.
1. Controller
The controller under the GDPR for the processing on this platform is:
We have not appointed a Data Protection Officer because the conditions of Art. 37 GDPR are not met. Please direct any data-protection requests to the email above.
2. Data we process, and why
a) Providing the website
Every request creates a technical server log with: IP address, date and
time, requested URL, HTTP status, bytes transferred, referrer, user agent.
Purpose: operating the website, IT security.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest
in secure operation).
b) Registration and account
When you sign up we process: email address, display name, password
(stored as a hash only), registration timestamp.
Purpose: authentication, providing the platform features.
Legal basis: Art. 6(1)(b) GDPR (performance of contract).
c) Uploaded audio files and annotations
When you upload audio (rough mixes, bounces) we store the files, their
metadata (file name, duration, BPM, version label, cover art), and
markers, voice notes, and comments left by you or your reviewers. Files
are stored on a server located in Austria and are
accessible only to you and the people you explicitly share with
(share links).
Purpose: providing the core feature (collaborative
audio review).
Legal basis: Art. 6(1)(b) GDPR.
d) Voice-note transcription
Voice notes recorded by you or your reviewers are transmitted to
OpenAI, L.L.C. (USA) for automatic text transcription
(Whisper API). According to OpenAI's
API Data Usage Policies,
audio submitted via the API is not used to train models and is
deleted within at most 30 days.
Purpose: automatic transcription of voice notes.
Legal basis: Art. 6(1)(b) GDPR.
Third-country transfer: see section 4.
e) Payment processing (Stripe)
When you take out a paid subscription, the payment data required is
processed directly by Stripe Payments Europe, Ltd.
(Ireland) and Stripe, Inc. (USA). Card numbers and
banking data never reach our servers — they go directly to Stripe.
We only receive the transaction confirmation and a customer ID.
Purpose: processing the subscription.
Legal basis: Art. 6(1)(b) GDPR.
Stripe privacy policy:
stripe.com/privacy.
f) Contacting us
If you contact us by email, your details (email address, content) are
stored to handle the request.
Legal basis: Art. 6(1)(b) or (f) GDPR.
3. Recipients and processors
We disclose personal data only where necessary to perform the contract, where required by law, or where you have explicitly consented. The following processors are engaged under Art. 28 GDPR:
- OpenAI, L.L.C. (USA) — voice-note transcription.
- Stripe Payments Europe, Ltd. (Ireland) / Stripe, Inc. (USA) — payment processing.
- Google Ireland Ltd. (Ireland) — delivery of the web fonts (Archivo, IBM Plex Mono) via Google Fonts. Your IP address is transmitted to Google when fonts are fetched.
4. International data transfers
When you use features that involve OpenAI (USA) or Stripe (also USA), personal data is transferred to a third country outside the EU/EEA. Both providers are certified under the EU-U.S. Data Privacy Framework; in addition we have entered into the Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR where the certification does not already cover this.
5. Retention periods
- Account data: for as long as your account exists. After account deletion, base data is removed within 30 days, except for records we are required to keep under tax-law retention rules (e.g. § 132 BAO Austria: 7 years for invoice-relevant data).
- Audio files & markers: for as long as you do not delete them or close your account. You can delete tracks individually at any time.
- Server logs: 14 days, then automatically deleted or anonymised. Longer in case of a security incident.
- Voice notes at OpenAI: at most 30 days (per OpenAI's API Data Usage Policies).
- Payment records at Stripe: per Stripe's own retention rules.
6. Cookies, local storage & similar
Beat Marker uses no tracking cookies, no web-analytics tool (no Google Analytics, Matomo, Plausible, etc.), and no advertising pixels. Only strictly necessary storage is used:
- Auth token in localStorage — keeps you signed in until you log out or clear browser storage.
- Theme preference — stores your light/dark/system choice in localStorage.
- Service-worker cache — caches static assets for offline use.
Strictly necessary storage of this kind does not require consent under § 165(3) of the Austrian Telecommunications Act 2021. There is therefore no cookie banner.
7. Your rights
You have the following rights, which you can exercise at any time by emailing contact@beatmarker.app:
- Access to your data (Art. 15 GDPR),
- Rectification of inaccurate data (Art. 16 GDPR),
- Erasure of your data (Art. 17 GDPR),
- Restriction of processing (Art. 18 GDPR),
- Portability in a structured, machine-readable format (Art. 20 GDPR),
- Objection to processing based on legitimate interests (Art. 21 GDPR),
- Complaint to a supervisory authority — in Austria: Austrian Data Protection Authority, Barichgasse 40–42, 1030 Vienna.
8. Changes to this policy
We may update this policy when the legal framework or our processing activities change. The current version is always available at beatmarker.app/privacy.
Last updated: [TO BE FILLED IN: Month YYYY]