Privacy Policy

Last updated: April 28, 2026

1. Who we are

beatsheaven ("we", "us", "our") operates beatsheaven.com — a marketplace where producers sell beats and artists license them. The platform is operated from Canada. This policy explains what personal data we collect, why, how long we keep it, who we share it with, and your rights under PIPEDA (Canada — primary), GDPR/UK-GDPR (Europe), and equivalent laws in your jurisdiction.

2. Data we collect

Account data: name, email, country, producer handle, profile photo, optional bio. Created when you sign up via email/password, magic link, OTP, or Google. From OAuth providers we request only the minimum scopes (email, profile) — never your contacts, calendar, or files.
Payment data: handled by Stripe (USD/global). We store transaction references and last-four card digits for display, never the full PAN.
Payout data (producers only): bank/UPI details collected and held by Stripe Connect or Wise; we store the verification status only.
Content you upload: beats (audio, MP3/WAV preview, optional stems), cover art (still + optional video), beat metadata, license-template configurations.
Engagement data: beat plays, page views, likes, follows, wishlist additions, IP-derived country code (no precise IP retained beyond 90 days), device type, user-agent.
Messages: producer ↔ buyer direct messages, retained until either party deletes the conversation or the account.
Web push subscriptions (optional): the endpoint URL provided by Apple/Google/Mozilla push services so we can send you sale + DM notifications.
Support communications you send to support@beatsheaven.com or via in-app forms.

3. How we use it

Operate the Service — sign-in, browse, license, upload, payouts.
Process payments and issue licenses through our payment processors.
Pay producers and collaborators their share of each sale.
Personalize browsing (the "For you" feed and recommendations).
Send transactional email (receipts, license PDFs, sale alerts, password resets).
Detect and prevent fraud, abuse, DMCA infringement, and policy violations.
Comply with tax, accounting, and regulatory obligations.
With your explicit consent: send marketing emails (you can withdraw any time).

4. Legal bases

We process data under: performance of the contract (our Terms — required to run your account, deliver licenses, pay you out); legal obligation (tax, DMCA, anti-money-laundering); legitimate interest (fraud prevention, product analytics, server logs); and consent (marketing email, optional analytics cookies, web push notifications). You can withdraw consent any time without affecting the lawfulness of prior processing.

5. Sub-processors and third parties

We use the following processors to run the Service. Each is bound by their own privacy policy and by data-processing terms we maintain:

Clerk — authentication, sessions, OAuth flows.
Stripe — payments (USD/INR), subscriptions, Connect payouts. PCI DSS Level 1.
Wise — international payouts to producers when Stripe Connect isn’t supported in their country.
Supabase — file storage (audio, covers, license PDFs) and signed-URL delivery.
Cloudflare — DNS, DDoS protection, and inbound email routing for @beatsheaven.com addresses.
Vercel — application hosting + edge CDN.
Neon — managed Postgres database (Singapore region).
Resend — transactional email delivery.
Upstash Redis — distributed rate limiting (no PII stored, only request counters).
Apple Push / Google FCM / Mozilla Autopush — web push delivery (only if you opt in).
Optional analytics + advertising — Google Analytics 4, PostHog (product analytics + 10% session replay with all inputs masked), Meta Pixel, TikTok Pixel. These load only after you accept the cookie consent banner. Decline is fully supported and breaks no feature.

6. International transfers

Data is processed in Canada, the United States, the European Economic Area, India, and Singapore depending on the processor. Where data leaves your jurisdiction we rely on Standard Contractual Clauses (EU/UK), the UK’s International Data Transfer Addendum, and the provider’s own certifications (SOC 2, ISO 27001) to maintain equivalent protections.

7. Data retention

Active account: while your account exists.
Deleted account: 30 days, then purged from our primary database. Backup snapshots roll out on a 90-day cycle.
Order + payout records: 7 years (statutory tax retention).
Engagement events (plays, views, likes): aggregated to country-level after 90 days, individual events deleted.
License instances: retained as long as the buyer holds the license.
Server logs: 30 days.

8. Your rights

Subject to local law, you have the right to: access your data, correct it, delete it, export it in a portable format, restrict its processing, object to legitimate-interest processing, withdraw consent, and lodge a complaint with a supervisory authority. To exercise any right, email privacy@beatsheaven.com from the address tied to your account. We respond within 30 days, in line with PIPEDA timelines for Canadian residents and GDPR Article 12 timelines for EEA/UK residents.

9. Cookies and tracking

We split cookies into Essential (sessions, cart, region — always on),Functional (UI preferences), Analytics (GA4, PostHog), and Marketing (Meta Pixel, TikTok Pixel). Analytics + Marketing only load after consent. Full per-cookie disclosure is at /legal/cookies. You can change your choice any time by clearing the bh_consent cookie or via your browser’s site settings. We honour Do Not Track as implicit decline of optional cookies.

10. Security

TLS 1.3 in transit. Encryption at rest (AES-256) on database, storage, and backups. Least-privilege role separation. Secrets stored in Vercel encrypted env. Webhook signatures verified with timing-safe HMAC. Production access requires Clerk-mediated SSO with MFA. We will notify affected users within 72 hours of any breach with material impact, in line with PIPEDA breach-notification rules and GDPR Article 33.

11. Children

The Service is intended for users 13 and older (16 in the EEA, and the local age of digital consent where higher). Users under the local age of majority must have verifiable parental or guardian consent. We do not knowingly collect data from children below the applicable threshold. If you believe a minor has created an account, contact privacy@beatsheaven.com for prompt removal.

12. Data export and deletion

You can delete your own account at any time from /settings (Danger zone → Delete account). This begins a 30-day soft-delete window during which you can reverse the deletion by simply signing back in. After 30 days your data is purged from the primary database. Order and payout records survive the 7-year tax retention requirement (anonymised where lawful). Purchased licenses remain valid — the rights you bought are yours to keep.

For a full data export — your account, beats, orders, license instances, messages, and engagement events as a single JSON archive — email privacy@beatsheaven.com from the address on your account. We deliver within 30 days.

13. Permissions we ask for

Web Push — only after you click "Enable notifications". Used for sale alerts and DMs. Revocable in browser site settings.
Geolocation by IP (no precise GPS): used to pick currency (INR vs USD) and route to the nearest payment gateway.
OAuth scopes: only email + profile from Google. Never contacts, calendar, drive, or files.
Storage: localStorage for cart and UI state; sessionStorage for one-time view-throttle tokens.

14. Changes

Material changes will be notified by email and via an in-app banner 30 days in advance. The "Last updated" date at the top of this page always reflects the current version, and prior versions are available on request.

15. Contact + grievance

Privacy Officer (general): privacy@beatsheaven.com

Canadian residents: if we cannot resolve your concern, you may complain to the Office of the Privacy Commissioner of Canada (priv.gc.ca), the federal supervisory authority under PIPEDA.

EU/UK representative: contact us first; we will forward to our appointed Article 27 representative if your matter requires their involvement.

Postal: beatsheaven, Canada. Verified mailing address provided on written request.