
Privacy Policy.

v1.0.0 · EFFECTIVE 2026-04-27

This page describes what we collect, why we collect it, how long we keep it, and the rights you have over it. We try to keep this readable rather than legalistic.

Not legal advice. This document was drafted by the founding team and is awaiting review by a UK- and US-qualified privacy attorney. The version number will be bumped (and this notice removed) once that review lands. Email privacy@element59.com with any concern in the meantime.

Section 1 — Who we are

In one sentence: element59 Ltd is the controller of personal data you give us.

1.1 element59 Ltd ("element59", "we", "us") is a private limited company registered in the United Kingdom (company number — pending Companies House confirmation; registered office address pending). We are the data controller for the personal data described in this policy.

1.2 We can be reached at privacy@element59.com for any privacy question, and at the agent address listed in our DMCA Policy for service of legal process.

Section 2 — What we collect

In one sentence: Account, content, payment, analytics, and the messages you send us.

2.1 Account data. Email, hashed password (bcrypt), display handle, plan tier, multi-factor authentication secret (encrypted), AI-disclosure preferences, account creation timestamp, last-login timestamp.

2.2 Content data. The audio masters and cover art you upload, the DDEX 4.3.1 disclosure fields you select at upload, royalty-split configurations, release metadata, and any artist bio you publish.

2.3 Payment data. A Stripe Connect account identifier (we do not see or store your bank details — Stripe holds those). Payout history, monthly statement records, tax-form metadata (W-9 / W-8BEN / DAC7 status — never the form contents themselves).

2.4 Analytics. Vercel Web Analytics (cookieless, aggregated). With your explicit consent, Posthog product analytics (per-event; we do not enable session replay).

2.5 Communications. Messages you send to support / legal / DMCA inboxes; newsletter subscription state; cookie-consent state.

2.6 Inferred data. Anti-fraud signals (IP, browser fingerprint hashes), upload pipeline diagnostics (scan results, audio-feature vectors). We never resell these.

Section 3 — Why we collect it

In one sentence: Performing our contract with you, with consent for analytics, and our legitimate interest in not being defrauded.

3.1 Contract performance — Article 6(1)(b) GDPR / UK GDPR. Account, content, and payment data are necessary to operate the service you signed up for: distributing your tracks, paying you royalties, computing chart positions.

3.2 Consent — Article 6(1)(a). Non-essential analytics, optional newsletter subscription, and any future targeted-content opt-in are processed only with your active opt-in. You can withdraw consent at any time via /legal/cookies or the unsubscribe link in newsletter emails — withdrawal does not affect the lawfulness of processing before withdrawal.

3.3 Legitimate interests — Article 6(1)(f). Fraud prevention, abuse detection, and platform-integrity work (impersonation checks, slop detection, repeat-infringer enforcement). We have weighed these interests against your rights and concluded they don't override your reasonable expectations of a music-distribution platform.

3.4 Legal obligation — Article 6(1)(c). Tax records, anti-money-laundering checks at payout thresholds, and responses to lawful court orders.

Section 4 — Retention

In one sentence: Long enough to do our job, no longer than the law requires.

4.1 Account data. Active account + 6 years after closure (UK Companies Act + HMRC tax record requirements).

4.2 Audio masters. Live + 12 months after takedown / account closure, then deleted from Cloudflare R2. Derivatives (waveform, preview, thumbnail) follow the master.

4.3 Analytics. 25 months rolling. Older analytics are aggregated or deleted.

4.4 Payment records. 7 years after the relevant transaction (PSD2 + UK tax record requirements).

4.5 DMCA notices and counter-notices. 3 years from the date of the last action on the notice (matches industry-standard repeat-infringer policies).

4.6 Cookie-consent records. 24 months rolling.

Section 5 — Who we share it with

In one sentence: Sub-processors who help us run the service, plus law enforcement on a valid order.

5.1 Distribution. SonoSuite (royalty + delivery aggregator) — your release metadata, audio file, and payout target are forwarded for delivery to streaming platforms.

5.2 Payouts. Stripe Connect — your name, country, and Connect account identifier. Stripe is its own controller for the bank-account / KYC data you provide directly to it.

5.3 Email. Resend — your email address and message body for transactional and newsletter mail.

5.4 Storage. Cloudflare R2 — encrypted-at-rest object storage for masters and derivatives.

5.5 Hosting. Vercel (the public marketing site and app) and Railway (Postgres + Redis + worker). Both are processors operating under our DPAs.

5.6 Observability. Sentry (errors), Axiom (structured logs). We scrub email addresses and other identifiers from logs before they reach these processors.

5.7 Legal disclosure. We disclose personal data to law enforcement only on receipt of a valid legal order, and we publish a transparency report annually starting one year after launch.

Section 6 — International transfers

In one sentence: We use the EU-US Data Privacy Framework, Standard Contractual Clauses, and the UK ICO Addendum to keep your data legally portable.

6.1 Some of our sub-processors (notably Stripe, Resend, Sentry, and Vercel) operate compute or storage in the United States. We transfer personal data to those sub-processors under one of: (a) the EU-US Data Privacy Framework where the recipient is DPF-certified; (b) the European Commission's 2021 Standard Contractual Clauses (Module 2 controller-to-processor); and (c) the UK ICO's International Data Transfer Addendum, executed alongside the SCCs.

6.2 We perform a Transfer Impact Assessment on each new US sub-processor and refresh those assessments at least annually. Documentation is available on request from privacy@element59.com.

Section 7 — Your GDPR / UK GDPR rights

In one sentence: Access, correct, delete, restrict, port, or object — we'll act within one calendar month.

7.1 You have the right to: access the personal data we hold about you (right of access / SAR); have inaccurate data corrected; have your data erased subject to retention obligations under Section 4; restrict processing while a dispute is resolved; receive a portable copy of the data you provided; and object to processing carried out under Article 6(1)(f).

7.2 Service-level commitments. We will acknowledge a SAR within 5 working days and substantively respond within one calendar month. We may extend by a further two calendar months for genuinely complex requests, in which case we will tell you within the first month why we need the extension.

7.3 How to exercise rights. Email privacy@element59.com from the address registered to your account. We may ask you to verify identity if the request is unusual (for example, a deletion request that affects a high-revenue account).

Section 8 — California Consumer Privacy Act

In one sentence: California residents have the same access / deletion rights, and we don't sell personal data.

8.1 If you are a California resident, you have the right under the CCPA / CPRA to know what personal information we collect about you, to request deletion, to correct inaccurate information, and to opt out of the sale or sharing of personal information.

8.2 We do not sell or share personal information for cross-context behavioural advertising. The "Do Not Sell or Share My Personal Information" link required by the CCPA is provided here for completeness — clicking it has no operational effect because there is nothing to opt out of: Do Not Sell or Share My Personal Information.

8.3 California "Shine the Light" requests can be sent to privacy@element59.com with subject line Shine the Light Request.

Section 9 — Cookies

In one sentence: Essential cookies are on by default; analytics cookies require your consent.

9.1 We use a small number of first-party cookies. Essential cookies (session, CSRF) are on by default because the service cannot function without them. Analytics cookies are off by default and only set after you select "Accept" in the cookie banner.

9.2 A complete list of cookies — name, duration, purpose, processor — lives at /legal/cookies. You can change your preferences at any time from the link in the page footer.

Section 10 — Security

In one sentence: Bcrypt passwords, JWT sessions, TLS 1.3, encryption at rest, 24-hour breach notification.

10.1 Passwords are stored using bcrypt with cost factor 12. Sessions are JWTs signed with a secret rotated quarterly. TLS 1.3 is required for every connection. Postgres data is encrypted at rest by Railway; R2 objects are encrypted at rest by Cloudflare.

10.2 Two-factor authentication (TOTP) is required for any account with operator privileges and is offered to all users.

10.3 Breach notification. If we learn of a personal-data breach that creates a risk to your rights and freedoms, we will notify the UK ICO within 72 hours and notify affected users without undue delay (within 24 hours where the risk is high).

Section 11 — Children

In one sentence: This service is not intended for under-13s in the US and not for under-16s in the EU/UK without parental consent.

11.1 element59 is not directed at children under 13 (United States) or under 16 (European Economic Area / United Kingdom) without verifiable parental consent. We do not knowingly collect personal data from children below those thresholds.

11.2 If you believe a child has registered an account, contact privacy@element59.com and we will delete the account and any associated personal data within 7 days.

Section 12 — Changes to this policy

In one sentence: Material changes go to /legal/changelog with a diff and an effective date.

12.1 We will log material changes at /legal/changelog with a short "what changed" summary and a link to the previous version. Trivial changes (typo fixes, formatting) may be made without an entry.

12.2 Where a change materially expands the categories of personal data we process or the purposes for which we process it, we will give you at least 30 days' notice by email and re-prompt for consent where the new processing requires it.

Section 13 — Complaints

In one sentence: UK residents complain to the ICO; EU residents to their local supervisory authority; US residents to their state AG or the FTC.

13.1 If you believe we have mishandled your personal data, you can lodge a complaint with the UK Information Commissioner's Office (ico.org.uk, helpline 0303 123 1113). We would appreciate the opportunity to address the concern first via privacy@element59.com, but you do not need to contact us before contacting the ICO.

13.2 EU residents can lodge a complaint with the supervisory authority in the member state where they live, work, or where the alleged infringement occurred. The European Data Protection Board maintains a directory at edpb.europa.eu.

13.3 US residents can complain to their state attorney general (in particular: California, Colorado, Connecticut, Utah, Virginia, where comprehensive privacy laws are in force) and to the Federal Trade Commission at ftc.gov.

Section 14 — Data Protection Officer and contact

In one sentence: Email privacy@element59.com — a real person reads it.

14.1 Privacy enquiries: privacy@element59.com.

14.2 UK GDPR representative: pending appointment. Until appointed, all requests should be sent to the address above.

14.3 EU GDPR representative (Article 27): pending appointment. We will list the representative here once appointed; until then, EU residents can use the contact above and we will route the request internally without delay.