Privacy Policy
What we collect, why, and how to make us forget.
Last updated · 2026-05-13
Draft — requires legal review.
This page is template copy generated for Dubrate's pre-launch surface. The final wording must be reviewed and signed-off by Dubrate Ltd's solicitors before public launch. Do not rely on this text for any binding obligation.
1. Who we are
Dubrate Ltd is the data controller for personal information collected through the Dubrate marketplace. Registered in Bristol, United Kingdom. Information Commissioner's Office (ICO) registration pending.
Data Protection contact: privacy@dubrate.com
2. What we collect
2.1 Account data
- Email address — required for authentication and receipts.
- Display name — optional, visible on public DJ profile pages.
- Country — derived from IP at signup for VAT calculation.
- Password — stored as a salted hash by Supabase Auth.
2.2 Transactional data
- Purchases (track ID, price, date).
- Wallet balance + transactions (top-ups, debits, refunds, expiry).
- Subscription tier, status, billing period, rolling credit balance.
- Stripe Customer ID (you, the buyer) and Stripe Connect Account ID (you, the artist).
2.3 Behavioural data
- Tracks you wishlisted, followed, played.
- Crates you created and tracks you added to them.
- Search queries (retained 30 days).
- Page-view logs with IP address (retained 90 days, for security + abuse detection).
2.4 Seller-only data
- KYC information collected and processed by Stripe Connect under Stripe's privacy policy. Dubrate does not store or have access to your KYC documents.
- Copyright attestation log: timestamp, IP, user-agent, and the exact wording you agreed to at upload time. Retained for the life of the track plus 7 years (HMRC + dispute window).
3. Why we collect it (lawful basis)
Under UK GDPR / Data Protection Act 2018:
- Contract — to fulfil your purchases, deliver downloads, manage subscriptions, pay sellers.
- Legitimate interest — to operate the platform, prevent fraud, improve features.
- Legal obligation — to comply with HMRC tax reporting, anti-money-laundering checks (via Stripe Connect), and DMCA/CDPA notice handling.
- Consent — for marketing emails (you opt in separately). Cookie consent for non-essential cookies.
4. Who we share it with
- Supabase (Ireland / EU region) — hosting our database, auth, and storage. Standard Contractual Clauses cover any non-EEA processing.
- Stripe — payments + Connect platform. Stripe processes your payment data; Dubrate never sees your card number.
- Apple / Google — receipts for in-app purchases on mobile.
- Hetzner Cloud (Germany / EU) — hosts the web application servers.
- Sentry — error reporting. Personal data is scrubbed from error contexts.
We do not sell your personal data. We do not share with advertisers.
5. Retention
- Financial records (orders, invoices, payouts): 6 years (HMRC requirement).
- Account data: until you delete your account + 30 days for finalising any pending operations.
- Search queries: 30 days.
- Page-view + access logs: 90 days.
- Copyright attestation log: life of track + 7 years (dispute retention).
6. Your rights
Under UK GDPR you can:
- Access the personal data we hold about you.
- Correct anything that's wrong.
- Erase data we hold (subject to financial-records retention above).
- Export your data in a portable format.
- Object to or restrict processing.
- Withdraw consent (where consent is the lawful basis).
Request any of the above by emailing privacy@dubrate.com. We respond within 30 days as required by UK GDPR Article 12.
If you're not satisfied with our response you have the right to complain to the Information Commissioner's Office (ico.org.uk).
7. Cookies
Dubrate uses these cookies:
- sb-access-token, sb-refresh-token — essential, Supabase Auth.
- cart-session — essential, persists your cart across tabs.
- cookie-consent — essential, remembers your consent choice.
- Analytics + product-insight cookies — only when you opt in via the consent banner.
8. International transfers
All primary processing happens in EU/UK regions. Where data is transferred to a third-country processor (e.g. Sentry US tier), Standard Contractual Clauses are in place.
9. Children
Dubrate is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have, email privacy@dubrate.com and we'll erase it.
10. Changes
We'll notify you of any material change at least 30 days in advance via email.