
Privacy Policy

Last updated: 3 June 2026

1. Who we are and what this policy covers

Learn the Music Industry (“we”, “us”, “our”) is an interactive learning platform that teaches how the music industry’s money works. This policy explains what personal information we collect, why we collect it, how we use it, and your rights under UK GDPR and the UK Data Protection Act 2018.

The data controller is Incubate & Innovate Limited (trading as LearnTheMusicBusiness.com), reachable at the address in section 12 below.

2. What information we collect

2a. Anonymous visitors (public learning path)

The public learning path (episodes and the knowledge graph) is fully accessible without creating an account. We collect no personal data from anonymous visitors. Episode progress and quiz answers are stored exclusively in your own browser via localStorage and are never transmitted to our servers.

Vercel (our hosting provider; see section 7) receives standard server logs (IP address, browser type, URL, timestamp) as part of normal HTTP traffic. We do not use this data to identify or profile individuals.

2b. Registered accounts

If you create a Learn the Music Industry account you provide an email address and choose a password. These are managed by Supabase Auth (see section 7). We store the following data in our Supabase Postgres database, with row-level security so each user can only access their own records:

  • Profile: user identifier, email address, display name (optional), account creation date.
  • Episode progress: which episodes you have completed and when, linked to your user ID.
  • Competency attempts: your responses to assessment questions, used to calculate your skill profile.
  • Entitlements: your access tier (preview / full), source (e.g. verification, firm seat), and expiry date.
  • Verification requests: if you apply for free full access as a musician, you submit a public profile link (e.g. a streaming profile or official biography URL) as evidence. This link is stored and reviewed manually by a member of our team.

2c. Firm / organisation accounts

If your employer purchases firm seats, we also hold:

  • Organisation record: firm name, type, number of seats, and (when billing is live) Stripe customer ID.
  • Membership record: links your user ID to the organisation with a role (owner or member) and status.

2d. Communications

We plan to use Postmark for transactional emails (account confirmation, password reset, verification outcome). When this feature is live, your email address will be passed to Postmark solely for delivery of that message. We do not send marketing emails without separate consent.

2e. Payments

Firm billing is planned via Stripe. When live, payment card data will be handled entirely by Stripe and never stored on our servers. We will hold only a Stripe customer reference ID.

3. Why we use your information and our legal basis

  • Contract performance (Art. 6(1)(b) UK GDPR): providing your account, managing your access tier, and (when live) processing a firm seat purchase or Stripe transaction.
  • Legitimate interests (Art. 6(1)(f) UK GDPR): security logging (Vercel server logs), detecting abuse, and improving the platform. We balance these interests against your rights; the anonymous public path minimises data collection by design.
  • Legal obligation (Art. 6(1)(c) UK GDPR): retaining billing records as required by UK tax and financial regulations.
  • Consent (Art. 6(1)(a) UK GDPR): marketing emails, if and when introduced.

4. Cookies and local storage

The public learning path uses browser localStorage only. No cookies are set for anonymous visitors. Registered accounts use a session cookie maintained by Supabase Auth to keep you signed in.

For full details of cookies and similar technologies used on this site, see our Cookie Policy.

5. Third-party processors

We use the following sub-processors. Each is engaged under a data-processing agreement that meets UK GDPR / GDPR requirements.

  • Supabase: database and authentication. Stores all account data, progress, entitlements, and verification requests in a Postgres database with row-level security. Infrastructure is provided by AWS (EU region).
  • Vercel: hosting and edge delivery. Processes request logs (IP, browser, URL, timestamp) to serve the site. Data is held on Vercel’s infrastructure, primarily in the US and EU.
  • Postmark (planned): transactional email delivery. Your email address is shared only to deliver a specific message you have requested.
  • Stripe (planned): payment processing. Handles all payment card data for firm seat purchases. Stripe is certified to PCI DSS Level 1. We receive only a customer reference ID from Stripe.
  • Clerk: authentication for internal admin tools only (founder access). End-user accounts are not managed by Clerk.

6. Data retention

  • Anonymous visitor data: server logs held by Vercel per their standard retention policy (typically 30 days). Your localStorage data remains on your device until you clear your browser storage.
  • Account data: held for as long as your account is active. If you delete your account, we will erase your profile, progress, competency records, and verification data within 30 days, subject to any legal obligation to retain billing records.
  • Billing records: retained for seven years as required by UK tax law.
  • Verification evidence: profile links submitted for musician verification are retained until a decision is made and, if approved, for the duration of the resulting entitlement.

7. Your rights under UK GDPR

You have the right to:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: ask us to correct inaccurate or incomplete data.
  • Erasure (“right to be forgotten”): ask us to delete your data, subject to legal retention obligations.
  • Portability: receive your data in a structured, machine-readable format.
  • Restriction: ask us to limit how we use your data while a complaint is being resolved.
  • Object: object to processing based on legitimate interests.
  • Withdraw consent: where processing is based on consent (e.g. marketing emails), you may withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email us at the address in section 12. We will respond within one calendar month. If you are unhappy with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO).

8. International data transfers

Some of our processors (Vercel, Stripe) operate infrastructure in the United States. Transfers outside the UK are made under the UK International Data Transfer Agreement (IDTA) or equivalent adequacy mechanisms. Supabase defaults to AWS EU regions; we will confirm the exact region when the production database is provisioned.

9. Children’s privacy

Learn the Music Industry is not directed at children under the age of 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

10. Security

We apply technical and organisational measures to protect your data, including:

  • HTTPS enforced across all routes, with HTTP Strict Transport Security headers.
  • Row-level security on all user data in Supabase Postgres, so each user can only query their own rows.
  • Secrets (database URLs, API keys) stored in environment variables, never committed to the source repository.
  • Admin tooling gated behind a single-founder allowlist enforced at both middleware and application level.
  • Regular dependency audits (npm audit) as part of the continuous-integration pipeline.

No system is perfectly secure. If you discover a vulnerability, please report it to us privately at the address in section 12 rather than opening a public issue.

11. Changes to this policy

We may update this policy from time to time, for example when we add new features (such as transactional email or Stripe billing). Material changes will be notified via a notice on the site or by email to registered users. The “last updated” date at the top of this page reflects the most recent revision. Continued use of Learn the Music Industry after a change constitutes acceptance of the revised policy.


12. Contact and data controller

For questions, to exercise your data rights, or to report a security issue, use our contact form (pick the Privacy or Security topic).

Data controller: Incubate & Innovate Limited (trading as LearnTheMusicBusiness.com)
