← Back to Catalog Manager

Data Processing Agreement

Catalog Manager · Effective Date: April 1, 2026 · Version 1.0 · Pursuant to GDPR Article 28

1. Parties and Scope

This DPA forms part of the Terms of Service and Privacy Policy for Catalog Manager:

This DPA applies globally and is effective automatically when you upload personal data of third parties. By using the Service, you agree to this DPA.

2. Definitions

3. Subject Matter

3.1. Purpose: Processing Personal Data to provide Catalog Manager: hosting, storing, displaying catalog, financial, and rights holder data.

3.2. Data Subjects: Artists, performers, producers, songwriters, rights holders.

3.3. Data Types: Names, stage names, financials (royalties, earnings, recoupment), splits, roles, documents.

3.4. Duration: For the life of the Service relationship plus until all data deleted/returned.

4. Controller Obligations

As Data Controller, you are responsible for compliance with all applicable data protection laws in your jurisdiction, including but not limited to GDPR, CCPA, LGPD, and similar regulations. You must:

5. Processor Obligations

Catalog Manager commits to:

6. Sub-Processors

We engage the following Sub-Processors, grouped by purpose. Each receives only the data necessary for its function.

Core infrastructure

Transactional services

Optional, user-initiated integrations

AI features

Distribution and audio

Read-only metadata sources

These sources receive only non-personal search terms (such as a track title, artist name, ISRC, UPC, catalog number, or company name) and return public metadata: Spotify, Apple Music/iTunes, Beatport, Songstats, Soundcharts, Deezer, Discogs, UK Companies House, and data.gov.il.

Changes notified in advance. You may object; if unresolvable, you may terminate. Each Sub-Processor is bound by equivalent terms.

Cookies

The Service uses Vercel Analytics (cookieless), Sentry (cookieless, Session Replay off), and Paddle (strictly-necessary cookies used only for billing). Because the Service sets no non-essential or tracking cookies, no consent banner is required.

7. International Transfers

Where Personal Data is transferred internationally, appropriate safeguards are implemented in accordance with applicable law, including Standard Contractual Clauses or equivalent mechanisms. Data location disclosed on request.

8. Security

We rely on third-party infrastructure providers (such as Supabase) that implement industry-standard security measures, including encryption at rest and in transit. We also implement application-level controls:

9. Breach Response

Notify Controller within 72 hours. Include: nature of breach, subjects affected, consequences, remediation. Cooperate fully.

10. Data Subject Rights

Processor assists Controller via in-app export/deletion. Direct requests redirected to Controller.

11. Audits

Controller may audit annually, subject to reasonable notice, scope, and confidentiality limitations, as well as reasonable operational and security constraints. Processor provides compliance information per GDPR Art. 28 and equivalent provisions under applicable law.

12. Termination

DPA ends when Service ends. On termination: return data (structured format) or delete (within 90 days), except where retention is required by applicable law (e.g., financial data up to 7 years). Certify deletion on request.

13. Liability

Per Terms of Service. Each party liable for its own infringements of this DPA or applicable law.

14. Governing Law

This DPA shall be governed by and construed in accordance with the laws of the State of Israel, without regard to conflict of law principles. Nothing in this DPA limits any rights you may have under mandatory local law in your jurisdiction. Disputes are resolved per the Terms of Service.

15. Agreement

This DPA is incorporated into the Terms of Service for Catalog Manager. By accepting the ToS, you agree to this DPA.

Contact

GUY MENTESH LTD (trading as Catalog Manager)
Israel
Email: legal@catalogmanager.app