← Back to Catalog Manager
Data Processing Agreement
Catalog Manager · Effective Date: April 1, 2026 · Version 1.0 · Pursuant to GDPR Article 28
1. Parties and Scope
This DPA forms part of the Terms of Service and Privacy Policy for Catalog Manager:
- Controller ("You"): The organization or individual who creates an account and uploads personal data.
- Processor ("We"): GUY MENTESH LTD, a company incorporated in Israel, trading as Catalog Manager.
This DPA applies globally and is effective automatically when you upload personal data of third parties. By using the Service, you agree to this DPA.
2. Definitions
- "Personal Data": Info relating to an identifiable person (GDPR Art. 4(1)).
- "Processing": Any operation on Personal Data (Art. 4(2)).
- "Data Subject": Person whose data you upload (artists, producers, rights holders).
- "Sub-Processor": Third party we engage to process on your behalf.
3. Subject Matter
3.1. Purpose: Processing Personal Data to provide Catalog Manager: hosting, storing, displaying catalog, financial, and rights holder data.
3.2. Data Subjects: Artists, performers, producers, songwriters, rights holders.
3.3. Data Types: Names, stage names, financials (royalties, earnings, recoupment), splits, roles, documents.
3.4. Duration: For the life of the Service relationship plus until all data deleted/returned.
4. Controller Obligations
As Data Controller, you are responsible for compliance with all applicable data protection laws in your jurisdiction, including but not limited to GDPR, CCPA, LGPD, and similar regulations. You must:
- Have a lawful basis for processing your artists'/rights holders' data.
- Ensure accuracy and currency of all uploaded data.
- Provide privacy notices to your Data Subjects about your use of Catalog Manager.
- Respond to Data Subject requests within legal timeframes.
- Ensure uploaded financial data is accurate and authorized.
- Inform us promptly when a Data Subject exercises rights.
- Comply with all applicable data protection laws.
5. Processor Obligations
Catalog Manager commits to:
- Process only on your documented instructions, and as necessary to provide, maintain, and secure the Service, except where required by law.
- Bind all authorized persons by confidentiality.
- Maintain industry-standard security measures via infrastructure providers such as Supabase, including application-level controls (RLS, session-scoped financial access).
- You provide general authorization for the use of Sub-Processors listed in the Privacy Policy. No new Sub-Processors without prior notification and your right to object. Current list in Privacy Policy.
- Assist with Data Subject requests (export, deletion capabilities in-app).
- Assist with DPIAs and supervisory consultations where required.
- Delete or return all data on termination, at your choice, except where retention is required by applicable law.
- Provide compliance evidence for GDPR Art. 28; allow audits.
- Notify you within 72 hours of any Personal Data breach.
6. Sub-Processors
We engage the following Sub-Processors, grouped by purpose. Each receives only the data necessary for its function.
Core infrastructure
- Supabase, Inc.: Database, authentication, and storage. SOC 2 Type II.
- Vercel Inc.: Application hosting and cookieless analytics.
- Upstash, Inc.: Rate limiting.
- Functional Software, Inc. (Sentry): Error monitoring. Session Replay is disabled.
Transactional services
- Resend (Plus Five Five, Inc.): Transactional email.
- Paddle.com Market Ltd.: Billing and merchant of record.
- Shufti Pro Ltd.: Identity verification (KYC/KYB). Receives only the identity documents and details you submit for verification.
Optional, user-initiated integrations
- Google LLC / Gmail API (optional): OAuth login and read-only inbox statement import. User-initiated only.
- Spotify AB (optional): Music metadata. User-initiated only.
AI features
- Anthropic PBC, Groq, Inc., and Google LLC (Gemini): AI features. Each receives only the content you submit to the relevant feature.
Distribution and audio
- LabelGrid: Distribution.
- ACRCloud: Audio fingerprinting.
Read-only metadata sources
These sources receive only non-personal search terms (such as a track title, artist name, ISRC, UPC, catalog number, or company name) and return public metadata: Spotify, Apple Music/iTunes, Beatport, Songstats, Soundcharts, Deezer, Discogs, UK Companies House, and data.gov.il.
Changes notified in advance. You may object; if unresolvable, you may terminate. Each Sub-Processor is bound by equivalent terms.
Cookies
The Service uses Vercel Analytics (cookieless), Sentry (cookieless, Session Replay off), and Paddle (strictly-necessary cookies used only for billing). Because the Service sets no non-essential or tracking cookies, no consent banner is required.
7. International Transfers
Where Personal Data is transferred internationally, appropriate safeguards are implemented in accordance with applicable law, including Standard Contractual Clauses or equivalent mechanisms. Data location disclosed on request.
8. Security
We rely on third-party infrastructure providers (such as Supabase) that implement industry-standard security measures, including encryption at rest and in transit. We also implement application-level controls:
- Row-Level Security for organizational data isolation.
- Session-scoped access for financial data.
- Regular security reviews and access audits.
- Measures appropriate to risk, nature of data (financial records, artist PII), state of the art, and cost.
9. Breach Response
Notify Controller within 72 hours. Include: nature of breach, subjects affected, consequences, remediation. Cooperate fully.
10. Data Subject Rights
Processor assists Controller via in-app export/deletion. Direct requests redirected to Controller.
11. Audits
Controller may audit annually, subject to reasonable notice, scope, and confidentiality limitations, as well as reasonable operational and security constraints. Processor provides compliance information per GDPR Art. 28 and equivalent provisions under applicable law.
12. Termination
DPA ends when Service ends. On termination: return data (structured format) or delete (within 90 days), except where retention is required by applicable law (e.g., financial data up to 7 years). Certify deletion on request.
13. Liability
Per Terms of Service. Each party liable for its own infringements of this DPA or applicable law.
14. Governing Law
This DPA shall be governed by and construed in accordance with the laws of the State of Israel, without regard to conflict of law principles. Nothing in this DPA limits any rights you may have under mandatory local law in your jurisdiction. Disputes are resolved per the Terms of Service.
15. Agreement
This DPA is incorporated into the Terms of Service for Catalog Manager. By accepting the ToS, you agree to this DPA.
Contact
GUY MENTESH LTD (trading as Catalog Manager)
Israel
Email: legal@catalogmanager.app