Privacy Policy

Catalog Manager — Effective Date: April 1, 2026 · Version 2.0

We never sell, share, or monetize your personal data or the data you upload. All data exists solely to power the service you use.

1. Introduction

This Privacy Policy explains how personal data is collected, used, stored, and protected when you use Catalog Manager ("the Service"). Catalog Manager is a standalone music catalog management platform for record labels, artists, managers, and rights holders. The Service is offered globally and may be accessed by users worldwide.

This policy complies with the GDPR (EU), CCPA/CPRA (California), LGPD (Brazil), PIPEDA (Canada), and other applicable privacy laws. Where you act as Data Controller, you are responsible for compliance with applicable data protection laws in your jurisdiction.

2. Roles and Responsibilities

2.1 Data Controller Identity

Catalog Manager is operated by Catalog Manager (company registration pending), based in Rome, Italy. Privacy inquiries: legal@catalogmanager.app.

2.2 Catalog Manager as Data Processor

Catalog Manager acts as a Data Processor. We provide the technology platform and infrastructure. We process personal data only on your instructions, and as necessary to provide, maintain, and secure the Service. We do not decide what data to collect or how to use it — you do.

2.3 You as Data Controller

When you create an account and upload data to Catalog Manager, you are the Data Controller:

You decide what personal data to upload (artist names, financial figures, rights holder splits, statement data).
You are responsible for having the legal right to upload and process that data.
You are responsible for the accuracy of all data you enter.
If you upload personal data about third parties, you must have a lawful basis — typically a contract with those individuals.

2.4 Independent Artists

If you are an independent artist managing your own catalog, you are both the Data Subject and Data Controller of your own data.

3. Data We Collect

3.1 Data We Collect Directly (as limited Controller)

Account credentials: email address, hashed password, organization name.
Usage data: login timestamps, feature usage, browser/device type.
Consent records: timestamp and version of Terms and Privacy Policy accepted.

For this data, Catalog Manager is the Data Controller. Lawful basis: contractual necessity (GDPR Art. 6(1)(b)).

3.2 Data You Upload (You as Controller, We as Processor)

Data Category	Examples	Purpose
Account Data	Email, name, password hash, org name	Auth, account mgmt, service delivery
Catalog Data	Releases, tracks, ISRCs, UPCs, artist names, genres	Core service — catalog management
Financial Data	Royalty statements, earnings, recoupment, PDFs	Storing financial records you upload
Rights Holder Splits	Rights holder names, split %, roles	Recording splits as you define them
Connected Tokens	Spotify/Gmail OAuth tokens	Optional integrations you connect
Usage Data	Login times, features used, browser	Security and improvement
Documents	Statement PDFs, artwork	Storage for your catalog

What we do NOT collect: Payment card data, biometric data, racial/ethnic origin, political opinions, religious beliefs, health data, or any GDPR Art. 9 special categories.

4. Lawful Basis for Processing

4.1 Account Data (We as limited Controller)

Contractual Necessity (Art. 6(1)(b)): To provide the Service.
Legitimate Interest (Art. 6(1)(f)): Security and service improvement.
Consent (Art. 6(1)(a)): Optional features like marketing.

4.2 User-Uploaded Data (You as Controller)

You determine the lawful basis for data you upload. We process it solely on your instructions as Processor, governed by the DPA.

5. How We Use Your Data

Providing the Service: hosting, storing, displaying your data.
Authentication and account management.
Optional third-party integrations when you authorize them.
Platform security and integrity.
Service improvement (aggregated, anonymized patterns only).
Critical service communications.

We do NOT: sell data, share for ads, profile, or make automated decisions. We do not access your content except as necessary to provide, maintain, and secure the Service.

6. Data Sharing and Sub-Processors

We do not sell, rent, or share your personal data with any third party.

Sub-processors:

Supabase (database, auth): SOC 2 Type II. AES-256, TLS.
Spotify API (optional): OAuth token + display name only.
Gmail API (optional, when you enable the Gmail Scanner): we use the gmail.readonly scope to detect and parse music distributor royalty statement emails. See section 6.1 below for the full Limited Use disclosure.

OAuth tokens (e.g., from Spotify and Google) are stored securely (AES-256-GCM encryption at rest) and used only to enable the integrations you request. Tokens are deleted when you disconnect an integration or close your account.

Each sub-processor is bound by data processing agreements. We will notify users of material sub-processor changes via email or in-app notification. We may disclose data if required by law.

6.1 Google API Services — Limited Use Disclosure

Catalog Manager's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

When you connect Gmail, Catalog Manager requests the gmail.readonly scope solely to detect and parse royalty statement emails sent by music distributors (e.g., DistroKid, TuneCore, CD Baby, Believe, Symphonic, AWAL). Specifically:

What we read: Only emails matching distributor sender addresses and statement-related keywords. Other emails are not read, indexed, or stored.
What we extract: Royalty figures (track title, period, payout amount) and attached statement files (PDF/CSV) referenced in matching emails.
What we store: Parsed financial figures, encrypted at rest in our database, scoped to your account. Raw email bodies are not stored on Catalog Manager's servers.
What we never do: We do not send email on your behalf, modify or delete your inbox, transfer Gmail data to third parties, use Gmail data to serve advertising, or allow humans to read your Gmail data except as required for security investigations or with your explicit consent.
Disconnect: You can disconnect Gmail any time inside Catalog Manager (Settings → Connected accounts) or at myaccount.google.com/permissions. Disconnecting revokes our refresh token and stops all further access immediately.

7. Data Security

We rely on third-party infrastructure providers (such as Supabase) that implement industry-standard security measures, including encryption at rest and in transit. We also implement application-level controls:

Row-Level Security: database-enforced organizational isolation.
Statement protection: secondary password, session-scoped access.
Financial blur: option to hide amounts for screen privacy.
Session-based access: expires on session end.

8. Data Retention

Account Data: While active. Deleted within 30 days on request.
Catalog Data: While active. Exportable, deletable on request.
Financial Data: Up to 7 years per record-keeping law. Exportable anytime.
Splits: While active. Deletable subject to record-keeping.
Usage Logs: Up to 12 months, then anonymized/deleted.
Tokens: Deleted on disconnect or account closure.

9. Your Rights

Depending on your jurisdiction, you may have rights under applicable data protection laws, including the right to access, correct, delete, restrict, port, and object to the processing of your personal data.

9.1 Account Data (We as Controller)

GDPR/CCPA/LGPD/PIPEDA and equivalent local laws: access, rectify, erase, restrict, port, object. Contact us and we will respond within 30 days.

9.2 Uploaded Data (You as Controller)

You control it. Edit, export, delete anytime. Third-party requests redirected to you; we assist.

9.3 US Privacy Laws

We do not sell or share personal data as defined under applicable US privacy laws, including the CCPA/CPRA.

10. International Transfers

Personal data may be transferred and processed outside your country of residence. Where required, appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms are implemented in accordance with applicable law.

11. Cookies

We use only essential cookies necessary for the operation of the Service (authentication, session management). We do not use advertising or tracking cookies.

12. Children

Not for under-16s. No knowing collection from children.

13. Policy Changes

Material changes: email/in-app notice, updated date/version, renewed consent where required.

14. Breach Notification

Authority notified within 72 hours. Users notified if high risk. All applicable laws followed.

15. Complaints

Garante per la protezione dei dati personali
Piazza Venezia 11, 00187 Roma — www.garanteprivacy.it

16. Governing Law

This Privacy Policy shall be governed by and construed in accordance with the laws of Italy, without regard to conflict of law principles. Nothing in this policy limits any rights you may have under mandatory local law in your jurisdiction.

17. Contact

Catalog Manager
Rome, Italy
Email: legal@catalogmanager.app