This Privacy Policy explains how personal data is collected, used, stored, and protected when you use Catalog Manager ("the Service"). Catalog Manager is a standalone music catalog management platform for record labels, artists, managers, and rights holders. The Service is offered globally and may be accessed by users worldwide.
This policy complies with the GDPR (EU), CCPA/CPRA (California), LGPD (Brazil), PIPEDA (Canada), and other applicable privacy laws. Where you act as Data Controller, you are responsible for compliance with applicable data protection laws in your jurisdiction.
Catalog Manager is operated by GUY MENTESH LTD, a company incorporated in Israel, trading as Catalog Manager. Privacy inquiries: legal@catalogmanager.app.
Catalog Manager acts as a Data Processor. We provide the technology platform and infrastructure. We process personal data only on your instructions, and as necessary to provide, maintain, and secure the Service. We do not decide what data to collect or how to use it. You do.
When you create an account and upload data to Catalog Manager, you are the Data Controller:
If you are an independent artist managing your own catalog, you are both the Data Subject and Data Controller of your own data.
For this data, Catalog Manager is the Data Controller. Lawful basis: contractual necessity (GDPR Art. 6(1)(b)).
| Data Category | Examples | Purpose |
|---|---|---|
| Account Data | Email, name, password hash, org name | Auth, account mgmt, service delivery |
| Catalog Data | Releases, tracks, ISRCs, UPCs, artist names, genres | Core service (catalog management) |
| Financial Data | Royalty statements, earnings, recoupment, PDFs | Storing financial records you upload |
| Rights Holder Splits | Rights holder names, split %, roles | Recording splits as you define them |
| Connected Tokens | Spotify/Gmail OAuth tokens | Optional integrations you connect |
| Usage Data | Login times, features used, browser | Security and improvement |
| Documents | Statement PDFs, artwork | Storage for your catalog |
What we do NOT collect: We do not collect or store the following GDPR Art. 9 special categories: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health data, or data concerning sex life or sexual orientation. We also do not store full payment card numbers (billing is handled by our merchant of record, Paddle).
If you are required to verify your identity (for example, before receiving payouts or accessing certain features), we collect identity verification data through our processor Shufti Pro:
You determine the lawful basis for data you upload. We process it solely on your instructions as Processor, governed by the DPA.
We do not sell, rent, or share your personal data with any third party. We use the sub-processors below to operate the Service. Each one is bound by a data processing agreement and receives only the data necessary for its function.
Core infrastructure:
Communications and billing:
Identity verification:
Optional integrations you connect:
gmail.readonly scope to detect and parse music distributor royalty statement emails. See section 6.1 below for the full Limited Use disclosure.AI features:
Music distribution and audio:
Read-only metadata sources: The following receive only non-personal search terms (such as a track title, ISRC, artist name, or company name) to look up public catalog or registry metadata, and receive no account data: Spotify, Apple Music and iTunes, Beatport, Songstats, Soundcharts, Deezer, Discogs, UK Companies House, and data.gov.il.
OAuth tokens (for example, from Spotify and Google) are stored securely (AES-256-GCM encryption at rest) and used only to enable the integrations you request. Tokens are deleted when you disconnect an integration or close your account.
We will notify users of material sub-processor changes via email or in-app notification. We may disclose data if required by law.
Catalog Manager's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
When you connect Gmail, Catalog Manager requests the gmail.readonly scope solely to detect and parse royalty statement emails sent by music distributors (e.g., DistroKid, TuneCore, CD Baby, Believe, Symphonic, AWAL). Specifically:
We rely on third-party infrastructure providers (such as Supabase) that implement industry-standard security measures, including encryption at rest and in transit. We also implement application-level controls:
Depending on your jurisdiction, you may have rights under applicable data protection laws, including the right to access, correct, delete, restrict, port, and object to the processing of your personal data.
GDPR/CCPA/LGPD/PIPEDA and equivalent local laws: access, rectify, erase, restrict, port, object. Contact us and we will respond within 30 days.
You control it. Edit, export, delete anytime. Third-party requests redirected to you; we assist.
We do not sell or share personal data as defined under applicable US privacy laws, including the CCPA/CPRA.
Personal data may be transferred and processed outside your country of residence. Where required, appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms are implemented in accordance with applicable law.
We use only strictly-necessary cookies required for the operation of the Service (authentication, session management, and billing). We do not use advertising or cross-site tracking cookies, and we do not build advertising profiles.
Because we set no advertising or tracking cookies and our analytics are cookieless, no cookie consent banner is required.
Not for under-16s. No knowing collection from children.
Material changes: email/in-app notice, updated date/version, renewed consent where required.
Authority notified within 72 hours. Users notified if high risk. All applicable laws followed.
Our lead supervisory authority is the Israeli Privacy Protection Authority (PPA). You may lodge a complaint with them at gov.il/en/departments/the_privacy_protection_authority. If you are in another jurisdiction, you may also have the right to complain to your local data protection authority.
This Privacy Policy shall be governed by and construed in accordance with the laws of the State of Israel, without regard to conflict of law principles. The competent courts of Tel Aviv-Yafo, Israel shall have exclusive jurisdiction over any dispute arising from this policy. Nothing in this policy limits any rights you may have under mandatory local law in your jurisdiction.
GUY MENTESH LTD (trading as Catalog Manager)
Israel
Email: legal@catalogmanager.app