Privacy Policy

Beat Flow LLC ("Beat Flow," "we," "us," or "our") respects your privacy and is committed to transparency about how we collect, use, and protect your personal information. This Privacy Policy explains our data practices for beatflow.org (the "Platform").

1. Information We Collect

1.1 Information You Provide

Account Information:

• Email address (required for account creation and magic link authentication)
• Display name / username (required)
• Profile information (optional: bio, location, social media links)
• Profile picture (optional)

Seller Information (if you sell beats):

• Legal name or business name
• Tax identification information (collected directly by Stripe)
• Bank account or payout information (collected directly by Stripe)
• Beat files and metadata (title, genre, BPM, key, description, pricing)
• Content origin attestation (whether beats contain samples)

Transaction Information:

• Beats purchased or sold
• License types selected
• Transaction amounts and dates
• Download history

Communications:

• Support inquiries and correspondence
• Email preferences

1.2 Information Collected Automatically

Technical Data:

• IP address
• Browser type and version
• Device type and operating system
• Referring URLs and pages visited
• Date and time of visits
• Audio file upload/download events

Cookies and Tracking Technologies:

• Essential Cookies: Session cookies for authentication (required for Platform functionality)
• Analytics Cookies: Usage statistics (optional, you can opt out)
• Preference Cookies: Remember your settings (optional)

Cloudflare Data:

• Security logs (DDoS protection, bot detection)
• Performance metrics (CDN caching, latency)
• Edge compute logs (Workers request/response data)

1.3 Information from Third Parties

From Stripe (Payment Processor):

• Payment verification status
• Fraud risk assessment
• Transaction success/failure status
• Payout confirmation

Important: We do NOT receive or store your credit card numbers or full bank account details. Stripe handles all sensitive payment information directly.

2. How We Use Your Information

We use your personal information for the following purposes:

2.1 Provide Services (Legal Basis: Contract Performance)

• Create and manage your account
• Process beat purchases and sales
• Deliver beat files via Cloudflare R2 storage
• Send transactional emails (purchase confirmations, download links)
• Facilitate magic link authentication
• Process payments via Stripe Connect
• Generate beat license agreements

2.2 Platform Security (Legal Basis: Legitimate Interest)

• Detect and prevent fraud
• Identify bots and malicious actors
• Enforce Terms of Service
• Respond to DMCA takedown notices
• Monitor for copyright infringement
• Prevent abuse of the Platform

2.3 Analytics & Improvement (Legal Basis: Legitimate Interest / Consent)

• Analyze usage patterns to improve the Platform
• Track popular beats and genres
• Measure feature adoption
• Identify technical issues and bugs

2.4 Marketing (Legal Basis: Consent)

• Send promotional emails about new features (you can opt out)
• Announce platform updates and news

2.5 Legal Compliance (Legal Basis: Legal Obligation)

• Maintain transaction records for tax purposes (7 years)
• Respond to law enforcement requests with valid legal process
• Comply with DMCA safe harbor requirements
• Meet payment processing regulations

3. How Long We Keep Your Data

Deletion Exceptions: We may retain certain data longer when required by legal holds, ongoing litigation, tax audits, pending disputes, law enforcement requests, or DMCA repeat infringer documentation.

4. Third-Party Services

Beat Flow uses the following third-party services to operate the Platform. These services process your data on our behalf as data processors.

4.1 Stripe (Payment Processing)

What they do: Process payments, manage seller payouts, verify identities

Data shared: Name, email, payment information, transaction amounts, tax ID (for sellers)

• Stripe Privacy Policy
• Stripe Connected Account Agreement

4.2 Cloudflare (Infrastructure & Hosting)

What they do: Host platform (Pages), run backend code (Workers), store beat files (R2), database (D1), security (DDoS protection), CDN

Data shared: IP addresses, browser data, uploaded files, request/response logs

• Cloudflare Privacy Policy
• Cloudflare Data Processing Agreement

Cloudflare is EU-US Data Privacy Framework certified and uses Standard Contractual Clauses for international data transfers. They maintain ISO/IEC 27001 certification for security.

4.3 Resend (Transactional Emails)

What they do: Send account-related emails (magic links, purchase confirmations, notifications)

Data shared: Email addresses, names, transaction details

4.4 No Data Sales

We do not sell your personal information to third parties. The services listed above are data processors who provide infrastructure and services to Beat Flow—they do not use your data for their own purposes (except as required by law or their own privacy policies).

5. Your Privacy Rights

5.1 Rights for All Users

• Access: Request a copy of your personal data
• Correction: Update inaccurate or incomplete data
• Deletion: Request deletion of your data (subject to legal retention requirements)
• Portability: Receive your data in a machine-readable format
• Opt-Out: Unsubscribe from marketing emails at any time
• Object: Object to processing based on legitimate interests

5.2 Additional Rights for EU Users (GDPR)

• Right to Restriction: Limit how we process your data in certain circumstances
• Right to Lodge Complaint: File a complaint with your local data protection authority
• Right to Withdraw Consent: Withdraw consent for processing at any time

5.3 Additional Rights for California Users (CCPA/CPRA)

• Right to Know: Know what personal information we collect, use, and share
• Right to Delete: Request deletion of personal information (with exceptions)
• Right to Opt-Out: We don't sell personal information, so no opt-out is needed
• Right to Non-Discrimination: We won't discriminate against you for exercising your rights
• Right to Correct: Request correction of inaccurate personal information
• Right to Limit Use of Sensitive Personal Information: Limit use of sensitive data (not applicable—we don't collect sensitive data beyond what's necessary)

5.4 How to Exercise Your Rights

To exercise any of these rights, contact us at:

• Email: [email protected]
• Subject Line: "Privacy Rights Request - [Your Request Type]"

We will respond within 30 days (GDPR) or 45 days (CCPA). We may request verification of your identity before processing requests.

6. Data Security

We implement industry-standard security measures to protect your personal information:

• Encryption: All data in transit is encrypted using TLS 1.3
• Authentication: Magic link authentication and secure session management
• Access Controls: Role-based access to sensitive data
• Infrastructure Security: Cloudflare DDoS protection and Web Application Firewall
• Payment Security: PCI DSS compliant payment processing via Stripe
• Regular Audits: Periodic security reviews and vulnerability assessments

Data Breach Notification: In the event of a data breach affecting your personal information, we will notify you and relevant authorities as required by GDPR (within 72 hours) and CCPA (without unreasonable delay).

7. Cookies and Tracking

7.1 Types of Cookies We Use

Essential Cookies (Required):

• Session authentication
• Security tokens
• Shopping cart functionality

Analytics Cookies (Optional):

• Usage statistics
• Feature adoption tracking
• Performance monitoring

Preference Cookies (Optional):

• Remember your settings
• Dark mode preference
• Audio player preferences

7.2 Cookie Management

You can manage cookie preferences in your browser settings. Note that disabling essential cookies may limit Platform functionality.

7.3 Do Not Track Signals

We respect Global Privacy Control (GPC) and Do Not Track (DNT) browser signals for non-essential tracking. When we detect these signals, we disable analytics and preference cookies.

8. International Data Transfers

Beat Flow is based in the United States. If you access the Platform from outside the U.S., your information will be transferred to, stored, and processed in the United States.

EU-US Data Transfers:

• We use Cloudflare and Stripe, both of which are EU-US Data Privacy Framework certified
• We have entered into Standard Contractual Clauses (SCCs) with our data processors
• We implement appropriate safeguards as required by GDPR Article 46

9. Children's Privacy (COPPA Compliance)

Beat Flow is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately at [email protected].

Users between 13 and 17 may only use the Platform with parental or guardian supervision. Parents or guardians are responsible for supervising minors' use of the Platform.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via:

• Email notification to registered users
• Prominent banner on the Platform
• Update to the "Last Updated" date at the top of this policy

Review Frequency: We review and update this Privacy Policy at least annually to ensure compliance with evolving privacy laws (as required by CCPA).

11. California Privacy Rights

11.1 Shine the Light Law

California residents may request information about sharing of personal information with third parties for direct marketing purposes once per year. We do not share personal information with third parties for their direct marketing purposes.

11.2 CCPA Categories of Personal Information

In the last 12 months, we have collected the following categories of personal information:

• Identifiers: Email, name, username, IP address
• Commercial Information: Purchase history, transaction records
• Internet Activity: Browsing history on Platform, interaction with ads
• Professional Information: Seller business name, tax information (via Stripe)

We do NOT collect:

• Sensitive personal information (as defined by CPRA)
• Biometric data
• Precise geolocation data
• Protected class characteristics

12. European Privacy Rights (GDPR)

12.1 Legal Basis for Processing

We process your data under the following legal bases:

• Contract Performance: Processing necessary to provide Platform services (GDPR Art. 6(1)(b))
• Legitimate Interests: Security, fraud prevention, analytics (GDPR Art. 6(1)(f))
• Legal Obligation: Tax compliance, DMCA compliance (GDPR Art. 6(1)(c))
• Consent: Marketing emails, optional analytics (GDPR Art. 6(1)(a))

12.2 Data Controller and Processor

Data Controller: Beat Flow LLC is the data controller for all personal information collected through the Platform.

Data Processors: Stripe, Cloudflare, and Resend process data on our behalf as data processors under signed Data Processing Agreements.

12.3 EU Representative

If required under GDPR Article 27, we will appoint an EU representative. Currently, we do not meet the threshold requiring appointment.

13. Contact Information

For privacy-related questions, requests, or concerns, contact us at:

For DMCA Copyright Issues: [email protected]
For General Support: [email protected]

This Privacy Policy was drafted to comply with GDPR (Regulation (EU) 2016/679), CCPA/CPRA (California Civil Code §§ 1798.100 et seq.), and COPPA (15 U.S.C. §§ 6501–6506). While comprehensive, this policy should be reviewed by a licensed privacy attorney in your jurisdiction.

Accessibility: This privacy policy is also available in printer-friendly format. To request an alternative format (large print, audio, etc.), contact [email protected].