Privacy Policy

Effective Date: February 26, 2026 — Last Updated: April 2, 2026

This Privacy Policy explains how Astrasonic ("we," "us," or "our"), operated by Plan Bakery B.V., a company registered in the Netherlands, collects, uses, stores, and protects your personal data when you use the Astrasonic application, website, and related services (the "Service").

We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

1. Data Controller

The data controller for the processing of your personal data is:

Astrasonic (operated by Plan Bakery B.V.)
The Netherlands
Email: [email protected]

2. Data We Collect

2.1 Account Data

Data Type	Purpose	Legal Basis
Email address	Account identification, communication	Contract performance
Authentication credentials	Account security (WebAuthn/passkeys)	Contract performance
IP address	Security, fraud prevention, rate limiting	Legitimate interest
Session identifiers	Maintaining authenticated state	Contract performance

2.2 Music Library Metadata

Data Type	Purpose	Legal Basis
Track titles, artists, BPM, key	Library analysis and processing	Contract performance
Playlist names and structure	Library organization features	Contract performance
Cue points and DJ settings	Backup and restoration	Contract performance
File paths (relative)	File mapping and deduplication	Contract performance

2.3 Cloud Backup Data

When you use the Cloud Backup Service, we additionally process:

Data Type	Purpose	Legal Basis
Music files (audio content)	Cloud backup storage and restoration	Consent / Contract performance
File SHA-256 hashes	Deduplication and integrity verification	Contract performance
File sizes	Storage quota tracking	Contract performance
Upload/download timestamps	Backup history and audit trail	Legitimate interest

2.4 Payment Data

Payment processing is handled by Stripe, Inc. We do not store credit card numbers, CVVs, or full bank account details. Stripe's handling of your payment data is governed by Stripe's Privacy Policy.

2.5 Data We Do NOT Collect

We do not listen to, analyze, or access the audio content of your music files.
We do not use your music files for training AI models or any purpose other than backup storage and restoration.
We do not sell, rent, or share your personal data with third parties for marketing purposes.
We do not track your browsing activity across other websites.

2.6 Desktop Application Data

The Astrasonic desktop application processes your DJ software database locally on your computer. The following describes what data stays local versus what is transmitted to our servers:

Data Type	Local Only	Sent to Server
Music audio files	Yes (unless using Cloud Backup)	Only if you enable Cloud Backup
DJ database (Rekordbox/Traktor)	Yes — read and modified locally	Metadata only (track info, playlists)
File paths on your computer	Yes (full paths stay local)	Relative paths only, for file mapping
Application logs and diagnostics	Stored locally	Error reports sent to Sentry (see 3.7)
Application settings and preferences	Yes — stored in local config file	No

2.7 Enrichment Data Sources

To enrich your music library metadata (BPM, key, genre, artist names, artwork), we query a variety of publicly available and licensed data sources. These include, but are not limited to: Apple Music, Beatport, MusicBrainz, and our own proprietary database. When we query these sources:

We send minimal track identifiers (typically artist name and track title) to match against their databases.
We do not share your personal data, account information, or full library contents with these services.
Data returned from these sources is used solely to enrich your library metadata and is not shared with third parties.

3. Third-Party Data Processors

Your data may be processed by the following third-party service providers, each acting as a data processor on our behalf.

3.1 Backblaze, Inc. (Cloud Storage)

Purpose: Storage of your music files when you use the Cloud Backup Service.

Data stored: Your music files (encrypted at rest with AES-256), file metadata (keys, sizes).

Location: EU Central data center (European Union).

Privacy policy: backblaze.com/company/policy/privacy

Backblaze acts as a sub-processor. We have entered into a Data Processing Agreement (DPA) with Backblaze to ensure GDPR-compliant handling of your data. Files are stored in Backblaze's EU data center to keep your data within the European Economic Area (EEA).

3.2 Railway (Application Hosting)

Purpose: Hosting our web application and API servers.

Data processed: Request metadata, IP addresses, session data.

Privacy policy: railway.app/legal/privacy

3.3 Stripe, Inc. (Payment Processing)

Purpose: Processing payments for paid features.

Data processed: Payment card details, billing information, transaction records.

Privacy policy: stripe.com/privacy

3.4 Google (Analytics)

Purpose: Website traffic analysis and user journey optimization (via Google Tag Manager and Google Analytics 4).

Data processed: Page views, referral source, device/browser info, approximate location (country/city level).

Privacy policy: policies.google.com/privacy

3.5 PostHog (Product Analytics)

Purpose: Product analytics, session replay, conversion funnel analysis.

Data processed: Page views, click events, scroll depth, anonymized session recordings (form inputs masked).

Location: EU data center (when using eu.posthog.com).

Privacy policy: posthog.com/privacy

3.6 Resend (Transactional Email)

Purpose: Sending verification codes and service notifications.

Data processed: Email addresses, email content.

Privacy policy: resend.com/legal/privacy-policy

3.7 Sentry (Error Monitoring)

Purpose: Monitoring application errors and crashes in both the web application and desktop app.

Data processed: Error stack traces, browser/OS type, anonymized user identifiers, request URLs. No music files or library content is included in error reports.

Privacy policy: sentry.io/privacy

4. How We Use Your Data

We process your personal data for the following purposes:

Service delivery: Providing the core functionality of the Astrasonic application, including music library analysis, processing, and cloud backup.
Account management: Creating and managing your account, authenticating your identity.
Security: Protecting against unauthorized access, fraud, and abuse.
Communication: Sending you service-related notifications, verification codes, and important updates.
Improvement: Analyzing aggregated, anonymized usage patterns to improve the Service (we do not profile individual users).

5. Data Retention

Data Type	Retention Period
Account data	Duration of account + 30 days after deletion request
Music library metadata	Duration of account + 30 days after deletion request
Cloud backup files	Duration of account + 30 days after deletion request
Payment records	As required by Dutch tax law (7 years)
Security logs (IP, auth attempts)	90 days
Anonymized analytics	Indefinite (non-personal)

6. Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights:

Right of access (Art. 15): Request a copy of the personal data we hold about you.
Right to rectification (Art. 16): Request correction of inaccurate personal data.
Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
Right to restrict processing (Art. 18): Request that we limit the processing of your data.
Right to data portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format.
Right to object (Art. 21): Object to processing based on legitimate interests.
Right to withdraw consent: Where processing is based on consent, withdraw it at any time.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days as required by the GDPR.

6.1 Account and Data Deletion

You may request complete deletion of your account and all associated data at any time. Upon receiving a valid deletion request:

We will delete your account data from our servers within 30 days.
We will delete your cloud backup files from Backblaze within 30 days.
We will retain only what is legally required (e.g., payment records for tax compliance).
Deletion is irreversible — we cannot recover your data after deletion.

7. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

Encryption at rest: All cloud backup files are encrypted with AES-256 on Backblaze's servers.
Encryption in transit: All data transfers use HTTPS/TLS encryption.
Access control: Presigned, time-limited URLs for file operations; no persistent direct access to storage.
Authentication: HMAC-signed session tokens, WebAuthn/passkey support, rate-limited auth attempts.
Isolation: User data is logically separated by unique user prefixes in storage.
Integrity: SHA-256 hashing for file deduplication and corruption detection.

8. International Data Transfers

We store and process your data within the European Economic Area (EEA):

Cloud backup files: Stored in Backblaze's EU Central data center (within the EU).
Application data: Processed on servers within the EEA where possible.

Where data is transferred outside the EEA (e.g., to certain sub-processors), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission.

9. Cookies and Tracking

9.1 Essential Cookies

These cookies are required for the Service to function and cannot be disabled:

Session cookie: Maintains your authenticated session. Expires when you close your browser or after a set period.
CSRF token: Protects against cross-site request forgery attacks.

9.2 Analytics (Optional)

With your consent, we use the following analytics tools to understand how visitors use our website and to improve the Service:

Tool	Purpose	Data Collected	Privacy Policy
Google Analytics 4 (via Google Tag Manager)	Website traffic analysis, acquisition channels, user journeys	Pages visited, time on site, referral source, device/browser type, approximate location (country/city level)	Google Privacy Policy
PostHog	Product analytics, session replay, conversion funnels	Page views, clicks, scroll depth, session recordings (with form inputs masked), feature usage	PostHog Privacy Policy

9.3 Your Cookie Choices

When you first visit our website, a cookie consent banner allows you to choose:

Accept All: Enables essential cookies and analytics.
Essential Only: Only essential cookies are used. Analytics tools are disabled and no tracking data is collected.

You can change your choice at any time by clearing your browser's local storage for our domain and refreshing the page.

We do not use advertising cookies or tracking pixels. We do not participate in any advertising networks. We do not sell, rent, or share analytics data with third parties for marketing purposes.

10. Children's Privacy

The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and, where appropriate, by email. Your continued use of the Service after such changes constitutes acceptance of the updated policy.

12. Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens):

Autoriteit Persoonsgegevens
Bezuidenhoutseweg 30, 2594 AV Den Haag, The Netherlands
Website: www.autoriteitpersoonsgegevens.nl
Phone: +31 70 888 8500

13. Contact

For any privacy-related questions, requests, or concerns, please contact us at:

Astrasonic (operated by Plan Bakery B.V.) — Data Protection
Email: [email protected]
Website: www.astrasonic.ai