Privacy Policy
Last updated: March 2026
Demo Log ("we", "us", "our") is operated by Mark Dunne, based in the United Kingdom. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the Demo Log web application and related services (the "Service").
We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Data Controller
The data controller responsible for your personal data is:
Mark Dunne
Email: hello@demo-log.com
If you have any questions about how we handle your data, please contact us at the address above.
2. What Data We Collect
We collect and process the following categories of personal data:
Account data (collected at registration):
- Email address
- Display name
- Artist/producer name
Profile and preference data (entered by you in Settings):
- Default genre preferences
- Default artist name
Production and submission data (entered by you during use):
- Track titles, BPM, musical key, genre, vibe tags, production status, and notes
- Label names, contact details, submission history, and notes
- Submission dates, statuses, follow-up dates, and response notes
- Release information including catalogue numbers and platform links
- Local file paths you choose to record (stored as text references only; we do not access your local filesystem)
Audio files (Pro plan only, uploaded voluntarily):
- Audio files (WAV, MP3) uploaded for in-app playback and private link sharing
- These are stored in user-scoped private storage buckets
Payment data (processed by Lemon Squeezy):
- We do not collect or store your payment card details
- Lemon Squeezy processes payments on our behalf and shares with us only your email address, license key, and order confirmation
Technical data (collected automatically):
- IP address (logged by our hosting provider Vercel and by Supabase)
- Browser type and version
- Pages visited and timestamps
- Authentication session tokens (stored in cookies)
3. How We Use Your Data
| Purpose | Legal Basis (UK GDPR) |
|---|---|
| Providing the Service | Performance of contract (Art. 6(1)(b)) |
| User authentication and session management | Performance of contract (Art. 6(1)(b)) |
| Processing payments and activating Pro licenses | Performance of contract (Art. 6(1)(b)) |
| Sending transactional emails | Performance of contract (Art. 6(1)(b)) |
| Maintaining security and preventing abuse | Legitimate interest (Art. 6(1)(f)) |
| Improving the Service (aggregated, anonymised) | Legitimate interest (Art. 6(1)(f)) |
We do not use your data for:
- Advertising or marketing to third parties
- Selling, renting, or sharing your personal data with third parties
- Automated decision-making or profiling
- Training AI or machine learning models
4. Audio Files and User-Generated Content
If you are a Pro user and upload audio files to Demo Log:
- Your audio files are stored in private, user-scoped storage buckets on Supabase infrastructure (hosted on AWS)
- Each user's storage is isolated. Other users cannot access your files.
- Audio files are accessible only via time-limited signed URLs generated when you or someone you share a private link with requests playback
- Administrative access: As the platform operator, we have administrative access to the database and storage infrastructure for maintenance, technical support, and legal compliance. We will never listen to, download, copy, distribute, or use your audio files for any purpose other than providing technical support you have requested, investigating a reported technical issue, or complying with a valid legal obligation. We do not monitor, review, or browse user audio content.
- Ownership: You retain full ownership of all audio files and content you upload. Demo Log claims no rights, licenses, or ownership over your content.
- Deletion: When you delete a track, version, or your account, associated audio files are permanently deleted from our storage.
5. Administrative Access to User Data
As a cloud-based service, our administrative team has technical access to the database that stores your data. We want to be transparent about this:
- What we can access: Account information, production data, submission records, notes, and uploaded audio files
- When we access it: Only when necessary to provide technical support you have requested, to debug a reported issue, or to comply with a legal obligation
- What we will never do: Browse, read, or review your data out of curiosity or for any purpose unrelated to operating the Service; download or copy your audio files; share your data with any third party except as described in this policy
- Access logging: We maintain internal access controls. Database access via the administrative service role key is restricted to essential operations only.
6. Data Storage and Security
| Service | Purpose | Location |
|---|---|---|
| Supabase | Database, auth, file storage | AWS eu-west-2 (London, UK) |
| Vercel | Application hosting | Edge network (nearest region) |
| Lemon Squeezy | Payment processing | United States |
| Resend | Transactional email | United States |
Security measures we implement:
- All data is encrypted in transit (TLS/HTTPS)
- Database access is protected by Row-Level Security (RLS) policies
- Audio files are stored in private buckets with per-user access policies
- Passwords are hashed using bcrypt via Supabase Auth
- Administrative access credentials are stored securely and never exposed to the client
- Authentication sessions use httpOnly cookies to prevent XSS attacks
7. International Data Transfers
Our primary database is hosted in the UK/EU region. However, some third-party providers (Lemon Squeezy, Resend) are based in the United States.
Where personal data is transferred outside the UK, we rely on Standard Contractual Clauses (SCCs) as approved by the UK Information Commissioner's Office and the service provider's compliance with applicable data protection frameworks.
8. Data Retention
- Account and production data: Retained until you delete your account
- Audio files: Retained until you delete them individually or delete your account
- Payment records: Retained for 7 years after purchase for UK tax and accounting obligations
- Server logs: Retained by Vercel and Supabase according to their respective retention policies (typically 30-90 days)
When you delete your account, we permanently delete all your personal data, production records, and audio files within 30 days. Some data may persist in encrypted backups for up to 90 days.
9. Cookies
We use only essential cookies required for the Service to function:
| Cookie | Purpose | Duration |
|---|---|---|
| Supabase auth session | Maintains your login session | Session / 7 days |
We do not use tracking cookies, third-party analytics cookies, advertising cookies, or social media tracking pixels.
10. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
- Right of access: Request a copy of the personal data we hold about you
- Right to rectification: Request correction of inaccurate or incomplete data
- Right to erasure: Request deletion of your personal data
- Right to data portability: Receive your data in a structured, machine-readable format
- Right to restrict processing: Request that we limit how we use your data
- Right to object: Object to processing based on legitimate interests
- Right to withdraw consent: Where processing is based on consent, withdraw it at any time
How to exercise your rights:
- Self-service: Export all your data and delete your account from the Settings page
- By email: Contact us at hello@demo-log.com. We will respond within 30 days.
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO): ico.org.uk | Helpline: 0303 123 1113
11. Third-Party Services
| Service | Data Shared | Purpose |
|---|---|---|
| Supabase | All user data, audio files | Database, auth, storage |
| Vercel | IP addresses, request data | Application hosting |
| Lemon Squeezy | Email, payment info, license keys | Payment processing |
| Resend | Email address | Transactional emails |
We do not share your data with any other third parties. We do not use any advertising networks, analytics platforms, or data brokers.
12. Children's Privacy
Demo Log is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date, notify registered users by email, and post a notice within the application.
14. Contact Us
For any privacy-related questions, data requests, or concerns:
Email: hello@demo-log.com
We aim to respond to all enquiries within 30 days.