PRIVACY POLICY

BandStream — Private Alpha Phase

Effective as of April 14, 2026

Article 1 — Data Controller

The data controller for personal data is BandStream SAS, 60 rue François 1er, 75008 Paris, France. RCS Paris 939 221 438 — SIRET 939 221 438 00012 — VAT FR 81939221438 — Contact: [email protected].

Article 2 — Data Protection Officer

The DPO can be reached at: [email protected]. The DPO is the point of contact for any questions regarding the processing of personal data and for the exercise of data subjects' rights.

Article 3 — Alpha Context — Specific Information

The Platform is currently in a private Alpha phase. Access is restricted to Alpha Users who have received an Invitation from BandStream. This phase involves the following specificities regarding personal data:

(a) BandStream may collect data specific to the Alpha phase, such as experience Feedback, bug reports, detailed usage data, and satisfaction survey responses, for the purpose of improving the Platform.

(b) Technical security measures may be in the process of deployment and may not reach the level of a final commercial version. BandStream nevertheless implements reasonable measures to protect the data of Alpha Users.

(c) In the event of the end of the Alpha phase, Alpha User data will be processed in accordance with article 8 (retention periods), unless the Alpha User continues their use in the commercial version.

Article 4 — Personal Data Collected

4.1 — Alpha User Data

Identification data: artist name or pseudonym, email address.

Connection data: IP address, browser type, operating system, date and time of connection, access logs.

Subscription data: plan type, subscription and renewal dates, billing history.

Content data: profile images, biography, links, event-related information.

Payment data: collected and processed directly by Stripe, Inc. Not stored by BandStream.

Alpha-specific data: experience Feedback, bug reports, detailed usage data (navigation paths, actions performed, features used), responses to internal surveys.

4.2 — Visitor Data

Aggregated and anonymized browsing data: country, traffic source, pages visited, duration. "Privacy-first" approach.

4.3 — Mandatory or Optional Nature of Data

Data marked with an asterisk (*) in the forms is mandatory for Account creation and the provision of Services. If this mandatory data is not provided, BandStream will not be able to create the User's Account or provide the Services. Other data is optional, and its non-provision does not prevent use of the Platform but may limit certain features (for example, the absence of a biography or profile image on the Artist Page).

Article 5 — Purposes and Legal Bases

---------------------------------------------  ------------------------------------  ---------------------------------------------
Purpose                                        Data concerned                        Legal basis
---------------------------------------------  ------------------------------------  ---------------------------------------------
Account creation and management                Email, artist name                    Performance of the contract (art. 6.1.b GDPR)
Provision of Services                          Content, connection                   Performance of the contract (art. 6.1.b GDPR)
Subscription management                        Subscription, billing                 Performance of the contract (art. 6.1.b GDPR)
Payment processing                             Payment (via Stripe)                  Performance of the contract (art. 6.1.b GDPR)
Traffic statistics                             Aggregated browsing                   Legitimate interest (art. 6.1.f GDPR)
Platform improvement (Alpha)                   Alpha data, Feedback, detailed usage  Legitimate interest (art. 6.1.f GDPR)
Service-related communications                 Email                                 Performance of the contract (art. 6.1.b GDPR)
Marketing communications                       Email                                 Consent (art. 6.1.a GDPR)
Ad Campaign management (advertising tracking)  Content, performance                  Consent (art. 6.1.a GDPR)
Legal compliance                               All necessary data                    Legal obligation (art. 6.1.c GDPR)
---------------------------------------------  ------------------------------------  ---------------------------------------------

Note: The "Ad Campaign management" purpose (Google Ads, Meta Pixel, TikTok) is based on User consent and not on the performance of the contract, in accordance with the recommendations of the CNIL regarding advertising tracking. The placement of advertising cookies and pixels is subject to prior consent obtained through the integrated consent manager.

Article 6 — Recipients and Processors

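---------------------------  ----------------------------------  --------------------------------------------------------------------------------------------
Processor                    Function                            Location
---------------------------  ----------------------------------  --------------------------------------------------------------------------------------------
Stripe, Inc.                 Payments                            EU / United States (SCCs)
IONOS SE                     Hosting                             France / Germany (EU)
Google LLC (Analytics)       Audience measurement                EU / United States (SCCs)
Brevo (formerly Sendinblue)  Transactional and marketing emails  France (EU)
Meta Platforms, Inc.         Ad Campaign                         EU / United States (SCCs)
Google LLC (Ads)             Ad Campaign                         EU / United States (SCCs)
TikTok (ByteDance Ltd.)      Ad Campaign                         EU (Ireland) / Singapore / United States (SCCs + supplementary measures). See dedicated TIA.
---------------------------  ----------------------------------  --------------------------------------------------------------------------------------------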

Each processor is contractually bound to comply with the GDPR. BandStream may communicate data to competent authorities upon legal request.

Article 7 — Transfers Outside the EU

Data is primarily hosted in France and within the EU. Transfers outside the EEA are governed by standard contractual clauses or the EU-U.S. Data Privacy Framework.

In accordance with the recommendations of the European Data Protection Board (EDPB) and the Schrems II ruling (CJEU, case C-311/18), BandStream has conducted a Transfer Impact Assessment (TIA) for each processor located outside the EEA. These assessments are available upon request from the DPO at [email protected].

Supplementary measures (end-to-end encryption, pseudonymization, access segregation) are implemented when the TIA identifies a residual risk to the rights of data subjects.

Further information: [email protected].

Article 8 — Retention Periods

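----------------------------------------------  ----------------------------------------------------------------------------------------------------------------------------------------
Category                                        Duration
----------------------------------------------  ----------------------------------------------------------------------------------------------------------------------------------------
Account data (in case of deletion)              Deletion within 30 days of the deletion request. Intermediate archiving with restricted access for dispute management: 3 years maximum.
Account data (active account)                   Duration of registration + 3 years after last activity
Billing data                                    10 years (legal obligation)
Connection data (logs)                          1 year (LCEN)
Aggregated browsing data                        25 months maximum
Prospecting data                                3 years after last contact
Cookie consent                                  13 months maximum
Alpha-specific data (Feedback, detailed usage)  Duration of the Alpha phase + 2 years after its end, then anonymization
----------------------------------------------  ----------------------------------------------------------------------------------------------------------------------------------------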

Upon expiration, data is deleted or irreversibly anonymized.

Article 9 — Data Subject Rights

Right of access (art. 15 GDPR): obtain confirmation of processing and a copy of the data.

Right to rectification (art. 16): correction of inaccurate or incomplete data.

Right to erasure (art. 17): deletion of data, subject to legal obligations.

Right to restriction (art. 18): temporary suspension of processing.

Right to data portability (art. 20): retrieval of data in a structured and readable format.

Right to object (art. 21): objection to processing based on legitimate interest, and objection to marketing at any time.

Right relating to automated decision-making and profiling (art. 22 GDPR): the User has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects them. As of the date of this policy, BandStream does not engage in any solely automated decision-making or profiling producing legal effects with respect to Users. In the event of any change, this policy will be updated to inform Users accordingly.

Withdrawal of consent: possible at any time, without retroactive effect.

Post-mortem directives (art. 85 of the French Data Protection Act): directives regarding the fate of data after death.

Requests should be sent to [email protected] with proof of identity. Response within one (1) month, extendable by two (2) months. Complaints may be filed with the CNIL (3 Place de Fontenoy, 75334 Paris Cedex 07 — www.cnil.fr).

Article 10 — Cookies

10.1 — Types of Cookies

Strictly necessary cookies: technical operation (session, authentication, security). No consent required.

Analytical cookies (Google Analytics): audience measurement. Consent required.

Advertising cookies (Pro Plan): Google Tag Manager, Meta Pixel. Consent required via the integrated consent manager.

10.2 — Detailed List of Cookies

---------------------  --------------------------------------  ----------------  ------------------------------
Cookie name            Purpose                                 Duration          Issuer
---------------------  --------------------------------------  ----------------  ------------------------------
[session_id]           User session (necessary)                Session duration  BandStream (1st party)
[consent_preferences]  Cookie choice memorization (necessary)  13 months         BandStream (1st party)
_ga, _gid              Audience measurement (analytical)       26 months / 24h   Google LLC (3rd party)
_fbp, _fbc             Advertising tracking (marketing)        90 days           Meta Platforms (3rd party)
_ttp                   Advertising tracking (marketing)        13 months         TikTok / ByteDance (3rd party)
---------------------  --------------------------------------  ----------------  ------------------------------

This list is provided for informational purposes and will be updated as the tools integrated into the Platform evolve. The up-to-date version is available in the integrated consent manager.

10.3 — Consent Management

Consent banner displayed upon the first visit. Preferences may be modified at any time. Consent stored for a maximum of 13 months (CNIL recommendations).

Article 11 — Redirection to Third-Party Platforms and Processing of Browsing Data

11.1 — Leaving the BandStream Perimeter

The Platform allows Users to create Artist Pages containing hyperlinks redirecting Visitors to third-party music streaming platforms (including Spotify, Apple Music, Deezer, YouTube Music, Tidal, Qobuz) as well as to ticketing platforms or social networks.

When a Visitor clicks on one of these links, they leave the BandStream environment and access a site or application operated by an independent third party. From the point of redirection onward, the Visitor's personal data is collected and processed by the destination platform, acting as an independent data controller, in accordance with its own privacy policy. BandStream exercises no control over the data processing carried out by these third-party platforms and disclaims all liability in this regard.

BandStream encourages Visitors to review the privacy policies of third-party platforms before accessing them.

11.2 — Data Collected by BandStream Upon Click

Prior to the redirection, BandStream may collect browsing data related to the click made by the Visitor on the Artist Page. This data includes: the Visitor's country of origin (approximate geolocation derived from the IP address), the traffic source (referrer), the streaming platform selected by the Visitor, the type of device and browser used, and the date and time of the click.

This data is processed in an aggregated and anonymized manner, as part of the traffic statistics provided to Users with a Pro Plan, in accordance with BandStream's "privacy-first" approach. The legal basis for this processing is the legitimate interest of BandStream and its Users (article 6.1.f GDPR), consisting in measuring the audience and performance of Artist Pages.

11.3 — No Transmission of Personal Data to Streaming Platforms

BandStream does not transmit any personal data of Visitors to streaming platforms or to any other third party accessible via the links on the Artist Pages. The redirection is carried out by simple hyperlink: the Visitor's browser is redirected to the URL of the destination platform without any personal data being communicated by BandStream to said platform.

Streaming platforms are not processors of BandStream within the meaning of article 28 of the GDPR. They act as independent data controllers for the data they collect directly from Visitors after the redirection.

11.4 — Third-Party Cookies and Pixels on Artist Pages

When a User activates the Google Tag Manager or Meta Pixel features on their Artist Page (features that may be offered free of charge during the Alpha phase or included in a future paid plan), third-party cookies and pixels may be placed on the devices of Visitors who view said Artist Page. These cookies and pixels are operated by Google LLC and Meta Platforms, Inc., acting as independent data controllers for the data they collect through these technologies.

The placement of these third-party cookies and pixels is subject to the prior consent of the Visitor, obtained through the consent manager integrated into the Platform, in accordance with CNIL recommendations and the ePrivacy Directive. In the absence of consent, no third-party cookies or pixels are placed.

Article 12 — Security

Technical and organizational measures in accordance with article 32 of the GDPR: HTTPS/TLS encryption, authentication, access restriction, backups, monitoring. During the Alpha phase, these measures are being progressively deployed; BandStream implements reasonable measures proportionate to the Platform's stage of development.

In the event of a personal data breach likely to result in a high risk to the rights and freedoms of data subjects, BandStream will notify the breach to the CNIL within seventy-two (72) hours of its discovery, in accordance with article 33 of the GDPR. If this deadline cannot be met, the notification will be accompanied by the reasons for the delay. BandStream will also inform the data subjects concerned as soon as possible, in accordance with article 34 of the GDPR, indicating the nature of the breach and the measures taken or recommended to mitigate its effects.

Article 13 — Minors

The Platform is reserved for persons aged 16 and over (art. 8 GDPR, art. 7-1 of the French Data Protection Act). Data of minors under 16 collected without parental consent will be deleted.

Article 14 — Policy Amendments

This policy may be amended at any time. Users will be notified by email at least thirty (30) days in advance of any substantial amendment. The updated version will be published on the Site.

Article 15 — Contact

DPO: [email protected]

Customer service: [email protected]

Mail: BandStream SAS, 60 rue François 1er, 75008 Paris, France