Legal

Privacy Policy

Last updated: April 2025

Last updated: April 2025

Summary: OffRecord is a privacy-first platform. We do not sell your data. We do not show you ads. We collect only what we need to run the service, and we give you full control over your information.

1. Who we are

OffRecord B.V. (in the process of incorporation) is the data controller for the OffRecord platform. Our registered address will be in Amsterdam, Netherlands.

Contact: contact@offrecord.studio

As a company based in the Netherlands, OffRecord operates under the General Data Protection Regulation (GDPR) and Dutch data protection law. Your rights as a European Union resident are fully respected.

2. Data we collect

We collect the following categories of personal data:

  • Account data: Your name, email address, and password (hashed). If you choose to add profile information such as a profile photo, bio, genre preferences, or location, this is stored as well.
  • Verification data (artists/companies only): Chamber of Commerce (KVK) number or equivalent business registration details. This is collected solely to verify your identity badge.
  • Content you upload: Videos, photos, posts and community messages you share on the platform.
  • Usage data: Which features you use, which artists you follow, and general interaction patterns. This is used to improve the platform โ€” not to build an advertising profile.
  • Device & technical data: IP address, device type, operating system version and app version. Used for security and debugging.
  • Payment data (if applicable): Processed securely by Stripe (global) or Mollie (Netherlands). We never see or store your full payment card details.

3. How we use your data

We use your personal data only for the following purposes:

  • To create and manage your account on OffRecord
  • To deliver the features of the platform (Stage, Backstage, Map, Communities, etc.)
  • To verify artist and company identities
  • To process payments for exclusive communities or features
  • To send you relevant notifications about the artists you follow, events near you, and community activity (you can manage these in settings)
  • To detect and prevent fraud, abuse or illegal activity
  • To improve the platform based on usage patterns
  • To comply with legal obligations

We do not: sell your data, show you advertising, use your data to train AI models without explicit consent, or share your data with third parties for their own marketing purposes.

Under GDPR, we process your personal data on the following legal bases:

  • Contract performance: To provide the platform service as described in our Terms of Service
  • Legitimate interest: To improve the platform, detect fraud, and maintain security
  • Legal obligation: To comply with applicable laws and regulations
  • Consent: For optional features such as push notifications or marketing emails (which you can withdraw at any time)

5. Who we share data with

We share personal data only with the following categories of third parties, all of whom are bound by appropriate data processing agreements:

  • Supabase โ€” database and authentication infrastructure (EU-hosted)
  • Cloudflare R2 โ€” file and media storage
  • Stripe / Mollie โ€” payment processing
  • Expo (React Native) โ€” app delivery and push notification infrastructure

We do not share your data with advertisers, data brokers, or any third party for commercial purposes.

6. How long we keep your data

We retain your personal data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where we are required by law to retain it longer (e.g., financial records for 7 years under Dutch law).

Content you have published (videos, posts) that other users have already interacted with may be anonymised rather than deleted, to preserve community integrity.

7. Your rights

Under GDPR, you have the following rights:

  • Right of access: Request a copy of all personal data we hold about you
  • Right to rectification: Correct inaccurate personal data
  • Right to erasure ("right to be forgotten"): Request deletion of your account and personal data
  • Right to restriction: Limit how we use your data in certain circumstances
  • Right to data portability: Receive your data in a machine-readable format
  • Right to object: Object to processing based on legitimate interest
  • Right to withdraw consent: Withdraw any consent you have given at any time

To exercise any of these rights, email us at contact@offrecord.studio. We will respond within 30 days.

If you are not satisfied with our response, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

8. Cookies and tracking

The OffRecord mobile app does not use cookies. The OffRecord website (this website) uses only essential cookies required for the site to function. We do not use tracking cookies, analytics cookies, or advertising cookies.

When we launch a web platform version, we will update this section with a full cookie notice and consent mechanism.

9. Security

We take security seriously. Our measures include:

  • All data is encrypted in transit using TLS/HTTPS
  • Passwords are hashed and never stored in plain text
  • Database access is restricted and audited
  • Payment data is handled exclusively by PCI-compliant processors (Stripe, Mollie)
  • We follow industry-standard security practices in our codebase

In the event of a data breach that affects your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR.

10. Children's privacy

OffRecord is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email or a prominent notice within the app at least 14 days before the changes take effect. Continued use of the platform after that date means you accept the updated policy.

12. Contact

For any privacy-related questions, requests or concerns, please contact us:

We aim to respond to all privacy enquiries within 5 business days.