Privacy Policy
Last updated April 2026
[LEGAL REVIEW REQUIRED] — This Privacy Policy is a working draft. The final policy will be reviewed by qualified legal counsel and published before public launch.
This Privacy Policy explains how Stamped collects, uses, and protects information when you use our platform.
1. Information we collect
We collect the following categories of information: (a) Account information — your email address, display name, and avatar image, provided during sign-up or profile setup. (b) Artist profile information — bio, genres, social links, and Stripe Connect account status, provided voluntarily. (c) Transaction and deal records — deal terms, agreed amounts in cents, delivery status, dispute records, and stamp metadata. (d) File uploads — audio files, stems, or other deliverables uploaded through the platform, stored in encrypted cloud storage. (e) Usage data — server logs including IP addresses, user-agent strings, timestamps, and request paths, collected automatically for security and debugging purposes. We do not collect full payment card details — all payment data is handled directly by Stripe.
2. How we use your information
We use the information we collect to: operate the platform and process payments; verify deal delivery and administer disputes; generate and display stamps (permanent, public records of verified collaborations); send transactional notifications about your deals (acceptance, payment, delivery, confirmation); prevent fraud, abuse, and unauthorised access; comply with legal obligations including financial record-keeping requirements; and improve platform performance and reliability.
3. Third-party services
Stripe — we use Stripe to process payments and manage Stripe Connect accounts for sellers. Stripe receives payment method details and identity verification data necessary for payment processing and money transmission compliance. Stripe's Privacy Policy governs how Stripe handles this data. Supabase — our database, file storage, and authentication infrastructure is provided by Supabase. User data, deal records, files, and authentication tokens are stored on Supabase infrastructure. Supabase's Privacy Policy governs their data handling. Vercel — the platform is deployed on Vercel, which processes server request logs and edge network data. We do not share personal data with third parties for marketing or advertising purposes.
4. Cookies and local storage
Stamped uses session cookies managed by Supabase SSR to maintain your authenticated session. These cookies are httpOnly, secure, and SameSite-scoped. We do not use third-party advertising cookies or persistent tracking cookies. We do not use cookie consent banners for strictly necessary cookies, but no optional tracking cookies are set without explicit disclosure.
5. Public information
Stamps (verified collaborations) are publicly visible by design. A stamp record includes the artist names, the collaboration date, and the deal amount — this public record is the core product of Stamped. If you do not wish a stamp to be public, do not initiate or accept a deal on the platform. Delivery files (audio, stems) are never public — they are accessible only via time-limited signed URLs (1-hour expiry) to the deal participants.
6. Data retention
Account information is retained for as long as your account is active. Deal records, payment events, and stamps are retained indefinitely as permanent financial and collaboration records. File uploads are retained for a minimum of 90 days after deal completion, after which they may be purged from storage (the stamp record itself is not deleted). If you close your account, your personal information is anonymised where legally permissible, but financial records required by law will be retained for the statutory minimum period.
7. Your rights
You may request: (a) access to the personal data we hold about you; (b) correction of inaccurate personal data; (c) deletion of your account and personal data (subject to legal retention requirements for financial records); (d) a portable copy of your data in a machine-readable format; (e) restriction of processing in specific circumstances. To exercise any of these rights, contact us at privacy@stamped.music. We will respond within 30 days.
8. GDPR and international transfers
[PLACEHOLDER — LEGAL REVIEW REQUIRED] If you are located in the European Economic Area (EEA) or United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR) and UK GDPR. Our legal basis for processing your personal data includes: contractual necessity (operating the platform and processing payments), compliance with legal obligations, and our legitimate interests in preventing fraud and maintaining platform security. Data may be transferred to and processed in countries outside the EEA, including the United States, where our service providers (Stripe, Supabase, Vercel) operate. Such transfers rely on appropriate safeguards including Standard Contractual Clauses.
9. Security
We implement appropriate technical and organisational measures to protect your information, including encrypted storage, HTTPS-only transmission, signed URL access controls for files, Row Level Security (RLS) on all database tables, and rate limiting on sensitive API endpoints. No system is completely secure — we cannot guarantee absolute security of your data, but we take reasonable steps to protect it.
10. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the platform. Continued use of Stamped after changes take effect constitutes acceptance of the revised Policy.
11. Contact
For privacy questions, data requests, or to report a privacy concern, contact us at privacy@stamped.music or through the in-app support channel.
This Privacy Policy is a working draft subject to legal review before public launch.