Privacy Policy
Last updated: March 15, 2026
1. Introduction
BeatTrees ("we", "us", "our") operates the BeatTrees platform at beattrees.ai. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service. By using BeatTrees, you consent to the data practices described in this policy.
2. Information We Collect
2.1 Information You Provide
- Account Registration: Email address, display name, and password when signing up with email, or your Google profile name, email, and avatar when using Google OAuth.
- Profile Data: Genre preferences, bio, artist influences, username, and display settings you configure.
- User-Generated Content: Saved beats, collections, custom alerts, followed producers, and search queries.
- Payment Information: When subscribing to Pro, payment details are collected and processed directly by Stripe. We never receive or store your full card number, CVV, or bank account details. We store only your Stripe customer ID and subscription status.
- Connected Accounts: If you connect your YouTube or TikTok account, we collect your channel/account ID, display name, subscriber/follower count, and video metadata. OAuth access and refresh tokens are encrypted with AES-256-GCM before storage.
2.2 Information Collected Automatically
- Usage Data: Pages visited, features used, search queries, AI usage counts, and interaction patterns.
- Device & Browser Information: IP address, browser type and version, operating system, and device type.
- Cookies & Local Storage: Session tokens for authentication, cookie consent preferences, and UI state. See our Cookie Policy for details.
- Analytics: When you consent, we use PostHog to collect anonymized usage analytics including page views, feature adoption, and user flows. Analytics are not loaded until you provide consent.
3. How We Use Your Information
- Provide, operate, and maintain the BeatTrees platform
- Personalize your experience (genre filtering, AI recommendations, dashboard content)
- Process subscriptions and manage billing through Stripe
- Enforce AI usage limits and subscription tier restrictions
- Send transactional notifications (alerts, subscription status, security events)
- Generate aggregated, anonymized analytics to improve the platform
- Detect and prevent fraud, abuse, and security incidents
- Comply with legal obligations
4. Legal Bases for Processing (GDPR)
If you are in the European Economic Area (EEA), UK, or Switzerland, we process your data under the following legal bases:
- Contract Performance: To provide the service you signed up for, process payments, and manage your account.
- Legitimate Interest: To improve our service, prevent fraud, and ensure platform security.
- Consent: For analytics tracking (PostHog) and optional marketing communications. You may withdraw consent at any time.
- Legal Obligation: To comply with applicable laws, regulations, and legal processes.
5. Third-Party Services & Data Sharing
We share data only with the following service providers, each under data processing agreements:
- Supabase (US) — Authentication, database hosting, and file storage. All user data is protected by Row-Level Security.
- Stripe (US) — Payment processing. Stripe is PCI-DSS Level 1 certified. See Stripe's Privacy Policy.
- Vercel (US) — Application hosting and edge delivery.
- Google / YouTube Data API (US) — To fetch publicly available beat/video metadata and to authenticate Google OAuth sign-ins. See Google's Privacy Policy.
- TikTok (Singapore/US) — To fetch trending sounds and user video data when you connect your TikTok account. See TikTok's Privacy Policy.
- Anthropic (Claude) (US) — AI features. Your AI consultant messages are sent to Claude for processing but are not stored by Anthropic for training purposes under our API agreement.
- PostHog (EU/US) — Analytics, loaded only with your consent.
- Upstash (US) — Redis-based rate limiting. Stores only anonymized request counters, not personal data.
We do not sell, rent, or trade your personal information to any third party for marketing purposes.
6. Data Retention
- Account Data: Retained as long as your account is active. After account deletion, personal data is permanently removed within 30 days.
- Payment Records: Retained for 7 years as required by tax and financial regulations.
- Search Logs: Retained for 90 days for service improvement, then automatically purged.
- OAuth Tokens: Encrypted tokens are deleted immediately when you disconnect a connected account.
- Analytics Data: PostHog data is retained for 12 months and is anonymized.
7. Data Security
We implement industry-standard security measures including:
- All data transmitted over HTTPS/TLS encryption
- OAuth tokens encrypted at rest with AES-256-GCM
- Row-Level Security (RLS) on all database tables ensuring users can only access their own data
- Rate limiting on all API endpoints to prevent abuse
- Passwords hashed using bcrypt (via Supabase Auth)
- CORS restrictions limiting API access to authorized domains
8. International Data Transfers
Your data may be transferred to and processed in the United States where our service providers are located. For EEA/UK users, these transfers are protected by Standard Contractual Clauses (SCCs) or equivalent safeguards maintained by our service providers.
9. Your Rights
Depending on your jurisdiction, you have the right to:
- Access: Request a copy of your personal data (available via Settings > Export > GDPR Data Export)
- Rectification: Correct inaccurate personal data via your account settings
- Erasure: Delete your account and all associated data via Settings > Danger Zone
- Data Portability: Export your data in machine-readable format (JSON/CSV)
- Withdraw Consent: Revoke analytics consent at any time via the cookie banner or browser settings
- Object: Object to processing based on legitimate interests
- Lodge a Complaint: File a complaint with your local data protection authority
To exercise any of these rights, contact us at privacy@beattrees.ai. We will respond within 30 days.
10. Children's Privacy
BeatTrees is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately and we will delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification at least 30 days before they take effect. The "Last updated" date at the top reflects the most recent revision.
12. Contact
For privacy-related inquiries, contact our Data Protection team:
- Email: privacy@beattrees.ai