Privacy Policy
Effective Date: April 5, 2026 – Version 1.0
This Privacy Policy describes how Distrio ("Distrio," "we," "us," or "our") collects, uses, stores, and discloses personal data when you use the Distrio platform and related services (collectively, the "Service"). It applies to all users of the platform, including visitors, registered producers, and – where applicable – end customers of producer storefronts.
Distrio processes personal data in accordance with the EU General Data Protection Regulation (GDPR) and, where applicable, other relevant data protection laws. If you are located in Germany, the German Federal Data Protection Act (BDSG) may additionally apply.
A. Controller
The controller responsible for personal data processing under this Privacy Policy is:
| Operator | Distrio (not yet formally registered as a legal entity) |
| Address | Ludwigstr. 10, 76470 Oetigheim, Germany |
| Email (general) | contact@distrio.co |
| Privacy contact | privacy@distrio.co |
| Data Protection Officer | Not required at this stage; privacy inquiries are handled directly by the operator. |
Once Distrio is formally registered as a legal entity, this section will be updated to reflect the full registered name, address, and legal form.
B. Scope of This Privacy Policy
This Privacy Policy applies to:
- The Distrio website and any subdomains operated by Distrio
- The Distrio shop-builder platform and all associated features and modules
- Any APIs or integrations provided by Distrio
It covers the following categories of data subjects:
- Visitors: individuals who browse the Distrio website without registering
- Registered Producers: individuals or businesses who create an account and use the platform to build and operate their own storefront
- End Customers: individuals who visit and purchase from a producer's storefront powered by Distrio
Note regarding end customers: When a customer purchases from a producer's storefront, the producer acts as the independent data controller for that transaction. Distrio acts as a data processor on behalf of the producer for the purpose of operating the technical infrastructure. Producers are solely responsible for their own privacy obligations toward their end customers.
C. Categories of Personal Data Processed
C.1 Account and Authentication Data
When you register for Distrio, we process the following:
- Email address
- Account ID (internally generated)
- OAuth identifiers (e.g. Google account ID, where OAuth login is used)
- Authentication tokens and session identifiers
Passwords are never stored in plaintext. Where email and password authentication is used, passwords are stored using industry-standard secure hashing mechanisms. OAuth-based login does not result in Distrio receiving or storing your third-party password.
C.2 Profile and Account Data
After registration, you may provide additional information, including:
- Name or display name
- Business or artist name
- Billing information (name, address, country) for invoicing purposes
- Shop and brand configuration data (logo, colors, descriptions, custom domain settings)
C.3 Technical Data
We process certain technical data automatically when you use the Service:
- Session information and login state
- Browser type, device type, and operating system (general, non-fingerprinting level)
- IP addresses, to the extent necessary for security, abuse prevention, and fraud detection
- Server-side log data (request logs, error logs, timestamps)
Technical data is retained only as long as necessary for the purpose for which it was collected and is not used for profiling or targeted advertising.
C.4 Usage and Content Data
As a registered producer, the Service stores content you upload or configure:
- Beats, soundkits, and other audio files
- Product descriptions, cover artwork, and metadata
- License templates and pricing configurations
- Storefront settings and layout customizations
This content is stored on your behalf in Cloudflare R2 and associated metadata in Supabase. It is not used by Distrio for any purpose other than providing the Service.
C.5 Support and Communication Data
If you contact Distrio for support or any other reason, we process:
- Email correspondence and its content
- Any attachments or screenshots shared with us
- Feedback or feature requests you submit
Support communications are currently handled via email only. We do not use a third-party helpdesk tool at this stage.
C.6 Payment and Billing Data
Subscription payments are processed by Stripe (and, in future, PayPal). Distrio does not receive or store full payment card details. The following billing-related data is processed:
- Subscription plan status and billing history
- Invoices and payment receipts
- Payment tokens or subscription identifiers provided by Stripe
- Billing name and address for invoice generation
Stripe and PayPal each act as independent data controllers for payment processing. Their respective privacy policies apply to data processed by them.
D. Purposes and Legal Bases for Processing
We process personal data only where we have a lawful basis to do so under Article 6 GDPR. The following table summarises our processing purposes and the applicable legal bases:
| Purpose | Legal Basis (Art. 6 GDPR) |
|---|---|
| Providing and operating the Service | Art. 6(1)(b) – performance of a contract |
| Account registration and authentication | Art. 6(1)(b) – performance of a contract |
| Billing and payment processing | Art. 6(1)(b) – performance of a contract |
| Security, fraud prevention, abuse detection | Art. 6(1)(f) – legitimate interests |
| Error analysis and technical debugging | Art. 6(1)(f) – legitimate interests |
| Support and customer communications | Art. 6(1)(b) – performance of a contract |
| Aggregated analytics and service improvement (Vercel Analytics) | Art. 6(1)(f) – legitimate interests (privacy-preserving, no personal profiles) |
| Marketing emails (planned, not yet active) | Art. 6(1)(a) – consent (opt-in required before activation) |
| Compliance with legal obligations | Art. 6(1)(c) – legal obligation |
Legitimate interests: Where we rely on Art. 6(1)(f) GDPR, our legitimate interests are the secure and reliable operation of the platform, fraud prevention, and improvement of our service. We balance these interests against your rights and freedoms and will not override your fundamental interests.
E. Cookies and Similar Technologies
E.1 Strictly Necessary Technologies
Distrio uses certain session-based technologies that are strictly necessary to provide the Service. These include:
- Authentication tokens and session cookies required to maintain your logged-in state
- Security-related tokens used to prevent cross-site request forgery (CSRF)
- Server-side session data required for the correct functioning of the platform
These technologies are used solely on the basis of technical necessity and do not require your prior consent under applicable law.
E.2 Analytics Technologies
Distrio uses Vercel Analytics to understand how the platform is used in aggregate. Vercel Analytics is designed to be privacy-preserving: it does not use cookies, does not track individuals across sessions, and does not build personal profiles. Data collected is aggregated and anonymised. This processing is based on our legitimate interests in improving the Service.
E.3 Optional and Future Cookies
If Distrio introduces analytics, A/B testing, or marketing cookies in the future, these will only be set after obtaining your explicit prior consent via a cookie consent mechanism. You will always have the ability to withdraw consent at any time.
E.4 Managing Cookies
You may configure your browser to refuse or delete cookies at any time. Note that disabling strictly necessary session technologies may impair the functionality of the Service. Where a consent management tool is in use, you may adjust your preferences at any time through that interface.
F. Processors and Sub-Processors
Distrio engages the following third-party data processors, each bound by appropriate data processing agreements:
| Provider | Purpose | Location |
|---|---|---|
| Vercel Inc. | Hosting, deployment, edge functions, Vercel Analytics | USA (SCCs apply) |
| Supabase Inc. | Database, authentication, real-time backend | USA (SCCs apply) |
| Cloudflare Inc. (R2) | File storage (beats, soundkits, PDFs) | USA / Global (SCCs apply) |
| Stripe Inc. | Payment processing (subscription billing) | USA (SCCs apply) |
| PayPal Holdings, Inc. | Payment processing (planned) | USA (SCCs apply) |
| Resend Inc. | Transactional email delivery | USA (SCCs apply) |
Distrio will update this list as additional sub-processors are engaged. Where a new sub-processor is introduced that materially affects your data, Distrio will provide reasonable prior notice.
G. International Data Transfers
Several of Distrio's sub-processors are based in the United States, which is a third country outside the European Economic Area (EEA) for the purposes of GDPR Chapter V. Personal data transferred to these providers is protected by one or more of the following mechanisms:
- Standard Contractual Clauses (SCCs): We rely on the European Commission's approved Standard Contractual Clauses (2021/914) as the primary transfer mechanism for transfers to US-based sub-processors.
- Adequacy decisions: Where the EU Commission has adopted an adequacy decision for a recipient country, transfers may also rely on that decision.
You may request a copy of the relevant transfer safeguards by contacting us at privacy@distrio.io.
H. Retention Periods
Distrio retains personal data only for as long as necessary for the purposes described in this Privacy Policy, or as required by applicable law. The following retention guidelines apply:
| Data Category | Retention Period |
|---|---|
| Account and authentication data | Duration of account + 30 days post-deletion |
| Shop content (beats, soundkits, media) | Duration of account + 30 days post-deletion |
| Server logs and technical data | Up to 90 days, then aggregated or deleted |
| Support and communication data | 3 years from last interaction, or as legally required |
| Billing records and invoices | 10 years (statutory retention under German commercial law – §257 HGB) |
| Payment processor tokens | Managed by Stripe/PayPal per their own retention policies |
Upon account deletion or termination, we will delete or anonymise your personal data within the above timeframes, subject to any legal retention obligations. You may request early deletion subject to Section J.
I. Security
Distrio implements appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, or alteration. These measures include:
- Encryption in transit using TLS for all data transmitted between your browser and our servers
- Encryption at rest for sensitive data stored in Supabase and Cloudflare R2
- Row-level security (RLS) policies in Supabase to enforce data isolation between accounts
- Authentication via Supabase Auth with secure session token management; OAuth via Google where elected
- Access controls limiting internal access to personal data on a need-to-know basis
- Automated backup and recovery capabilities provided by Supabase
- Periodic review of security configurations and third-party provider security posture
No method of transmission over the internet or electronic storage is completely secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security. In the event of a personal data breach, Distrio will comply with applicable notification obligations under Art. 33–34 GDPR.
J. Your Rights as a Data Subject
Under the GDPR, you have the following rights with respect to your personal data. To exercise any of these rights, please contact us at privacy@distrio.io:
J.1 Right of Access (Art. 15 GDPR)
You have the right to obtain confirmation of whether we process personal data about you, and if so, to receive a copy of that data along with information about the processing.
J.2 Right to Rectification (Art. 16 GDPR)
You have the right to request correction of inaccurate personal data or completion of incomplete data.
J.3 Right to Erasure (Art. 17 GDPR)
You have the right to request deletion of your personal data where the data is no longer necessary, where you withdraw consent (if consent was the legal basis), or where there is no overriding legitimate interest in continued processing. This right is subject to statutory retention obligations.
J.4 Right to Restriction of Processing (Art. 18 GDPR)
You have the right to request that we restrict the processing of your personal data in certain circumstances, for example where you contest the accuracy of the data or have objected to processing.
J.5 Right to Data Portability (Art. 20 GDPR)
Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to have it transmitted to another controller where technically feasible.
J.6 Right to Object (Art. 21 GDPR)
Where processing is based on our legitimate interests (Art. 6(1)(f) GDPR), you have the right to object to that processing on grounds relating to your particular situation. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, or processing is necessary for legal claims.
J.7 Right to Withdraw Consent (Art. 7(3) GDPR)
Where processing is based on your consent, you have the right to withdraw that consent at any time with effect for the future. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
We will respond to requests within one month of receipt. In complex cases, we may extend this period by a further two months, with prior notification.
K. Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority if you believe that our processing of your personal data violates applicable data protection law. The competent supervisory authority for Distrio is:
| Authority | Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg (LfDI BW) |
| Website | www.baden-wuerttemberg.datenschutz.de |
| Email | poststelle@lfdi.bwl.de |
You may also lodge a complaint with the supervisory authority in your country of residence or place of work within the EEA.
L. Changes to This Privacy Policy
Distrio reserves the right to update this Privacy Policy from time to time to reflect changes in our practices, service features, or legal obligations. We will notify registered users of material changes by email or by a prominent notice within the platform.
The updated Privacy Policy will indicate the new effective date at the top of the document. For non-material changes (such as clarifications or typographical corrections), we may update the policy without individual notification. We encourage you to review this policy periodically.
Continued use of the Service after a change has taken effect constitutes acceptance of the updated Privacy Policy, to the extent permitted by applicable law.
M. Contact
For any questions, requests, or concerns regarding this Privacy Policy or the processing of your personal data, please contact:
| Privacy email | privacy@distrio.co |
| General email | contact@distrio.co |
| Postal address | [To be updated upon formal registration] |
We aim to respond to all privacy-related enquiries within 30 days of receipt.