PRIVACY POLICY

Effective Date: 15 February 2026 | Last Updated: 15 February 2026

1. INTRODUCTION

Signalised ("we", "us", "our") is a service owned and operated by AMcC London Limited, a company registered in England and Wales under company number 16703011, with its registered office at 128 City Road, London, EC1V 2NX.

We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).

This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use the Signalised platform (the "Service").

Data Controller: AMcC London Limited is the "Data Controller" for the personal data you provide to us.

Data Protection Officer (DPO): Alex McCloy (hello@amcc.co)

2. PERSONAL DATA WE COLLECT

We collect data in two ways: data you provide directly, and data we collect automatically or from third parties.

2.1 Data You Provide

Account Data: Full name, email address, password (hashed), job title, and organisation name.
Billing Data: If you subscribe to a paid tier, our payment processor (Stripe) collects your payment method details and billing address. We do not store raw credit card numbers.
Input Data: The artist names, Spotify URIs, or other identifiers you input for scanning.

2.2 Data Collected Automatically

Usage Data: IP address, browser type, device information, operating system, and pages visited.
Authentication Logs: Sign-in times and IP addresses (via Supabase Auth) for security monitoring.

2.3 Data from Third-Party Sources (Article 14 Notice)

To provide our intelligence reports, we aggregate Public Professional Information regarding artists from third-party APIs. While this is primarily business data, it may constitute personal data under GDPR if it relates to an identifiable living individual.

Sources include:

Music Platforms: Spotify, Apple Music, YouTube (via APIs).
Data Aggregators: Soundcharts.
Metadata Repositories: MusicBrainz, Wikidata.
Social Media: Public Instagram and TikTok engagement metrics.

Note: We do not access private user accounts on these platforms. We only access publicly available metrics (e.g., follower counts, stream counts).

3. HOW WE USE YOUR DATA (LEGAL BASIS)

Under UK GDPR, we must have a lawful basis for processing your data. We rely on the following:

Purpose	Data Category	Legal Basis
To provide the Service (Logins, scanning, dashboards)	Account Data	Contract (Performance of Terms)
To process payments	Billing Data	Contract
To generate AI strategic advice	Input Data	Legitimate Interest (Providing business utility)
To fetch Third-Party Artist Data	Artist Data	Legitimate Interest (Public availability of professional data)
To ensure security & fraud prevention	Usage Logs, IP	Legal Obligation & Legitimate Interest
To send transactional emails (Invoices, password resets)	Email	Contract
To send marketing updates	Email	Consent (You may opt-out anytime)

4. SHARING YOUR DATA (SUB-PROCESSORS)

We generally do not share your personal data with third parties. However, we use trusted third-party service providers ("Sub-Processors") to operate our infrastructure. By using the Service, you acknowledge that data may be processed by:

Infrastructure & Hosting:

Vercel: Application hosting (Servers in US/Global).
Supabase: Database hosting and authentication (Data stored in UK/EU Clusters where possible).

Artificial Intelligence (AI):

OpenAI / Google / Anthropic: To generate the "AI Strategist" reports, non-identifiable artist metrics are sent to these LLM providers for processing.

Data Partners:

Soundcharts / Spotify: API requests may be sent to these providers to fetch data.

Payments:

Stripe: To process subscriptions and tax compliance.

We verify that all sub-processors have robust security measures in place. We do not sell your data to advertisers.

5. INTERNATIONAL DATA TRANSFERS

Some of our sub-processors (e.g., Vercel, Stripe, OpenAI) are located in the United States.

When we transfer data outside the UK or EEA, we ensure it is protected by:

The UK Extension to the EU-US Data Privacy Framework (where the provider is certified); or
Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner’s Office (ICO).

6. DATA RETENTION

We retain your personal data only as long as necessary:

Active AccountsDuration of subscription + 12 months

Artist Scan DataCached temporarily or stored up to 5 years for historical trending.

Billing Data6 years + current year (UK HMRC tax laws)

Anonymised LogsAccount deleted immediately; usage logs anonymised after 2 years.

Spotify Data: Specific data cached from Spotify is retained strictly in accordance with the Spotify Developer Policy and is not stored permanently if it violates their terms.

7. YOUR RIGHTS

Under the UK GDPR, you have the following rights:

Right of Access: You can request a copy of the personal data we hold about you.
Right to Rectification: You can correct inaccurate or incomplete data.
Right to Erasure ("Right to be Forgotten"): You can ask us to delete your account and data.
Right to Restriction: You can ask us to pause processing your data.
Right to Object: You can object to our processing (e.g., opt-out of marketing).
Right to Portability: You can request your data in a structured, machine-readable format.

To exercise these rights, email: hello@amcc.co

We will respond within one calendar month.

8. SECURITY & COOKIES

We implement industry-standard security measures including TLS/SSL encryption and AES-256 for data at rest. Access control via Row Level Security (RLS) ensures data isolation.

Cookies: We use only Strictly Essential Cookies necessary for the operation of the Service (e.g., keeping you logged in via Supabase Auth). We do not use third-party tracking or advertising cookies.

9. CONTACT

AMcC London Limited
128 City Road, London, EC1V 2NX
Email: hello@amcc.co