/ LEGAL · PRIVACY · UPDATED 2026-05

Privacy.

A short, plain-English summary of what data we hold, why, and how it's protected. The full controller of record is BAKERY, registered in the United Kingdom.

1. What we collect

We collect two kinds of data: account data (your email, display name, hashed password, optional 2FA secret) and workspace data (everything you create inside the app — catalogue records, fans, content drafts, brand DNA, project tasks).

We do not collect biometric data. We do not run third-party advertising trackers on the marketing surface or inside the app.

2. Why we hold it

We hold account data so you can sign in. We hold workspace data so the system can function — every module from CRM to Release System depends on the same spine. The lawful bases are contract performance (you signed up to use the service) and legitimate interest (running the service securely and improving it).

3. How it's protected

  • All connections are TLS-encrypted (Let's Encrypt R13).
  • Passwords are hashed with the framework default (bcrypt-class, never reversible).
  • 2FA secrets are encrypted at rest with XChaCha20-Poly1305 using a server-side key (KEK) stored outside the deployed source tree.
  • Database access is restricted to the application user and the operator (BAKERY). Postgres listens on localhost + ZeroTier only — never the public internet.

4. Sub-processors

ArtistOS runs on infrastructure operated by TechDyn / Techster Dynamics (UK). Mail delivery, payment processing, and analytics — when we add them — will be enumerated here with their respective data-processing agreements.

5. Your rights

You have the right to access, correct, export, restrict processing of, or delete your data. Email privacy@bakery.co from your registered address. We action requests within 30 days.

6. Cookies

The marketing surface sets no cookies of its own. The app sets a session cookie (MOCKSESSID / PHPSESSID) and an opt-in remember-me cookie. Both are first-party, secured, and short-lived.

7. Changes

We will notify all active users by email if we materially change this policy. The "updated" date at the top of this page is canonical.