/ LEGAL · PRIVACY · UPDATED 2026-06

Privacy.

A plain-English account of what data we hold, why, how it's protected, and — importantly — how and when it is processed by AI providers to power the features you use. The controller of record is BAKERY, registered in the United Kingdom.

1. What we collect

We collect account data (your email, display name, hashed password, optional 2FA secret) and workspace data — everything you create inside the app. Workspace data includes, depending on which modules you use:

  • CRM & audiences — the fans, industry contacts and network artists you add or capture, together with their email/handles, location, tags, private notes, engagement touchpoints, scores and segments.
  • Catalogue & creative — music works, releases, content drafts, Brand DNA, pages/smart-links and their analytics.
  • Operations — projects, tasks, calendar, documents and uploaded files.
  • Communications — messages sent and received through the unified inbox (email and connected social channels), and the email you send to fans through the app.
  • AI conversations — your chats with ARTIE and other AI features, retained so you can resume them across your devices.

We do not collect biometric data, and we run no third-party advertising trackers on the marketing site or inside the app. Where you connect a third-party account (e.g. a social platform or mailbox), we process the data that integration returns to operate the feature you enabled.

2. Why we hold it

We hold account data so you can sign in, and workspace data so the system can function — every module depends on the same shared spine. Our lawful basis is contract performance (you signed up to use the service) and legitimate interest (running the service securely and improving it). Where you build an audience in the CRM, you are the controller of that audience data and confirm you have a lawful basis to hold it; we process it as your processor to provide the service.

3. AI & LLM processing

ArtistOS uses artificial intelligence throughout — the ARTIE assistant, AI employees, content and page generation, document classification, engagement scoring and similar features. To deliver these, relevant content is sent to third-party AI/LLM providers for processing. You should read this section carefully.

  • Who processes it. We use AI providers including OpenAI, Anthropic and OpenRouter (a router that can reach multiple underlying model providers), and we may add others over time. The current list is maintained in §5.
  • What is sent. Only the content needed to fulfil the specific request — for example, the messages in your AI conversation plus any workspace records you reference. This can include the audiences and contacts you build in the CRM when you ask AI to act on or about a fan, contact or segment (e.g. "draft a note to this fan" or "summarise this contact"). It does not include your password or 2FA secret.
  • No training on your data. The providers we use do not use data submitted through their APIs to train their models, per their API terms, and we do not authorise any such training. Where a router (OpenRouter) can reach multiple providers, we prefer routes that honour no-training and minimal-retention policies.
  • Provider retention. Providers may retain submitted content transiently for abuse-monitoring and safety purposes under their own policies (typically up to ~30 days) and then delete it. We do not control and are not responsible for a provider's internal handling beyond the contractual terms we hold with them.
  • Our own logging. We keep an internal, access-controlled record of AI requests and responses (encrypted at rest) for safety, debugging and abuse-prevention. These records are pruned on a rolling retention window (currently 90 days).
  • AI can be wrong. AI output is generated and may be inaccurate. You are responsible for reviewing AI-drafted content — especially anything sent to a fan or contact — before you act on it. AI features are tools, not professional, legal or financial advice.

4. How it's protected

  • All connections are TLS-encrypted (Let's Encrypt).
  • Passwords are hashed with the framework default (bcrypt-class, never reversible).
  • Sensitive content — chat messages, AI conversations, and stored secrets such as 2FA and integration credentials — is encrypted at rest with authenticated encryption (AEAD) using a server-side key held outside the deployed source tree.
  • Database access is restricted to the application and the operator (BAKERY); Postgres listens on localhost + private network only, never the public internet.
  • Every workspace is tenancy-isolated: your data is scoped to your workspace and not visible to other customers.

5. Sub-processors

ArtistOS runs on infrastructure operated by TechDyn / Techster Dynamics (UK). For AI features we use the following AI sub-processors: OpenAI (OpenAI, L.L.C. / OpenAI Ireland), Anthropic (Anthropic PBC), and OpenRouter (which routes requests to multiple downstream model providers under its own data policies). Mail delivery, payment processing and analytics — when we add them — will be enumerated here with their data-processing agreements. We will update this list before relying on a new AI provider for your data.

6. International transfers

Some AI providers process data outside the UK/EU (for example, in the United States). Where your data is transferred internationally, we rely on the provider's data-processing agreement and appropriate safeguards (such as Standard Contractual Clauses or an equivalent transfer mechanism) to protect it. If you do not want any content processed by an AI provider, do not use AI features.

7. Retention

We hold workspace data while your account is active. AI request/response logs and high-volume behaviour logs are pruned on a rolling window (currently 90 days). On account closure we provide a full export on request and delete your workspace within 30 days, save where we must retain limited records to meet a legal obligation.

8. Your rights

You have the right to access, correct, export, restrict processing of, or delete your data. Email privacy@bakery.co from your registered address; we action requests within 30 days. If you build an audience in the CRM, you are responsible for honouring the rights of the individuals in it, and we will help you export or delete their records on request.

9. Cookies

The marketing surface sets no cookies of its own. The app sets a first-party session cookie, an opt-in remember-me cookie, and a CSRF-protection cookie. All are first-party, secured, and short-lived. We use no advertising or cross-site tracking cookies.

10. Changes

We will notify active users by email if we materially change this policy — including any change to the AI providers that process your data. The "updated" date at the top of this page is canonical.