
Privacy Policy

Effective date: March 1, 2025  ·  GDPR compliant

This Policy explains how nitimusic.pro collects, uses, stores, and protects your personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable national data protection laws.

1. Data Controller

The data controller for personal data processed through nitimusic.pro is the platform operator ("we", "us", "our"). For all data protection enquiries, please contact: dpo@nitimusic.pro

We are committed to processing your personal data lawfully, fairly, and transparently in accordance with the EU General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, the ePrivacy Directive 2002/58/EC, and applicable national data protection laws.

2. Personal Data We Collect

We collect the following categories of personal data:

Account data: email address, display name, password hash, account creation date, subscription status, subscription plan.

Usage data: IP address, browser type and version, operating system, pages visited, videos streamed (UIDs, not content), download events, timestamps, and referring URLs. Collected automatically via server logs and analytics.

Payment data: payment method type, last 4 digits of card, billing country, transaction IDs. Full card numbers are never stored — they are processed directly by Stripe under their own PCI-DSS compliance.

Communication data: emails you send us, support tickets, and feedback submitted through the Platform.

Technical data: Cloudflare Stream playback tokens (time-limited, scoped to individual sessions); authentication tokens stored in HTTP-only cookies.

4. Purposes of Processing

We use your personal data to: (a) create and manage your account; (b) process payments and manage subscriptions; (c) provide access to streamed and downloadable content; (d) send transactional emails (account confirmations, receipts, security alerts); (e) detect and prevent fraud, abuse, and security incidents; (f) comply with legal obligations; (g) improve Platform performance and functionality through aggregated analytics; (h) respond to support requests.

We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects without your explicit consent.

5. Data Retention

We retain personal data only for as long as necessary for the purposes described in this Policy, or as required by law:

Account data: retained for the duration of your account, plus 3 years after deletion to satisfy legal and contractual obligations.

Payment records: retained for 7 years to comply with EU tax and accounting obligations.

Server logs: retained for 90 days, then deleted or anonymised.

Download and streaming activity: retained for 24 months for fraud prevention and licence compliance.

Support communications: retained for 3 years from resolution.

Upon account deletion, we will delete or anonymise your personal data within 30 days, subject to legal retention requirements.

6. Data Sharing & Third Parties

We do not sell your personal data. We share data only with the following trusted third-party processors, under binding data processing agreements:

Supabase (authentication and database): processes account data and session tokens. Infrastructure located within the EU/EEA or subject to Standard Contractual Clauses (SCCs).

Stripe (payment processing): processes payment data under PCI-DSS Level 1 compliance and their own GDPR-compliant DPA. Stripe acts as an independent data controller for fraud prevention.

Cloudflare (video streaming and CDN): processes access tokens and IP addresses for content delivery and DDoS protection.

Vercel (hosting): processes server-side data for platform deployment. Subject to SCCs for any transfers outside the EEA.

We may also disclose data to: (a) law enforcement or regulators when required by law or court order; (b) professional advisers (legal, financial) under confidentiality obligations; (c) a successor entity in the event of a merger or acquisition, subject to equivalent protections.

7. International Data Transfers

Some of our third-party processors operate in countries outside the European Economic Area (EEA). Where such transfers occur, we ensure they are protected by one of the following mechanisms: (a) an EU adequacy decision under GDPR Article 45; (b) EU Standard Contractual Clauses (Module 2 — Controller to Processor) under GDPR Article 46(2)(c); (c) the EU-US Data Privacy Framework where applicable.

You may request details of the specific transfer mechanisms in place by contacting dpo@nitimusic.pro.

8. Cookies & Tracking Technologies

We use the following cookies and similar technologies:

Strictly necessary cookies: HTTP-only session cookies for authentication. These cannot be disabled as they are essential to Platform operation. Legal basis: legitimate interests / performance of contract.

Analytics cookies: anonymised usage analytics to understand Platform performance. Legal basis: consent. You may withdraw consent at any time via our cookie settings.

We do not use third-party advertising or tracking cookies. We do not participate in cross-site tracking or behavioural advertising.

9. Your Rights Under GDPR

As a data subject in the EU/EEA, you have the following rights under GDPR:

Right of access (Art. 15): you may request a copy of all personal data we hold about you, including information on purposes, categories, recipients, and retention periods.

Right to rectification (Art. 16): you may request correction of inaccurate or incomplete data.

Right to erasure / "right to be forgotten" (Art. 17): you may request deletion of your personal data where it is no longer necessary, or where you withdraw consent and no other legal basis applies.

Right to restriction of processing (Art. 18): you may request that we restrict processing of your data in certain circumstances.

Right to data portability (Art. 20): where processing is based on consent or contract and carried out by automated means, you may request your data in a machine-readable format.

Right to object (Art. 21): you may object to processing based on legitimate interests or for direct marketing purposes at any time.

Right not to be subject to solely automated decisions (Art. 22): you have the right not to be subject to decisions based solely on automated processing that produce significant effects on you.

To exercise any of these rights, contact us at dpo@nitimusic.pro. We will respond within 30 days (extendable by a further 60 days for complex requests, with notice). We may need to verify your identity before processing your request.

You also have the right to lodge a complaint with your national data protection supervisory authority. A list of EU supervisory authorities is available at https://edpb.europa.eu.

10. Security

We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, including: TLS 1.3 encryption in transit; AES-256 encryption at rest; HTTP-only, Secure, SameSite cookies; time-limited signed access tokens for video content; bcrypt password hashing; role-based access controls; regular security reviews.

No method of transmission over the internet is 100% secure. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33/34.

11. Minors

The Platform is not directed at persons under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that we have collected personal data from a minor, we will delete it immediately. If you believe a minor has provided us with personal data, please contact privacy@nitimusic.pro.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or prominent notice on the Platform at least 14 days before they take effect. The "Effective Date" at the top of this Policy reflects the most recent version. We encourage you to review this Policy periodically.

13. Contact & Data Protection Officer

For all data protection enquiries, rights requests, or complaints: dpo@nitimusic.pro

For general privacy questions: privacy@nitimusic.pro

We aim to respond to all data protection enquiries within 5 business days.

Your Rights Summary

Access  ·  Rectification  ·  Erasure  ·  Restriction  ·  Portability  ·  Object  ·  No automated decisions

To exercise any of the above rights, contact dpo@nitimusic.pro. You also have the right to complain to your national supervisory authority: edpb.europa.eu