Backline

Privacy Policy

Last updated: 11 July 2026
Effective date: 11 July 2026

1. Who we are

Backline is a business-to-business (B2B) analytics platform for the music industry. It aggregates data from third-party sources on behalf of music managers and labels ("Clients") and surfaces insights, suggestions, and AI-assisted analytics for the artists and projects they manage.

This policy is issued by Backline Limited ("Backline", "we", "us", "our"), a company registered in England and Wales (company number 16268720) with registered office at 5-11 Millbay Road, Plymouth, PL1 3LF.

We are a UK-based business serving Clients worldwide. We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, and our lead supervisory authority is the UK Information Commissioner's Office (ICO). Where a Client or data subject is located elsewhere, additional local data-protection laws may also apply to that Client's data.

For questions about this policy or how we handle personal data, contact us at ds@backlineagency.co.uk.

2. Our role: controller vs. processor

Data-protection law distinguishes between a controller (who decides why and how personal data is processed) and a processor (who processes it on a controller's behalf). Backline acts in both roles depending on the data:

Where we act as a processor, the Client's own privacy notice governs the underlying data subjects (e.g. their fans and audiences), and this policy describes the safeguards we apply as their processor.

3. Information we collect

3.1 Account and identity data (controller)

When an administrator invites a user, and as that user uses the platform, we process:

Backline is invite-only. There is no public self-service sign-up; accounts are created only when an administrator invites a user by email.

3.2 Client and project data (processor)

For each managed Client we hold configuration and reference data, including artist/project records, linked platform identifiers, and the credentials or access grants needed to retrieve that Client's analytics.

3.3 Analytics data ingested from third parties (processor)

On a Client's behalf we retrieve and store analytics from the integrations the Client has connected:

3.4 Smart-link and fan-interaction data

Backline hosts "smart links" — public landing pages that route fans to streaming platforms. When a fan clicks a smart link, we record non-identifying interaction data only:

We do not store fan personal data or personally identifiable information (PII) in smart-link records. We do not store fan IP addresses, names, or email addresses in these records. (If a Client later enables optional email capture for their own CRM, any such emails are passed directly to the Client's chosen CRM and are not stored by Backline — this feature is off unless a Client explicitly enables it.)

3.5 AI chat content

Backline offers an AI assistant ("Ask Backline AI"). When a user interacts with it, we process the messages exchanged and the Client analytics context needed to answer, and we store the conversation history so users can return to it. AI responses are generated using the Anthropic Claude API.

3.6 Technical and usage data

Like most web platforms, we automatically process technical data required to operate and secure the service — for example log data, approximate location derived from network headers, and strictly necessary cookies/session storage used to keep users signed in.

4. Integration credentials and access grants

To retrieve a Client's analytics we hold, per Client, the credentials or access grants for the platforms they connect:

Credential secrets are handled server-side only and are never returned to the browser; where the platform displays credential status, secret values are masked. We never expose or log raw API keys, secret keys, or tokens.

5. How we use information and our legal bases

We use the information above to:

Purpose Legal basis (UK GDPR)
Provide, operate, and maintain the platform and its features Performance of a contract
Authenticate users and secure accounts (invite-only access) Performance of a contract; legitimate interests (security)
Retrieve, aggregate, and display Client analytics and insights Performance of a contract (as processor, on Client instructions)
Generate AI-assisted insights and answers Performance of a contract; legitimate interests
Send in-app and email notifications relevant to a user's work Performance of a contract; legitimate interests
Monitor, debug, and improve the platform Legitimate interests
Comply with legal obligations Legal obligation

Where we act as a processor for Client analytics data, the Client is responsible for establishing the legal basis for that underlying processing.

6. Third-party services and sub-processors

We rely on the following categories of service providers, who process personal data on our behalf or as independent controllers for their own services. Data is shared with them only to the extent needed to deliver the platform.

Provider Purpose
Supabase Database, authentication, and file storage
Vercel Application hosting and serverless/cron execution
Anthropic (Claude API) AI assistant responses
Amplitude Client website/product analytics (per Client's own project)
Meta Platforms Social (Facebook/Instagram) and Meta Ads data
Google (Google Ads) Advertising campaign metrics
Songstats Streaming and audience geography data
Shopify Commerce/order data, where a Client connects a store

We do not sell personal data. We do not use Client analytics data or fan-interaction data to build advertising profiles.

7. AI processing

AI-assisted features send the relevant conversation and the Client analytics context required to answer to the Anthropic Claude API. We do not use these interactions to train third-party foundation models, and our use of the Anthropic API is governed by Anthropic's applicable terms. AI-generated content is sanitised before display and should be treated as analytical assistance, not professional advice.

8. International transfers

As a UK business with Clients and providers around the world, personal data we process is transferred internationally — both from the UK to our service providers and, for globally-distributed Clients, into the UK. Where we transfer personal data outside the UK to a country not covered by UK "adequacy" regulations, we rely on an appropriate safeguard, in practice the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, together with any supplementary measures needed to protect the data. Our primary data hosting region is EU.

You can request information about the safeguards applying to a specific transfer by contacting us at the address in Section 14.

9. Data retention

10. Security

We apply technical and organisational measures appropriate to the risk, including:

No system is perfectly secure, but we work to protect personal data and to notify affected parties and regulators of qualifying breaches as required by law.

11. Your rights

Under the UK GDPR you have the following rights. Clients and data subjects located outside the UK may also have equivalent or additional rights under their own local laws (for example the EU GDPR, or US state laws such as the CCPA/CPRA), which we will honour where applicable:

To exercise these rights, contact ds@backlineagency.co.uk. If your data is processed by Backline as a processor on behalf of a Client, we will refer your request to the relevant Client (the controller) or act on their instructions.

12. Children

Backline is a B2B tool intended for professional use and is not directed to children. We do not knowingly collect personal data from children. Aggregated audience statistics we process on Clients' behalf do not identify individual audience members.

13. Changes to this policy

We may update this policy from time to time. Material changes will be communicated to account holders, and the "Last updated" date above will change. Continued use of the platform after an update constitutes acceptance of the revised policy.

14. Contact

Backline Limited
5-11 Millbay Road, Plymouth, PL1 3LF
Email: ds@backlineagency.co.uk