Privacy Policy
Last updated: 11 July 2026
Effective date: 11 July 2026
1. Who we are
Backline is a business-to-business (B2B) analytics platform for the music industry. It aggregates data from third-party sources on behalf of music managers and labels ("Clients") and surfaces insights, suggestions, and AI-assisted analytics for the artists and projects they manage.
This policy is issued by Backline Limited ("Backline", "we", "us", "our"), a company registered in England and Wales (company number 16268720) with registered office at 5-11 Millbay Road, Plymouth, PL1 3LF.
We are a UK-based business serving Clients worldwide. We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, and our lead supervisory authority is the UK Information Commissioner's Office (ICO). Where a Client or data subject is located elsewhere, additional local data-protection laws may also apply to that Client's data.
For questions about this policy or how we handle personal data, contact us at ds@backlineagency.co.uk.
2. Our role: controller vs. processor
Data-protection law distinguishes between a controller (who decides why and how personal data is processed) and a processor (who processes it on a controller's behalf). Backline acts in both roles depending on the data:
- As a controller — for the personal data of the people who hold Backline accounts (managers, label staff, and our own administrators). We decide how account, authentication, and platform-usage data are handled.
- As a processor — for the analytics and audience data we ingest from third-party platforms on a Client's behalf (for example streaming, social, advertising, and website analytics tied to a Client's artists). The Client is the controller of that data; we process it under our agreement with them and only on their instructions.
Where we act as a processor, the Client's own privacy notice governs the underlying data subjects (e.g. their fans and audiences), and this policy describes the safeguards we apply as their processor.
3. Information we collect
3.1 Account and identity data (controller)
When an administrator invites a user, and as that user uses the platform, we process:
- Name and email address
- Authentication credentials and session tokens (managed by our authentication provider, Supabase Auth)
- Profile settings and preferences
- The Clients (artists/projects) a user is authorised to access
- Notes, suggestions, comments, @mentions, reactions, and notifications the user creates in the platform
Backline is invite-only. There is no public self-service sign-up; accounts are created only when an administrator invites a user by email.
3.2 Client and project data (processor)
For each managed Client we hold configuration and reference data, including artist/project records, linked platform identifiers, and the credentials or access grants needed to retrieve that Client's analytics.
3.3 Analytics data ingested from third parties (processor)
On a Client's behalf we retrieve and store analytics from the integrations the Client has connected:
- Streaming and audience data (via Songstats) — track and catalogue statistics, and audience geography such as listener counts by city and country. This is aggregated audience data, not data about identifiable individual listeners.
- Social data (via Meta / Facebook & Instagram) — Page and account follower counts, post engagement, and recent post metrics for accounts the Client has connected.
- Advertising data (via Meta Ads and Google Ads) — campaign-level performance metrics for ad accounts to which the Client has granted Backline read-only access.
- Website/product analytics (via Amplitude) — event and usage metrics from the Client's own Amplitude project.
- Commerce data (via Shopify, where connected) — order and store metrics.
3.4 Smart-link and fan-interaction data
Backline hosts "smart links" — public landing pages that route fans to streaming platforms. When a fan clicks a smart link, we record non-identifying interaction data only:
- Destination platform selected
- Country (derived from network-edge headers)
- Device type and operating system (derived from the browser's User-Agent)
- Timestamp
We do not store fan personal data or personally identifiable information (PII) in smart-link records. We do not store fan IP addresses, names, or email addresses in these records. (If a Client later enables optional email capture for their own CRM, any such emails are passed directly to the Client's chosen CRM and are not stored by Backline — this feature is off unless a Client explicitly enables it.)
3.5 AI chat content
Backline offers an AI assistant ("Ask Backline AI"). When a user interacts with it, we process the messages exchanged and the Client analytics context needed to answer, and we store the conversation history so users can return to it. AI responses are generated using the Anthropic Claude API.
3.6 Technical and usage data
Like most web platforms, we automatically process technical data required to operate and secure the service — for example log data, approximate location derived from network headers, and strictly necessary cookies/session storage used to keep users signed in.
4. Integration credentials and access grants
To retrieve a Client's analytics we hold, per Client, the credentials or access grants for the platforms they connect:
- API keys / secret keys (e.g. Amplitude, Songstats, Shopify), stored server-side.
- OAuth tokens (e.g. Meta/Facebook), stored server-side.
- Read-only access grants for advertising accounts (Meta Business Manager partner access, Google Ads account links). For advertising, Backline never collects Client logins or passwords — access is granted by the Client to Backline's own business accounts.
Credential secrets are handled server-side only and are never returned to the browser; where the platform displays credential status, secret values are masked. We never expose or log raw API keys, secret keys, or tokens.
5. How we use information and our legal bases
We use the information above to:
| Purpose | Legal basis (UK GDPR) |
|---|---|
| Provide, operate, and maintain the platform and its features | Performance of a contract |
| Authenticate users and secure accounts (invite-only access) | Performance of a contract; legitimate interests (security) |
| Retrieve, aggregate, and display Client analytics and insights | Performance of a contract (as processor, on Client instructions) |
| Generate AI-assisted insights and answers | Performance of a contract; legitimate interests |
| Send in-app and email notifications relevant to a user's work | Performance of a contract; legitimate interests |
| Monitor, debug, and improve the platform | Legitimate interests |
| Comply with legal obligations | Legal obligation |
Where we act as a processor for Client analytics data, the Client is responsible for establishing the legal basis for that underlying processing.
6. Third-party services and sub-processors
We rely on the following categories of service providers, who process personal data on our behalf or as independent controllers for their own services. Data is shared with them only to the extent needed to deliver the platform.
| Provider | Purpose |
|---|---|
| Supabase | Database, authentication, and file storage |
| Vercel | Application hosting and serverless/cron execution |
| Anthropic (Claude API) | AI assistant responses |
| Amplitude | Client website/product analytics (per Client's own project) |
| Meta Platforms | Social (Facebook/Instagram) and Meta Ads data |
| Google (Google Ads) | Advertising campaign metrics |
| Songstats | Streaming and audience geography data |
| Shopify | Commerce/order data, where a Client connects a store |
We do not sell personal data. We do not use Client analytics data or fan-interaction data to build advertising profiles.
7. AI processing
AI-assisted features send the relevant conversation and the Client analytics context required to answer to the Anthropic Claude API. We do not use these interactions to train third-party foundation models, and our use of the Anthropic API is governed by Anthropic's applicable terms. AI-generated content is sanitised before display and should be treated as analytical assistance, not professional advice.
8. International transfers
As a UK business with Clients and providers around the world, personal data we process is transferred internationally — both from the UK to our service providers and, for globally-distributed Clients, into the UK. Where we transfer personal data outside the UK to a country not covered by UK "adequacy" regulations, we rely on an appropriate safeguard, in practice the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, together with any supplementary measures needed to protect the data. Our primary data hosting region is EU.
You can request information about the safeguards applying to a specific transfer by contacting us at the address in Section 14.
9. Data retention
- Account data is retained for as long as the account is active and for a reasonable period afterward to meet legal, security, and audit needs, then deleted or anonymised.
- Client analytics data is retained for the duration of our agreement with the Client and deleted or returned on termination in accordance with that agreement.
- Smart-link interaction records contain no personal data and are retained in aggregate for analytics.
- Single-use tokens (e.g. connect links and page-picker sessions) expire automatically and are deleted after use or expiry.
- AI chat history is retained until deleted by the user or the associated Client relationship ends.
10. Security
We apply technical and organisational measures appropriate to the risk, including:
- Row-Level Security and role-based access controls so users only see Clients they are authorised for.
- Server-side-only handling of credentials and secrets, with masking in any UI and no secret logging.
- Encrypted transport (HTTPS) and encryption at rest through our infrastructure providers.
- Invite-only account provisioning with email confirmation and authentication rate limiting.
- Least-privilege service access and single-use, expiring tokens for sensitive public flows.
No system is perfectly secure, but we work to protect personal data and to notify affected parties and regulators of qualifying breaches as required by law.
11. Your rights
Under the UK GDPR you have the following rights. Clients and data subjects located outside the UK may also have equivalent or additional rights under their own local laws (for example the EU GDPR, or US state laws such as the CCPA/CPRA), which we will honour where applicable:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your data ("right to erasure")
- Restrict or object to certain processing
- Data portability
- Withdraw consent where processing relies on consent
- Lodge a complaint with a supervisory authority (in the UK, the Information Commissioner's Office)
To exercise these rights, contact ds@backlineagency.co.uk. If your data is processed by Backline as a processor on behalf of a Client, we will refer your request to the relevant Client (the controller) or act on their instructions.
12. Children
Backline is a B2B tool intended for professional use and is not directed to children. We do not knowingly collect personal data from children. Aggregated audience statistics we process on Clients' behalf do not identify individual audience members.
13. Changes to this policy
We may update this policy from time to time. Material changes will be communicated to account holders, and the "Last updated" date above will change. Continued use of the platform after an update constitutes acceptance of the revised policy.
14. Contact
Backline Limited
5-11 Millbay Road, Plymouth, PL1 3LF
Email: ds@backlineagency.co.uk