tothemixhub
Sign inGet started

Legal

Privacy Policy

Last updated: May 2025

Set NEXT_PUBLIC_LEGAL_* environment variables with your registered entity details before accepting paid traffic. Have a lawyer review this document before launch.

1. Who we are

tothemixhub is operated by Treeline Audio, registered in Ireland, with its registered address at Ireland("tothemixhub", "we", "us", or "our").

We operate the website tothemixhub.com and the associated mix review platform (together, the "Service"). This policy explains how we collect, use, disclose, and protect personal data when you use the Service.

For privacy enquiries, contact us at privacy@tothemixhub.com.

2. Who this policy applies to

This policy applies to two categories of people:

  • Engineers — audio professionals who create an account, upload files, and manage projects.
  • Client reviewers — people invited by an engineer to review and comment on audio. Reviewers do not need an account and are not direct customers of tothemixhub.

3. What data we collect

From engineers (account holders)

  • Name, email address, and organisation name — provided at sign-up
  • Password (stored as a bcrypt hash; we never have access to your plain-text password)
  • Brand settings: brand name, colour, and logo image
  • Payment information — processed by Stripe; we receive only a customer reference ID, not your card details
  • Audio files and project data you upload
  • Storage, bandwidth, playback, and delivery usage metrics

From client reviewers

  • Name, email address, and organisation name — entered when leaving a comment
  • Comments and timestamps you leave on audio tracks
  • IP address or hashed IP address — used for security, abuse prevention, and download records

Client reviewers interact with the platform under the engineer's account. The engineer controls the project and is responsible for having a lawful basis to share the audio with you.

Usage data (all users)

  • Play counts and last-played timestamps per track version
  • Authentication and review-access cookies
  • Workspace preferences stored in your browser, such as theme and dismissed notices
  • Basic performance telemetry from Vercel Speed Insights
  • Standard server logs (IP address, browser, request path, timestamp) retained briefly for security

What we do not collect

We do not use advertising networks, third-party analytics (e.g. Google Analytics), or tracking pixels. We do not sell personal data to any third party.

4. Why we process your data (lawful basis)

PurposeGDPR basis
Provide the Service (account, uploads, review links, comments)Performance of contract
Process subscription payments via StripePerformance of contract
Send transactional emails (share links, comment notifications)Performance of contract
Rate-limit API requests to prevent abuseLegitimate interest
Track play counts, playback analytics, bandwidth metering, and delivery download recordsLegitimate interest
Remember review-password unlocks and workspace preferencesLegitimate interest / strictly necessary storage
Measure site performance and reliabilityLegitimate interest
Comply with legal obligationsLegal obligation
Marketing emails to engineers (if opted in)Consent

5. Sub-processors (who we share data with)

We use the following third-party services to operate the platform. Each processes data on our behalf. The maintained list is published at tothemixhub.com/subprocessors.

Supabase
Database and authentication hosting · AWS us-east-1 (USA)
Cloudflare R2
Audio file object storage · USA / globally distributed CDN
Stripe
Subscription billing and engineer payout processing · USA
Resend
Transactional email delivery · USA
Vercel
Application hosting and performance telemetry · USA / globally distributed infrastructure
Modal
Audio waveform and analysis processing · USA / globally distributed infrastructure

We do not share your personal data with any other third parties except as required by law.

If we transfer data outside the European Economic Area, we rely on the recipient's Standard Contractual Clauses or an equivalent approved transfer mechanism.

6. Cookies

We use only cookies and browser storage needed to provide the Service or remember your preferences. Supabase Auth sets session cookies when you sign in. Password-protected review links may set a short-lived review-access cookie after you enter the correct password. The engineer app may store preferences such as theme choice in local storage.

We do not use advertising cookies or cross-site tracking cookies. We use Vercel Speed Insights to understand aggregate page performance. If we later add non-essential analytics or marketing cookies, we will update this policy and, where required, ask for consent before setting them.

7. Data retention

  • Engineer account data: retained while the account is active and for 30 days after closure, then permanently deleted.
  • Audio files stored in R2: deleted within 30 days of account closure.
  • Client comments and sign-off records: tied to the project they belong to; deleted when the engineer deletes the project.
  • Delivery download events and listen events: retained while the project exists unless deletion is requested and legally permitted.
  • Server logs: retained for up to 90 days for security purposes, then purged.
  • Payment records: retained as required by applicable tax and accounting law (typically 7 years).

8. Your rights

Depending on where you are located, you may have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you
  • Correction — ask us to correct inaccurate data
  • Deletion — ask us to delete your data ("right to be forgotten")
  • Portability — receive your data in a structured, machine-readable format
  • Restriction — ask us to pause processing in certain circumstances
  • Objection — object to processing based on legitimate interest
  • Withdraw consent — where processing is based on consent, withdraw it at any time

To exercise any of these rights, email privacy@tothemixhub.com. We will respond within 30 days. If you are in the EU/UK and believe we have mishandled your data, you have the right to lodge a complaint with your local supervisory authority (e.g. the ICO in the UK, or your national DPA in the EU).

9. California residents (CCPA / CPRA)

We do not sell or share personal information as defined by the California Consumer Privacy Act. California residents may still exercise the rights described in Section 8 by contacting us at privacy@tothemixhub.com.

10. Children

The Service is intended for adults aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, contact us and we will delete it promptly.

11. Security

We apply industry-standard security measures: encrypted connections (HTTPS/TLS), bcrypt password hashing, presigned URLs for file access, and row-level security policies on our database. However, no system is completely secure and we cannot guarantee absolute security.

12. Changes to this policy

We may update this policy from time to time. Material changes will be notified by email to registered engineers at least 14 days before taking effect. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the Service after the effective date constitutes acceptance of the revised policy.

13. Contact

For any privacy-related questions or requests: privacy@tothemixhub.com

Treeline Audio
Ireland
Ireland

Terms of Service·Back to home