This Privacy Policy informs you about the nature, scope, and purpose of the processing of personal data (hereinafter also referred to as "data") within DrumBooth.Live (hereinafter "the Service"). It applies to all processing of personal data carried out by the controller, both in connection with the provision of services and on associated websites and online presences.
1. Controller
13351 Berlin
Germany
Email: pierondrums@proton.me
Phone: +49 1577 5384266
I am the sole controller of all data processed within the Service, within the meaning of Art. 4 (7) GDPR.
2. Overview of Processing Activities
Categories of personal data processed
- Identity and contact data (name, email, phone number)
- Contractual data (project details, agreed services, deadlines, BPM and key information)
- Content data (audio files submitted by you: stems, demos, reference tracks, tempo maps)
- Communication data (messages exchanged before, during, and after a session)
- Live session data (real-time audio and video streams transmitted during a recording session)
- Usage and metadata (IP addresses, timestamps, browser type, server log data)
- Payment data (bank account or PayPal identifiers, transaction records)
Categories of data subjects
- Clients (artists, producers, labels, bands) commissioning recording services
- Visitors to the website and form submission pages
- Participants in live online sessions
Purposes of processing
- Performing the contractual service (preparing and recording remote drum sessions)
- Communicating with you before, during, and after a session
- Invoicing and bookkeeping in compliance with German tax law
- Technical operation and security of the service infrastructure
- Compliance with legal obligations
3. Legal Bases
Personal data is processed on the following legal bases:
- Consent (Art. 6 (1) (a) GDPR) — where you have given specific, informed consent for a defined purpose.
- Performance of a contract or pre-contractual measures (Art. 6 (1) (b) GDPR) — where processing is necessary to deliver the service you have requested or to take steps prior to entering into a contract.
- Legal obligation (Art. 6 (1) (c) GDPR) — where processing is required to comply with statutory obligations (e.g. tax retention under § 147 of the German Fiscal Code, AO).
- Legitimate interests (Art. 6 (1) (f) GDPR) — where processing is necessary for the legitimate interests pursued by the controller, in particular ensuring secure, stable, and well-administered service operations, provided such interests are not overridden by your fundamental rights and freedoms.
In addition to the GDPR, the German Federal Data Protection Act (BDSG) applies as supplementary national law.
4. Security Measures
I implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Art. 32 GDPR. These include in particular:
- TLS/SSL encryption (HTTPS) for all data transmitted between your browser and the service.
- Access controls and authentication for all administrative interfaces.
- Self-hosted infrastructure under direct administrative control, minimising third-party data exposure.
- Regular backups and disaster-recovery procedures.
- Routine security updates of all software components.
5. Data Recipients and Processors
The following third parties may receive or process personal data in connection with the Service. Where applicable, data processing agreements (DPAs) under Art. 28 GDPR have been concluded.
5.1 Hetzner Online GmbH (Hosting)
The service infrastructure (Nextcloud, Jitsi, audio routing) is hosted on virtual servers provided by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. The physical servers used are located in Helsinki, Finland (European Union).
- Role
- Data processor (Art. 28 GDPR)
- Legal basis
- Art. 6 (1) (f) GDPR
- Data location
- Finland (EU/EEA)
- Privacy policy
- hetzner.com/legal/privacy-policy
5.2 Cloudflare, Inc. (DNS and Reverse Proxy)
Cloudflare, Inc. (101 Townsend St, San Francisco, CA 94107, USA) is used as a reverse proxy and DNS provider for certain subdomains of the Service (in particular forms.drumbooth.live). When you access these pages, Cloudflare processes your IP address, connection metadata, and request headers for the purposes of content delivery, traffic routing, and protection against denial-of-service attacks.
- Role
- Data processor (Art. 28 GDPR)
- Legal basis
- Art. 6 (1) (f) GDPR
- Data location
- United States (with global edge network)
- International transfer
- EU-US Data Privacy Framework (DPF). Cloudflare is DPF-certified.
- Privacy policy
- cloudflare.com/privacypolicy
5.3 8x8, Inc. (Jitsi STUN Server)
For live online sessions, the Service runs a self-hosted Jitsi Meet instance. To enable peer-to-peer audio and video connections through NAT and firewalls, the Jitsi client uses the public STUN server meet-jit-si-turnrelay.jitsi.net, operated by 8x8, Inc. (675 Creekside Way, Campbell, CA 95008, USA). The STUN server briefly receives your IP address solely for the purpose of establishing the connection. No audio, video, or content data is processed by 8x8.
- Role
- Third-party service provider
- Legal basis
- Art. 6 (1) (f) GDPR (necessary for live session operation)
- Data location
- United States
- International transfer
- Data Privacy Framework (DPF). 8x8 is DPF-certified.
- Privacy policy
- 8x8.com/privacy-policy
5.4 Proton AG (Email)
Email communication with clients is handled via Proton Mail, operated by Proton AG, Route de la Galaise 32, 1228 Plan-les-Ouates, Switzerland.
- Role
- Data processor for transmitted email content
- Legal basis
- Art. 6 (1) (b) GDPR
- Data location
- Switzerland
- International transfer
- EU Commission Adequacy Decision for Switzerland.
- Privacy policy
- proton.me/legal/privacy
5.5 PayPal (Payment Processing — when used)
Where you choose to pay via PayPal, payment data is processed by PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg.
- Role
- Independent controller for payment processing
- Legal basis
- Art. 6 (1) (b) GDPR
- Privacy policy
- paypal.com/legalhub/privacy-full
5.6 Google LLC (Google Fonts)
Web fonts used on form pages may be loaded from Google Fonts (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland). When a form page is loaded, your browser may transmit your IP address, browser type, and operating system to Google servers in order to retrieve the font files.
- Role
- Third-party service provider
- Legal basis
- Art. 6 (1) (f) GDPR
- Data location
- United States (Google operates globally)
- International transfer
- Data Privacy Framework (DPF). Google LLC is DPF-certified.
- Privacy policy
- policies.google.com/privacy
6. International Data Transfers
Some of the recipients listed above are located outside the European Union/European Economic Area, in particular in the United States. For transfers to the United States, I rely primarily on the EU-US Data Privacy Framework (DPF), as recognised by the EU Commission's adequacy decision of 10 July 2023. Where additional safeguards are appropriate, I rely on Standard Contractual Clauses (SCCs) approved by the EU Commission. For transfers to Switzerland, the adequacy decision of the EU Commission applies.
You can find more information on the Data Privacy Framework at dataprivacyframework.gov.
7. Specific Processing Activities
7.1 Booking Forms (forms.drumbooth.live)
When you submit a booking form, the following data is collected and processed:
- Name, email address, phone number (if provided)
- Artist or project name and project description
- Genre, tempo, key, and reference tracks
- Audio files you choose to upload (stems, demos, tempo maps, click tracks)
- Submission date and time
- IP address (logged by the underlying Nextcloud Forms application)
Purpose: To prepare and deliver the requested recording service.
Legal basis: Art. 6 (1) (b) GDPR (pre-contractual measures and performance of contract).
Retention: Form submissions and uploaded files are retained for a maximum of 180 days after delivery of the final recording, unless a longer period is required to perform the contract, defend legal claims, or meet statutory retention obligations (commercial and tax law, typically up to 10 years for invoices and accounting records). After this period, audio files and form data are securely deleted.
Use of uploaded audio files: Audio files you upload are used exclusively for the purpose of preparing and performing the booked recording session. They are not used for portfolio promotion, training of AI models, sharing with third parties, or any other purpose without your separate, explicit consent.
7.2 Live Recording Sessions (session.drumbooth.live)
During a live online session, audio and (optionally) video streams are exchanged between you and the controller in real time. This processing involves:
- Real-time audio and video transmission via the self-hosted Jitsi Meet instance
- Connection metadata (IP address, session identifiers, timestamps)
- Optionally, the recording of the audio output (drum performance) on the controller's side, as the deliverable of the service
- Use of the public STUN server operated by 8x8, Inc. (see section 5.3)
Purpose: Performance of the booked recording service.
Legal basis: Art. 6 (1) (b) GDPR.
Recording: Sessions are not recorded by default beyond the drum audio that constitutes the deliverable. If recording of the full session (e.g. for archival or reference purposes) is desired, your explicit consent will be obtained beforehand.
Retention: Recordings produced during the session are retained as set out in section 7.1.
7.3 Reaper Web Control
During a session, the controller may grant clients limited remote access to a Reaper Web Control interface hosted on the same infrastructure (daw.drumbooth.live), enabling clients to monitor and interact with the recording in progress. Access is session-bound and revoked at the end of the session. No personal data is stored by this interface beyond standard server log data.
Legal basis: Art. 6 (1) (b) GDPR.
7.4 General Website Visits and Server Logs
When you visit any DrumBooth.Live page, the following technical data is automatically logged by the web server:
- IP address
- Date and time of access
- Page or resource requested
- HTTP response status
- Browser type, version, and operating system
- Referring URL
Purpose: To ensure security, stability, and proper functioning of the Service.
Legal basis: Art. 6 (1) (f) GDPR.
Retention: Server logs are retained for a maximum of 30 days, after which they are automatically deleted or anonymised, unless specific log entries are required to investigate a security incident or legal claim.
7.5 Cookies
The Service uses only strictly necessary cookies that are required for the technical operation of the platform (e.g. session cookies for the Nextcloud login). No tracking, analytics, or advertising cookies are used. Strictly necessary cookies do not require consent under § 25 (2) TTDSG and are processed on the basis of Art. 6 (1) (f) GDPR.
If at any time in the future non-essential cookies are introduced, a consent banner will be implemented and your prior consent will be obtained in accordance with § 25 (1) TTDSG.
8. Retention and Deletion
| Category of data | Retention period |
|---|---|
| Form submission data and uploaded audio files | 180 days after delivery |
| Recordings (drum audio deliverable) | 180 days after delivery |
| Session metadata (Jitsi connection logs) | 30 days |
| Server logs | 30 days |
| Invoices and accounting records | Up to 10 years (statutory) |
| Email communication | Until no longer needed for contract or claims |
Once a retention period expires, data is securely deleted or anonymised, unless a statutory obligation requires longer retention.
9. Your Rights
You have the following rights under the GDPR:
- Right of access (Art. 15 GDPR) — to obtain confirmation of whether your personal data is being processed, and a copy of the data.
- Right to rectification (Art. 16 GDPR) — to have inaccurate data corrected.
- Right to erasure (Art. 17 GDPR) — to have your data deleted, subject to legal exceptions.
- Right to restriction (Art. 18 GDPR) — to restrict processing under certain conditions.
- Right to data portability (Art. 20 GDPR) — to receive your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21 GDPR) — to object to processing based on legitimate interests.
- Right to withdraw consent (Art. 7 (3) GDPR) — at any time, without affecting the lawfulness of past processing.
- Right to lodge a complaint (Art. 77 GDPR) — with a supervisory authority, in particular in the EU Member State of your residence, workplace, or place of the alleged infringement.
The competent supervisory authority for the controller is:
datenschutz-berlin.de
To exercise any of these rights, please write to pierondrums@proton.me.
10. Note for Residents of California, USA
Although California privacy law (CCPA/CPRA) does not formally apply to this Service due to its size and scope, residents of California can rely on the same rights set out above (access, deletion, correction, portability, objection). The Service does not sell personal information to third parties. To exercise any privacy-related right, please write to pierondrums@proton.me.
11. Changes to This Privacy Policy
This Privacy Policy may be updated to reflect changes in legal requirements or in the Service. The current version is always accessible at the canonical URL of this page. Substantial changes will be communicated where required by law.