Privacy policy.
How NJYN collects, uses, and protects personal data. We keep this short, specific, and honest — no dark patterns, no surprises.
- Effective
- 2026‑05‑13
- Last updated
- 2026‑05‑13
- Version
- v1.0
- Controller
- NJYN GmbH, Berlin
Overview
NJYN is a royalty intelligence platform operated by NJYN GmbH("NJYN", "we"). When you use NJYN you trust us with information about you, your music catalog, and your business. This policy explains what we collect, why, and what control you have over it.
This policy applies to njyn.de and music.njyn.de, and to every feature or API offered under those domains. It does not apply to services we link to but do not operate (for example, Spotify).
Data we collect
You give us
- Account data. Name, email, password (hashed), role (admin, manager, artist, or pending), and the artist you are linked to.
- Catalog data. Artists, songs, ISRCs imported from Spotify, role mappings (performer / songwriter / producer), and royalty arrangements.
- Entity data. Rights holders and royalty recipients you create — legal entity name, billing address, VAT ID, contact email, bank details (where you choose to store them).
- Statement data. Royalty statements you record, their line items, currencies, and any documents you upload.
We collect automatically
- Audit trails. Who changed which entity, when. Used only to investigate disputes and security incidents.
- Server logs. IP address, browser, request paths, and timestamps generated by our hosting provider, used to operate and secure the service.
- Cookies. See our cookie information for the full list. As of today we only set a single session cookie.
We receive from third parties
- Spotify Web API — song metadata and artist identifiers for the artists you choose to import.
How we use your data
We use personal data only for the purposes described here:
- Run the service — keep your account working, sync your catalog, ingest statements, raise alerts for missing income.
- Detect anomalies — automated sanity checks compare statements against your catalog. The results are advisory and visible only to your team.
- Support you — answer questions, investigate issues, restore data on request.
- Secure the service — audit logs, RLS, role-based access control, rate limits.
- Comply with the law — respond to lawful requests, keep statutory records, prevent fraud.
We do not use your catalog or statement data to train machine-learning models, and we do not sell personal data. Ever.
Legal basis (GDPR)
Under the GDPR we process personal data on one of four legal bases:
- Contract — to provide the service you signed up for (Art. 6(1)(b) GDPR).
- Legal obligation — to comply with tax, accounting, and anti-money-laundering law (Art. 6(1)(c) GDPR).
- Legitimate interest — to secure the service, prevent fraud, and improve product features (Art. 6(1)(f) GDPR). You can object at any time.
- Consent — for any non-essential cookies or marketing email. None are currently set. You may withdraw consent at any time without affecting prior processing (Art. 6(1)(a) GDPR).
Data retention
We keep personal data only as long as we need it for the purpose it was collected, then delete or anonymize it. Specifically:
- Account data — for the lifetime of your account, plus 30 days after closure for re-activation.
- Catalog & entity data — for the lifetime of your account. Exportable on request before deletion.
- Statements — up to 10 years, as required by German commercial and tax law (§ 257 HGB, § 147 AO).
- Audit logs — for the lifetime of the related entity, then 24 months after deletion as a security record.
- Server logs— per our hosting provider's default, typically short.
International transfers
Data is primarily stored within the European Union (Frankfurt). Some sub-processors (notably the US entities of Vercel and Supabase) may process data outside the EU/EEA. Those transfers rely on EU Standard Contractual Clauses (Commission Decision 2021/914) and supplementary technical safeguards including encryption in transit and at rest.
Your rights
The GDPR gives you these rights over your personal data:
- Access — receive a copy of the data we hold about you (Art. 15).
- Rectification — correct anything inaccurate (Art. 16).
- Erasure — ask us to delete your data, subject to statutory retention (Art. 17).
- Restriction — limit how we process your data while a dispute is resolved (Art. 18).
- Portability — receive your data in a machine-readable format (Art. 20).
- Objection — object to processing based on legitimate interest (Art. 21).
- Withdraw consent — at any time, where processing is based on consent.
You can delete your account yourself under Settings. For other requests email info@njyn.de; we respond within 30 days. You may also complain to the Berlin supervisory authority: Berliner Beauftragte für Datenschutz und Informationsfreiheit.
Security
We protect personal data with measures appropriate to its sensitivity: TLS in transit, AES-256 at rest, encrypted backups, role-based access with row-level security, audit logs, and a written incident-response plan. We notify affected users and the relevant supervisory authority within 72 hours of any qualifying breach.
Automated decision-making
We do not use solely automated decision-making producing legal or similarly significant effects (Art. 22 GDPR). Our missing-income alerts are calculated automatically but are advisory — a person decides whether to act on them.
Changes
When we change this policy materially, we email account owners at least 14 days before the change takes effect and update the "Last updated" date at the top of this page.
Contact
For anything related to this policy or your personal data, the fastest route is info@njyn.de.
- Data controller
- NJYN GmbH
- Address
- Chausseestr. 86, 10115 Berlin, Germany
- Contact
- info@njyn.de
- Supervisory authority
- Berliner Beauftragte für Datenschutz und Informationsfreiheit, datenschutz-berlin.de