Legal

Privacy policy.

How NJYN collects, uses, and protects personal data. We keep this short, specific, and honest — no dark patterns, no surprises.

Effective
2026‑05‑13
Last updated
2026‑05‑13
Version
v1.0
Controller
NJYN GmbH, Berlin

Overview

NJYN is a royalty intelligence platform operated by NJYN GmbH("NJYN", "we"). When you use NJYN you trust us with information about you, your music catalog, and your business. This policy explains what we collect, why, and what control you have over it.

This policy applies to njyn.de and music.njyn.de, and to every feature or API offered under those domains. It does not apply to services we link to but do not operate (for example, Spotify).

Data we collect

You give us

  • Account data. Name, email, password (hashed), role (admin, manager, artist, or pending), and the artist you are linked to.
  • Catalog data. Artists, songs, ISRCs imported from Spotify, role mappings (performer / songwriter / producer), and royalty arrangements.
  • Entity data. Rights holders and royalty recipients you create — legal entity name, billing address, VAT ID, contact email, bank details (where you choose to store them).
  • Statement data. Royalty statements you record, their line items, currencies, and any documents you upload.

We collect automatically

  • Audit trails. Who changed which entity, when. Used only to investigate disputes and security incidents.
  • Server logs. IP address, browser, request paths, and timestamps generated by our hosting provider, used to operate and secure the service.
  • Cookies. See our cookie information for the full list. As of today we only set a single session cookie.

We receive from third parties

  • Spotify Web API — song metadata and artist identifiers for the artists you choose to import.

How we use your data

We use personal data only for the purposes described here:

  • Run the service — keep your account working, sync your catalog, ingest statements, raise alerts for missing income.
  • Detect anomalies — automated sanity checks compare statements against your catalog. The results are advisory and visible only to your team.
  • Support you — answer questions, investigate issues, restore data on request.
  • Secure the service — audit logs, RLS, role-based access control, rate limits.
  • Comply with the law — respond to lawful requests, keep statutory records, prevent fraud.

We do not use your catalog or statement data to train machine-learning models, and we do not sell personal data. Ever.

Sharing & sub-processors

We share data only with vendors that help us operate the service, under written data-processing agreements (Art. 28 GDPR). Current sub-processors:

  • Vercel Inc. (Walnut, CA, USA) — application hosting. EU regions used where available. Cross-border transfers covered by EU Standard Contractual Clauses.
  • Supabase Inc. (Singapore / US entity) — managed Postgres, authentication, file storage. Our project is hosted in the EU (Frankfurt, eu-central-1). Transfers covered by SCCs.
  • Spotify AB (Stockholm, Sweden) — accessed via the public Spotify Web API for catalog imports. We send only the search terms or artist identifiers you provide.
  • sevDesk GmbH (Offenburg, Germany) — invoice and bookkeeping integration, where you choose to enable it.

We notify customers of material sub-processor changes 30 days in advance.

Data retention

We keep personal data only as long as we need it for the purpose it was collected, then delete or anonymize it. Specifically:

  • Account data — for the lifetime of your account, plus 30 days after closure for re-activation.
  • Catalog & entity data — for the lifetime of your account. Exportable on request before deletion.
  • Statements — up to 10 years, as required by German commercial and tax law (§ 257 HGB, § 147 AO).
  • Audit logs — for the lifetime of the related entity, then 24 months after deletion as a security record.
  • Server logs— per our hosting provider's default, typically short.

International transfers

Data is primarily stored within the European Union (Frankfurt). Some sub-processors (notably the US entities of Vercel and Supabase) may process data outside the EU/EEA. Those transfers rely on EU Standard Contractual Clauses (Commission Decision 2021/914) and supplementary technical safeguards including encryption in transit and at rest.

Your rights

The GDPR gives you these rights over your personal data:

  • Access — receive a copy of the data we hold about you (Art. 15).
  • Rectification — correct anything inaccurate (Art. 16).
  • Erasure — ask us to delete your data, subject to statutory retention (Art. 17).
  • Restriction — limit how we process your data while a dispute is resolved (Art. 18).
  • Portability — receive your data in a machine-readable format (Art. 20).
  • Objection — object to processing based on legitimate interest (Art. 21).
  • Withdraw consent — at any time, where processing is based on consent.

You can delete your account yourself under Settings. For other requests email info@njyn.de; we respond within 30 days. You may also complain to the Berlin supervisory authority: Berliner Beauftragte für Datenschutz und Informationsfreiheit.

Security

We protect personal data with measures appropriate to its sensitivity: TLS in transit, AES-256 at rest, encrypted backups, role-based access with row-level security, audit logs, and a written incident-response plan. We notify affected users and the relevant supervisory authority within 72 hours of any qualifying breach.

Automated decision-making

We do not use solely automated decision-making producing legal or similarly significant effects (Art. 22 GDPR). Our missing-income alerts are calculated automatically but are advisory — a person decides whether to act on them.

Changes

When we change this policy materially, we email account owners at least 14 days before the change takes effect and update the "Last updated" date at the top of this page.

Contact

For anything related to this policy or your personal data, the fastest route is info@njyn.de.