Privacy Policy

Last updated: May 9, 2026

1. Introduction

Remy Cooper Music ("we," "us," or "our") operates VAULT, a music organization platform. We are committed to protecting your privacy and handling your personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR) and the Dutch General Data Protection Regulation (AVG).

This Privacy Policy explains how we collect, use, process, and protect your personal data when you use the VAULT platform. By using our Service, you consent to the data practices described in this policy.

We may update this Privacy Policy from time to time. When we make changes, we will update the "Last updated" date and notify you of material changes. Continued use of the Service after changes constitutes acceptance of the updated policy.

2. Data Controller

The data controller responsible for processing your personal data is:

Remy Cooper Music, sole proprietorship registered in the Netherlands
KvK: 61473413
VAT: NL002378599B97
Location: The Netherlands
Email: vault@toolkit.music

Our registered geographic address is on file with the Dutch Chamber of Commerce (KvK) under the registration number above and is available on request. We are not required to appoint a Data Protection Officer under GDPR Art. 37, and we have not voluntarily designated one. As we are established in the EU, we have not appointed an Art. 27 representative.

For any questions about this Privacy Policy or our data practices, please contact us using the information above.

3. Information We Collect

We collect and process the following categories of personal data:

3.1. Account Information

  • Email address (required)
  • Password (hashed and encrypted, required)
  • Name (required)
  • Username (required)
  • Profile picture/avatar (optional)
  • IPI code (optional, for music industry identification)

3.2. Content You Upload

  • Songs, tracks, and audio files
  • Artwork and images
  • Lyrics and text content
  • File attachments
  • Song metadata (title, artist, genre, tags, etc.)
  • Comments and messages

3.3. Usage Information

  • Storage usage data
  • Last login timestamp
  • Onboarding completion status
  • Feature usage patterns

3.4. Payment Information

  • Polar customer ID and billing references
  • Subscription status and plan name
  • Billing information (processed securely by Polar as Merchant of Record, not stored by us)

3.5. Communication Data

  • Email communication history
  • Marketing preferences (opt-in/opt-out)
  • Notification preferences

3.6. Consent Records

  • Terms of Service acceptance timestamp and version
  • Privacy Policy acceptance timestamp and version
  • Cookie consent choices and timestamp (browser-level analytics opt-in/opt-out)

3.7. User Search and Contact Features

  • User searchability preference (whether you allow other users to find you by name, email, or username)
  • Contact information stored by other users when they add you as a contact
  • Collaboration relationships and contact lists

3.8. AI Assistant Inputs (Conductor)

When you use Conductor, our built-in AI assistant (a Pro feature), we collect:

  • The prompts you submit and the conversation history within a session
  • Catalog items, attachments (including images and PDFs), and metadata you reference or that the assistant retrieves on your behalf
  • Token usage and billing telemetry per conversation

We retain conversation history to provide chat continuity. You can delete a conversation at any time, which permanently removes the associated prompts and responses from our active systems.

3.9. MCP Connections

When you connect an external AI client via the Model Context Protocol, we log the identity of the connecting client, the tools invoked, and timestamps for security and abuse-prevention purposes. The actual catalog data returned to the client is not retained by us beyond the request lifecycle, but is received by the AI provider you have connected.

3.10. Technical and Log Data

  • IP address and approximate location derived from it
  • Browser, device, and operating-system information (user agent)
  • Server access logs (request URLs, timestamps, response codes)
  • Session identifiers and security tokens

We use this data to operate the Service, prevent abuse, and protect security. Logs are retained for up to 90 days unless required for an active security investigation.

4. Legal Basis for Processing

We process your personal data based on the following legal grounds under GDPR Article 6:

  • Contract Performance: To provide and maintain the Service, process payments, and fulfill our contractual obligations to you
  • Consent: For marketing communications (you can withdraw consent at any time), and for processing Terms of Service and Privacy Policy acceptance
  • Legitimate Interests: To improve our Service, prevent fraud, ensure security, and send transactional emails necessary for service delivery. User Search and Contact Management: We process user search data based on legitimate interests to enable collaboration and contact management features. Users can opt out at any time in their account settings.
  • Legal Obligation: To comply with applicable laws and regulations, including tax and accounting requirements

5. How We Use Your Information

We use your personal data for the following purposes:

  • To provide, maintain, and improve the VAULT platform
  • To process your account registration and authenticate your identity
  • To store, organize, and make your content accessible to you and authorized collaborators
  • To process payments and manage subscriptions
  • To send transactional emails (welcome emails, collaboration invitations, password resets, etc.)
  • To send marketing communications (only if you have opted in)
  • To enable user search and contact management features for collaboration
  • To respond to your inquiries and provide customer support
  • To ensure security, prevent fraud, and enforce our Terms of Service
  • To comply with legal obligations and resolve disputes
  • To analyze usage patterns and improve our Service

6. Data Sharing and Third-Party Services

We share your personal data with the following third-party service providers to operate the Service:

6.1. Payment Processing

Polar: We use Polar as our Merchant of Record to process payments and manage subscriptions. Polar processes your payment information securely and handles tax collection, invoicing, and compliance. We only receive and store limited billing identifiers and subscription state, not your full payment details. View Polar's Privacy Policy.

6.2. File Storage

Wasabi S3 Storage: Your uploaded files (audio, images, attachments) are stored using Wasabi S3 Storage, a secure cloud storage service. Data is encrypted in transit and at rest. Wasabi provides S3-compatible object storage for your content.

6.3. Authentication

Supabase: We use Supabase for user authentication and session management. View Supabase's Privacy Policy.

6.4. Email Services

Amazon SES: We use Amazon SES to send transactional emails. Your email address is shared with Amazon SES only for the purpose of sending emails related to the Service.

6.5. Database and Server Hosting

Hostinger (VPS): Your account information, metadata, and self-hosted Supabase PostgreSQL database are stored on a Virtual Private Server provided by Hostinger International Ltd. The server is located in the European Union. Hostinger acts as a hosting infrastructure processor.

6.6. Content Delivery Network

Bunny CDN: We use Bunny CDN to deliver your audio, images, and other static assets to listeners with low latency. Files transit through Bunny's global edge network. Bunny acts as a processor and does not use your content for any purpose other than delivery.

6.7. AI Processing (Conductor and MCP)

OpenAI (Conductor, Pro feature): When you use Conductor, our built-in AI assistant, the prompts, conversation history, and any catalog content you reference are sent to OpenAI, L.L.C. (United States) to generate responses. Content is sent only when you actively use the feature, is processed under OpenAI's business-tier data processing agreement, and is not used to train OpenAI's models.

MCP (Bring your own AI, Pro feature): If you connect VAULT to your own AI account (such as ChatGPT, Claude, or a custom agent) via the Model Context Protocol, the AI client you connect will receive the catalog data it requests on your behalf. Once data leaves VAULT through your MCP connection, it is governed by the privacy policy of the AI provider you have chosen to use. We are not responsible for the actions of the AI client you connect.

6.8. Realtime Collaboration

Liveblocks: Collaborative editing features (such as multi-user lyrics or notes) use Liveblocks Inc. (United States) as a realtime synchronization service. Liveblocks receives the document content you and your collaborators are editing in real time. Document content is processed under a data processing agreement and is not used to train models.

6.9. Music Service Integrations

Spotify: If you choose to connect your Spotify account (Pro feature) to sync playlists, we share your VAULT-stored playlist data with Spotify AB (Sweden) and receive playlist data from Spotify on your behalf. We do not share data with Spotify unless you explicitly connect your account, and you can disconnect at any time from your account settings.

6.10. Advertising Measurement

Meta (Facebook): Only after you grant analytics consent through our cookie banner, we share page-view, sign-up, and purchase events with Meta Platforms Ireland Ltd. via Meta Pixel (browser-side) and Meta Conversions API (server-side) to measure advertising performance. This sharing is gated entirely by your consent; if you decline, no data is sent. See our Cookie Policy.

6.11. Mobile Push Notifications

Expo Push (Expo, Inc.): If you install our mobile app and enable push notifications, your device push token is shared with Expo, Inc. (United States) and forwarded to Apple Push Notification service or Firebase Cloud Messaging (Google) to deliver notifications to your device.

6.12. Subprocessor Changes

When we engage a new sub-processor that processes personal data, we will update this list at least 14 days before the new sub-processor begins processing. If you object, you may terminate your subscription and request a pro-rata refund of any unused prepaid period in accordance with our Refund Policy.

6.13. AI Training Commitment

We do not use your content, prompts, or any data you submit to VAULT to train artificial intelligence or machine-learning models, and we contractually require our AI sub-processors to do the same.

6.14. Other Sharing

We may share your data in the following circumstances:

  • With users you explicitly share content with through collaboration features
  • If required by law or legal process
  • To protect our rights, property, or safety, or that of our users
  • In connection with a business transfer (merger, acquisition, etc.)

7. International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States, where our third-party service providers are located.

We ensure that such transfers comply with GDPR requirements by:

  • Using service providers that are certified under appropriate frameworks (e.g., EU-U.S. Data Privacy Framework)
  • Implementing Standard Contractual Clauses (SCCs) where applicable
  • Ensuring adequate data protection measures are in place

8. Data Retention

We retain your personal data for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law:

  • Account Data and Content: Retained while your account is active. When you delete your account, we begin permanent deletion of your content from our active systems immediately. Encrypted backups, content delivery caches, and sub-processor logs are purged on rolling cycles within 30 days. Account recovery after deletion is not possible.
  • Payment Records: Retained for 7 years as required by tax and accounting laws
  • Consent Records: Retained to demonstrate compliance with data protection requirements
  • Marketing Preferences: Retained until you withdraw consent or delete your account

Important: Account deletion is permanent and cannot be reversed. Information we are legally required to retain — payment records (7 years), consent and acceptance logs, and abuse/fraud records — is preserved separately and deleted at the end of its statutory period. Please ensure you have backed up any content you wish to keep before deleting your account.

For data that we are legally required to retain (such as payment records), we will securely delete or anonymize it after the retention period expires.

9. Your Rights Under GDPR/AVG

You have the following rights regarding your personal data:

  • Right of Access: You can request a copy of the personal data we hold about you
  • Right to Rectification: You can request correction of inaccurate or incomplete data
  • Right to Erasure ("Right to be Forgotten"): You can request deletion of your personal data (subject to legal obligations)
  • Right to Restrict Processing: You can request that we limit how we process your data
  • Right to Data Portability: You can request a copy of your data in a structured, machine-readable format
  • Right to Object: You can object to processing based on legitimate interests, including opting out of user searchability in your account settings
  • Right to Withdraw Consent: You can withdraw consent for marketing communications at any time

To exercise these rights, please contact us at vault@toolkit.music. We will respond to your request within one month.

You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) if you believe we have violated your data protection rights.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

  • Encryption of data in transit (HTTPS/TLS)
  • Encryption of data at rest
  • Secure password hashing (bcrypt)
  • Regular security assessments and updates
  • Access controls and authentication
  • Regular backups of your data

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.

11. Cookies and Tracking Technologies

We use cookies and similar technologies to operate the Service, authenticate users, and remember your preferences. For detailed information about our use of cookies, please see our Cookie Policy.

12. Children's Privacy

The Service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that information promptly.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately.

13. Marketing Communications

We only send marketing communications if you have explicitly opted in. You can:

  • Opt out at any time by updating your preferences in your account settings
  • Click the unsubscribe link in any marketing email
  • Contact us directly to unsubscribe

Note that even if you opt out of marketing communications, we may still send you transactional emails necessary for the Service (e.g., account notifications, collaboration invitations).

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes:

  • We will update the "Last updated" date
  • We will notify you via email or through the Service
  • For significant changes, we may require you to review and accept the updated policy

Your continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Remy Cooper Music
Email: vault@toolkit.music
Location: The Netherlands

For complaints regarding data protection, you can also contact the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.