Effective Date: February 26, 2026 — Last Updated: April 2, 2026
This Privacy Policy explains how Astrasonic ("we," "us," or "our"), operated by Plan Bakery B.V., a company registered in the Netherlands, collects, uses, stores, and protects your personal data when you use the Astrasonic application, website, and related services (the "Service").
We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
The data controller for the processing of your personal data is:
Astrasonic (operated by Plan Bakery B.V.)
The Netherlands
Email: [email protected]
| Data Type | Purpose | Legal Basis |
|---|---|---|
| Email address | Account identification, communication | Contract performance |
| Authentication credentials | Account security (WebAuthn/passkeys) | Contract performance |
| IP address | Security, fraud prevention, rate limiting | Legitimate interest |
| Session identifiers | Maintaining authenticated state | Contract performance |
| Data Type | Purpose | Legal Basis |
|---|---|---|
| Track titles, artists, BPM, key | Library analysis and processing | Contract performance |
| Playlist names and structure | Library organization features | Contract performance |
| Cue points and DJ settings | Backup and restoration | Contract performance |
| File paths (relative) | File mapping and deduplication | Contract performance |
When you use the Cloud Backup Service, we additionally process:
| Data Type | Purpose | Legal Basis |
|---|---|---|
| Music files (audio content) | Cloud backup storage and restoration | Consent / Contract performance |
| File SHA-256 hashes | Deduplication and integrity verification | Contract performance |
| File sizes | Storage quota tracking | Contract performance |
| Upload/download timestamps | Backup history and audit trail | Legitimate interest |
Payment processing is handled by Stripe, Inc. We do not store credit card numbers, CVVs, or full bank account details. Stripe's handling of your payment data is governed by Stripe's Privacy Policy.
The Astrasonic desktop application processes your DJ software database locally on your computer. The following describes what data stays local versus what is transmitted to our servers:
| Data Type | Local Only | Sent to Server |
|---|---|---|
| Music audio files | Yes (unless using Cloud Backup) | Only if you enable Cloud Backup |
| DJ database (Rekordbox/Traktor) | Yes — read and modified locally | Metadata only (track info, playlists) |
| File paths on your computer | Yes (full paths stay local) | Relative paths only, for file mapping |
| Application logs and diagnostics | Stored locally | Error reports sent to Sentry (see 3.7) |
| Application settings and preferences | Yes — stored in local config file | No |
To enrich your music library metadata (BPM, key, genre, artist names, artwork), we query a variety of publicly available and licensed data sources. These include, but are not limited to: Apple Music, Beatport, MusicBrainz, and our own proprietary database. When we query these sources:
Your data may be processed by the following third-party service providers, each acting as a data processor on our behalf.
Purpose: Storage of your music files when you use the Cloud Backup Service.
Data stored: Your music files (encrypted at rest with AES-256), file metadata (keys, sizes).
Location: EU Central data center (European Union).
Privacy policy: backblaze.com/company/policy/privacy
Backblaze acts as a sub-processor. We have entered into a Data Processing Agreement (DPA) with Backblaze to ensure GDPR-compliant handling of your data. Files are stored in Backblaze's EU data center to keep your data within the European Economic Area (EEA).
Purpose: Hosting our web application and API servers.
Data processed: Request metadata, IP addresses, session data.
Privacy policy: railway.app/legal/privacy
Purpose: Processing payments for paid features.
Data processed: Payment card details, billing information, transaction records.
Privacy policy: stripe.com/privacy
Purpose: Website traffic analysis and user journey optimization (via Google Tag Manager and Google Analytics 4).
Data processed: Page views, referral source, device/browser info, approximate location (country/city level).
Privacy policy: policies.google.com/privacy
Purpose: Product analytics, session replay, conversion funnel analysis.
Data processed: Page views, click events, scroll depth, anonymized session recordings (form inputs masked).
Location: EU data center (when using eu.posthog.com).
Privacy policy: posthog.com/privacy
Purpose: Sending verification codes and service notifications.
Data processed: Email addresses, email content.
Privacy policy: resend.com/legal/privacy-policy
Purpose: Monitoring application errors and crashes in both the web application and desktop app.
Data processed: Error stack traces, browser/OS type, anonymized user identifiers, request URLs. No music files or library content is included in error reports.
Privacy policy: sentry.io/privacy
Purpose: Generating smart-playlist rules and natural-language helpers via the Claude API.
Data processed: The natural-language prompt you type plus non-identifying track metadata (genre, BPM, rating). We do not send audio files, email addresses, or IP addresses.
Privacy policy: anthropic.com/legal/privacy
Purpose: Running audio analysis models (tempo, key, genre, embeddings) on serverless GPUs when you opt into cloud analysis.
Data processed: Short audio features derived from your files. Raw audio is deleted after analysis.
Privacy policy: modal.com/legal/privacy
Purpose: Serving album artwork, waveforms, and onboarding screenshots to the mobile and desktop apps via a public CDN.
Data processed: HTTP request metadata (IP address, User-Agent) handled by Cloudflare's edge network.
Privacy policy: cloudflare.com/privacypolicy
Purpose: In-browser live chat so we can answer support questions on the marketing pages.
Data processed: Messages you send, page URL, browser/OS type, chat-session cookie.
Privacy policy: crisp.chat/privacy
Purpose: A long-term disaster-recovery archive (Glacier Deep Archive) of your cloud-backup files, separate from the primary Backblaze copy.
Data processed: Your music files, copied from the primary backup for redundancy.
Privacy policy: aws.amazon.com/privacy
Purpose: Optional account sign-in using your Google account (separate from the analytics use in 3.4).
Data processed: The identity token Google returns (your email address and name).
Privacy policy: policies.google.com/privacy
Purpose: Optional account sign-in using your Apple ID.
Data processed: The identity token Apple returns; you may choose to hide your email (Apple relay).
Privacy policy: apple.com/legal/privacy
Purpose: Only if you connect Spotify — to pull track metadata that helps enrich your library.
Data processed: The OAuth access/refresh tokens for your Spotify connection (deleted when you delete your account).
Privacy policy: spotify.com/legal/privacy-policy
Purpose: Only if you connect Beatport — to pull track metadata that helps enrich your library.
Data processed: The OAuth access/refresh tokens for your Beatport connection (deleted when you delete your account).
Privacy policy: beatport.com/privacy
We process your personal data for the following purposes:
| Data Type | Retention Period |
|---|---|
| Account data | Duration of account + 30 days after deletion request |
| Music library metadata | Duration of account + 30 days after deletion request |
| Cloud backup files | Duration of account + 30 days after deletion request |
| Payment records | As required by Dutch tax law (7 years) |
| Security logs (IP, auth attempts) | 90 days |
| Anonymized analytics | Indefinite (non-personal) |
As a data subject under the GDPR, you have the following rights:
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days as required by the GDPR.
You may request complete deletion of your account and all associated data at any time. Upon receiving a valid deletion request:
We implement appropriate technical and organizational measures to protect your personal data, including:
If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority — the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) — without undue delay and, where feasible, within 72 hours of becoming aware of it, in accordance with Article 33 GDPR. Where the breach is likely to result in a high risk to you, we will also notify you directly without undue delay (Article 34 GDPR), describing the nature of the breach, its likely consequences, and the measures we have taken or propose to take.
We store and process your data within the European Economic Area (EEA):
Where data is transferred outside the EEA (e.g., to certain sub-processors), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission.
These cookies are required for the Service to function and cannot be disabled:
With your consent, we may load the following client-side (in-browser) analytics tools. These set cookies or local storage on your device, so they run only after you choose “Accept All” in the consent banner — never if you choose “Essential Only”:
| Tool | Purpose | Data Collected | Privacy Policy |
|---|---|---|---|
| Google Analytics 4 (via Google Tag Manager) | Website traffic analysis, acquisition channels, user journeys | Pages visited, time on site, referral source, device/browser type, approximate location (country/city level) | Google Privacy Policy |
| PostHog | Product analytics, session replay, conversion funnels | Page views, clicks, scroll depth, session recordings (with form inputs masked), feature usage | PostHog Privacy Policy |
When you first visit our website, a cookie-consent banner lets you choose:
You can change your choice at any time by clearing your browser's local storage for our domain and refreshing the page.
We do not use advertising cookies or tracking pixels. We do not participate in any advertising networks. We do not sell, rent, or share analytics data with third parties for marketing purposes.
Separately from the cookie-based tools in 9.2, we record a limited set of server-side product events (for example: an account was created, a payment completed, a page was served) via PostHog (EU). These events set no cookie and store nothing on your device, and they contain no directly-identifying data — only a pseudonymous session or account identifier, never your email address or IP address. Because they place nothing on your device, they fall outside the cookie-consent choice above and are processed under our legitimate interest (Art. 6(1)(f) GDPR) in understanding and improving the Service. You may object to this processing at any time (Art. 21) by contacting us.
The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and, where appropriate, by email. Your continued use of the Service after such changes constitutes acceptance of the updated policy.
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens):
Autoriteit Persoonsgegevens
Bezuidenhoutseweg 30, 2594 AV Den Haag, The Netherlands
Website: www.autoriteitpersoonsgegevens.nl
Phone: +31 70 888 8500
For any privacy-related questions, requests, or concerns, please contact us at:
Astrasonic (operated by Plan Bakery B.V.) — Data Protection
Email: [email protected]
Website: astrasonic.ai
See also: Terms of Service
HOME