Privacy Policy

Last revised: June 2026

1. General Information and Data Controller

This Privacy Policy describes how Make a Beat collects, uses, and discloses information about you. The data controller pursuant to Art. 4 (7) of the General Data Protection Regulation (GDPR) is:

Jonas Niemann c/o IP-Management #9655 Ludwig-Erhard-Straße 18 20459 Hamburg Germany E-Mail: contact@make-a-beat.com

2. Technical Infrastructure and Server Logfiles

Our platform is hosted by Hetzner Online GmbH, Germany. The servers are located exclusively in Germany.

Server Logfiles: When you visit our website, the server automatically collects information that your browser transmits. This includes: IP address (shortened/anonymized if possible), date and time of the request, browser type and version, operating system, and referrer URL.

The legal basis for this processing is Art. 6 (1) (f) GDPR (legitimate interest in maintaining IT security and website functionality). Data is stored for 7 days and then deleted.

3. Data Collection and User Input

A. Registration via Google OAuth — We use Google Login (Alphabet Inc.). We collect your email address, name, and profile picture. Legal basis: Art. 6 (1) (b) GDPR (contract performance).

B. User Content and Database — We store your beats, metadata (BPM), and account settings in our database (PocketBase, hosted on our Hetzner servers in Germany). Legal basis: Art. 6 (1) (b) GDPR.

C. AI Interaction (AI Act Transparency) — In accordance with Art. 50 of the EU AI Act, we inform you that our platform uses Artificial Intelligence to generate and process audio. Your text prompts are processed to generate audio; we use generative models to translate text descriptions into musical frequencies. Legal basis: Art. 6 (1) (b) GDPR.

D. Device Type at Registration — During registration we derive only the device type (desktop, mobile, or tablet) from your browser's User-Agent, to understand which kinds of devices our users sign up from and improve the service accordingly. We do not store the full User-Agent string, IP address, or location data. Legal basis: Art. 6 (1) (f) GDPR (legitimate interest).

4. Third-Party API Services (International Transfers)

To provide AI features, we transmit specific data to providers in the USA.

ElevenLabs Inc. (Audio Generation): Text prompts are transmitted. No personal profile data is shared.

Replicate, Inc. (Stem Splitting): Audio files are processed in volatile memory (RAM) and are not permanently stored by Replicate.

International Transfer: These transfers are based on the EU-U.S. Data Privacy Framework or Standard Contractual Clauses (SCCs).

5. Payments via Stripe (Data Processor)

Payments are processed by Stripe Payments Europe Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland ("Stripe"). Stripe acts as our data processor (Auftragsverarbeiter) under Art. 28 GDPR. We are the controller of payment-related personal data; Stripe processes it on our behalf under their Data Processing Agreement (https://stripe.com/legal/dpa).

Data processed via Stripe includes: your name, email address, payment method details (card brand, last four digits, expiry — we do not store the full card number), billing country, IP address, currency, amount, and transaction metadata (e.g. our internal user reference). Legal basis: Art. 6 (1) (b) GDPR (performance of contract).

For fraud prevention and global infrastructure, Stripe may transfer data to Stripe, Inc. in the United States. Such transfers are protected by the EU-U.S. Data Privacy Framework and Standard Contractual Clauses where applicable.

Stripe’s privacy policy: https://stripe.com/privacy. Stripe sets the cookies __stripe_mid, __stripe_sid, and m on its own domain (checkout.stripe.com) for fraud prevention; under § 25 (2) TDDDG these are strictly necessary and require no consent.

6. Contact and Feedback Forms

If you use the Contact or Feedback form on the website, your submission (name, email, message) is forwarded through our self-hosted n8n workflow automation instance, which runs on our Hetzner servers in Germany, for processing and routing to us.

Legal basis: Art. 6 (1) (a) GDPR (consent) for voluntary submissions, and Art. 6 (1) (f) GDPR (legitimate interest in responding to inquiries). Submissions are stored only as long as required to process and answer your request.

7. Transactional Emails via Resend

We use Resend, Inc. as our processor for transactional emails related to your account and the use of the service, such as onboarding and other account-related notifications. For this purpose, we transmit your email address and the data required to compose and deliver the relevant email to Resend.

Legal basis: Art. 6 (1) (b) GDPR where the message is necessary for account use or contract performance, and Art. 6 (1) (f) GDPR where we have a legitimate interest in reliable and secure service communication.

Resend processes data in the United States. According to Resend legal documentation, transfers may rely on the EU-U.S. Data Privacy Framework and, where applicable, additional safeguards such as Standard Contractual Clauses.

You can object to processing based on Art. 6 (1) (f) GDPR at any time by contacting contact@make-a-beat.com. We do not use this channel for separate marketing emails without an appropriate legal basis.

8. Cookies and Local Storage (TDDDG / GDPR)

Essential Cookies (no consent required, § 25 (2) TDDDG): We use technically essential cookies and local storage (e.g. authentication tokens). The mab-cookie-consent cookie stores your cookie preferences and has a 1-year duration. Legal basis: § 25 (2) TDDDG (technical necessity).

Analytics Cookies (only with your explicit consent, § 25 (1) TDDDG + Art. 6 (1) (a) GDPR): We use Google Analytics 4 (operated by Google Ireland Ltd. and Google LLC, USA) to understand how visitors use this site. Google Analytics uses the following cookies: _ga (2-year duration), _ga_EFRWFQ861C (1-year duration). These cookies collect anonymized usage statistics such as page views, session duration, and user journey. The data transfer to the USA is based on the EU-U.S. Data Privacy Framework and Standard Contractual Clauses (SCCs). You can withdraw your consent at any time by adjusting your cookie settings in the banner at the bottom of the page.

9. Data Security (SSL/TLS)

For security reasons and to protect the transmission of confidential content (e.g. payment info, login data), this site uses SSL/TLS encryption. You can recognize an encrypted connection by the "https://" in the browser line.

10. Global Leaderboard and Public Visibility

If you choose to "Publish" a beat, your username, avatar, and audio will be visible to the public. Legal basis: Art. 6 (1) (a) GDPR (consent). You can withdraw this consent at any time by deleting the post.

11. Your Rights

Under the GDPR, you have the right to access (Art. 15), rectify (Art. 16), erase (Art. 17), and object to the processing (Art. 21) of your data.

To exercise these rights, contact us at contact@make-a-beat.com. You also have the right to lodge a complaint with a data protection supervisory authority.