Privacy Policy

1. Privacy at a Glance

BassBench is a practice-tracking platform for bass players. We collect and process personal data solely to provide and improve our service. This privacy policy describes exactly what data we collect, how we use it, and which third-party services are involved.

2. Responsible Party & Your Rights

Responsible Party

The party responsible for data processing on this website is:

Your Rights Under GDPR

You have the following rights regarding your personal data at any time:

• Access (Art. 15 GDPR) — What data we have stored about you
• Rectification (Art. 16 GDPR) — Correction of inaccurate data
• Erasure (Art. 17 GDPR) — Deletion of your data, unless legal retention obligations apply
• Restriction of processing (Art. 18 GDPR)
• Data portability (Art. 20 GDPR) — Receive your data in a common format
• Objection (Art. 21 GDPR) — In particular against processing based on legitimate interests

To exercise these rights, contact damir.abdic@kickbench.com. You also have the right to lodge a complaint with the competent supervisory authority (Art. 77 GDPR). For Bavaria, Germany: Bayerisches Landesamt für Datenschutzaufsicht (BayLDA).

Withdrawal of Consent

Where processing is based on your consent, you may withdraw it at any time with effect for the future. The lawfulness of processing carried out prior to the withdrawal remains unaffected.

3. Hosting & Infrastructure

BassBench is externally hosted. Personal data collected on this website is stored on the servers of the following providers:

Legal basis: Contract fulfillment (Art. 6(1)(b) GDPR) and legitimate interest in secure, fast delivery (Art. 6(1)(f) GDPR). For data transfers to the USA and Singapore, the respective providers' EU Standard Contractual Clauses apply.

4. Data We Collect

Account Data

When you register for and use BassBench, we collect:

• Required: Email address, password (stored hashed by Supabase Auth)
• Profile data (optional): Username, first name, last name, city, country, profile picture, timezone, preferred currency
• Subscription data: Selected plan (Free/Premium), subscription status, trial periods

Legal basis: Contract fulfillment (Art. 6(1)(b) GDPR).

Practice Data

When you use BassBench for practice, we store your practice sessions. This includes:

• Date, duration, and type of practice session
• BPM used, time signature, instrument/gear
• Personal notes on sessions
• Streak data (current and longest practice streak)
• Total and weekly practice time

Legal basis: Contract fulfillment (Art. 6(1)(b) GDPR) — this data is the core of the service.

Library Data

You can build a personal library of presets, lists, and tracks in BassBench. We store:

• Preset data: title, BPM, time signature, subdivision, artist, album, genre
• Track data: YouTube URL, video ID, video title, channel name, sections, notes
• Lists: title, assigned presets

Legal basis: Contract fulfillment (Art. 6(1)(b) GDPR).

Gear Data

You can catalog your instruments and equipment. We store: nickname, condition, usage time (mileage), and an optional photo (in a private storage bucket).

Preferences

Your personal settings (e.g., theme, metronome configuration, benching preferences) are stored as JSON in your user profile.

Attribution Data

Upon registration, we capture UTM parameters (utm_source, utm_medium, utm_campaign, utm_content) and the HTTP referrer. This data is used for internal analysis of where new users come from and is not shared with third parties.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR).

Internal Event Data

We log certain application events (e.g., page views, feature usage) in an internal database. This data contains your user ID, event name, page path, and a session ID. We do not use any external analytics services (such as Google Analytics, Mixpanel, or similar).

Legal basis: Legitimate interest in improving the service (Art. 6(1)(f) GDPR).

Server Log Files

The hosting provider (Vercel) automatically collects server log data: browser type, operating system, referrer URL, IP address, and time of access. This data is not merged with other data sources.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR).

5. Cookies

BassBench uses only technically necessary cookies. We do not use any advertising, tracking, or analytics cookies.

Legal basis: Legitimate interest in technically error-free delivery of the service (Art. 6(1)(f) GDPR).

You can delete or block cookies in your browser settings at any time. However, without the authentication cookie, logging in is not possible.

6. Third-Party Services

Stripe (Payment Processing)

We use Stripe Inc., 354 Oyster Point Blvd, South San Francisco, CA 94080, USA for payment processing. When you subscribe to a paid plan, you are redirected to Stripe for payment entry (Stripe Checkout).

BassBench does not store credit card numbers or bank details. We only store a Stripe customer ID and Stripe subscription ID to manage your subscription status. Stripe processes your payment data in accordance with the Stripe Privacy Policy.

Legal basis: Contract fulfillment (Art. 6(1)(b) GDPR).

YouTube (Video Embedding & Metadata)

BassBench uses YouTube services to embed videos within the platform and retrieve metadata (video title, channel name) via the YouTube oEmbed API.

We store only: YouTube URL, video ID, video title, and channel name. We do not store video content, thumbnails, or personal viewer data. YouTube thumbnails are rendered exclusively by the embedded YouTube player.

When playing an embedded video, YouTube may set cookies and collect data about your usage behavior. The YouTube Terms of Service and Google Privacy Policy apply.

You can delete stored YouTube data at any time by removing the corresponding entry from your library.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR).

OpenAI (Song Metadata Detection)

BassBench offers an optional feature to automatically determine a song's BPM and time signature. For this, the song title and artist name are sent to the OpenAI API (model: gpt-4o-mini).

No personal data is sent to OpenAI — only the song title and artist name. OpenAI processes this data in accordance with the OpenAI Privacy Policy.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR). Use of this feature is optional.

Cloudflare Turnstile (CAPTCHA)

To protect against automated abuse, we use Cloudflare Turnstile on registration, login, and password reset pages. A script is loaded from challenges.cloudflare.com and a verification token is sent to Cloudflare.

Cloudflare may process technical data (IP address, browser information) in the process. The Cloudflare Privacy Policy applies.

Legal basis: Legitimate interest in protection against abuse (Art. 6(1)(f) GDPR).

Google Fonts (Local Hosting)

This site uses Google Fonts (Geist, Inter) for consistent font rendering. The fonts are downloaded at build time and served locally. No connection to Google servers is made when you visit the website.

7. Data Security & Retention

SSL/TLS Encryption

This website uses SSL/TLS encryption. All data transmissions between your browser and our servers are encrypted.

Retention Period

Your personal data is stored for as long as your user account exists and the purpose of processing continues to apply. After account deletion, all associated data is removed, unless legal retention obligations require otherwise.

Account Deletion

You can schedule your account for deletion at any time in your account settings. Upon deletion, all your data is removed: profile, practice sessions, library, gear, preferences, and internal event data. Stripe customer data is managed by Stripe according to their retention policies.

Contact for Privacy Questions

For questions about data protection, please contact: damir.abdic@kickbench.com