Last Updated: April 22, 2026

Privacy Policy

Information about the protection of your personal data at BassBench

1. Privacy at a Glance

BassBench is a practice-tracking platform for bass players. We collect and process personal data solely to provide and improve our service. This privacy policy describes exactly what data we collect, how we use it, and which third-party services are involved.

Summary

  • We use no advertising or tracking cookies
  • We do not run ads and do not engage in third-party user tracking
  • Payment data is processed exclusively by Stripe — we do not store credit card numbers
  • YouTube videos are only loaded after your explicit consent
  • You can delete your account and all associated data at any time

2. Responsible Party & Your Rights

Responsible Party

The party responsible for data processing on this website is:

KickBench UG (haftungsbeschränkt)

Mühlerweg 8

81243 München, Germany

Registration Court: Munich District Court

Registration Number: HRB 310659

Managing Director: Damir Abdic

Phone: +49 152 531 54 185

Email: damir@bassbench.com

Your Rights Under GDPR

You have the following rights regarding your personal data at any time:

  • Access (Art. 15 GDPR) — What data we have stored about you
  • Rectification (Art. 16 GDPR) — Correction of inaccurate data
  • Erasure (Art. 17 GDPR) — Deletion of your data, unless legal retention obligations apply
  • Restriction of processing (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR) — Receive your data in a common format
  • Objection (Art. 21 GDPR) — In particular against processing based on legitimate interests

To exercise these rights, contact damir@bassbench.com. You also have the right to lodge a complaint with the competent supervisory authority (Art. 77 GDPR). For Bavaria, Germany: Bayerisches Landesamt für Datenschutzaufsicht (BayLDA).

Withdrawal of Consent

Where processing is based on your consent, you may withdraw it at any time with effect for the future. The lawfulness of processing carried out prior to the withdrawal remains unaffected.

Revoking YouTube consent: Your consent to load the YouTube player is stored in your browser's Local Storage under the key yt_consent. You can revoke this consent at any time by clearing your browser's site storage:

  • Chrome: Settings → Privacy → Clear browsing data
  • Firefox: Settings → Privacy → Cookies and Site Data
  • Safari: Settings → Privacy → Manage Website Data

Obligation to Provide Data

Providing the mandatory information required for registration (email address and password) is necessary for the performance of the user agreement (Art. 13(2)(e) GDPR). Without this information we cannot make the service available to you. All other information is optional; not providing it has no disadvantageous consequences other than waiving the corresponding feature.

Automated Decision-Making

We do not use automated decision-making, including profiling, within the meaning of Art. 22 GDPR that produces legal effects concerning you or similarly significantly affects you.

3. Hosting & Infrastructure

BassBench is externally hosted. Personal data collected on this website is stored on the servers of the following providers:

Vercel Inc. (Website hosting)

440 N Barranca Ave #4133

Covina, CA 91723, United States

Vercel serves the website and processes IP addresses and standard HTTP request data. Vercel reads the country code from the IP address (geo header), which we use to display the appropriate currency.

Supabase Inc. (Database, authentication, file storage)

970 Toa Payoh North #07-04

Singapore 318992

Supabase stores all application data (user account, practice data, library) and files (e.g., profile pictures, gear photos) in private storage buckets. Data is stored exclusively in the EU region Frankfurt (eu-central-1, Germany); no storage outside the European Union takes place.

Upstash Inc. (Rate limiting / Redis)

548 Market St, PMB 78831

San Francisco, CA 94104, United States

Upstash provides a Redis cache used for API rate limiting. IP addresses and user IDs are temporarily stored to prevent abuse. No content or additional personal data is transmitted.

Legal basis: Contract fulfillment (Art. 6(1)(b) GDPR) and legitimate interest in secure, fast delivery (Art. 6(1)(f) GDPR). Application data (Supabase) is stored in the EU; no transfer of personal data to third countries takes place as part of the hosting itself. Where technical administrative access by the parent company Supabase Inc. (Singapore) or by Vercel Inc. and Upstash Inc. (USA) cannot be excluded in individual cases, we rely on the providers' EU Standard Contractual Clauses (SCC) (Art. 46(2)(c) GDPR).

4. Data We Collect

Account Data

When you register for and use BassBench, we collect:

  • Required: Email address, password (stored hashed by Supabase Auth)
  • Profile data (optional): Username, first name, last name, city, country, profile picture, timezone, preferred currency
  • Subscription data: Selected plan (Free/Premium), subscription status, trial periods

Legal basis: Contract fulfillment (Art. 6(1)(b) GDPR).

Practice Data

When you use BassBench for practice, we store your practice sessions. This includes:

  • Date, duration, and type of practice session
  • BPM used, time signature, instrument/gear
  • Personal notes on sessions
  • Streak data (current and longest practice streak)
  • Total and weekly practice time

Legal basis: Contract fulfillment (Art. 6(1)(b) GDPR) — this data is the core of the service.

Library Data

You can build a personal library of presets, lists, and tracks in BassBench. We store:

  • Preset data: title, BPM, time signature, subdivision, artist, album, genre
  • Track data: YouTube URL, video ID, video title, channel name, sections, notes
  • Lists: title, assigned presets

Legal basis: Contract fulfillment (Art. 6(1)(b) GDPR).

Gear Data

You can catalog your instruments and equipment. We store: nickname, condition, usage time (mileage), and an optional photo (in a private storage bucket).

Preferences

Your personal settings (e.g., theme, metronome configuration, benching preferences) are stored as JSON in your user profile.

Attribution Data

Upon registration, we capture UTM parameters (utm_source, utm_medium, utm_campaign, utm_content) and the HTTP referrer. This data is used for internal analysis of where new users come from and is not shared with third parties.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR).

Internal Event Data

We log certain application events (e.g., page views, feature usage) in an internal database. This data contains your user ID, event name, page path, and a session ID.

In addition, we use Plausible Analytics (hosted in the EU) to measure aggregated website traffic and conversions in a privacy-friendly, cookieless way. We do not use advertising trackers.

Legal basis: Legitimate interest in improving the service and understanding product adoption (Art. 6(1)(f) GDPR).

Server Log Files

The hosting provider (Vercel) automatically collects server log data: browser type, operating system, referrer URL, IP address, and time of access. This data is not merged with other data sources.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR).

5. Cookies

BassBench uses only technically necessary cookies, plus a Local Storage entry to store your YouTube consent. We do not use any advertising cookies. Plausible Analytics runs without analytics cookies.

Cookies

| Cookie | Purpose | Duration | Provider |
|---|---|---|---|
| sb-*-auth-token | Authentication session | Session / persistent | Supabase |
| sb-*-auth-token-code-verifier | PKCE authentication flow (login) | Session | Supabase |
| geo-country | Country code for currency display | 1 hour | BassBench |
| sidebar_state | Sidebar state (open/closed) | 7 days | BassBench |
| oc_ok | Auth performance cache (prevents redundant database queries) | 1 hour | BassBench |
| ob_done | Onboarding completion marker (middleware optimization) | 2 minutes | BassBench |

Legal basis: Art. 6(1)(b) and (f) GDPR — no consent required, as these cookies are strictly necessary for technical operation and contract fulfillment.

You can delete or block cookies in your browser settings at any time. However, without the authentication cookie, logging in is not possible.

Local Storage & Session Storage

In addition to cookies, we use your browser's Local Storage and Session Storage to store preferences and consent. These entries never leave your device and are not transmitted to any server.

| Key | Purpose | Type |
|---|---|---|
| yt_consent | Stores your consent to load the YouTube player | Local Storage |
| jambench_preferences_* | App preferences (theme, metronome config, etc.) | Local Storage |
| jambench_active_vertical | Last selected instrument | Local Storage |
| bassbench-content-zoom | Content view zoom level | Local Storage |
| kb.sectionViewMode | Section display mode | Local Storage |
| currentUserId, selectedInstrumentId | Session navigation (cleared when tab is closed) | Session Storage |

Legal basis for yt_consent: Art. 6(1)(a) GDPR (consent). Legal basis for all other entries: strictly necessary for the function requested by the user — no consent required.

6. Third-Party Services

Stripe (Payment Processing)

We use Stripe Inc., 354 Oyster Point Blvd, South San Francisco, CA 94080, USA for payment processing. When you subscribe to a paid plan, you are redirected to Stripe for payment entry (Stripe Checkout).

BassBench does not store credit card numbers or bank details. We only store a Stripe customer ID and Stripe subscription ID to manage your subscription status. Stripe processes your payment data in accordance with the Stripe Privacy Policy.

Legal basis: Contract fulfillment (Art. 6(1)(b) GDPR).

YouTube (Metadata Retrieval)

When you add a song to your library, BassBench fetches metadata (video title, channel name) server-side via the YouTube oEmbed API. No personal data is transmitted to YouTube in this process. We store only: YouTube URL, video ID, video title, and channel name.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) — server-side request with no contact between your browser and YouTube.

YouTube (Video Player)

To play videos inside the app, the YouTube IFrame API is loaded. Because YouTube may set cookies on your device and collect usage data in the process, we ask for your explicit consent before loading the player. Only after you click "Allow & load video" will the YouTube IFrame API (youtube.com/iframe_api) be loaded in your browser.

Your consent is stored in Local Storage under yt_consent and remains valid until you revoke it (see Section 2).

Provider: Google LLC / YouTube, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The YouTube Terms of Service and Google Privacy Policy apply.

Legal basis: Art. 6(1)(a) GDPR (consent).

OpenAI (Song Metadata Detection)

BassBench offers an optional feature to automatically determine a song's BPM and time signature. For this, the song title and artist name are sent to the OpenAI API (model: gpt-4o-mini).

No personal data is sent to OpenAI — only the song title and artist name. OpenAI processes this data in accordance with the OpenAI Privacy Policy.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR). Use of this feature is optional.

Cloudflare Turnstile (CAPTCHA)

To protect against automated abuse, we use Cloudflare Turnstile on registration and magic-link login pages. A script is loaded from challenges.cloudflare.com and a verification token is sent to Cloudflare.

Cloudflare may process technical data (IP address, browser information) in the process. The Cloudflare Privacy Policy applies.

Legal basis: Legitimate interest in protection against abuse (Art. 6(1)(f) GDPR).

Resend (Email Delivery)

We use Resend Inc., 2261 Market St #5665, San Francisco, CA 94114, USA to send transactional emails. Resend is used for:

  • Waitlist confirmation: Double opt-in email after signing up for the waitlist
  • Newsletter confirmation: Double opt-in email after subscribing to the newsletter

Only your email address is transmitted to Resend. Resend processes this data in accordance with the Resend Privacy Policy. For data transfers to the USA, Resend's EU Standard Contractual Clauses apply.

Legal basis: Contract fulfillment (Art. 6(1)(b) GDPR) for the waitlist confirmation; consent (Art. 6(1)(a) GDPR) for the newsletter confirmation as part of the double opt-in process.

Google OAuth (Sign in with Google)

You can optionally sign in to BassBench using your Google account ("Continue with Google"). This establishes an OAuth connection to Google. In this process, Google transmits your email address and name to BassBench, provided you have consented to the transfer.

Provider: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The Google Privacy Policy applies. For data transfers to the USA, Google's EU Standard Contractual Clauses apply.

Legal basis: Art. 6(1)(a) GDPR (consent) — use of Google OAuth is optional; you can alternatively sign in via magic link without a Google account.

Google Fonts (Local Hosting)

This site uses Google Fonts (Inter) for consistent font rendering. The fonts are downloaded at build time and served locally. No connection to Google servers is made when you visit the website.

7. Data Security & Retention

SSL/TLS Encryption

This website uses SSL/TLS encryption. All data transmissions between your browser and our servers are encrypted.

Retention Period

Your personal data is stored for as long as your user account exists and the purpose of processing continues to apply. After account deletion, all associated data is removed, unless legal retention obligations require otherwise. Specifically, the following concrete periods or criteria apply:

| Data Category | Retention Period |
|---|---|
| Account data (email, profile, subscription status) | up to 30 days after account deletion |
| Practice, library and gear data | up to 30 days after account deletion |
| Invoicing / payment data (Stripe IDs, invoices) | 10 years (§ 147(3) AO, § 257 HGB — German tax & commercial law) |
| Server log files (Vercel) | maximum 30 days (Vercel default) |
| Internal event data (feature usage, session events) | 12 months |
| Attribution data (UTM, referrer) | 12 months |
| Proof of consent (e.g., YouTube, newsletter) | duration of consent plus 3-year statutory limitation period |
| Rate-limiting data (Upstash) | maximum 24 hours |

Account Deletion

You can schedule your account for deletion at any time in your account settings. Upon deletion, all your data is removed: profile, practice sessions, library, gear, preferences, and internal event data. Stripe customer data is managed by Stripe according to their retention policies.

Contact for Privacy Questions

For questions about data protection, please contact: damir@bassbench.com

© 2026 BassBench.com. All rights reserved.