Privacy Policy

We collect personal information in several ways as you use Sessio. Understanding what data we gather helps you make informed decisions about your account and what information you share on our Platform.

1.1 Information you provide directly

When you create an account with Sessio, you provide us with information that identifies you. This includes your email address, which we use to send you account notifications, verify your identity, and communicate important updates about your account. We store your password in encrypted form so that only you can access your account. You also provide your display name, which appears on your public profile so other musicians can find and recognize you. If you choose to add additional profile details, you may include your location, a job description that explains your role in the music industry, a profile picture, and a link to your Spotify account. All of this information is optional, and you control what appears on your public profile.

When you create sessions on Sessio, we collect information about those sessions. This includes the title and description you give to each session, the dates and times you schedule for collaboration, the names of the collaborators you invite or accept, and any notes or details you add to help organize the session. If you choose to upload music files to share with collaborators, we store those files along with information about them, such as their duration, file format, and size. You may also choose to document credits and ownership information, as well as split agreements that explain how any future revenue or recognition will be divided among collaborators.

When you use the messaging and communication tools within Sessio to exchange information with other collaborators, we collect and store those messages, notes, and feedback. This allows you and your collaborators to have a record of your conversations and decisions about your projects. If you contact our support team with questions or concerns, we keep records of that correspondence so we can help you effectively and track any issues you report.

If Sessio adds paid features in the future, we will not directly store your credit card information. Instead, payment information will be processed through secure third-party payment processors such as Stripe or Wise. These processors handle all payment data according to their own security standards, and we will only receive confirmation that your payment was successful and basic transaction details needed for billing.

1.2 Information collected automatically

When you use the Sessio Platform, we automatically collect certain information about your activities. This includes your IP address, which helps us understand where you are accessing the Platform from and can help us detect fraudulent activity. We collect information about your browser type and version, the pages you visit on our Platform, how much time you spend on different features, which features you use, when you start and end your sessions, and information about your device such as its operating system and type.

We use cookies and similar technologies to remember you and improve your experience on Sessio. Cookies are small files that stay on your device. Some cookies are essential to the Platform's function, such as those that remember whether you are logged in and maintain your session security. Other cookies help us remember your preferences and settings so you do not have to enter them again. We also use cookies to understand how people use Sessio, which helps us improve features and fix problems. You can control cookies through your browser settings, though disabling essential cookies may prevent you from using some features.

We may use analytics tools to understand how people use the Platform. This helps us identify which features are most valuable, recognize bugs or performance issues, gather feedback about what is working well, and develop new features that users need. Any analytics data we collect is anonymized so that it does not identify you personally. We analyze patterns across all users to understand overall trends rather than tracking individual behavior.

1.3 Information from third parties

If you choose to connect your Spotify account to Sessio, we receive some information from Spotify. We get your Spotify username and public profile information so that your Spotify activity can be linked to your Sessio account. We do not receive your Spotify password, payment information, or any other sensitive data. You can disconnect your Spotify account from Sessio anytime in your account settings, and once disconnected, we no longer receive updates from Spotify about your account.

If Sessio adds payment processing in the future, payment processors such as Stripe will share certain information with us. This will be limited to information required to process payments and manage your billing, such as transaction confirmations and billing amounts. The payment processor will not share your full credit card number or other sensitive payment details with us.

Under the General Data Protection Regulation (GDPR), we are required to have a valid legal reason to collect and use your personal information. We use the following legal bases depending on the type of information and the purpose.

We process your information based on our contract with you because we need certain data to provide the services you have requested. Your email address is necessary to create your account, send you important updates, and verify your identity. Session and collaboration information is necessary to provide scheduling and coordination features. Split and ownership information is necessary to help you document agreements with other musicians about how credit and revenue will be attributed.

We also process some information because we have a legitimate business interest in doing so. We analyze how people use Sessio to understand which features are valuable and which need improvement. This helps us develop a better product. We also use information to detect and prevent fraud, such as unauthorized access attempts or terms of service violations, because protecting our users and our Platform is important to us. We monitor security to protect your data and prevent abuse.

We are required to process and retain certain information to comply with applicable laws. Danish tax law requires us to keep financial and ownership records for six to seven years. If we receive a legal request from law enforcement or a court order, we may be required to disclose information to comply with that legal obligation. We also may need to preserve information in order to defend ourselves in legal disputes.

We also process information when you have given us permission to do so. For example, we ask for your consent before sending marketing emails about new features or updates. You can withdraw this consent anytime by unsubscribing from marketing emails.

The primary reason we collect your personal information is to provide Sessio to you in a way that is personalized, safe, and efficient. We use your information for several important purposes.

We use your information to provide and maintain the Sessio Platform. We create and manage your account using your email address and password. We store and display the music content you choose to upload, the sessions you create, and the collaboration information you enter. We enable the session scheduling and collaboration coordination features that allow you to organize sessions with other musicians and manage who you work with. We process the messages and communications between collaborators so that you have a record of your conversations and decisions. We also create regular encrypted backups of all data on our servers so that we can recover from any technical problems and ensure you do not lose important information.

We use your information to continuously improve the Sessio Platform. We analyze patterns in how people use different features to understand which parts of the Platform are most valuable to users. When we identify bugs or technical problems, we work to resolve them. We review feedback from users and support requests to understand what features people need and what frustrations they experience. We use this information to optimize the performance and loading times of the Platform so that it works smoothly for everyone.

We use your information to communicate with you in several ways. We send transactional emails that are essential to the Platform's function, such as confirming your account creation, helping you reset your password if you forget it, or notifying you when someone has invited you to collaborate on a session. We respond to support emails when you contact us with questions or technical issues. We notify you of important changes to the Sessio Platform, our Terms of Service, or this Privacy Policy. If you have opted in to receive marketing emails, we send you information about new features, updates, and opportunities, though you can unsubscribe from marketing communications anytime.

We use your information to ensure security and prevent abuse. We monitor for unauthorized access attempts so that we can detect if someone is trying to hack into accounts. We work to detect and prevent spam and fraudulent activity on the Platform. We investigate violations of our Terms of Service to enforce our policies and protect users from harmful behavior. We take steps to protect the rights and safety of all users on Sessio.

We use your information to comply with legal obligations. We respond to requests from law enforcement or court orders as required by law. We preserve records for legal disputes so that we can defend our rights if necessary. We maintain audit trails of important transactions and activities for financial and tax purposes.

We use your information to help manage collaborations between users. We track the history of collaborations so that we can help resolve disputes if two users disagree about ownership or splits. We document ownership and copyright information to make clear who owns the original composition or arrangement. We also prepare information about revenue splits to help distribute payments and royalties if Sessio adds payment features in the future.

We do not share your personal information with third parties except as described in this section. We are careful about who has access to your data and only share information when necessary to provide services to you or when legally required.

4.1 Service providers (data processors)

We work with several service providers who help us operate Sessio. We share your information with these providers because they perform essential functions on our behalf, but they are only allowed to use your information to provide services to us.

We use Bubble.io to host our website and store all of our user data, including your account information, sessions, music files, and collaborations. Bubble.io is located in the United States and uses Standard Contractual Clauses to ensure that your data is protected even though it is stored outside the European Union. You can review Bubble.io's privacy practices at https://bubble.io/privacy. Bubble.io also uses subprocessors for certain functions, including AWS and Cloudflare. You can see the full list of Bubble.io's subprocessors at https://bubble.io/subprocessors.

We use Postmark to send transactional emails such as password reset requests and session invitations. We use Microsoft Outlook for internal team communications so that our staff can coordinate on product improvements and customer support. We use MailLite to send marketing and newsletter emails to users who have chosen to receive them.

If we use analytics tools, we may use Google Analytics to understand how people use the Platform. Google Analytics analyzes platform usage in an anonymized form, which means the data cannot be used to identify you personally. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on if you prefer not to have your usage patterns analyzed.

All of our service providers have agreed to Data Processing Agreements that require them to protect your information and only use it as directed by Sessio.

4.2 Legal requirements

We may share your information if required by law or in response to government action. We will disclose your information if we receive a court order, subpoena, or other legal process that requires disclosure. We may also disclose information if required to comply with other laws, regulations, or government requests. We share information when we believe disclosure is necessary to protect a person's rights, property, or safety. We may disclose information to enforce our Terms of Service and this Privacy Policy. We also may share information to detect, prevent, or address fraud, security issues, or technical problems that could harm users or the Platform.

4.3 Business transfers

If Sessio is acquired by another company, merged with another organization, or goes through bankruptcy, your information may be transferred as part of that business transaction. We will notify you if this happens and will ensure that any company that receives your information is required to honor the commitments we have made in this Privacy Policy.

4.4 With your consent

We will not share your information with third parties for their own marketing purposes unless you have explicitly consented. You can withdraw your consent at any time by contacting us at legal@sessio.io.

The GDPR gives you important rights regarding your personal information. Understanding these rights helps you maintain control over your data. You can exercise any of these rights by emailing legal@sessio.io with the specific request.

5.1 Right to access

You have the right to request confirmation of whether Sessio is processing your personal information. If we are processing your information, you have the right to obtain a copy of all personal information we hold about you. We will provide this information within 30 days in a portable, machine-readable format such as a CSV file. This information will include your account details, session history, music files, collaboration records, and any other personal data associated with your account.

5.2 Right to correction

You have the right to correct any information that is inaccurate or incomplete. You can update much of your personal information yourself by logging into your account and editing your profile, such as changing your email address, display name, location, or profile picture. If you need help correcting information, you can email us and we will assist you. We can only make changes on your behalf if we are able to verify your identity.

5.3 Right to erasure

You have the right to request that we delete your personal information under certain conditions. We will delete your information if it is no longer necessary for the purposes it was collected, if you withdraw your consent to processing, if you object to processing, or if processing violates the law. You can request deletion by emailing legal@sessio.io with "Data Deletion Request" in the subject line.

However, we have certain limitations on our ability to delete. We cannot delete information if we are obligated by law to keep it, such as tax records required by Danish law. We cannot delete information if we need it to establish, exercise, or defend legal claims, such as if we need to prove what happened in a dispute between collaborators. We cannot delete information if you are part of active collaborations with financial implications, because other collaborators need that information to manage splits and payments.

When you request deletion, we will delete your personal information such as your email address, password, profile picture, username, location, and job description within 60 days. Your music files and uploads will be deleted within 60 days of your request. However, we will retain anonymized collaboration and financial records for six to seven years to comply with tax law and to allow us to resolve future disputes about ownership and payments. After deletion, your name and profile will not be visible to other users. Instead, users will see "Anonymous Collaborator" along with your split percentage, but they will not see your personal information.

5.4 Right to restrict processing

You have the right to ask us to limit how we use your personal information while we verify its accuracy or determine the lawful basis for processing. When processing is restricted, we will still store your information but will not use it for any purpose except as necessary to comply with legal obligations or to establish, exercise, or defend legal claims. You can request restriction by emailing legal@sessio.io with "Restrict Processing Request" in the subject line.

5.5 Right to data portability

You have the right to request your personal information in a portable, machine-readable format so that you can transfer it to another service if you choose. You can request a data export by logging into your account and clicking "Download My Data" in your settings, or by emailing legal@sessio.io. We will provide your information within 30 days in a portable format that includes your account information, session history and scheduling data, collaboration records, music files you uploaded, and split agreements. This allows you to keep a backup of your information or move to another platform if you wish.

5.6 Right to object

You have the right to object to how we process your information in certain situations. You can object to receiving marketing emails by clicking the "Unsubscribe" link at the bottom of any marketing email or by emailing legal@sessio.io. If you object to analytical processing, we will anonymize your data so it cannot be associated with you. If you object to processing based on our legitimate interests, we will stop processing unless we have overriding legal reasons to continue.

5.7 Right to withdraw consent

If we are processing your information based on your consent, you have the right to withdraw that consent at any time. This is particularly relevant for marketing emails. Withdrawing your consent does not affect the lawfulness of the processing that occurred before you withdrew your consent, but it means we will stop processing in that way going forward.

5.8 Right to lodge a complaint

If you believe that Sessio has violated your privacy rights or failed to comply with GDPR, you have the right to lodge a complaint with the Danish Data Protection Authority, which is called Datatilsynet. You can contact them by email at bt@datatilsynet.dk, by phone at +45 3319 3200, or by visiting their website at www.datatilsynet.dk. Submitting a complaint to the supervisory authority does not prevent you from seeking other remedies.

We believe in the principle of data minimization, which means we keep your personal information only as long as necessary. The following describes how long we retain different types of information and why we keep each type for that length of time.

Your account information such as your email address, password, and display name will be retained for seven days after you request deletion. This allows us to process your deletion request and comply with GDPR requirements. Your profile information such as your picture, location, and job description will be deleted within seven days of account closure because it is no longer needed after you are no longer using the Platform.

Your IP address logs are retained for 30 days for security and analytics purposes. If we detect unusual activity or a security threat, we may need to review IP address history to understand what happened. After 30 days, older logs are deleted.

Usage analytics data showing which features you used and when you used them are retained for 30 days in identifiable form. After 30 days, this data is anonymized so that it cannot be associated with you personally. This follows GDPR's principle of data minimization, which requires us to limit how long we keep personal data.

Session history and scheduling data are retained for 90 days after you delete your account. This allows other users to reference past collaborations and understand your history with them.

Music files and uploads that you store on Sessio are retained for 60 days after you request deletion. This gives you a grace period to change your mind and restore your files if you accidentally request deletion. After 60 days, all of your uploaded files are permanently removed.

Collaboration and split agreements are retained for six to seven years because Danish tax law requires us to maintain financial and ownership records for this length of time. This ensures that we can prove what revenue splits were agreed to, help resolve disputes about ownership, and comply with tax regulations. These records are anonymized after your account is deleted, so users are not identified by name, only by ID number.

Support emails and tickets are retained for three years because this is the typical statute of limitations for disputes in Denmark. This allows us to defend ourselves if someone disputes what we discussed in support conversations.

Payment records, if we add payment processing in the future, will be retained for seven years to comply with Danish tax law.

Anonymized analytics data is retained indefinitely because this data cannot be associated with you personally. Anonymized data helps us improve the Platform over time by understanding how features are used, even years after the data was collected.

Some of the service providers we use are located outside the European Union, which means your personal information will be transferred to and stored in countries outside the EU. We take steps to ensure that your information receives the same level of protection outside the EU as it does within the EU.

Our primary hosting provider, Bubble.io, is located in the United States. We have a Data Processing Agreement with Bubble.io that includes Standard Contractual Clauses, which are legal agreements approved by the European Commission that ensure your data is protected even though it is transferred outside the EU. These clauses require Bubble.io to maintain the same security and privacy standards that would apply under EU law. You can review Bubble.io's detailed privacy practices at https://bubble.io/privacy.

If we use Google Analytics for analytics, only anonymized data is transferred to the United States. Since anonymized data cannot be used to identify you, the transfer of anonymized data is not subject to GDPR restrictions.

We only transfer your information to countries or to service providers that have adequate safeguards in place to protect your data. If there are any changes to the data protection laws in the countries where your data is stored, we will adjust our practices to maintain compliance.

By using Sessio and accepting this Privacy Policy, you consent to the transfer of your personal information outside the European Union to the extent described in this section. We recognize that international data transfers require your explicit understanding and agreement.

We take the security of your personal information seriously. We implement industry-standard technical and organizational security measures to protect your data from loss, misuse, unauthorized access, and alteration.

On the technical side, we use HTTPS encryption for all connections to the Sessio Platform. This protects your data while it is in transit from your device to our servers, ensuring that third parties cannot intercept your information. We use AES-256 encryption to protect data that is stored at rest on our servers, which is a military-grade encryption standard that makes it extremely difficult for unauthorized parties to access stored data even if they gain access to our servers. We offer two-factor authentication so that you can add an extra layer of security to your account beyond your password. We store your password using encryption hashing, which means we never store your actual password in a form that we can read. We apply regular security updates and patches to all of our systems to fix vulnerabilities as they are discovered. We create daily encrypted backups of all data so that we can recover quickly if something goes wrong and no user loses data.

From an organizational perspective, we limit access to our production systems and user data to a small number of authorized staff members who need this access to perform their jobs. We require all staff members to sign confidentiality agreements that prevent them from disclosing user information. We provide GDPR and privacy training to all staff who handle personal information. We require our team to use password managers so that strong, unique passwords are used for all accounts. We never store sensitive data in plaintext where it could be easily read if someone gained access to our systems. We conduct regular security audits and monitoring to identify and address any vulnerabilities.

However, we acknowledge that no security system is completely perfect. We cannot guarantee absolute protection against all possible threats, including sophisticated hacking attempts, data breaches, or unauthorized access. We encourage you to use a strong, unique password, keep your password confidential, and contact us immediately if you believe your account has been compromised.

Sessio is not intended for use by children under the age of 18. We do not knowingly collect personal information from children under 18 years old. If we become aware that a child under 18 has provided us with personal information, we will delete that information immediately and terminate the child's account without undue delay. If you are a parent or guardian and you believe that your child under 18 has created an account with Sessio, please contact us immediately at legal@sessio.io so that we can remove their information.

Cookies are small files that are stored on your device. We use cookies to improve your experience on Sessio and to help us understand how the Platform is being used.

We use essential cookies that are necessary for the Platform to function properly. These cookies remember whether you are logged into your account so that you do not have to log in again every time you visit. These cookies also maintain your session security by protecting against unauthorized access. Essential cookies help us prevent fraud by detecting suspicious patterns of use.

We use preference cookies that remember your choices and settings. These cookies remember your language preference and your theme preference, such as whether you prefer dark mode or light mode. These cookies also remember whether you have accepted this Privacy Policy so we do not have to ask you again.

We use analytics cookies that help us understand how people use Sessio. These cookies track which features are used most often, measure how well different pages perform, and help us understand user behavior in an anonymized way. This information helps us improve the Platform.

You have control over cookies through your browser settings. You can adjust your internet browser to disable cookies. However, disabling essential cookies may prevent you from logging into your account or using some features of the Platform. If you choose to disable cookies, we recommend that you keep essential cookies enabled.

We do not track your activity across third-party websites. We do not attempt to follow you when you leave the Sessio Platform and visit other websites. We do not respond to "Do Not Track" browser signals, but you can manage your cookie settings and tracking through your browser preferences if you prefer not to be tracked.

The Sessio Platform may contain links to third-party websites such as Spotify, YouTube, SoundCloud, and other music platforms. We are not responsible for the privacy practices of these third-party websites. We encourage you to review the privacy policies of any third-party website before you provide them with personal information.

If you choose to connect your Spotify account to Sessio, you are allowing us to access certain public information from your Spotify profile. We only receive your public profile information, not your password or payment information. You can disconnect your Spotify account from Sessio anytime in your account settings. Once you disconnect, we no longer receive updates from Spotify and we stop using your Spotify data. The privacy practices of Spotify are governed by their privacy policy, which you can review at https://www.spotify.com/privacy/.

We respect your preferences regarding marketing communications. We only send marketing emails to users who have opted in to receive them.

When you sign up for Sessio, you have the option to check a box that says "Subscribe to our newsletter." If you check this box, we will send you marketing emails about new features, updates to the Platform, special promotions, and other opportunities. You can unsubscribe from marketing emails at any time by clicking the "Unsubscribe" link at the bottom of any marketing email, or by emailing hello@sessio.io. Unsubscribing from marketing emails is immediate and does not require you to provide any additional information.

We will send you transactional emails regardless of whether you have opted in to marketing emails. These are emails that are essential for the Platform to function, such as confirmation that your account has been created, help with resetting your password if you forget it, invitations to collaborate on a session, and important notifications about changes to your account or our Terms of Service. These emails are not promotional and you cannot unsubscribe from them, though you can change your account settings to disable certain types of notifications.

If Sessio adds SMS or text message communications in the future, we will only send SMS messages with your explicit consent. You will be able to opt out of SMS messages at any time by texting "STOP" in response to any message.

We may update this Privacy Policy as our business practices evolve or as required by new or changing laws. We will always notify you of significant changes to this Privacy Policy. We will post the updated policy on this page and update the "Last Updated" date at the bottom of the policy. If we make material changes that significantly affect your privacy rights or how we process your information, we will send you an email notice so that you have time to review the changes and understand how they affect you.

Your continued use of the Sessio Platform after we have posted an updated Privacy Policy constitutes your acceptance of the updated policy. If you object to any changes we make, you have the right to close your account and stop using the Platform.

If you have questions about this Privacy Policy, if you would like to exercise any of your GDPR rights, or if you believe that Sessio has violated your privacy rights, please contact us using the following methods.

For privacy questions and concerns, you can email us at legal@sessio.io. For general support and technical issues, you can email us at hello@sessio.io. If you are exercising a specific GDPR right, please include "GDPR Data Rights Request" in your subject line so that we handle your request appropriately.

You can reach us by mail at the following address:

• Sessio ApS
• Burmeistersgade 2, 1. th
• 1429 København K
• Danmark

We will respond to all data rights requests and privacy inquiries within 30 days. If your request is complex and requires more time, we will notify you and provide a timeline for when you can expect a response.

If you believe that Sessio has not adequately addressed your privacy concerns or has violated the GDPR, you have the right to lodge a complaint with the Danish Data Protection Authority, known as Datatilsynet.

• Email: bt@datatilsynet.dk
• Phone: +45 3319 3200
• Website: www.datatilsynet.dk

Submitting a complaint to the supervisory authority does not prevent you from pursuing other remedies, and we encourage you to contact us first so that we can try to resolve any issues directly.

If you are an organization that needs a formal Data Processing Addendum for legal or compliance purposes, you can request one from Sessio. A Data Processing Addendum is a legal contract that outlines how Sessio will process and protect your personal information and the information of your users. Please contact us at legal@sessio.io if you need a DPA.