Privacy Policy

Last updated: 2026-04-07

1. Who we are

SessionLinked is a remote audio collaboration service operated as a sole-trader business from the United Kingdom. The trading name is “SessionLinked”. Throughout this policy, “we”, “us”, and “our” refer to SessionLinked.

We are the data controller for personal information collected through our marketing website (sessionlinked.com), our companion application, our signalling and storage infrastructure, and any related services we offer.

If you have any questions about this policy or want to exercise any of the rights described below, contact us at hello@sessionlinked.com.

2. What information we collect

We collect the following categories of personal information:

  • Account information: when you create a SessionLinked account we collect your email address, your chosen display name, and a password hash. Authentication is handled by AWS Cognito; we never see your password in plaintext.
  • Profile information: when you set up your profile we collect optional fields such as your DAW preference, instruments, hourly rate, and a short bio.
  • Waitlist signups: when you join our waitlist via the website we collect your email address, your IP address, and the user-agent string sent by your browser.
  • Audio recordings and session metadata: when you take part in a SessionLinked session, audio you record and choose to share is uploaded to our cloud storage so it can be delivered to your collaborators. We also collect basic metadata about each session: timestamps, participants, file sizes, and DAW transport state.
  • Wallet and transaction data (when paid features are enabled): if you top up a SessionLinked wallet or pay another user for a session, we record the transaction amount, the involved user IDs, and the time of the transaction. Card details are handled directly by Stripe and never touch our servers.
  • Service logs: our infrastructure (AWS Lambda, CloudFront, S3, DynamoDB) records standard server-side logs that may include IP addresses, request timestamps, and error traces. These are used to operate the service and diagnose problems.

3. Why we collect it (lawful basis)

Under the UK GDPR and EU GDPR, we rely on the following lawful bases:

  • Contract: for everything required to deliver the service to you — authentication, session participation, audio routing, file storage, payments. Without this data we cannot operate the product you signed up for.
  • Consent: for waitlist signups (you give consent by submitting the form) and for any optional marketing emails. You can withdraw consent at any time.
  • Legitimate interest: for security, fraud prevention, basic troubleshooting via server logs, and aggregate product analytics. We balance this against your privacy rights and only retain logs for as long as is necessary.
  • Legal obligation: where we are required by law to retain records for tax, accounting, or regulatory purposes.

4. How long we keep it

  • Account information: until you delete your account. After deletion we retain a minimal record of the deletion event (timestamp + anonymous ID) for one year for audit purposes.
  • Audio recordings: retention depends on your subscription tier. Free accounts have a 7-day session archive. Pro accounts have 30 days. Studio accounts have unlimited retention until you delete the session. Recordings are deleted permanently from cloud storage after the retention window.
  • Waitlist signups: until v1 launch, plus a maximum of 90 days after, at which point waitlist data is deleted unless you have signed up for an account.
  • Wallet and transaction history: we retain transaction records for 7 years to comply with UK accounting law.
  • Server logs: 30 days unless we are actively investigating a security incident, in which case we may retain a specific log set for as long as the investigation requires.

5. Who we share it with

We do not sell your personal information. We share data only with the following types of third parties, and only to the extent necessary to deliver the service:

  • Amazon Web Services (AWS): we use AWS to host all of our infrastructure (Cognito, DynamoDB, S3, Lambda, CloudFront). AWS processes your data in the EU (eu-west-1, Ireland) under their GDPR-compliant data processing addendum.
  • Stripe (when paid features are enabled): Stripe handles all card processing on our behalf. We share the transaction amount and a SessionLinked user identifier with Stripe; we do not share or store card details ourselves.
  • Your collaborators: when you join a SessionLinked session, the audio you choose to share, your display name, and your session role are visible to the other participants in that session. Sessions are private to invited participants.

We do not share your personal information with advertisers, data brokers, or third-party analytics providers. We do not run third-party tracking scripts on our website.

6. Where your data is stored

All SessionLinked data is stored in the European Union, in AWS region eu-west-1 (Ireland). We do not transfer personal data outside the EU/UK except where strictly necessary for service delivery (for example, when you connect to a collaborator who is located in another country, the audio session itself is routed through our EU infrastructure).

7. Your rights

Under the UK GDPR and EU GDPR you have the following rights regarding your personal information. To exercise any of these rights, contact us at hello@sessionlinked.com. We will respond within one calendar month.

  • Right of access (Article 15): request a copy of all personal information we hold about you. Email hello@sessionlinked.com with the subject line “Data access request” and we will respond within one calendar month.
  • Right to rectification (Article 16): ask us to correct any inaccurate information.
  • Right to erasure (Article 17): ask us to delete your account and all associated data by emailing hello@sessionlinked.com with the subject line “Delete my account”. Deletion is permanent and will be completed within 30 days of confirmation.
  • Right to restrict processing (Article 18): ask us to stop processing your data while a complaint or correction is being investigated.
  • Right to data portability (Article 20): receive your data in a structured, machine-readable format (JSON). Use the same access request process above.
  • Right to object (Article 21): object to processing based on legitimate interest, including any direct marketing.
  • Right to withdraw consent: where we rely on consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
  • Right to lodge a complaint: if you believe we have mishandled your personal information, you have the right to complain to the UK Information Commissioner’s Office at ico.org.uk or your local EU data protection authority.

8. How we keep it secure

We use AWS managed services with security baselines enabled by default: encryption at rest for S3 (AES-256) and DynamoDB, TLS 1.2+ for all data in transit, AWS Identity and Access Management (IAM) least-privilege roles for our application code, and AWS Cognito for password hashing and authentication.

Audio recordings stored on your local machine remain on your local machine and are not uploaded to our infrastructure unless you take part in a session and choose to share them.

No system is perfectly secure, and we cannot guarantee absolute security. If we discover a personal data breach that affects you, we will notify you and the UK Information Commissioner’s Office in accordance with Articles 33 and 34 of the GDPR (within 72 hours where feasible).

9. Cookies

The SessionLinked marketing website does not set non-essential cookies and does not run third-party tracking scripts. The companion application uses local storage and the operating system keychain (via Electron safeStorage) to remember your authentication state between launches; this data never leaves your device.

10. Children

SessionLinked is intended for users aged 16 or over. We do not knowingly collect personal information from anyone under 16. If you become aware that a child has provided us with personal information, please contact us and we will delete it.

11. Changes to this policy

We may update this policy from time to time. If we make a material change, we will notify you by email (if you have an account) and update the “last updated” date at the top of this page.

12. Contact

Questions or requests: hello@sessionlinked.com