What data we hold, and whose it is.

GateCrate sits in two different positions depending on whose data we’re talking about, and the difference is the whole product. Read this bit even if you skip the rest.

• Your fans’ data — you’re the controller, we’re the processor. When a fan clears your gate and you collect their email, you decide what happens with it. GateCrate only holds and handles it on your instructions to run the service. We don’t market to your fans for ourselves and we never sell your list.
• Your artist account — we’re the controller. For the data you give us to run your account (your email, login, profile, usage), GateCrate is the controller and this policy explains what we do with it.

This policy is governed by the UK GDPR and the Data Protection Act 2018. GateCrate is operated by GateCrate Ltd (England & Wales).

To run GateCrate we hold:

• Account data: your name or artist name, email, hashed password, profile (handle, avatar, links), and settings.
• Content you upload: tracks, artwork, audio previews, reward files, and the gates and copy you build.
• Fan data, on your behalf: the email a fan submits, their consent state, the gate they unlocked, and the minimum needed to verify any platform steps. We dedupe fans globally by email but keep consent and segments per-artist, so a fan’s relationship with one artist never leaks into another’s.
• Usage and telemetry: funnel and event logs (which gate, which step, timestamps), kept without raw fan emails so the audit trail can’t become a second copy of the PII.
• Technical data: IP address, device/browser, and the small set of cookies described in our Cookie Policy.

• Contract: we process your account data to give you the service you signed up for.
• Consent: fans join your list through real, double-opt-in consent — nothing is pre-ticked, and they confirm by clicking a link in an email.
• Legitimate interests: keeping the platform secure, preventing abuse and fake engagement, and improving the product — balanced against everyone’s rights.
• Legal obligation: where we have to keep records (for example, tax records for paid features).

We don’t sell data. We use a short list of trusted sub-processors to run the service, each under a data-processing agreement:

• Vercel — hosting and content delivery.
• Neon — the Postgres database.
• Resend — sending transactional and double-opt-in emails.
• Gate platforms (Spotify, YouTube/Google, Discord, SoundCloud) — only when you or a fan chooses to connect one to clear a step, and only for that verification. Those connections are kept isolated from your login session.

We’ll also disclose data if the law genuinely requires it, and we’d tell you unless we’re forbidden from doing so.

Our suppliers may process data outside the UK. Where they do, we rely on UK-approved transfer safeguards (such as the International Data Transfer Agreement or adequacy decisions) so your data keeps essentially the same protection it has at home.

We keep account and fan data for as long as your account is active, then delete or anonymise it within a reasonable window after you close it — except records we’re legally required to retain. When a fan is erased, we anonymise their personal details in place rather than deleting the row, so an artist’s unlock counts and chart contributions stay honest while the fan’s identity is gone.

Under the UK GDPR and the Data Protection Act 2018 you can ask to access, correct, delete, restrict, or port your data, and object to certain processing. For your own account data, email privacy@gatecrate.com or use the data-rights page. We aim to respond within one month.

Your fans have the same rights — but because you’re their controller, requests usually go through you. GateCrate gives you the tools to honour them: look a fan up, show them everything you hold, and anonymise or delete it. If a fan contacts us directly, we’ll route them to you and help you respond.

If you think we’ve mishandled your data, you can complain to the UK’s Information Commissioner’s Office (ico.org.uk) — though we’d rather you gave us the chance to fix it first.

Passwords are hashed, never stored in the clear. Download links are short-lived and signed — storage keys never reach the browser. Platform tokens for gate verification are isolated from your login session. We use encryption in transit and limit who can touch production data. No system is perfect, but we treat your fan list like the asset it is.

GateCrate isn’t for under-18s, and we don’t knowingly collect their data. If you think a child’s data has ended up here, tell us at privacy@gatecrate.com and we’ll remove it.

When this policy changes materially, we’ll update the date at the top and flag bigger changes in the app or by email. Reach the team any time at privacy@gatecrate.com or via the contact form.