Privacy Policy

Effective: 23 March 2026

1. Who We Are

HumanMade is a public registry for human-created music, operated from New Zealand.

For the purposes of the EU and UK General Data Protection Regulation (GDPR), HumanMade is the data controller.

2. What We Collect

We collect the following information:

Account Information

  • Email address
  • Display name / artist name
  • Password (stored as a secure hash - we never see your actual password)
  • Profile photo (if uploaded)

Submission Data

  • Work title, type (single, EP, album, art), and metadata (ISRC, genre, release date, etc.)
  • Cover artwork and any evidence images you upload
  • Collaborator details you provide (performers, contributors, songwriters)

Payment Information

  • Payment is processed by Polar.sh. We receive confirmation of payment (transaction ID, amount, status) but do not store your card number or bank details.

Technical Data

  • IP address (used for rate limiting and security)
  • Browser type and device information (from standard HTTP headers)

3. How We Use Your Data

Purpose | Legal Basis (GDPR)
Create and manage your account | Contract performance
Process submissions and issue registration numbers | Contract performance
Process payments via Polar.sh | Contract performance
Display registered works on public verification pages | Contract performance
Send transactional emails (verification, receipts, status updates) | Contract performance
Review submissions for AI-generated content | Legitimate interest (registry integrity)
Rate limiting and platform security | Legitimate interest (security)
Comply with legal obligations (e.g., tax records) | Legal obligation

We do not sell your personal data. We do not use your data for advertising.

4. Public Visibility

The HumanMade registry is public by design. When you register a work, the following is displayed on your public verification page and may appear in search results:

  • Artist name
  • Work title and type
  • Registration number
  • Cover artwork
  • Release date

Your email address is never displayed publicly.

5. Who We Share Data With

We share your data only with the service providers we need to operate the platform:

Provider | Purpose | Location
Cloudflare | Hosting, database, image storage, security | Global (US-headquartered)
Polar.sh | Payment processing | US / EU
Resend | Transactional email delivery | US

We do not share your data with advertisers, data brokers, or any other third parties.

6. International Data Transfers

Your data may be transferred to and processed in the United States by our service providers (Cloudflare, Polar.sh, Resend). These transfers are protected by:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • The UK International Data Transfer Addendum where applicable
  • Provider participation in the EU-US Data Privacy Framework (where certified)

Under New Zealand's Privacy Act 2020 (IPP 12), we ensure overseas recipients are bound by comparable privacy protections through contractual safeguards.

7. Cookies & Session Data

HumanMade uses only strictly necessary cookies for:

  • Authentication: A session cookie to keep you logged in
  • Security: Temporary data used for rate limiting (stored in Cloudflare KV, not on your device)

We do not use analytics cookies, advertising cookies, or any third-party tracking. Because our cookies are strictly necessary for the service, no consent banner is required under the ePrivacy Directive.

8. Automated Processing

HumanMade may use automated tools to assist in reviewing submissions for AI-generated content. These tools produce a confidence score that supports human review - they do not make final decisions. No submission is automatically rejected or revoked without human oversight. You have the right to contest any review outcome by contacting us.

9. Data Retention

Data | Retention Period
Account information | Until you delete your account, or 2 years after last login
Verified registry entries (public data) | Permanent (part of the public registry record)
Unverified / rejected submissions | Deleted within 90 days of rejection or expiry
Payment records | 7 years (tax and accounting obligations)
IP addresses (rate limiting) | Deleted within 24 hours

10. Your Rights

Depending on where you live, you have some or all of the following rights over your personal data:

  • Access - Request a copy of the data we hold about you
  • Correction - Ask us to correct inaccurate data
  • Deletion - Ask us to delete your data (subject to legal retention requirements and the permanent nature of verified registry entries)
  • Restriction - Ask us to restrict processing of your data in certain circumstances
  • Portability - Receive your data in a structured, machine-readable format (EU/UK)
  • Objection - Object to processing based on legitimate interests (EU/UK)
  • Withdraw consent - Where processing is based on consent, withdraw it at any time

To exercise any of these rights, email privacy@humanmaderegister.com. We will respond within 30 days.

Additional Rights by Region

EU / UK: You have the right to lodge a complaint with your local data protection authority. In the UK, this is the Information Commissioner's Office (ICO).

New Zealand: You may complain to the NZ Privacy Commissioner.

Australia: You may complain to the Office of the Australian Information Commissioner (OAIC).

California (USA): Under the CCPA/CPRA, you have the right to know what personal information we collect, request deletion, and opt out of the sale or sharing of personal information. We do not sell or share your personal information as defined by the CCPA.

11. Data Security

We protect your data using:

  • HTTPS encryption on all connections
  • Passwords hashed with industry-standard algorithms (never stored in plain text)
  • Cloud infrastructure with Cloudflare's enterprise-grade security
  • Rate limiting to prevent abuse
  • Access controls limiting who can view personal data

No system is 100% secure. In the event of a data breach that poses a risk to your rights, we will notify the relevant authorities and affected users as required by the NZ Privacy Act 2020, the GDPR, and other applicable laws.

12. Children's Privacy

HumanMade is not directed at children. You must be at least 16 years old to create an account. We do not knowingly collect data from anyone under 13. If we learn that we have collected data from a child under 13, we will delete it promptly. If you believe a child has provided us with personal data, please contact us.

13. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated by email or a notice on the platform at least 30 days before they take effect. The effective date at the top of this page will be updated accordingly.

14. Contact Us

For any privacy-related questions or to exercise your rights, contact us at:

privacy@humanmaderegister.com