Privacy Policy
Last updated: 2026-04-07
1. Who we are
SessionLinked is operated by SessionLinked Ltd, a private limited company registered in England and Wales, with registered office at 11 Oldham Street, Liverpool, L1 2SU, United Kingdom.
For data protection purposes, SessionLinked Ltd is the controller of the personal data described in this policy. References to “SessionLinked”, “we”, “us”, and “our” throughout this policy mean SessionLinked Ltd.
We are the data controller for personal information collected through our marketing website (sessionlinked.com), our companion application, our signalling and storage infrastructure, and any related services we offer.
If you have any questions about this policy or want to exercise any of the rights described below, contact us at hello@sessionlinked.com.
2. What information we collect
We collect the following categories of personal information:
- Account information: when you create a SessionLinked account we collect your email address, your chosen display name, and a password hash. Authentication is handled by AWS Cognito; we never see your password in plaintext.
- Profile information: when you set up your profile we collect optional fields such as your DAW preference, instruments, hourly rate, and a short bio.
- Waitlist signups: when you join our waitlist via the website we collect your email address, your IP address, and the user-agent string sent by your browser.
- Audio recordings and session metadata: when you take part in a SessionLinked session, audio you record and choose to share is uploaded to our cloud storage so it can be delivered to your collaborators. We also collect basic metadata about each session: timestamps, participants, file sizes, and DAW transport state.
- Wallet and transaction data (when paid features are enabled): if you top up a SessionLinked wallet or pay another user for a session, we record the transaction amount, the involved user IDs, and the time of the transaction. Card details are handled directly by Stripe and never touch our servers.
- Service logs: our infrastructure (AWS Lambda, CloudFront, S3, DynamoDB) records standard server-side logs that may include IP addresses, request timestamps, and error traces. These are used to operate the service and diagnose problems.
3. Why we collect it (lawful basis)
Under the UK GDPR and EU GDPR, we rely on the following lawful bases:
- Contract: for everything required to deliver the service to you — authentication, session participation, audio routing, file storage, payments. Without this data we cannot operate the product you signed up for.
- Consent: for waitlist signups (you give consent by submitting the form) and for any optional marketing emails. You can withdraw consent at any time.
- Legitimate interest: for security, fraud prevention, basic troubleshooting via server logs, and aggregate product analytics. We balance this against your privacy rights and only retain logs for as long as is necessary.
- Legal obligation: where we are required by law to retain records for tax, accounting, or regulatory purposes.
4. How long we keep it
- Account information: until you delete your account. After deletion we retain a minimal record of the deletion event (timestamp + anonymous ID) for one year for audit purposes.
- Audio recordings: retention depends on your subscription tier. Free accounts have a 7-day session archive. Pro accounts have 30 days. Studio accounts have unlimited retention until you delete the session. Recordings are deleted permanently from cloud storage after the retention window.
- Waitlist signups: until v1 launch, plus a maximum of 90 days after, at which point waitlist data is deleted unless you have signed up for an account.
- Wallet and transaction history: we retain transaction records for 7 years to comply with UK accounting law.
- Server logs: 30 days unless we are actively investigating a security incident, in which case we may retain a specific log set for as long as the investigation requires.
5. Who we share it with
We do not sell your personal information. We share data only with the following types of third parties, and only to the extent necessary to deliver the service:
- Amazon Web Services (AWS): we use AWS to host all of our infrastructure (Cognito, DynamoDB, S3, Lambda, CloudFront). AWS processes your data in the EU (eu-west-1, Ireland) under their GDPR-compliant data processing addendum.
- Stripe (when paid features are enabled): Stripe handles all card processing on our behalf. We share the transaction amount and a SessionLinked user identifier with Stripe; we do not share or store card details ourselves.
- Your collaborators: when you join a SessionLinked session, specific pieces of information about you become visible to the other participants in that session. See the “What collaborators see about you” subsection below for an exhaustive list.
What collaborators see about you
When you join a SessionLinked session, the other participants in that session receive the following from us in real time, as a direct consequence of your participation:
- Your display name as shown in your SessionLinked profile (not your account email).
- Your session role (host, participant, observer) and connection state.
- Any audio you choose to share via the session, streamed in real time and, where the session permits recording, captured as a downloadable file by each permitted participant’s companion application.
- Any DAW transport events you trigger while connected (play, stop, record, locate, tempo changes) for the purpose of MMC synchronisation.
- Your video stream if you have your camera enabled.
- Any chat messages or session notes you post within the session view.
Collaborators do not receive: your account email address, your IP address, your payment history, your billing status, your profile biographical fields (unless your profile is public on the SessionLinked Hub), or any personal data you have not explicitly shared inside the session.
What happens when content is deleted
SessionLinked sessions are inherently collaborative, which has a consequence for your right to erasure that we want to explain in plain language rather than leave buried in legal boilerplate.
Our cloud copy. When you delete a session from our cloud storage (or we delete it at your request under your right to erasure), we remove our hosted copies of the session audio, metadata, and transport logs from AWS within 30 days. This covers every copy that we control.
Collaborator copies. However, if during the session a collaborator received and saved a copy of audio you shared with them, that copy lives on their local system or their own DAW project and is outside our reach. We cannot delete files from a collaborator’s computer on your behalf, and deleting the session from our cloud does not automatically remove local copies your collaborators may already have.
What to do. If you need a recording removed from a collaborator’s system, you must contact that collaborator directly and ask them to delete it. If a collaborator refuses, you may have rights under your local data protection law that you can pursue independently — contact us at hello@sessionlinked.com if you need the collaborator’s contact details that we hold (we will verify your identity before sharing).
We do not share your personal information with advertisers, data brokers, or third-party analytics providers. We do not run third-party tracking scripts on our website.
6. Where your data is stored and accessed
Storage at rest. We store customer account data, session metadata, session chat, audio recordings, and operational logs in AWS region eu-west-1 (Ireland), inside the European Union. We do not maintain copies of this data anywhere outside the EU/UK.
Data in transit. When data travels between your device and our infrastructure, it is encrypted in transit using TLS 1.2 or higher. Audio streams between session participants use WebRTC, which provides mandatory end-to-end SRTP encryption of media payloads.
Remote participant access from outside the UK/EEA. SessionLinked is a collaboration product, so it is normal for session participants to be located in countries outside the UK/EEA — for example, a London-based user running a session with a Los Angeles-based collaborator. In that case, your EU-hosted session data is transmitted to the other participant’s device over the public internet and is temporarily or permanently stored on their device. We do not control the onward storage or processing of data that a participant has legitimately received from a session they were invited to.
This is a practical consequence of real-time collaboration with remote participants, and we cannot eliminate it while still providing the product as described. By inviting or accepting an invitation from a participant in another country, both parties accept that personal data exchanged during the session may be accessed from that country.
International transfers by us. Where personal data is transferred internationally by us (for example, if a third-party processor we rely on operates from outside the EU/UK), we rely on the safeguards required by applicable law, including the UK International Data Transfer Agreement and the EU Standard Contractual Clauses where appropriate. We do not currently use any third-party processor outside the EU/UK, but this section covers the case where we may need to add one in future.
Law enforcement access. Our AWS infrastructure is subject to the laws of the Republic of Ireland and the European Union, including EU data protection law. It is not subject to the US Cloud Act or equivalent third-country disclosure regimes that apply to US-headquartered cloud providers operating US-based facilities.
7. Your rights
Under the UK GDPR and EU GDPR you have the following rights regarding your personal information. To exercise any of these rights, contact us at hello@sessionlinked.com. We will respond within one calendar month.
- Right of access (Article 15): request a copy of all personal information we hold about you. Email hello@sessionlinked.com with the subject line “Data access request” and we will respond within one calendar month.
- Right to rectification (Article 16): ask us to correct any inaccurate information.
- Right to erasure (Article 17): ask us to delete your account and all associated data by emailing hello@sessionlinked.com with the subject line “Delete my account”. Deletion is permanent and will be completed within 30 days of confirmation.
- Right to restrict processing (Article 18): ask us to stop processing your data while a complaint or correction is being investigated.
- Right to data portability (Article 20): receive your data in a structured, machine-readable format (JSON). Use the same access request process above.
- Right to object (Article 21): object to processing based on legitimate interest, including any direct marketing.
- Right to withdraw consent: where we rely on consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
- Right to lodge a complaint: if you believe we have mishandled your personal information, you have the right to complain to the UK Information Commissioner’s Office at ico.org.uk or your local EU data protection authority.
8. How we keep it secure
We use AWS managed services with security baselines enabled by default: encryption at rest for S3 (AES-256) and DynamoDB, TLS 1.2+ for all data in transit, AWS Identity and Access Management (IAM) least-privilege roles for our application code, and AWS Cognito for password hashing and authentication.
Audio recordings stored on your local machine remain on your local machine and are not uploaded to our infrastructure unless you take part in a session and choose to share them.
No system is perfectly secure, and we cannot guarantee absolute security. If we discover a personal data breach that affects you, we will notify you and the UK Information Commissioner’s Office in accordance with Articles 33 and 34 of the GDPR (within 72 hours where feasible).
9. Cookies and analytics
The SessionLinked marketing website does not set non-essential cookies and does not run third-party tracking scripts. The companion application uses local storage and the operating system keychain (via Electron safeStorage) to remember your authentication state between launches; this data never leaves your device.
We use only first-party operational analytics needed to maintain and improve the service, such as aggregate counts of sessions, error rates, and feature usage. We do not use third-party advertising trackers, cross-site profiling technologies, or behavioural advertising networks.
10. Children
SessionLinked is intended for users aged 16 or over. We do not knowingly collect personal information from anyone under 16. If you become aware that a child has provided us with personal information, please contact us and we will delete it.
11. Changes to this policy
We may update this policy from time to time. If we make a material change, we will notify you by email (if you have an account) and update the “last updated” date at the top of this page.
12. Contact
Questions or requests: hello@sessionlinked.com