Privacy policy
Last updated: 15 May 2026
1. About this policy
GetSession is operated by Rewansson ApS (“we”, “us”, “our”), a company registered in Denmark under registration number DK41747889, with its registered office at Vesterbrogade 208, 1800 Frederiksberg C.
This policy explains what personal data we collect when you use the GetSession platform (the “Service”), how we use it, who we share it with, and the rights you have over it. It covers both signed-up account holders and off-platform people who receive an email from us (for example, because a writer named you as a contributor on a song) and click through to a magic-link page we host.
We are the data controller for the personal data described here. If you have a question, a request, or a complaint, write to us at hello@get-session.com.
2. The data we collect
We collect personal data from three sources.
a) From you, directly
When you create an account or use the Service we collect:
- Identity and profile data: your name, email address, password (stored only as a salted hash), profile photo, biography, the city and country you tell us you’re based in, your studio address (optional), your time zone, your main role (e.g. Songwriter, Producer, Manager), additional roles, music genres, and a tier you select.
- PRO and publisher information: optional publisher, IPI number, and collecting-society details. We treat this as private data: it is never visible on your public profile and is only revealed to your co-writers after they have accepted a split with you.
- Content you upload: song audio files, photos for your “worked with” entries, and artwork for credits you add to your profile.
- Activity you create: sessions you book or are invited to, scheduling polls you start or vote in, songs you create, contributor splits you propose and accept, amendments you propose to those splits, roster invitations you send or respond to.
- Notification preferences: whether you want to receive email about in-platform activity.
b) From other users, about you
- Invitations naming you: when a representer invites you to their roster (or vice versa), when a writer invites you to a session, or when a contributor proposes a split that includes you, the inviter’s record of you is stored so we can show you the invitation.
- Referrals: if you’re referred to GetSession by an existing user, we store your email and a short description they provided until you complete signup or the referral expires.
- Off-platform contributor records: a writer can add you as a contributor on a song before you have an account. In that case we store your name, email address, and a one-time magic token so we can email you a link to accept or decline the split.
c) From connected services
- Google Sign-In (if you choose to sign in with Google): we receive your Google account email, your name, and a flag indicating Google has verified the email.
- Google Calendar (if you choose to connect it): we read free/busy windows from your primary calendar so the Service can suggest meeting times, and we create calendar events on your calendar for sessions you book through us. We do not read the title, description, location, or attendee list of events that we did not create on your calendar.
d) Automatically
Our hosting platform records minimal operational data — request timing, HTTP status codes, error stack traces — to keep the Service running and let us debug problems. This data has a short retention and is not used to profile you. We do not use third-party analytics, marketing pixels, or behavioural tracking tools.
3. How we use it
Under the EU and UK General Data Protection Regulation (“GDPR” and “UK GDPR”), every use of personal data needs a lawful basis. Here are ours.
- Performance of a contract (Art. 6(1)(b) GDPR). To create and run your account, host the songs, sessions, splits, polls, and roster relationships you participate in, and to deliver transactional email (e.g. invitation, accept, decline, retraction notices) that the Service can’t function without.
- Legitimate interests (Art. 6(1)(f) GDPR). To keep the Service secure, detect abuse, fix bugs, and improve the platform using aggregate, non-identifying signals. We balance these interests against your rights and we don’t use this basis for anything you’d reasonably object to.
- Consent (Art. 6(1)(a) GDPR). Connecting Google Calendar is optional — we only access it after you grant the relevant scope. If we ever introduce marketing email, that will also be consent-based; today there is no such email.
- Legal obligation (Art. 6(1)(c) GDPR). To respond to data-subject requests and to keep records where law requires it.
We do not make automated decisions with legal or similarly significant effects about you (Art. 22 GDPR).
5. International transfers
Some of our processors (Vercel, Resend, Google) are based in the United States. When personal data leaves the European Economic Area or the United Kingdom, we rely on the European Commission’s Standard Contractual Clauses (and the UK Addendum where applicable) as the transfer mechanism, supplemented by the processor’s technical and organisational safeguards. Where a processor is certified under the EU-US Data Privacy Framework, we additionally rely on that adequacy decision.
6. Retention
We keep personal data for as long as it’s needed for the purposes set out in this policy.
- Account data: while your account is active. When you delete your account, the data cascades through our database and is removed.
- Off-platform contributor records: removed within 30 days of a request from the named individual, or when the song or amendment they are attached to is deleted, whichever comes first.
- Waitlist entries: kept while the referral is active. Rejected or expired entries are retained for up to 12 months for audit purposes and then deleted.
- Calendar tokens: access tokens are short-lived and rotate automatically. Refresh tokens are revoked immediately when you disconnect Google Calendar or delete your account.
- Uploaded files (profile photos, song audio, artwork): removed within 30 days of account deletion.
- Operational logs: kept by the hosting platform for a short period (typically less than 30 days) and not used to profile users.
Where law requires us to retain a record longer (for example, financial records), we will, and we’ll restrict access to it during that period.
7. Your rights
EU users (GDPR)
You have the right to:
- access the personal data we hold about you;
- have inaccurate data rectified;
- have your data erased (the “right to be forgotten”);
- restrict our processing of your data;
- receive your data in a portable format and transmit it elsewhere;
- object to processing based on our legitimate interests (Art. 21 GDPR);
- withdraw consent at any time where processing is based on consent;
- not be subject to a decision based solely on automated processing (Art. 22 GDPR — we don’t do this);
- lodge a complaint with your local supervisory authority. Our lead authority is Datatilsynet (datatilsynet.dk), and you can also complain to the authority where you live or work.
UK users (UK GDPR + DPA 2018)
You have the same rights as EU users above. The relevant supervisory authority is the Information Commissioner’s Office (ico.org.uk).
California residents (CCPA)
If you live in California, you have the right to:
- know what personal information we have collected about you;
- request deletion of your personal information;
- request correction of inaccurate personal information;
- opt out of the sale or sharing of your personal information (we do not sell or share — see section 4(e));
- not be discriminated against for exercising any of these rights.
You may use an authorised agent to submit a request on your behalf; we will ask for proof of authorisation.
How to exercise your rights
Email hello@get-session.com from the address associated with your account. We’ll respond within 30 days under GDPR / UK GDPR and within 45 days under CCPA. We may ask for proof of identity before acting on a request, to protect your data from impersonation.
8. Security
The Service is built around several layers of protection:
- Database access is restricted with row-level security, so users can only see the rows they’re authorised for.
- Uploaded files are served through short-lived signed URLs, not public links.
- Connections to third-party services are OAuth-based where possible, with the minimum scopes required for the feature.
- Magic-link tokens used in invitation emails are unique per recipient row and generated with a cryptographic RNG.
- Passwords are salted and hashed by our auth provider; we never see them in plain text.
No system is bulletproof. If a breach affects your personal data, we will notify the lead supervisory authority within 72 hours where the GDPR requires it, and notify affected users without undue delay where the breach is likely to result in a high risk to them.
9. Children
GetSession is not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe a child has signed up, contact us at hello@get-session.com and we will delete the account.
10. Changes to this policy
We may update this policy from time to time — for example, when we add a new feature or switch a processor. When we make a material change, we’ll update the “Last updated” date at the top of this page and notify active users by in-app banner and email before the change takes effect.
11. Contact
Rewansson ApS
Vesterbrogade 208, 1800 Frederiksberg C
Email: hello@get-session.com
This policy was drafted to be honest about what GetSession does today. If you spot a gap between what’s described here and what the Service is actually doing, we’d like to know — write to us at the address above.