Privacy Policy

Learn how we collect, use, and protect your personal data.

Bopkit Privacy Policy
Last updated: 10th July 2025

1. Introduction and Controller Information

Bopkit ("we", "our", "us") is currently operated as a sole trader in Malta and acts as the data controller governing your personal data. This Privacy Policy explains how we collect, use, share, store, and protect your personal data, and your rights under GDPR and other applicable laws. We operate in the EU but serve users globally.

2. Scope and Applicability

This Policy applies to personal and usage data of all Users (Sellers, Buyers, visitors) collected via our website, API integrations (e.g. YouTube), payments (e.g. PayPal), and related services.

3. Key Definitions

  • Buyer / Seller: as defined in the Terms and Conditions.
  • Personal Data: any information relating to an identified or identifiable person.

4. What Data We Collect

A. Information You Provide

  • Registration: name, email, username, password, profile image, bio, social media links (YouTube, Instagram, SoundCloud).
  • Content uploads: beats and metadata (title, BPM, key), cover art, collaborator information and profit-sharing details.
  • Shop Customization: color themes, background images, currency preferences.
  • Settings: audio tag preferences, default pricing, YouTube upload settings.

B. Automatically Collected Data

  • Session Information: IP address, user agent, session tokens and expiration times.
  • Technical logs for debugging and system maintenance.

C. Third-Party Sources and Integrations

  • PayPal: merchant account details, payment processing, and transaction information.
  • YouTube API Services: for uploading video content (we do not collect analytics or usage statistics).
  • Google OAuth: basic profile information (name, email) when you choose to sign in with Google.

5. Legal Basis and Purpose of Processing

We process personal data under GDPR legal bases:

  • Contract: account provisioning, content hosting, payment processing, licensing sales, collaborator profit-sharing arrangements, shop customization services.
  • Legitimate interest: basic service functionality, system security, maintaining service quality.
  • Legal compliance: retention for tax/accounting obligations, responding to legal requests.
  • Consent: YouTube API integration (for video uploads), optional social login via Google OAuth.

Primary purposes:

  • Platform delivery: user accounts, beat licensing, content hosting, payment processing.
  • Service provision: shop customization, collaborator management, content organization.
  • Security: account protection, secure payment processing.
  • Communication: transactional emails (password reset, order confirmations), support responses.
  • Legal compliance: tax reporting, regulatory requirements.
  • API Integration: YouTube video uploads (with user consent), social authentication (optional)

YouTube Data Usage: When you connect your YouTube account, we are able to access your channel information and upload videos on your behalf. We do not store or analyze your YouTube analytics data.

6. YouTube API Use Disclosure

We integrate with YouTube API Services to enable video uploads to your YouTube channel.

Data We Access:

  • Your YouTube channel information (channel name, thumbnail image, channel ID)
  • Video upload capabilities to publish content you create

How We Use YouTube Data:

  • Display your connected YouTube channel information in your account settings
  • Upload videos you create (combining your audio tracks with artwork) to your YouTube channel
  • We do NOT collect, store, or analyze YouTube analytics, view counts, or performance metrics

API Compliance: Your use of our YouTube integration is also subject to the Google Privacy Policy.

Revoking Access: You may revoke Bopkit's access to your YouTube account at any time by unlinking your account or via Google Security Settings.

7. Sharing and Disclosures

We do not sell personal data. We may share data with:

Service Providers:

  • PayPal: for payment processing and merchant account management
  • Supabase: for secure file storage (audio tracks, images)
  • Resend: for transactional email delivery (password resets, notifications)
  • Vercel: for application hosting and content delivery
  • Inngest: for background processing of YouTube video uploads
  • Google: for YouTube API integration and optional OAuth authentication

Legal Disclosures:

  • Legal authorities: when required by law, court order, or to protect our rights and users' safety
  • Business transfers: in connection with any merger, acquisition, or sale of assets (with notice to users)

International Transfers:

Some of our service providers may process your data outside your country of residence. We ensure all international transfers comply with applicable data protection laws through appropriate safeguards including Standard Contractual Clauses, adequacy decisions, or equivalent protections.

8. Cookies and Tracking

Cookie Types:

  • Essential: Authentication, security, guest cart functionality (required)
  • Functional: Interface preferences like sidebar layout (optional)
  • Third-party: PayPal (payments), Google (login/YouTube integration)

Browser Storage:

  • We store non-sensitive preferences locally (currency, table settings)
  • This data stays on your device and is not transmitted to our servers

Your Rights:

  • Functional cookies require your consent in regions where legally required
  • You can withdraw consent at any time through browser settings
  • Strictly necessary cookies cannot be disabled as they're essential for platform security and functionality
  • Third-party cookies are controlled by their respective privacy policies

Managing Cookies:

  • Browser settings: Most browsers allow you to block or delete cookies
  • Functional impact: Disabling necessary cookies will prevent platform use
  • Third-party opt-out: Available through PayPal and Google privacy controls

9. Data Retention and Transfers

Retention Periods:

  • Account data: Until account deletion or 3 years of inactivity
  • Payment records: 7 years (legal/tax compliance requirements)
  • Content files: Until you delete them or close your account
  • Session/security logs: 90 days maximum

Deletion: You may request account deletion anytime. Some data may be retained longer where legally required (payment records, dispute resolution).

International Transfers:

We may transfer data outside your country to service providers including:

  • PayPal (payment processing)
  • Google (YouTube/authentication)
  • Cloud hosting providers (application infrastructure)
  • Email services (transactional communications)

Safeguards: All transfers use GDPR-standard protections including Standard Contractual Clauses, adequacy decisions, or equivalent safeguards.

10. Data Subject Rights

Under GDPR and other laws, you have the right to:

  • Access, correct, delete, or restrict processing of your data.
  • Withdraw consent at any time (without affecting prior lawful processing).
  • Receive your data in portable format (data portability)
  • Object to processing based on legitimate interests
  • Lodge complaints with your local data protection authority.

To exercise these rights, contact us at: privacy@bopkit.com

Response Time: We will respond to requests within 30 days (may extend to 60 days for complex requests with notification).

Identity Verification: We may request identification to verify your identity before processing certain requests.

11. Security Measures

We implement technical and organizational safeguards including encryption in transit and at rest, secure authentication, access controls, and secure hosting infrastructure. Access to personal data is limited to authorized personnel only.

12. Children

Bopkit is intended for users aged 18 or older. We do not knowingly collect data from anyone under 18. If you believe we have collected data from a minor, please contact us immediately and we will delete it.

13. Changes to This Policy

We may update this Privacy Policy from time to time. The latest version will always be available on this page. Where required, we will notify you of significant changes (e.g., by email or in-app notice).

Have questions about this privacy policy? Contact our privacy team

Essential cookies are necessary for this site to function. By clicking 'Accept all', you also allow us to use additional cookies to enhance your experience. Learn more.