Data Processing Policy

Last version: November 2025

Introduction

When you (hereinafter the “Customer”) use the services of AndR (“ANDR”), ANDR provides analytics and related services to you, which may require the Processing of Personal Data. In this context:

  • The Customer acts as the Controller of the Personal Data, determining the purposes and means of its Processing; and
  • ANDR acts as the Processor, Processing Personal Data on behalf of the Customer in accordance with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 (“Privacy Legislation”).

This Data Processing Policy (the “Policy”) sets out:

  1. How ANDR will collect, process, and secure Personal Data on behalf of the Customer; and
  2. The obligations of both Parties to ensure compliance with the Privacy Legislation.

By using ANDR’s services, the Customer acknowledges and agrees to the terms of this Policy regarding the Processing of Personal Data.

Definitions

In this Data Processing Policy, the following terms shall have the meanings set out below when written with a capital letter:

Controller

The entity (the Customer) that determines the purposes and means of Processing Personal Data.

Data Subject

The natural person to whom the Personal Data relates (e.g., an artist, manager, or audience member whose data is processed).

Data Breach

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed by ANDR on behalf of the Customer.

Privacy Legislation

All applicable data protection and privacy legislation, including:

  • The Belgian Privacy Law of 30 July 2018;
  • The General Data Protection Regulation (EU) 2016/679 (GDPR);
  • Any applicable European or Belgian legislation implementing or supplementing these laws, as amended or replaced from time to time.

Processing/Process

Any operation performed on Personal Data, whether or not by automated means, including (but not limited to): collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, alignment, combination, restriction, erasure, or destruction.

Processor

The entity (in this case ANDR) that Processes Personal Data on behalf of the Controller.

Services

All services provided by ANDR to the Customer that involve Processing Personal Data, including access to and use of the ANDR platform, its APIs, and related support.

Sub-processor

Any processor engaged by ANDR to Process Personal Data on behalf of the Customer.


The Data Processing Policy includes the following annexes:

Annex I

Overview of (i) the Personal Data expected to be processed, (ii) the categories of Data Subjects, and (iii) the purposes and means of Processing.

Annex II

Description of the technical and organizational security measures taken by ANDR.

Annex III

List of Sub-processors

Annex IV

Third-Party Data Sources 

3. Roles of the Parties

In accordance with the Privacy Legislation, the Customer is the Controller and determines the purposes and means of Processing Personal Data. ANDR acts solely as a Processor and processes Personal Data on behalf of the Customer in accordance with this Policy and the Customer’s documented instructions.

4. Use of the Services

The Customer acknowledges and agrees that:

4.1 Use of Services

ANDR acts solely as a facilitator of the Services and does not determine how or to what extent the Customer uses the Services.

4.2 Customer Responsibility

The Customer remains responsible for ensuring that its use of the Services complies with applicable Privacy Legislation and any other relevant regulations.

The Customer is responsible for the accuracy, quality, and legality of the Personal Data uploaded, created, or enriched through the Services.

4.3 The Customer acknowledges that any analytics, insights or enriched data generated through the Services are created solely for informational use and internal analysis. Such outputs do not constitute professional, financial, strategic or legal advice. The Customer remains solely responsible for assessing the accuracy and suitability of all outputs before relying on them.

4.4 No Automated Decisions or Reliance

ANDR does not make automated decisions that produce legal or similarly significant effects for Data Subjects. Any decisions or actions taken by the Customer based on the outputs remain solely the responsibility of the Customer. ANDR shall have no liability for any consequences arising from such decisions.

4.5 Example Reports and Demo Outputs

Any example reports, demonstrations or pre-contract materials provided by ANDR in connection with the Services shall be subject to the same responsibilities and limitations described in this Policy.

4.6 Authorized Users

The Customer is responsible for ensuring that its authorized users are informed of this Policy and applicable data protection obligations.

The Customer is liable for the acts or omissions of such users when using the Services.

4.7 Adjustments to Data

ANDR bears no responsibility for adjustments or changes made to Personal Data by the Customer or at the Customer’s explicit request.

4.8 Misuse of Services

In case of misuse of the Services or Personal Data by the Customer, ANDR shall not be held liable for any resulting damages, except where such damages are caused by ANDR’s own breach of the Privacy Legislation. The Customer shall indemnify ANDR against third-party claims arising from such misuse.

5. Object

5.1 The Customer acknowledges that, as a result of using ANDR’s Services, ANDR Processes Personal Data collected by or on behalf of the Customer.

5.2 ANDR shall:

  • Process Personal Data in a proper, secure, and transparent manner, in accordance with the Privacy Legislation and other applicable data protection rules; and
  • Perform the Services with the care and expertise reasonably expected of a specialized data processor.

5.3 ANDR shall only Process Personal Data:

  • On documented instructions from the Customer and as described in Annex I, unless required to do so by applicable law; and
  • For the duration and purposes necessary to perform the Services.

5.4 The Customer:

  • Retains full control and responsibility for (i) determining the purposes of Processing, (ii) the categories of Personal Data Processed, (iii) the proportionality and lawfulness of such Processing, and (iv) the instructions provided to ANDR;
  • Is solely responsible for the accuracy, quality, and legality of the Personal Data disclosed to ANDR and for ensuring it has acquired such data lawfully;
  • Must ensure that Data Subjects are informed in accordance with the Privacy Legislation, including where some Personal Data originates from third-party sources, and must maintain its own privacy policy for this purpose.

Control and ultimate responsibility for the Processing of Personal Data under this Policy shall remain with the Customer at all times.

5.4 The Customer acknowledges that certain outputs may be generated or enriched through automated processes or artificial intelligence. ANDR does not guarantee the accuracy, completeness or correctness of such outputs.

5.5 ANDR shall not follow any instruction that it reasonably believes would violate the Privacy Legislation or the Agreement.

6. Security of Processing

6.1 Taking into account the state of the art, the cost of implementation, and the nature, scope, and risks of Processing, ANDR implements appropriate technical and organizational measures to protect Personal Data, as described in Annex II.

These measures are designed to ensure:

  • Protection against unauthorized or unlawful Processing, accidental loss, destruction, or damage; and
  • Ongoing confidentiality, integrity, availability, and resilience of Processing systems.

7. Sub-Processors

7.1 The Customer acknowledges and agrees that ANDR may engage third-party sub-processors in connection with the delivery of the Services. ANDR shall ensure that any sub-processor is bound by written obligations that provide at least the same level of data protection as those set out in this Data Processing Policy.

7.2 A list of current sub-processors and data sources is included in Annexes III and IV. ANDR shall keep this list up to date and notify the Customer of any significant changes (such as adding or replacing a sub-processor).

7.3 The Customer may object to the engagement of a new sub-processor by providing written, reasoned notice to ANDR within thirty (30) days of receiving the notification.

7.4 If the Customer objects and the objection is not unreasonable, ANDR will use reasonable efforts to:

  • make available an alternative way to provide the Services without the use of the objected sub-processor; or
  • recommend a commercially reasonable change to the Customer’s use of the Services to avoid the Processing of Personal Data by the objected sub-processor.

If ANDR is unable to provide such an alternative within thirty (30) days of the Customer’s objection, the Customer may terminate the affected part of the Services by providing written notice, provided that:

  • The Services cannot reasonably be delivered without the use of the objected sub-processor; and/or
  • The termination only applies to the Services that cannot be delivered without the use of that sub-processor.

7.5 ANDR shall remain fully liable for the acts and omissions of its sub-processors to the same extent as if it performed the relevant Processing itself.

7.6 The Customer acknowledges that certain Processing activities depend on third-party services, APIs or data sources, and that ANDR shall not be liable for any delays, inaccuracies or limitations that arise from such external dependencies.

8. Transfer of Personal Data to Third Countries

8.1 Any transfer of Personal Data to a third country or international organization (not based on the Customer’s instructions) shall only occur where:

  • The European Commission has issued an adequacy decision for that country; or
  • Appropriate safeguards are in place, including:
    • Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision (EU) 2021/914 or any successor decision);
    • Binding Corporate Rules (BCRs) approved in accordance with the GDPR; or
    • Approved certification mechanisms or other lawful transfer tools under the GDPR.

8.2 In all cases, ANDR shall ensure that the recipient provides adequate protection of Personal Data in line with the Privacy Legislation before any transfer takes place.

9. Confidentiality

9.1 ANDR shall maintain the confidentiality of all Personal Data and shall not disclose or transfer it to third parties without the prior written consent of the Customer, unless disclosure is required by law, regulation, or court order. In such a case, ANDR shall, to the extent legally permitted, inform the Customer in advance and discuss the scope and manner of disclosure.

9.2 ANDR ensures that all personnel engaged in Processing Personal Data:

  • Are informed of its confidential nature;
  • Have received appropriate data protection and confidentiality training; and
  • Are bound by written confidentiality obligations that survive the termination of their employment or engagement.

9.3 ANDR shall limit access to Personal Data strictly to those personnel who require it for the performance of the Services, in accordance with this Data Processing Policy.

10. Notification

10.1 ANDR shall inform the Customer without undue delay if it:

  • Receives a request for information, subpoena, or inspection from a competent public authority relating to the Processing of Personal Data;
  • Intends to disclose Personal Data to a competent public authority, unless legally prohibited;
  • Determines or reasonably suspects that a Data Breach has occurred involving Personal Data.

10.2 In the event of a Data Breach, ANDR shall:

  • Notify the Customer without undue delay after becoming aware of the breach and provide reasonable assistance to enable the Customer to meet its reporting obligations under the Privacy Legislation; and
  • Take appropriate and timely remedial measures to contain, investigate, and mitigate the breach and to prevent future occurrences.

11. Rights of Data Subjects

11.1 If a Data Subject exercises their rights under the Privacy Legislation (e.g., access, rectification, erasure, restriction, or objection) and the Customer cannot fulfill the request directly, ANDR shall provide reasonable assistance to enable the Customer to comply.

11.2 ANDR shall promptly inform the Customer if it receives such a request directly from a Data Subject. ANDR shall not respond to the Data Subject other than to confirm that the request should be directed to the Customer, unless legally required or instructed otherwise by the Customer.

12. Liability

12.1 Each Party shall be individually liable towards supervisory authorities and/or Data Subjects for claims, damages, or fines arising from its own breach of this Data Processing Policy or non-compliance with the Privacy Legislation. Each Party shall indemnify the other against claims, damages, or fines to the extent such liability arises from its own breach.

12.2 The contractual liability of ANDR towards the Customer for breaches of this Data Processing Policy shall be limited in accordance with the liability provisions set out in the main agreement between ANDR and the Customer, except where such limitation is not permitted under the Privacy Legislation.

12.3 All limitations and exclusions of liability set out in the main Agreement apply equally to this Data Processing Policy.

13. Return and Deletion of Personal Data

13.1 Upon formal termination of the Services, ANDR shall, at the Customer’s written request:

  • Delete or return all Personal Data processed on behalf of the Customer; and
  • Delete existing copies unless applicable law requires further retention.

13.2 ANDR may retain and use only anonymized and aggregated data for analytical and product improvement purposes, provided that such data can no longer be linked to an identified or identifiable natural person.

14. Control

14.1 ANDR shall provide the Customer with all information reasonably necessary to demonstrate compliance with this Data Processing Policy and the Privacy Legislation.

14.2 The Customer (or an independent auditor appointed by the Customer) may conduct audits or inspections to verify ANDR’s compliance, provided that:

  • Such audits are conducted during normal business hours and upon reasonable prior written notice; and
  • Audits are limited to once per year unless required by a supervisory authority or in case of a suspected material breach.

ANDR shall provide reasonable cooperation and assistance during such audits.

15. Term

15.1 This Data Processing Policy shall remain in force for as long as ANDR Processes Personal Data on behalf of the Customer and shall automatically terminate upon the complete cessation of such Processing.

16. Applicable Law and Jurisdiction

16.1 This Data Processing Policy shall be governed by and construed in accordance with Belgian law, without prejudice to mandatory rights or remedies available under the Privacy Legislation.

16.2 Any dispute concerning the validity, interpretation, or enforcement of this Policy that cannot be resolved amicably shall be submitted to the exclusive jurisdiction of the competent courts or, where applicable, the competent supervisory authority at ANDR’s registered office.

Annex I: Overview of Personal Data

AndR processes the following categories of Personal Data. Depending on the specific services used, not all categories will apply to every Data Subject.

Identification and Profile Information

  • Full name
  • Profile image or avatar
  • Public biography or description
  • Website or portfolio links
  • Public social media handles or profile URLs
  • Artist or band names and public descriptions
  • Associated management, label or booking details if publicly available

Contact Information

  • Email address
  • Telephone number if provided
  • Billing name and billing address processed by a secure payment service
  • Masked payment identifiers such as the last four digits of a card

Technical and Device Information

  • Device type, operating system and browser type
  • Approximate device location at city or region level
  • Referring URL or domain
  • Log data such as pages visited, clicks and time on the platform
  • Account identifier, creation date and last login
  • IP address stored in a pseudonymized or de-identified format

Platform Usage and Interaction Data

  • Saved items, uploads and connected integrations
  • Consent and preference settings
  • Emails or support messages voluntarily submitted by the Data Subject

Data Imported or Collected Through Third Party Integrations

(sourced only when the Customer authorizes or connects integrations)

  • Public streaming performance metrics
  • Public social media engagement metrics
  • Public video or content performance metrics
  • Public radio or media mention metrics
  • Public touring or live event information
  • Public audience demographics and engagement trends

Manually Added Data

Provided directly by the Customer or Data Subject:

  • Additional public links or identities
  • Manual corrections or additions to performance data
  • Private or unpublished event information
  • Uploaded press, media or promotional materials
  • Self-reported sales, revenue or performance notes
  • Manually entered financial, ticketing or merchandise information

Overview of Newly Created or Enriched Personal Data

As part of providing analytics services, AndR generates enriched or derived Personal Data by structuring, combining, and analyzing the data listed in Annex I.1. This process includes aggregating and enriching data retrieved from connected APIs and public sources.

The enriched data may include, but is not limited to:

Music and Streaming Analytics

  • Stream counts, listener trends over time, playlist placements, and audience demographics
  • Aggregated performance comparisons across platforms 

Social Media Analytics

  • Follower growth and engagement trends
  • Post performance and content interaction rates
  • Cross-platform comparisons (e.g., Facebook, Instagram, X, TikTok)

Touring & Radio Analytics

  • Show and touring performance data
  • Radio airplay mentions, spins, and estimated audience reach

Audience Insights & Behavior Analysis

  • Aggregated audience demographics and geographies
  • Listening behavior patterns (e.g., most active markets, time-based trends)
  • Cross-channel correlations (e.g., social media activity vs. streaming growth)

Public Web Presence

  • Basic analytics of the Customer’s website or public profiles (e.g., referral sources, traffic trends), where available

The enriched data is generated solely for the purpose of providing analytics and insights to the Customer and remains linked to the original data sources. The enrichment process may include the use of automated analytical methods to identify trends and correlations; however, no automated decisions with legal or significant effects on individuals are made.

The categories of Data Subjects whose Personal Data shall be Processed

  • Artists and/or their representatives (e.g., managers, label or booking agents) using AndR
  • Fans and audience members of the artists, as far as their data is publicly available via connected platforms (e.g., follower counts, demographic statistics)

The use (ways of Processing) of the Personal Data, and the purposes and means of Processing:

Ways of Processing

  • Collecting and receiving data (via APIs or manual uploads)
  • Structuring, organizing, and storing data
  • Analyzing and combining data to generate enriched insights
  • Retrieving, consulting, and updating data
  • Transferring data between connected services as instructed by the Customer
  • Erasing or destroying data upon request or at the end of the retention period

Means of Processing

  • AndR’s own software platform and storage infrastructure
  • APIs of streaming and performance data providers (aggregated streaming, social and radio analytics)
  • APIs of music and content platforms (streaming performance and audience metrics)
  • APIs of touring and live performance data providers (touring, show history and event analytics)

Purpose of Processing

  • To provide artists and their representatives with analytics on streaming, social, and touring performance
  • To create enriched insights (e.g., audience trends, playlist performance, radio airplay, revenue trends)
  • To support career decision-making, such as release planning, touring strategy, or audience targeting
  • To display usage and performance statistics within the AndR dashboards
  • To allow secure synchronization with third-party services

Annex II: Description of security measures

ANDR warrants and undertakes that, at all times, it maintains appropriate technical and organizational measures to protect all Personal Data it Processes on behalf of the Customer against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. This applies particularly where Processing involves the transmission of data over a network, and against all other unlawful forms of Processing.

The measures include, but are not limited to:

Physical and Infrastructure Security

  • Secure data center facilities provided by ISO 27001–certified cloud providers
  • Physical access restrictions with badge and surveillance systems (data center level)

Logical and Data Access Controls

  • Role-based access control (RBAC) ensuring only authorized personnel can access Personal Data
  • Strong password policies and enforced multi-factor authentication (MFA) for all administrative accounts
  • Regular review and revocation of access rights

Data Transfer and Storage Controls

  • Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent)
  • Strict API authentication for third-party integrations
  • Segregation of Customer data to prevent cross-customer access

Input and Change Controls

  • Audit logging of data access and changes to Personal Data
  • Regular monitoring for unauthorized or unusual data access patterns

Data Minimization and Pseudonymisation

  • IP addresses and similar identifiers are stored in a pseudonymized or de-identified format wherever possible
  • Only data strictly required for analytics purposes is collected and stored

System Reliability and Recovery

  • Daily backups and secure offsite storage
  • Ability to restore data availability and access in a timely manner in the event of an incident
  • Regular disaster recovery and business continuity testing

Continuous Risk Management

  • Regular security patching and vulnerability scans
  • Periodic internal security audits and, where relevant, penetration testing
  • Security measures reviewed and updated based on the state of the art, cost of implementation, and risk level

ANDR shall continue to review and update these measures in line with industry standards and the risk of varying likelihood and severity to the rights and freedoms of natural persons.

Annex III: List of Sub-processors

The following sub-processors are engaged by AndR for the provision of its services and may process Personal Data on behalf of the Customer:

Amazon Web Services (AWS) – Cloud infrastructure and data storage (ISO 27001-certified). Data is stored in Frankfurt.

Stripe Payments Europe Ltd. – Subscription and payment processing, including billing details.

Intercom R&D Unlimited Company – Customer support, onboarding, and messaging (Ireland).

HubSpot Ireland Ltd. – CRM for managing Customer contact information and communication history (Ireland).

Mixpanel Inc. – Product usage tracking and analytics (data is pseudonymised where possible; EU data center).

Annex IV: Third-Party Data Sources

ANDR may retrieve or synchronize data from the following categories of third-party sources, depending on the Customer’s integrations and authorizations:

  • Streaming platforms and artist performance data providers
  • Social media platforms and engagement analytics providers
  • Radio airplay and touring data aggregators
  • Royalty and revenue reporting services
  • Audience analytics and industry data platforms
  • API-based analytics and market intelligence tools
  • Customer-selected integrations or manually authorized third-party services

A detailed list of specific third-party data sources may be provided to the Customer upon request, subject to confidentiality obligations.