Reverb

Privacy policy

Your data
stays yours.

The short version: Reverb only sees the numbers that come back from a scrape. We never see your distributor passwords. You can export everything we hold on you in one click, and delete your account just as easily.

Last updated: 9 June 2026

Pillar 1

GDPR Article 20.

EU law gives you a statutory right to receive your own personal data from any platform that holds it, in a machine-readable format, and to transmit that data to another service. Reverb exercises that right on your behalf, with your explicit consent. Spotify, Buma, TuneCore and the rest can't legally block this. Read Article 20 →

Pillar 2

You run the agent.

Reverb doesn't scrape from our servers. The extension runs in your browser, with your login session, on your machine. We're a user-agent acting on your behalf, exactly like 1Password reading your saved logins or RescueTime tracking your own browsing. Same legal posture, same protection.

1. Who we are.

Reverb ("we", "us") is run by the team behind myreverb.nl, operating as a sole trader based in the Netherlands. We're the data controller for the information described below. If you're in the EU, you can reach us at privacy@myreverb.nl for any privacy question or to exercise your rights under GDPR.

2. What we collect.

Two kinds of data, both minimum-necessary for the service to work.

From you, directly:

  • Email + name (via Clerk, our auth provider).
  • Artist profile fields you fill in during onboarding (artist name, country, roles, genres).
  • Payment + subscription state, if you upgrade to Plus (via Stripe).

From the distributor APIs you connect:

  • Royalty earnings (per song, per platform, per month).
  • Stream counts (daily, weekly, all-time).
  • Wallet balances (available + pending withdrawals).
  • Quarterly statement data (for Buma/Stemra: per-work royalties).
  • Last-sync metadata (timestamps, success/failure status).

We never collect, see, or store:

  • Passwords for any distributor.
  • Payment-card numbers (Stripe holds those, not us).
  • Browser history outside the connected distributor sites.
  • Listener-level data (who streamed your music — distributors don't share that anyway).

3. Why it's legal for us to hold this data.

Under GDPR we need a legal basis for every type of processing. We rely on three of the six bases the regulation allows:

  • Contract performance — we need your royalty data to deliver the dashboard you signed up for. Same basis Spotify uses to process your listening history.
  • Your consent — the first time you Connect a distributor in the Reverb extension, you explicitly authorise us to read your data from that platform on your behalf. You can revoke at any time by disconnecting the integration.
  • Article 20 right exercise — when we pull your data from a distributor, you're exercising your data-portability right. We're the tool you use to do it; the legal basis lives with you.

4. Where it sits, and who can see it.

Full technical detail lives on the Security page. Headline answers:

  • Database: Neon (EU region, Frankfurt). Encrypted at rest with AES-256.
  • App + API: Vercel (EU region). HTTPS-only, HSTS enforced.
  • Authentication: Clerk. They handle password hashing, MFA, session rotation.
  • Payments: Stripe (only when you upgrade to Plus).

Every row in our database is scoped to your user ID and filtered server-side. Other Reverb users can't see anything of yours. The team can access anonymised aggregate data for debugging; identifiable rows only for an explicit, audited support request.

5. What we do (and don't do) with your data.

We hold your data for one reason: to render it back to you on the dashboard. The storage exists because you asked us to show you these numbers, and we have to keep them somewhere to be able to show them on every visit. Past that point, the processing stops. Specifically:

  • We don't sell your data. Not to advertisers, not to data brokers, not to anyone.
  • We don't share it with marketing or ad-tech platforms. There is no embedded tracker on the dashboard.
  • We don't use it to build aggregate analytics or commercial insights products — there's no "industry trends" report sourced from your numbers.
  • We don't train AI models on it. Not ours, not anyone else's.
  • We don't profile you across the dashboard. No behavioural scoring, no personalised offers based on your earnings.

The vendors who power the service (Neon, Vercel, Clerk, Stripe) each see a slice of your data because they host the relevant piece of infrastructure. All four are GDPR-compliant processors under standard Data Processing Agreements. They process on our behalf and cannot use your data for their own purposes.

When you Connect a distributor, the extension talks directly from your browser to that distributor (we never proxy your session through our servers).

6. How long we keep it.

As long as your account is active, plus the time it takes to export everything if you ask for it.

When you delete your account: everything tied to your user ID is wiped from the database within 30 days. Backups are rotated on a 30-day cycle and overwritten in the same window. We email you a confirmation with row counts deleted so you can verify.

7. Your rights under GDPR.

You have all of them. Practical pointers per right:

Access

Settings → Export my data. JSON dump of every row we have, emailed to you within 24 hours.

Rectification

Settings → edit your profile. For data scraped from distributors, the source-of-truth is the distributor; correct it there and we'll pick it up on the next sync.

Erasure ("right to be forgotten")

Settings → Delete account. Wipes everything. No 30-day cool-off games.

Portability (Article 20)

Same Export endpoint. JSON is machine-readable and matches the schema described in our public migration files.

Objection / restriction

Email privacy@myreverb.nl. We respond within 30 days as required by GDPR.

Complaint to a supervisor

If we mess up: the Autoriteit Persoonsgegevens is the Dutch DPA. They take complaints in English.

8. Cookies, analytics, tracking.

We set exactly two kinds of cookies on myreverb.nl:

  • The Clerk authentication session cookie (so you stay signed in).
  • A theme preference cookie (dark vs. cream mode).

Both are first-party, strictly necessary, and require no consent banner under the ePrivacy Directive. We don't use Google Analytics, Mixpanel, Posthog, Segment, or any other third-party analytics product. No Facebook Pixel. No ad tracking.

9. Changes to this policy.

If we materially change what we collect, share, or how we hold it, we'll email every active user at least 14 days before the change takes effect. The "Last updated" date at the top tells you when this version went live.

Questions? Concerns?

We're a small team. If anything on this page doesn't line up with what you'd expect, or you want to exercise a GDPR right, mail us. We'll respond within 30 days, usually a lot sooner.

Email privacy@myreverb.nl →