Privacy Policy

Last updated: 1 June 2026

Plain English summary. We collect only the data we need to run the service: your account credentials, your scheduled shows, and the OAuth token you authorise so we can upload to your own Mixcloud account. We don't sell your data. We delete recorded audio shortly after upload (we are not a media storage service). You can request a copy or deletion of your data at any time.

1. Who we are

MixManager is an independent software service ("we", "us"). The data controller for the personal data described in this notice is the operator of mixmanager.io. Contact: [email protected].

2. What we collect, why, and our legal basis

Data	Why we hold it	Legal basis (UK GDPR)
Email address	Login, account recovery, transactional notifications	Contract performance
Password (hashed, bcrypt)	Authentication	Contract performance
Display name / station name	Personalising your dashboard and uploads	Contract performance
Tenant timezone, plan, trial status	Scheduling shows correctly, enforcing plan limits	Contract performance
Scheduled show config (title, stream URL, times, tags, artwork)	To record and upload the shows you've scheduled	Contract performance
Mixcloud OAuth access token and username	Uploading shows to your own Mixcloud account on your behalf	Contract performance (you authorise this when you connect Mixcloud)
Google Drive OAuth refresh token + chosen folder ID (per tile)	Listing and downloading audio files you've placed in your Google Drive for scheduled airtime	Contract performance (you authorise via Google's consent screen)
Dropbox OAuth refresh token + chosen folder path (per tile)	Listing and downloading audio files from your Dropbox for scheduled airtime	Contract performance (you authorise via Dropbox's consent screen)
SFTP credentials (host, port, username, password) and folder path	Connecting to your SFTP host to download pre-recorded shows. Credentials are encrypted at rest with AES-256-GCM.	Contract performance (you enter these directly)
Drop-folder file metadata (filename, modified timestamp, external file id)	Preventing duplicate uploads — we remember which files have already been ingested	Contract performance, legitimate interest
Recording history (filenames, timestamps, Mixcloud URLs, error messages)	Showing your upload history, supporting retries, audit trail	Contract performance, legitimate interest
Stripe customer ID, subscription ID, status, billing email	Processing payments and managing your subscription	Contract performance
Audio recordings (temporarily)	Capturing the stream and uploading to Mixcloud. Deleted shortly after upload (see retention below).	Contract performance
T&Cs acceptance timestamp	Audit trail of acceptance	Legitimate interest, legal compliance
AI chat messages (when you use the in-app support chat widget)	Generating responses via Anthropic's Claude API. Sent to Anthropic as our processor. Not used to train their models.	Legitimate interest (providing customer support)
Server logs (HTTP access, errors, cron output)	Diagnostics, security, abuse detection	Legitimate interest

3. Who we share data with

We share data with the minimum number of third parties required to operate the service. Each is itself a separate data controller or processor with their own privacy notices:

Mixcloud Ltd — we upload your show audio + metadata to your own Mixcloud account, using the OAuth permission you grant. Mixcloud is the destination for the recordings; their privacy policy applies to what they do with content stored on their platform.
Google LLC — when you connect a Google Drive source for Drop Folder, we use Google APIs (drive.readonly scope) to list and download audio files in folders you choose. We never read files outside the configured folder. Google's privacy policy.
Dropbox, Inc. — when you connect a Dropbox source, we use the Dropbox API (files.metadata.read + files.content.read scopes) to list and download audio files. Dropbox's privacy policy.
Your own SFTP hosts — when you configure an SFTP source, MixManager connects to whatever server you specify using credentials you provide. We act as a client to your infrastructure; the SFTP host operator is the data controller for that environment.
Stripe, Inc. — payment processing for paid subscriptions. We send Stripe your email, name, and billing address; Stripe handles card data directly. Stripe's privacy policy.
Resend (Resend, Inc.) — transactional email delivery (signup confirmation, post-upload notifications, missed-show alerts, password resets). We send the recipient email address and the message body. Resend's privacy policy.
Hosting provider — server infrastructure running the service.

We do not sell personal data, run targeted advertising, or share data with social networks or data brokers.

3a. Drop Folder — Google API Services User Data Policy compliance

If you enable the Drop Folder bolt-on and connect a Google Drive source, MixManager accesses your Google Drive data via Google APIs. This section explains exactly how that data is used.

Limited Use. MixManager's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

What we request. The single scope https://www.googleapis.com/auth/drive.file — per-file access limited to folders you specifically select via Google's Picker. We do not request full-Drive read or any edit/delete scopes.

What we access. Only folders you explicitly point a tile at, by pasting their Google Drive folder ID into the tile editor. We never read files outside those folders, and never scan your full Drive.

What we do with file content. At each tile's scheduled show end time, we download the oldest unconsumed audio file from the configured folder, upload it to your own Mixcloud account, and then delete the local copy according to your plan's download retention window (7–14 days depending on plan). The audio is never shown to other MixManager customers and is never used for advertising or training of AI/ML systems.

What metadata we store long-term. Filename, file id, file size, and modification timestamp — in our database, encrypted at rest. This prevents us re-uploading the same file twice. We do not store the file content itself long-term.

How to revoke access. At any time, visit myaccount.google.com/permissions, find MixManager, and click Remove. You can also remove the source from your MixManager Sources page; we will purge our copy of the refresh token immediately.

The same principles (read-only, folder-scoped, transient downloads, no AI/ML use, no resale) apply to Dropbox sources via the Dropbox API and to SFTP sources via your own credentials.

4. Cookies

We use the minimum number of cookies necessary to operate the service:

Session cookie — to keep you logged in. Expires when you log out or after a period of inactivity.

We do not use analytics cookies, advertising cookies, or third-party tracking cookies.

5. How long we keep your data (retention)

Audio recordings: deleted shortly after successful upload to Mixcloud. Paid plans retain a temporary post-upload download window — 2 days on Solo DJ, Pro DJ, Station Lite, and Station Plus; 3 days on Station Pro. Starter accounts have no download window. Failed uploads are kept for up to 72 hours of retry attempts, then purged.
Account data and recording history (DB rows): kept while your account is active. If you close your account, we delete it within 30 days unless we are required to retain billing records (typically 6 years under UK accounting rules for invoices).
Server logs: rotated automatically, generally kept no longer than 30–90 days.

6. Your rights under UK GDPR

You have the right to:

Request a copy of your personal data (subject access request)
Have inaccurate data corrected
Have your data deleted ("right to be forgotten") — subject to legal retention requirements for billing records
Receive your data in a portable format
Object to processing where we rely on legitimate interest
Withdraw consent at any time where consent is the legal basis (e.g. disconnect your Mixcloud account)

To exercise any of these rights, email [email protected] from the email address registered on your account. We will respond within 30 days.

7. Security

We protect your data through:

HTTPS encryption for all browser traffic (TLS via Cloudflare)
Passwords stored as bcrypt hashes — we never store plaintext passwords
Server-side OAuth tokens kept in the application database, not exposed to the browser
Quarterly security review of dependencies and rotating of API credentials
Limited admin access to the production environment

No system is perfectly secure. If you suspect your account has been compromised, contact us at [email protected] immediately so we can lock it and investigate.

8. International data transfers

Our servers are hosted in the United Kingdom. Some of our processors (notably Stripe, Resend, Cloudflare, and Anthropic) operate globally and may process data outside the UK/EEA. Where this happens, transfers are protected by appropriate safeguards including the UK International Data Transfer Agreement and Standard Contractual Clauses.

9. Children

MixManager is not intended for use by people under the age of 16. We do not knowingly collect data from children. If you believe a minor has registered an account, contact us at [email protected] and we will close it.

10. Changes to this policy

We may update this notice from time to time. The "Last updated" date at the top will change. Material changes will be notified by email and via the dashboard at least 14 days before they take effect.

11. Contact

Questions about your data, requests under UK GDPR, or any privacy concern: [email protected].