Privacy Policy
Last updated: June 2026
1. Who we are
Second Chair (“we”, “us”, “our”) is operated by Connor Devine, trading as Second Chair, based in the United Kingdom. We are the data controller for personal data collected through secondchair.studio and the Second Chair plugin.
Contact: connor@secondchair.studio
2. What data we collect
We collect the following categories of personal data:
- Account data — your name, email address, artist or producer name, and Spotify artist page URL (if provided) when you apply for beta access or create an account.
- Usage data — which analysis types you use, how many analyses you perform per month, and which machines you run the plugin on (stored as SHA-256 hashes, not raw identifiers).
- Feedback data — responses to our feedback surveys, including testimonials you choose to share.
- Payment data — billing information processed by Stripe. We do not store card numbers or payment credentials directly.
- Technical data — your IP address (used for rate limiting and security), and plugin version.
3. What we do not collect
We do not store any audio you capture using the Second Chair plugin. Audio is transmitted directly to Google Gemini for analysis and is not retained on our servers. We do not use your audio for any purpose other than generating the feedback you requested.
4. Lawful basis for processing
We process your personal data on the following lawful bases under UK GDPR:
- Contract — processing necessary to provide the Second Chair service you have signed up for, including licence management and usage tracking.
- Legitimate interests — security and fraud prevention, improving the product, and communicating with beta users about their access. We have assessed that these interests are not overridden by your rights.
- Consent — for optional testimonials and marketing communications where we ask for your explicit agreement.
5. How we use your data
- To create and manage your account and licence
- To enforce usage limits and reset monthly quotas
- To send transactional emails (licence keys, feedback requests, payment receipts)
- To improve the Second Chair plugin and service based on aggregated usage patterns
- To display approved testimonials on our website (only with your explicit consent)
- To comply with legal obligations
6. Third-party processors
We share your data with the following sub-processors, each bound by their own privacy commitments:
- Google Gemini — receives audio and prompts for analysis. Audio is not retained by Google after processing. Google Privacy Policy
- SendGrid (Twilio) — email delivery for transactional emails. Twilio Privacy Policy
- Stripe — payment processing. Stripe Privacy Policy
- Railway — hosting of our database and API server. Data is stored in their US infrastructure. Railway Privacy Policy
- Vercel — hosting of our website. Vercel Privacy Policy
7. Data retention
- Account and licence data — retained for the duration of your account, plus 2 years after closure for legal and financial record-keeping.
- Usage events — retained for 12 months then aggregated and anonymised.
- Feedback submissions — retained indefinitely unless you request deletion. Approved testimonials may be retained for marketing purposes with your consent.
- Audio — not retained. Discarded immediately after analysis.
8. Your rights under UK GDPR
You have the following rights regarding your personal data:
- Access — request a copy of the data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure — ask us to delete your data where there is no compelling reason for us to keep it.
- Restriction — ask us to restrict processing of your data in certain circumstances.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, email connor@secondchair.studio. We will respond within 30 days.
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.
9. Cookies
We use the following cookies:
- Session cookies — essential cookies to keep you logged into the portal. These expire when you close your browser or after 30 days.
- Admin session cookie — used to authenticate admin users. Expires after 8 hours.
We do not use advertising, analytics, or tracking cookies.
10. Security
We take reasonable technical and organisational measures to protect your data, including encrypted connections (HTTPS), hashed storage of machine identifiers, and access controls on our admin systems. No method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.
11. Changes to this policy
We may update this Privacy Policy from time to time. We will notify active users of material changes by email. The date at the top of this page reflects the most recent revision.