1. Introduction
Matthias Strobel Hohmann e.K. ("Music Ecosystem HIVEs", "we", "us", "our") operates the Music Ecosystem HIVEs App — a white-label, invite-only professional networking platform for music industry conferences and ecosystem events.
This Privacy Policy explains how personal data is collected, used, stored, and protected when you access or use the Music Ecosystem HIVEs App.
This policy applies to:
- Delegates and attendees who access the App within a conference instance ("HIVE")
- Conference organisers and administrators
- Visitors of the Music Ecosystem HIVEs mobile and web app
This policy is issued under the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and German data protection law (Bundesdatenschutzgesetz — BDSG).
2. Controller Identity and Contact Details
For personal data processed in connection with Music Ecosystem HIVEs's own business operations (see Section 3), the Data Controller is:
Matthias Strobel Hohmann e.K.
Ebertystrasse 29, 10249 Berlin, Germany
Email (general): hey@musicecosystem.net
Privacy contact: contact@musicecosystem.net
Website: musicecosystem.net
3. Our Role in Data Processing
Music Ecosystem HIVEs operates in two distinct legal roles depending on the context of data processing. Understanding this distinction is important for knowing where to direct your requests.
Data Processor
When you join a conference HIVE as a delegate, the conference organiser who has licensed the App is the Data Controller. Music Ecosystem HIVEs acts exclusively as a Data Processor on behalf of that organiser (Art. 28 GDPR).
For questions about your data within a specific conference, contact the relevant organiser directly.
Data Controller
Music Ecosystem HIVEs acts as Data Controller for: platform infrastructure operation; organiser account management; technical support; security monitoring; platform analytics (aggregated/pseudonymised); and legal compliance obligations.
4. Personal Data We Process
The following categories of personal data are processed through the App. Data marked with † is mandatory for core platform functionality.
4.1 Profile Data
- Full name †
- Email address †
- Gender (optional)
- City and country of residence or operation †
- Company or organisation name †
- Job title or role †
- Area of expertise and professional skills †
- Bio or professional description (optional)
- Profile photograph / avatar (optional)
- Collaboration interests and communication preferences (optional)
4.2 Transactional and Interaction Data
- Connection requests sent and received
- Accepted connections and network graph within a HIVE
- Direct messages exchanged with other delegates
- Invite code used to register
- Search queries and discovery interactions within the platform
4.3 Technical and Device Data
- IP address (at time of authentication and API requests)
- Device type, operating system version
- Authentication tokens (JWT access tokens and refresh tokens)
- Push notification tokens (device registration with Firebase or Apple APNs)
- Session timestamps and request logs
4.4 Audit and Security Data
- Access logs, moderation actions, and account management events
- Error logs and platform health telemetry (pseudonymised)
† Mandatory fields — required for core platform access and functionality.
5. Legal Bases for Processing
Where Music Ecosystem HIVEs acts as Data Controller (Section 3, Role B), we rely on the following legal bases under Art. 6 GDPR:
5.1 Performance of a Contract (Art. 6(1)(b))
Processing necessary to provide the App platform to conference organisers and to enable delegates to access and use their conference HIVE — including account creation, authentication, profile hosting, directory search, messaging, and push notification delivery.
5.2 Legitimate Interests (Art. 6(1)(f))
Processing for our legitimate interests where not overridden by your fundamental rights, including:
- Platform security: detecting and preventing unauthorised access, abuse, and fraud
- Service continuity: backups, disaster recovery, and audit trails
- Platform improvement: aggregated, pseudonymised analytics
- Legal defence: retaining records necessary to defend legal claims
5.3 Legal Obligation (Art. 6(1)(c))
Processing required to comply with applicable legal obligations, including GDPR obligations, German commercial law record-keeping requirements, and tax obligations.
5.4 Consent (Art. 6(1)(a))
Where processing is based on your consent (e.g. for optional profile fields or future marketing communications), you have the right to withdraw that consent at any time without affecting the lawfulness of prior processing.
6. Data Retention
We retain personal data only for as long as necessary for the purposes set out in this policy, or as required by applicable law.
| Data Category | Retention Period | Notes |
|---|---|---|
| Delegate profile data (name, email, professional attributes) | 18 months post-event | From end date of conference; configurable by organiser |
| Direct messages | 18 months post-event | Same event window as profile data |
| Connection records | 18 months post-event | Same event window as profile data |
| Authentication tokens (JWT / refresh) | Session duration (max 30 days idle) | Invalidated on logout or password reset equivalent |
| Invite codes (unused) | 180 days from issuance | Automatically purged after expiry |
| Security and audit logs | 24 months | Required for incident response |
| Account deletion | Processed within 30 days | Residual copies removed from backups within 90 days |
| Support communications | 3 years | Legitimate interests / legal obligation |
7. Sub-Processors and Third-Party Recipients
Music Ecosystem HIVEs engages the following sub-processors, all bound by data processing agreements and required to implement appropriate technical and organisational security measures.
| Sub-Processor | Country | Purpose | Safeguard |
|---|---|---|---|
| Hetzner Cloud GmbH | Germany (EU) | App servers, object storage, backups | EU jurisdiction; ISO 27001:2022 |
| Scaleway SAS | France (EU) | Managed PostgreSQL database | EU jurisdiction |
| Brevo (Sendinblue SAS) | France (EU) | Transactional email delivery (magic-link auth, notifications) | EU jurisdiction; Brevo DPA in place |
| Google LLC (Firebase Cloud Messaging) | United States | Push notification delivery (Android) | EU–US Data Privacy Framework |
| Apple Inc. (APNs) | United States | Push notification delivery (iOS) | EU–US Data Privacy Framework |
| Grafana Labs | EU region | Platform monitoring, error tracking, logging | Data processed in EU region only |
8. International Data Transfers
Music Ecosystem HIVEs's primary infrastructure is hosted within the European Union (Germany and France), and the large majority of personal data is processed within the EEA.
Transfers outside the EEA occur solely in connection with push notification delivery via Firebase Cloud Messaging (Google LLC) and Apple Push Notification Service (Apple Inc.), both based in the United States. These transfers are lawful on the basis of the adequacy decision of the European Commission for the EU–US Data Privacy Framework (DPF), adopted on 10 July 2023. Both Google LLC and Apple Inc. are certified participants under the DPF.
No other personal data is transferred to third countries outside the EEA. Should any additional cross-border transfer become necessary, Music Ecosystem HIVEs will ensure an appropriate transfer mechanism is in place before any transfer occurs.
9. Your Rights Under GDPR
If you are located in the EEA, you have the following rights regarding your personal data where Music Ecosystem HIVEs acts as Data Controller. For data processed by Music Ecosystem HIVEs as Processor on behalf of a conference organiser, direct requests to the relevant organiser.
| Article | Right | How to Exercise |
|---|---|---|
| Art. 15 | Right of access — obtain a copy of your personal data | Email contact@musicecosystem.net |
| Art. 16 | Right to rectification — correct inaccurate data | Edit in-app or email us |
| Art. 17 | Right to erasure ('right to be forgotten') | In-app settings or email us |
| Art. 18 | Right to restriction of processing | Email contact@musicecosystem.net |
| Art. 20 | Right to data portability — receive data in machine-readable format | Email contact@musicecosystem.net |
| Art. 21 | Right to object to processing based on legitimate interests | Email contact@musicecosystem.net |
| Art. 7(3) | Right to withdraw consent at any time | In-app settings or email us |
| Art. 77 | Right to lodge a complaint with a supervisory authority | See Section 10 below |
10. Right to Complain to a Supervisory Authority
You have the right to lodge a complaint with a supervisory authority if you consider that our processing of your personal data infringes the GDPR (Art. 77 GDPR).
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219, 10969 Berlin, Germany
Website: datenschutz-berlin.de
You may also lodge a complaint with the supervisory authority in your country of habitual residence or place of work. We encourage you to contact us first at contact@musicecosystem.net so that we can attempt to resolve your concern directly.
11. Profiling and Automated Decision-Making
The Music Ecosystem HIVEs App uses an algorithmic matching system to generate professional connection recommendations based on your profile attributes (expertise, interests, and collaboration preferences). This constitutes profiling within the meaning of Art. 4(4) GDPR.
Human review and decision-making govern all moderation and access control actions. You may object to profiling for recommendation purposes at any time by contacting contact@musicecosystem.net.
12. Security Measures
Music Ecosystem HIVEs implements appropriate technical and organisational measures to protect personal data. These include:
- EU-hosted infrastructure with physical and network security controls (Hetzner ISO 27001:2022)
- PostgreSQL Row Level Security (RLS) enforcing per-tenant data isolation
- API-level tenant segregation via authenticated tenant identifiers
- Encryption of data in transit (TLS 1.2+) and at rest
- JWT-based authentication with short-lived access tokens and refresh token rotation
- Magic-link email authentication (no password storage)
- Automated backup and point-in-time recovery
- Centralised audit logging retained for 24 months
- Rate limiting and WAF edge protection
13. Children's Privacy
The Music Ecosystem HIVEs App is a professional networking platform intended for adults (18 years and over). It is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under the age of 16.
If you believe that a person under 16 has provided personal data through the App, please contact contact@musicecosystem.net and we will take prompt steps to delete that data.
14. Provision of Data: Statutory or Contractual Requirement
Provision of mandatory profile data (marked † in Section 4.1) is a contractual requirement for access to and use of the App. Without this data, we are unable to create your account, verify your identity as a conference delegate, or provide the core networking functionality.
Optional data fields may be left blank without affecting access to core platform features, though omitting optional data may reduce the relevance of algorithmic recommendations.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. The version number and last updated date at the top of this document will be updated accordingly.
For material changes, we will notify you via the email address associated with your account or via a prominent notice within the platform at least 14 days before the change takes effect. Continued use of the App following notification constitutes acceptance of the updated policy.
Previous versions of this policy are available on request.
16. Contact
For all privacy-related queries, rights requests, or complaints:
Matthias Strobel Hohmann e.K.
Email: contact@musicecosystem.net
General enquiries: hey@musicecosystem.net
Address: Ebertystrasse 29, 10249 Berlin, Germany