Privacy

Privacy Policy

Effective · June 25, 2026

Who we are

mgmtOS is an operating system for music management — a workspace that helps managers, labels, and artist teams run releases, shows, contacts, and tour finances in one place. This policy explains what data we process when you use the mgmtOS web app, the mgmtOS iOS app, and the mgmtos.io marketing site (together, the “Services”), how we use it, who else processes it on our behalf, and the rights you have.

The Services are operated from Kazakhstan by RetailApps KZ LLP, a limited liability partnership registered in the Republic of Kazakhstan under Business Identification Number (BIN) 221040038450, with its registered office at 1/96 Kurmangazy St., apt. 25, Medeu District, Almaty 050010 (“mgmtOS”, “we”, “us”). For questions about this policy or your data, contact us at info@mgmtos.io.

Controller and processor. For the account, profile, billing, and usage data we collect to run the Services, mgmtOS is the data controller. For the content you and your team create inside a workspace, the organization that owns the workspace is the controller and mgmtOS acts as a processor handling that content on the organization’s instructions. If you use mgmtOS as part of an organization, that organization’s administrators control your workspace data and you should also consult their privacy practices.

We do not sell personal data, we do not share it for cross-context behavioral advertising, and we use it only to operate, secure, and improve the product.

Data we collect

We collect personal data from three sources.

  • Data you provide. When you sign in with Google we receive your email address, your name, and a Google account identifier so we can authenticate you and provision your workspace. We also receive anything you create in mgmtOS: artists, releases, shows, contacts, tasks, notes, attachments, financial records (fees, deposits, expenses, splits, taxes, commissions), team membership, and any messages you send our support team. If you subscribe to a paid plan, our payment provider collects your payment details directly; we receive only the subscription status, plan, billing email, and country.
  • Data collected automatically. Product analytics events (which screens you visit, which actions you take), error reports, and server logs (IP address, user agent, request path, timestamp), plus the session token your client uses to stay signed in. On iOS the session token is stored in the iOS Keychain on your device.
  • Data from third parties. Our sign-in provider (Google) confirms your identity, and our payment provider (Polar) returns your subscription status. We do not request access to Gmail, Drive, contacts, or any other third-party service beyond what is needed to sign you in and bill you.

Under California law these map to the statutory categories of identifiers, customer records, commercial information, internet and network activity, and inferences. Account log-in credentials are treated as sensitive personal information and are used only to authenticate you and keep your account secure.

How we use your data

  • To provide the product: authenticate you, sync your workspace across devices, deliver collaboration features, and run the calculations on your finances.
  • To send service messages: email verification, sign-in and security notifications, and billing receipts and renewal notices.
  • To keep the service running and secure: detect abuse, debug issues, monitor uptime, and prevent fraud.
  • To understand usage in aggregate: which features are used, which flows fail, and where the product needs work. We use pseudonymous identifiers for product analytics and do not build advertising profiles.
  • To comply with legal, tax, and accounting obligations, and to establish, exercise, or defend legal claims.

We do not use your workspace content to train machine-learning models, and we do not subject you to decisions producing legal or similarly significant effects based solely on automated processing.

Legal bases (EEA / UK)

If you are in the European Economic Area or the United Kingdom, we rely on the following legal bases under the GDPR and UK GDPR:

  • Performance of a contract (Art. 6(1)(b)). Providing the Services, managing your account, syncing your workspace, and sending the service and billing messages you need to use mgmtOS.
  • Legitimate interests (Art. 6(1)(f)). Securing the Services, preventing fraud and abuse, and understanding aggregate usage to improve the product. We balance these interests against your rights and you may object at any time (see below).
  • Consent (Art. 6(1)(a)). Non-essential analytics cookies and any marketing email, where required. You may withdraw consent at any time without affecting prior processing.
  • Legal obligation (Art. 6(1)(c)). Retaining invoices and financial records and responding to lawful requests.

Cookies and analytics

The marketing site uses Vercel Analytics, which measures aggregate traffic without cookies and without identifying you. We use strictly necessary storage to keep you signed in and remember your preferences; this does not require consent.

Inside the app we use PostHog for product analytics and session replay: pseudonymous records of which screens you visit and how you navigate the interface, with form inputs and text masked. PostHog stores identifiers on your device, so where consent is required (including the EEA, the UK, and Switzerland) it does not run until you accept it through the cookie banner. You can decline and keep using the app, and you can withdraw consent later. Where consent is not required, we rely on our legitimate interest in understanding and improving the product.

We honor the Global Privacy Control signal. We do not respond to browser “Do Not Track” signals because there is no common standard for them.

Who processes your data

mgmtOS relies on a small set of trusted sub-processors. Each is contractually limited to processing data on our instructions, and each is named here with the country from which it operates so you know where your data goes.

  • Convex (United States) — primary database and real-time backend. Stores your workspace content, with sensitive fields encrypted before storage (see “Encryption”).
  • Vercel (United States) — hosting for the marketing site and the web application, and cookieless site analytics. Processes standard request logs.
  • Google (United States / EU) — sign-in via Google OAuth. We exchange a Google ID token for your email and name only.
  • Polar (United States) — our payment provider and merchant of record. Polar handles your payment method, name, and billing address directly; we receive subscription status only.
  • Resend (United States) — transactional email delivery (verification, sign-in, account notifications).
  • PostHog (European Union) — product analytics. Receives pseudonymous event data about how the product is used.

We also disclose data when required by law, to establish or defend legal claims, and to a successor in the event of a merger, acquisition, or sale of assets, in which case we will notify you.

International and cross-border transfers

mgmtOS is operated from Kazakhstan, and our sub-processors operate from the United States and the European Union. This means your data is transferred to and processed in those countries regardless of where you use mgmtOS from. By creating an account and using the Services you consent to this cross-border transfer of your personal data to the sub-processors named above, in the countries named above, for the purposes described in this policy. This consent is given for the purposes of Kazakhstan’s Law on Personal Data and its Protection (art. 16) and you may withdraw it by deleting your account.

For transfers originating in the EEA or the UK, we rely on a European Commission or UK adequacy decision where one applies (including the EU–US Data Privacy Framework and its UK Extension for certified recipients) and otherwise on the European Commission’s Standard Contractual Clauses together with the UK International Data Transfer Addendum, with additional safeguards where required. You can obtain a copy of the relevant safeguards by emailing info@mgmtos.io.

Data retention

We keep your account data and workspace content for as long as your account is active. When you delete your account, we mark it for deletion immediately and run a 30-day grace period in case you change your mind, after which a cascading delete removes your workspace content, attachments, audit records, and account from our database. Operational logs (server access logs, error reports) are retained for up to 90 days for security and debugging, then deleted. Invoices and financial records are retained for as long as tax and accounting law requires.

Backups are rotated on a rolling 30-day schedule; deleted content disappears from backups as those backups age out.

Encryption and security

All traffic between your devices and our servers is protected by TLS, and data at rest in our database is encrypted by Convex.

On top of that, sensitive fields — show fees, deposits, expense amounts, taxes, manager commissions, free-form financial notes, and links to private materials — are encrypted at the field level using AES-256-GCM before they leave our backend. The encryption key is held only by mgmtOS and is not available to Convex or any other sub-processor, so even in the unlikely event of a database breach those fields cannot be read without our key. No method of transmission or storage is completely secure, but we work to protect your data using measures appropriate to its sensitivity.

Your rights

Depending on where you live (including under the GDPR, UK GDPR, the California Consumer Privacy Act, and Kazakhstan’s Law on Personal Data and its Protection) you may have the right to access the personal data we hold about you, correct it, export it in a portable format, request deletion or blocking, restrict or object to certain processing, and withdraw consent where consent is the legal basis.

  • Access and export. You can export your workspace content as CSV from the app at any time, and you can request a full copy by email.
  • Correction and deletion. You can edit your data in the app and delete your account from within the app. Deletion is cascading: every record tied to your account is removed within 30 days.
  • Other requests. Email info@mgmtos.io from the address tied to your account and we will action the request within a reasonable time at no cost. We may need to verify your identity first.

You may also lodge a complaint with your local supervisory authority. In the EEA this is your national data protection authority; in the UK it is the Information Commissioner’s Office.

California privacy rights

If you are a California resident, you have the right to know what personal information we collect and how we use and disclose it, to request access to or deletion of that information, to correct inaccurate information, and not to be discriminated against for exercising these rights.

We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We have not sold or shared personal information in the preceding twelve months. To exercise a request, email info@mgmtos.io; you may use an authorized agent, and we will verify your identity before acting on a request to know or delete.

Kazakhstan data subjects

If your personal data is processed under the law of the Republic of Kazakhstan, you have the rights set out in art. 24 of the Law on Personal Data and its Protection: to know that your data is being processed, to demand its correction, blocking, or destruction, to withdraw your consent, and to seek compensation for harm. You can give or withdraw consent and see which operators hold access through the state personal-data access-control service on egov.kz and via the 1414 contact center.

The authority responsible for personal-data protection is the Committee for Information Security of the Ministry of Artificial Intelligence and Digital Development of the Republic of Kazakhstan, to which you may also submit a complaint.

Children's privacy

The Services are intended for adult professionals working in the music industry and are not directed to children. We do not knowingly collect personal data from anyone under the age at which consent is valid in their country (16 in much of the EEA, 13 in the United States). If you believe a child has provided us with personal data, contact us and we will delete it.

Third-party sites and integrations

The Services may link to or integrate with third-party sites and services that we do not control. This policy does not apply to them, and we are not responsible for their privacy practices. Review their policies before sharing your data with them.

Changes to this policy

We may update this policy as the product evolves. When we make material changes we will update the effective date at the top of this page and, for changes that affect existing users, send notice by email or inside the app before the changes take effect. Continued use of the Services after a change takes effect means you accept the updated policy.

Contact

For privacy questions, data requests, or anything else covered by this policy, email info@mgmtos.io. We aim to respond within seven business days.