Privacy Policy

Effective · May 10, 2026

Introduction

mgmtOS is an operating system for music management — a workspace that helps managers, labels, and artist teams run releases, shows, contacts, and tour finances in one place. This policy explains what data we collect when you use the mgmtOS web app, the mgmtOS iOS app, and the mgmtos.io marketing site, how we use it, and who else processes it on our behalf.

We do not sell personal data, we do not share it with advertisers, and we use it only to operate, secure, and improve the product.

Data we collect

We collect three categories of data.

  • Account data. When you sign in with Google we receive your email address, your name, and a Google account identifier so we can authenticate you and provision your workspace. If you subscribe to a paid plan, our billing processor collects your payment details directly; we receive only the subscription status, plan, and billing email.
  • Workspace content. Everything you create inside mgmtOS — artists, releases, shows, contacts, tasks, notes, attachments, financial records (fees, deposits, expenses, splits, taxes, commissions), and team membership. You and the collaborators you invite control this content.
  • Usage and operational data. Product analytics events (which screens you visit, which actions you take), error reports, server logs (IP address, user agent, request path, timestamp), and the session token your client uses to stay signed in. On iOS the session token is stored in the iOS Keychain on your device.

How we use your data

  • To provide the product: authenticate you, sync your workspace across devices, deliver collaboration features, and run the calculations on your finances.
  • To send transactional messages: email verification, password reset, billing receipts, and security notifications.
  • To keep the service running and secure: detect abuse, debug issues, monitor uptime, and prevent fraud.
  • To understand usage in aggregate: which features are used, which flows fail, where the product needs work. We use pseudonymous identifiers for product analytics; we do not build advertising profiles.

We do not use your workspace content to train machine-learning models.

Third-party services

mgmtOS relies on a small set of trusted sub-processors. Each is contractually limited to processing data on our instructions.

  • Convex — primary database and real-time backend. Stores your workspace content (with sensitive fields encrypted before storage, see below).
  • Google — sign-in via Google OAuth. We exchange a Google ID token for your email and name; we do not request access to Gmail, Drive, or any other Google service.
  • Polar — billing and subscription management. Polar handles your payment method, name, and billing address directly; we receive subscription status only.
  • Resend — transactional email delivery (verification, password reset, account notifications).
  • PostHog — product analytics. Receives pseudonymous event data about how the product is used.
  • Vercel — hosting for the marketing site and the web application. Processes standard request logs.

Encryption

All traffic between your devices and our servers is protected by TLS. Data at rest in our database is encrypted by Convex.

On top of that, sensitive fields — show fees, deposits, expense amounts, taxes, manager commissions, free-form financial notes, and links to private materials — are encrypted at the field level using AES-256-GCM before they leave our backend. The encryption key is held only by mgmtOS and is not available to Convex or any other sub-processor. This means even in the unlikely event of a database breach, those fields cannot be read without our key.

Data retention

We keep your account data and workspace content for as long as your account is active. When you delete your account, we mark it for deletion immediately and run a 30-day grace period in case you change your mind, after which a cascading delete removes your workspace content, attachments, audit records, and account from our database. Operational logs (server access logs, error reports) are retained for up to 90 days for security and debugging, then deleted.

Backups are rotated on a rolling 30-day schedule; deleted content disappears from backups as those backups age out.

International transfers

mgmtOS is operated from the United States. Our primary sub-processors (Convex, Vercel, PostHog, Resend, Polar, Google) also operate from the United States and the European Union. If you use mgmtOS from outside these regions, your data will be transferred to and processed in the United States and/or the European Union under appropriate safeguards, including the Standard Contractual Clauses where applicable.

Your rights

Depending on where you live (e.g. under GDPR, UK GDPR, or the CCPA) you have the right to access the personal data we hold about you, correct it, export it in a portable format, request deletion, object to certain processing, and withdraw consent where consent is the legal basis.

  • Access and export. You can export your workspace content as CSV from the app at any time. You can also request a full copy by email.
  • Deletion. You can delete your account from within the app. Deletion is cascading: every record tied to your account is removed within 30 days.
  • Other requests. Email privacy@mgmtos.io from the address tied to your account and we will action the request within a reasonable time at no cost.

Children's privacy

mgmtOS is intended for adult professionals working in the music industry. The service is not directed to children, and we do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.

Changes to this policy

We may update this policy as the product evolves. When we make material changes we will update the effective date at the top of this page and, for changes that affect existing users, send a notice by email or inside the app before the changes take effect.

Contact

For privacy questions, data requests, or anything else covered by this policy, email privacy@mgmtos.io. We aim to respond within seven business days.