Privacy Policy · last updated May 9, 2026
How we handle your data.
This page describes what personal data we collect, why we collect it, how long we keep it, and the rights you have over it. It is written for an international audience and reflects the requirements of the EU GDPR, the UK GDPR, the California Consumer Privacy Act (CCPA / CPRA), and Russian Federal Law 152-FZ. Privacy requests: support@lev-mourne.com.
1. Who we are
The data controller is Protopopov Dmitrii, a self-employed individual based in the Russian Federation, performing as Lev Mourne. Throughout this Policy we use "Producer", "we", and "us" interchangeably.
2. Data we collect
We deliberately collect the minimum data needed to deliver the service. The categories below are exhaustive — we do not maintain hidden categories.
| Category | Examples | Why | Lawful basis |
|---|---|---|---|
| Account data | Email, password hash, optional display name | Account creation, sign-in, password reset | Contract (GDPR Art. 6(1)(b)) |
| Purchase data | Order ID, beat title, license tier, price, currency, buyer legal name (license PDF), buyer email | Issuing the license contract, sending the receipt, providing redownload | Contract |
| Payment data | Provider transaction reference token; never raw card details | Linking the payment provider's transaction to your order | Contract |
| Download logs | Order ID, asset key, timestamp, IP address, user agent | Issuing signed download URLs, abuse prevention, audit trail | Legitimate interest (Art. 6(1)(f)) |
| Newsletter subscription | Email, opt-in timestamp, source page | Sending occasional newsletter emails (only if you opt in) | Consent (Art. 6(1)(a)) |
| Authentication cookies | Supabase session cookie | Keeping you signed in | Strictly necessary |
| Cart state | Beat IDs, license tiers, quantities | Persisting your cart across reloads | Strictly necessary (browser storage only) |
| Server logs | IP, user agent, request path, timestamp, status code | Operating the service, debugging, security incident response | Legitimate interest |
| Audit logs | Admin actions, webhook events, license issuance, refunds | Compliance, dispute resolution, fraud investigation | Legal obligation / legitimate interest |
We do not collect: precise location, device fingerprints, biometric identifiers, government-ID numbers, or special categories of personal data (health, race, political opinions, religion, sexual orientation, trade-union membership). We do not run third-party advertising, behavioral profiling, or tracking pixels.
3. Service providers (sub-processors)
We share only the minimum data needed for each provider to deliver its specific operational role.
| Provider | Purpose | Region |
|---|---|---|
| Supabase | Database, authentication, file storage | EU / US |
| Vercel | Web hosting, edge serving, image optimization | Global edge |
| Resend | Transactional email and newsletter | EU / US |
| lava.top | Card and alt-payment processing | RU / international |
| Cryptomus | Crypto payment processing | International |
| Cloudflare R2 | Audio asset storage | Global |
| Songtrust / BMI | Royalty administration (composition metadata only) | United States |
Where personal data leaves the European Economic Area, we rely on the provider's Standard Contractual Clauses or an equivalent transfer mechanism.
4. How long we keep your data
| Data | Retention |
|---|---|
| Account data | Deleted on request; periodic cleanup runs at least every 18 months of inactivity |
| Purchase data and license contracts | Indefinite — required for license enforceability and tax/audit |
| Payment provider reference tokens | Same as purchase data |
| Download logs | 12 months, then aggregated and raw rows deleted |
| Newsletter subscription | Until unsubscribe (honored within 24 hours) |
| Server logs | 30 days rolling |
| Audit logs | 7 years (financial / dispute archive) |
5. Your rights
Wherever you are based, contact support@lev-mourne.com to exercise the following rights:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your account data — purchase records may be retained for legal reasons but identifying personal data within them can be redacted.
- Export a portable copy of your account data.
- Object to processing based on legitimate interest.
- Withdraw consent for newsletter subscription (one-click unsubscribe in any email also works).
EU/UK residents have the right to lodge a complaint with their national data protection authority. California residents have the additional rights granted by CCPA / CPRA, including the right to know what personal data has been collected and the right to non-discrimination. We do not sell or share personal data for cross-context behavioral advertising as those terms are defined under California law.
We respond to verifiable requests within 30 days. We delete inactive accounts on request and run periodic cleanup at least every 18 months. Self-service /account/delete and /account/export flows are scheduled before public launch.
6. Children
The Site is not directed to children under 16. We do not knowingly collect personal data from anyone under 16. If you believe we have collected such data, contact support@lev-mourne.com and we will delete it promptly.
7. Security
We follow industry-standard security practices:
- All data in transit is encrypted with TLS 1.2+.
- Master audio files are stored in a private bucket and served only via short-lived signed URLs (TTL ≤ 15 minutes).
- Authentication is delegated to Supabase Auth; passwords are hashed with bcrypt or argon2.
- Webhooks are verified by HMAC-SHA256 before any database write.
- Row-Level Security (RLS) is enabled on every public-schema table — users see only their own purchase records.
- Service-role credentials are isolated to a single server-side module and never reach the browser.
- Rate limiting is applied to authentication, newsletter, and admin upload.
- An OWASP Top-10 audit pass is performed before public launch and after major changes.
If we learn of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and notify affected users where required.
9. Automated decision-making
We do not engage in automated decision-making that produces legal or similarly significant effects on you, with one operational exception: when a payment webhook arrives, our system automatically issues the license PDF and download links if the signature and amount are valid. This is a fulfillment step, not a decision about you.
10. Changes to this Policy
Material changes will be communicated by updating the "last updated" date and, for registered users, by email. Continued use of the Site after a change takes effect constitutes acceptance of the updated Policy.
11. Contact
For any privacy question or to exercise any right above: support@lev-mourne.com.
Last updated: 2026-05-09
