Data Handling & GDPR
This section addresses how TrackForge handles personal data within the certification process, the GDPR implications, and the measures taken to ensure compliance. It is intended for data protection officers, privacy counsel, and any party conducting due diligence on TrackForge's data handling practices.
Personal data classification
The certification process involves the following categories of data, each with distinct privacy characteristics:
| Data Category | Classification | Rationale |
|---|---|---|
| Writer names | Personal data | Names of natural persons; identifiable individuals. |
| IPI numbers | Personal data (professional identifier) | Assigned to identified individuals by collecting societies; constitutes a persistent professional identifier linked to a natural person. |
| Writer shares / splits | Commercially sensitive data | Percentage allocations of rights; may also be personal data where attributable to an identified individual. |
| Catalogue metadata (titles, ISRCs, ISWCs, durations) | Client commercial data | Generally not personal data, though edge cases exist (e.g., an artist who is the sole writer of a uniquely titled work). |
| Operator actions | Personal data (employment context) | Operator names and actions recorded in the audit trail; handled under the employment/engagement relationship. |
Legal basis for processing
TrackForge processes personal data in the certification context on the basis of legitimate interest (Article 6(1)(f) GDPR). The legitimate interest is the provision of a metadata certification service that benefits the music industry by improving the accuracy and reliability of rights data used in royalty distribution.
A Legitimate Interest Assessment (LIA) has been conducted and is available upon request.
Data Processing Agreement requirements
A Data Processing Agreement (DPA) is required for every B2B engagement. The DPA addresses the following matters:
- Data ownership — The client remains the data controller. TrackForge processes data on the client's behalf as a data processor.
- Processing purpose — Data is processed solely for the purpose of catalogue enrichment, verification, and certification as described in the service agreement.
- Sub-processors — TrackForge consults external data sources as part of the enrichment pipeline. These include Spotify (API), MusicBrainz (API), Discogs (API), Last.fm (API), PRS for Music, MLC, and additional collecting societies. Each sub-processor consultation is documented in the certification methodology. The current sub-processor list is maintained and made available to the client.
- Data retention —
  - Certification records (certificates, Merkle proofs, blockchain anchors): retained indefinitely, as these constitute the certification output.
  - Working data (intermediate enrichment results, draft records): retained per the schedule agreed in the DPA, then deleted.
  - Operator audit trail: retained for the duration specified in the DPA (minimum period aligned with the applicable limitation period for professional negligence claims).
- Termination — Upon termination, working data is deleted per the agreed schedule. Certification records persist (they are the deliverable of the service and are anchored to the blockchain).
- Security measures — Technical and organisational measures are documented in the DPA, including encryption at rest and in transit, access controls, and audit logging.
- Breach notification — TrackForge commits to notifying the client of any personal data breach without undue delay, and in any event within the timeframe specified in the DPA (not exceeding the 72-hour GDPR requirement for controller notification to the supervisory authority).
Self-service privacy considerations
For the self-service tier (when available):
- Account deletion — A user may request deletion of their account and associated data. Certification records (certificates, hashes, blockchain anchors) persist, as they are the deliverable of the service. The underlying metadata can be deleted or anonymised.
- Verification page — The public certificate verification page operates without cookies, tracking, or analytics. It accepts a certification hash and confirms whether a valid certification exists for that hash. No personal data is displayed on the verification page.
Public vs private data boundary
This boundary is critical and is enforced at every level of the system. The table below lists the data that may appear on publicly accessible certificates, verification pages, or blockchain records (left column) and the data that is never exposed publicly (right column):
| Public (may be exposed) | Private (never exposed publicly) |
|---|---|
| ISRC (recording identifier) | Writer names |
| Certification date | IPI numbers |
| SHA-256 hash of canonical metadata | Writer splits / shares |
| Merkle root hash | Catalogue names |
| Blockchain transaction ID | Track titles |
| Methodology version | Canonical JSON content |
No personal data is written to the blockchain or exposed on public verification pages. The blockchain anchor contains only the Merkle root hash — a cryptographic digest that cannot be reversed to recover the underlying data. Writer names, IPI numbers, splits, shares, catalogue names, and track titles are never included in any public-facing output.
What goes on the blockchain
The blockchain anchor consists solely of the Merkle root hash — a single SHA-256 digest derived from the Merkle tree of all track hashes in the certification batch. This hash is anchored via OpenTimestamps.
The Merkle root hash is:
- Not personal data — It is a fixed-length cryptographic digest (256 bits) that cannot be reversed, decoded, or used to identify any natural person.
- Not catalogue data — It reveals nothing about the content, titles, writers, or commercial terms of the certified catalogue.
- Persistent — Once anchored, the hash cannot be removed from the blockchain. This is by design: it provides the tamper-proof timestamp that underpins the certification.
Because the blockchain anchor contains no personal data, GDPR deletion requests do not require (and cannot achieve) removal of the hash from the blockchain. The underlying metadata records held by TrackForge can be deleted or anonymised in compliance with a valid deletion request, while the hash — which is not personal data — persists as proof that a certification was issued at a specific time.
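The following is an added example, not TrackForge's own code, showing how a batch of per-track SHA-256 hashes reduces to one Merkle root, how a single track's inclusion is verified against that root, and which fields a public record would carry. The canonical JSON form, the leaf/node prefixes, the odd-node rule, the function names and every sample record are assumptions; the page does not specify them.

```python
import hashlib
import json

# Constructed sample batch: every ISRC, title, name, IPI and share is made up.
BATCH = [
    {"isrc": "ZZTST2400001", "title": "Example One",
     "writers": [{"name": "Writer A", "ipi": "00000000001", "share": 100}]},
    {"isrc": "ZZTST2400002", "title": "Example Two",
     "writers": [{"name": "Writer B", "ipi": "00000000002", "share": 50},
                 {"name": "Writer C", "ipi": "00000000003", "share": 50}]},
    {"isrc": "ZZTST2400003", "title": "Example Three",
     "writers": [{"name": "Writer A", "ipi": "00000000001", "share": 100}]},
]

def canonical_hash(record):
    """SHA-256 over an assumed canonical JSON form (sorted keys, no whitespace)."""
    blob = json.dumps(record, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(blob.encode("utf-8")).digest()

def _leaf(track_hash):   # 0x00 prefix: leaf nodes (assumed domain separation)
    return hashlib.sha256(b"\x00" + track_hash).digest()

def _node(left, right):  # 0x01 prefix: interior nodes
    return hashlib.sha256(b"\x01" + left + right).digest()

def merkle_root_and_proof(track_hashes, index):
    """Return (root, proof) where proof is a list of (sibling, sibling_on_right)."""
    if not track_hashes:
        raise ValueError("empty certification batch")
    level, proof = [_leaf(h) for h in track_hashes], []
    while len(level) > 1:
        sibling = index ^ 1
        if sibling < len(level):          # an unpaired last node has no sibling
            proof.append((level[sibling], sibling > index))
        nxt = [_node(level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:                # promote the unpaired node unchanged
            nxt.append(level[-1])
        level, index = nxt, index // 2
    return level[0], proof

def verify(track_hash, proof, root):
    """Recompute the path from one track hash up to the anchored root."""
    node = _leaf(track_hash)
    for sibling, on_right in proof:
        node = _node(node, sibling) if on_right else _node(sibling, node)
    return node == root

def public_record(record, root):
    """Only public-side fields: ISRC, per-track hash, Merkle root."""
    return {"isrc": record["isrc"], "sha256": canonical_hash(record).hex(),
            "merkle_root": root.hex()}
```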