
PRIVACY POLICY

Last updated: 10 April 2026

This Privacy Policy explains how Andrén Music & Marketing AB ("we", "us", "Dr. Bror") collects, uses, and protects personal data when you visit drbror.com or use our Services. We are committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR) and Swedish data protection law.

1. Data Controller

Andrén Music & Marketing AB

Crafoords Väg 14, 113 24 Stockholm, Sweden

Org. no: 559360-6071 · VAT: SE559360607101

Privacy contact: max@drbror.com

2. What Data We Collect

2.1 Data you give us

  • Contact info: name, email address (via signup forms or checkout).
  • Billing info: billing address, country, VAT number (via Stripe checkout). Card numbers are processed by Stripe and never touch our servers.
  • Onboarding info: artist name, Spotify/music links, creative assets you provide after purchase.

2.2 Data collected automatically

  • Technical data: IP address, browser type, device type, referrer URL, pages visited, time on site.
  • Cookies & similar technologies: see our Cookie Policy.
  • Advertising data: if you consent, we use Meta Pixel and the Meta Conversions API to measure ad performance. This includes hashed email addresses, IP, and events such as page views, form submissions, and purchases.

3. Why We Collect It (Legal Basis)

| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Provide & deliver Services | Contract performance (Art. 6(1)(b)) |
| Process payments | Contract performance (Art. 6(1)(b)) |
| Invoicing & accounting records | Legal obligation (Art. 6(1)(c)) |
| Respond to enquiries via signup forms | Legitimate interest (Art. 6(1)(f)) |
| Advertising analytics (Meta Pixel / CAPI) | Consent (Art. 6(1)(a)) |
| Essential site functionality | Legitimate interest (Art. 6(1)(f)) |

4. Who We Share It With

We share data only with service providers that help us run the Site and deliver Services. Each of these is a data processor acting on our instructions:

  • Vercel Inc. (USA / EU) — website hosting and serverless functions.
  • Stripe Payments Europe, Ltd. (Ireland / USA) — payment processing.
  • FormSubmit.co (USA) — forwards signup form submissions to our email inbox.
  • Meta Platforms Ireland Ltd. (Ireland) — advertising analytics via Meta Pixel and Conversions API (only with consent).
  • Google Ireland Ltd. / YouTube (Ireland) — serving ads when you are in an ad audience.
  • Google Fonts (USA) — self-referential, fonts are loaded from Google's CDN.

Some of these providers may transfer data outside the EU/EEA. Where this happens, we rely on Standard Contractual Clauses or the EU–US Data Privacy Framework to ensure an adequate level of protection.

5. How Long We Keep It

  • Billing records: 7 years (Swedish Accounting Act requirement).
  • Active subscription data: for the duration of your subscription plus 3 years.
  • Signup form submissions: up to 12 months if no contract is formed.
  • Analytics / advertising events: up to 24 months.
  • Cookies: see our Cookie Policy for individual cookie lifetimes.

6. Your Rights Under GDPR

You have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure ("right to be forgotten") — request deletion, subject to legal retention obligations.
  • Restriction — ask us to limit how we use your data.
  • Portability — receive your data in a machine-readable format.
  • Object — object to processing based on legitimate interest.
  • Withdraw consent — at any time, where processing is based on consent.
  • Lodge a complaint — with the Swedish Authority for Privacy Protection (IMY) at imy.se, or your local supervisory authority.

To exercise any of these rights, email max@drbror.com. We will respond within 30 days.

7. Security

We use TLS encryption for all traffic, rely on reputable processors (Stripe, Vercel) that maintain industry-standard security, and restrict access to personal data to authorized personnel only. No system is 100% secure, but we take reasonable technical and organisational measures to protect your data.

8. Children

Our Services are not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe we have collected data from a minor, contact us and we will delete it.

9. Changes to This Policy

We may update this Policy. The "Last updated" date reflects the most recent version. We will notify active subscribers of material changes by email.
