Privacy Policy

Last updated: 30 April 2026

Royalti is operated by AJL Technologies Ltd, a company registered in England and Wales ("Royalti", "we", "our", "us"). This policy explains what data we collect, how we use it, how long we keep it, and what rights you have. If anything is unclear, email support@royaltiapp.com.

1. What we collect

Account information

When you create an account: your name, email address, and role (artist or manager). Authentication is handled by Clerk; we never see or store your password. If you sign in with Apple or Google, we receive only your name and email.

Royalty data

The core of the product. This includes:

• Deals you create or import (deal name, type, payer, payment dates, amounts, recoupment balances)
• Bank transactions identified as royalty payments via your linked bank (Plaid in the US, Yapily in the UK/EU)
• Royalty statements you forward by email — we parse them with AI to extract payment data

Subscription state

Whether you have an active subscription or trial, refreshed on each app open from Apple's StoreKit. We never see your credit card; Apple handles all billing.

Anonymous analytics

We collect anonymous usage events (e.g. "a user opened the app", "a user confirmed a parsed statement"). These events contain no user identifier — they are stored as aggregate counters only. They cannot be linked back to your account.

What we don't collect

• Bank credentials — Plaid and Yapily handle authentication directly
• Credit card or payment details — Apple handles all subscription billing
• Location, contacts, photos, microphone, camera
• Browsing history outside the app

2. How long we keep it

We apply automatic expiry timers to anything sensitive that isn't part of your active product data. After the timer runs out, the data is permanently deleted by our database — we do not need to take any action for this to happen.

3. How we use your data

• Detect and display royalty payments from connected bank accounts
• Parse forwarded statements and create deal records
• Provide analytics, reports, and tax exports of your own income
• Enable manager–artist connections you explicitly authorise
• Send transactional emails (invites, payment alerts) you can opt out of
• Power the in-app AI assistant (Rex), which sees only the deal data needed to answer your question
• Operate and improve the product (debugging, capacity planning, fixing the parser)

4. Aggregate industry data

We compute industry-level statistics — for example, the median payment from a major royalty source, or the distribution of deal types across users. This dataset is built from fully anonymised counters stored in a separate database namespace that has never seen and never will see a user identifier. It cannot be reverse-engineered to reveal individual users or accounts.

We may publish or share these aggregate insights as part of industry reports, blog posts, or commercial partnerships. If you would prefer your account's confirmed deals not to contribute even to anonymised aggregate counters, email us and we'll exclude you.

5. Third-party services

We use these vendors to operate the product. Each receives only the minimum data needed for its role.

• Clerk — authentication, session management
• Plaid (US) and Yapily (UK/EU) — bank connectivity. We never see your credentials.
• Anthropic — AI parsing of forwarded statements and the in-app Rex assistant. Statement contents are sent for parsing; Anthropic does not train on this data per their API terms.
• Upstash Redis — application database
• Resend and Postmark — transactional email (invites, alerts) and inbound email parsing
• Vercel — application hosting
• Apple StoreKit — subscription billing

6. Sharing your data

We do not sell, rent, or trade your personal information. We do not share your individual royalty figures with labels, publishers, PROs, distributors, or any third party.

Data flows only to:

• The third-party services listed above, as required to deliver functionality you've asked for
• A manager you have explicitly invited to view your data — and only for as long as you allow it
• Law enforcement, only if compelled by valid legal process and only the minimum required

7. Security

All connections to Royalti are encrypted in transit (HTTPS / TLS). API endpoints require authenticated sessions, are rate-limited per user, and validate every input. Bank credentials are never transmitted to or stored on our servers — Plaid and Yapily handle authentication directly via OAuth flows. Internal admin access is restricted by an explicit email allow-list.

8. Your rights

Regardless of where you live, you can:

• Access your data — your dashboard already shows everything we have on you. Email us if you'd like a downloadable copy.
• Correct your data — edit any deal directly in the app.
• Delete your account — Settings → Delete account. This permanently removes every record tied to your account, including parsed statements, bank links, and confirmed deals.
• Disconnect your bank — Settings → Banking, at any time.
• Revoke manager access — Settings → Team, at any time.
• Opt out of aggregate counters — email us.

Users in the EU, UK, or California have additional rights under GDPR / UK-GDPR / CCPA, including the right to data portability and to lodge a complaint with a supervisory authority. We honour all such requests.

9. Children

Royalti is not directed at and not intended for use by anyone under 18. We do not knowingly collect data from minors.

10. Changes to this policy

We will update this page if our data practices change. The "Last updated" date at the top will reflect the latest revision. Material changes will be communicated in-app.

11. Contact

Questions, requests, complaints: support@royaltiapp.com. We aim to respond within 7 days.