Legal & policies

Terms of Service

1. Acceptance of these terms

These Terms of Service (“Terms”) form a legally binding agreement between you and Incubate & Innovate Limited (trading as Learn the Music Industry)(“Learn the Music Industry”, “we”, “us”, or “our”), a company incorporated in England and Wales.

By accessing or using the Learn the Music Industry website and platform at learnthemusicindustry.com(the “Platform”), you agree to be bound by these Terms. If you do not agree, you must not use the Platform. If you are using the Platform on behalf of an organisation, you represent that you have authority to bind that organisation to these Terms.

2. Eligibility and accounts

You must be at least 16 years old to create an account. If you are between 16 and 18, you confirm that you have the consent of a parent or guardian where required by applicable law.

You may browse and access free public lessons without registering. To access account features (including progress tracking, personalised recommendations, and tier benefits) you must register using a valid e-mail address and password via our authentication provider (Supabase).

You are responsible for keeping your login credentials confidential and for all activity that occurs under your account. Please notify us immediately at the contact address below if you suspect unauthorised use.

3. Service tiers

Learn the Music Industry is offered across the following tiers:

• Public (no account required). All core lessons, the interactive episode player, and the follow-the-money explorer are freely accessible to anyone without registration. No fee applies.
• Firm plan (paid, organisation licence).Organisations (including accounting firms, management companies, and other music-industry businesses) subscribe to a single firm plan to onboard staff, priced by team-size band rather than per seat. A firm plan is governed by these Terms together with any applicable Order Form or Subscription Agreement entered into between the organisation and Learn the Music Industry. Payments are processed via Stripe (see section 8).

We reserve the right to introduce, modify, or discontinue any tier, feature, or pricing at any time, subject to reasonable notice where this materially affects an existing paid subscription.

4. Acceptable use

You agree not to:

• use the Platform for any unlawful purpose or in a way that violates any applicable law or regulation;
• attempt to gain unauthorised access to any part of the Platform, its servers, or any systems or networks connected to it;
• scrape, crawl, or systematically extract content from the Platform without our prior written consent;
• reproduce, distribute, or create derivative works from Platform content except as expressly permitted by these Terms or in writing by us;
• use the Platform in any way that could damage, disable, overburden, or impair it or interfere with other users' enjoyment of it.

We may suspend or terminate access for any breach of this section without prior notice.

5. Educational content, not professional advice

6. Intellectual property

All content on the Platform (including lesson text, interactive exercises, illustrations, diagrams, the episode player, the follow-the-money explorer, and underlying software) is owned by or licensed to Learn the Music Industry and is protected by copyright and other intellectual property laws.

We grant you a limited, non-exclusive, non-transferable, revocable licence to access and use the Platform for your own personal, non-commercial educational purposes. You may not reproduce, republish, sell, or otherwise exploit any Platform content without our prior written permission.

Nothing in these Terms transfers any intellectual property rights to you. References to third-party trade marks, organisations, or products on the Platform are for educational illustration only and do not imply endorsement by or affiliation with those parties.

7. User content

Learn the Music Industry involves little user-generated content. What you provide is your account details and your responses to lessons and assessments, used to run your account and track your progress. You represent that anything you submit is your own and does not infringe any third party's rights or contain anything unlawful. Our use of your personal data is described in our Privacy Policy.

8. Payments and refunds

Firm plan subscriptions are charged via Stripe, Inc., our third-party payment processor. By providing payment details, you authorise us to charge the applicable fees in accordance with the relevant Order Form or Subscription Agreement. All prices are shown exclusive of VAT unless stated otherwise; VAT will be added where applicable under UK law.

Refund policy: to be confirmed following legal review (Consumer Contracts Regulations 2013 and relevant B2B terms apply).

We are not responsible for any fees or charges imposed by your bank or payment provider. If a payment fails, access to paid features may be suspended until payment is successfully processed.

9. Termination

You may close your account at any time by contacting us at the address below. On closure, your account data will be handled in accordance with our Privacy Policy.

We may suspend or terminate your access to all or part of the Platform at any time, with or without notice, if we reasonably believe you have breached these Terms, if we are required to do so by law, or for any other legitimate operational reason. Where termination affects a paid subscription, we will provide reasonable notice except where the termination is for cause.

On termination, all licences granted to you under these Terms cease immediately. Provisions that by their nature should survive termination (including sections 5, 6, 10, and 11) will continue to apply.

10. Limitation of liability

Nothing in these Terms limits or excludes our liability for death or personal injury caused by our negligence, for fraud or fraudulent misrepresentation, or for any other matter that cannot lawfully be limited or excluded.

Subject to the above, Learn the Music Industry's total liability to you, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, arising out of or in connection with these Terms or your use of the Platform shall be limited to the greater of (a) the total fees you have paid to us in the twelve months preceding the claim, or (b) £100.

We shall not be liable for any indirect, consequential, special, or punitive loss, or for loss of profits, revenue, data, business, or goodwill, even if we have been advised of the possibility of such loss.

The Platform is provided “as is” and “as available”. We do not warrant that it will be uninterrupted, error-free, or free from viruses or other harmful components.

If you are a consumer resident in the United Kingdom, these Terms do not affect your statutory rights.

11. Changes to these terms

We may update these Terms from time to time. Where we make a material change, we will notify registered users by e-mail (via Postmark) or by a prominent notice on the Platform, with at least 14 days' notice before the change takes effect. Your continued use of the Platform after the effective date of any change constitutes your acceptance of the revised Terms.

We recommend you save or print a copy of these Terms for your records.

12. Governing law and disputes

These Terms and any dispute or claim arising out of or in connection with them (including non-contractual disputes) shall be governed by and construed in accordance with the law of England and Wales. Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any such dispute, subject to any mandatory consumer-protection provisions that apply in your country of residence.

If you are a consumer in the UK, you may also have the right to refer a dispute to an alternative dispute resolution scheme. Details are available from the Citizens Advice Bureau or the relevant approved ADR body.

13. General

These Terms constitute the entire agreement between you and Learn the Music Industry in relation to the Platform and supersede all prior representations, agreements, or understandings. If any provision is found to be invalid or unenforceable, it shall be modified to the minimum extent necessary to make it valid and enforceable; the remaining provisions shall continue in full force and effect.

Our failure to exercise or enforce any right under these Terms does not constitute a waiver of that right. We may assign or transfer our rights and obligations under these Terms without restriction. You may not assign your rights without our prior written consent.

14. Contact

Questions about these Terms or your account? Reach us through our contact form.

Incubate & Innovate Limited (trading as Learn the Music Industry)

Privacy Policy

1. Who we are and what this policy covers

Learn the Music Industry (“we”, “us”, “our”) is an interactive learning platform that teaches how the music industry’s money works. This policy explains what personal information we collect, why we collect it, how we use it, and your rights under UK GDPR and the UK Data Protection Act 2018.

The data controller is Incubate & Innovate Limited (trading as Learn the Music Industry), reachable at the address in section 12 below.

2. What information we collect

2a. Anonymous visitors (public learning path)

The public learning path (episodes and the knowledge graph) is fully accessible without creating an account. We collect no personal data from anonymous visitors. Episode progress and quiz answers are stored exclusively in your own browser via localStorage and are never transmitted to our servers.

Vercel (our hosting provider; see section 7) receives standard server logs (IP address, browser type, URL, timestamp) as part of normal HTTP traffic. We do not use this data to identify or profile individuals.

2b. Registered accounts

If you create a Learn the Music Industry account you provide an email address and choose a password. These are managed by Supabase Auth (see section 7). We store the following data in our Supabase Postgres database, with row-level security so each user can only access their own records:

• Profile: user identifier, email address, display name (optional), account creation date.
• Episode progress: which episodes you have completed and when, linked to your user ID.
• Competency attempts: your responses to assessment questions, used to calculate your skill profile.
• Entitlements:your access tier (preview / full), source (e.g. firm plan), and expiry date.

2c. Firm / organisation accounts

If your employer subscribes to a firm plan, we also hold:

• Organisation record: firm name, type, plan band, and (when billing is live) Stripe customer ID.
• Membership record: links your user ID to the organisation with a role (owner or member) and status.

2d. Communications

We plan to use Postmark for transactional emails (account confirmation and password reset). When this feature is live, your email address will be passed to Postmark solely for delivery of that message. We do not send marketing emails without separate consent.

2e. Payments

Firm billing is planned via Stripe. When live, payment card data will be handled entirely by Stripe and never stored on our servers. We will hold only a Stripe customer reference ID.

3. Why we use your information and our legal basis

• Contract performance (Art. 6(1)(b) UK GDPR): providing your account, managing your access tier, and (when live) processing a firm plan subscription or Stripe transaction.
• Legitimate interests (Art. 6(1)(f) UK GDPR): security logging (Vercel server logs), detecting abuse, and improving the platform. We balance these interests against your rights; the anonymous public path minimises data collection by design.
• Legal obligation (Art. 6(1)(c) UK GDPR): retaining billing records as required by UK tax and financial regulations.
• Consent (Art. 6(1)(a) UK GDPR): marketing emails, if and when introduced.

4. Cookies and local storage

The public learning path uses browser localStorage only. No cookies are set for anonymous visitors. Registered accounts use a session cookie maintained by Supabase Auth to keep you signed in.

For full details of cookies and similar technologies used on this site, see the Cookies tab.

5. Third-party processors

We use the following sub-processors. Each is engaged under a data-processing agreement that meets UK GDPR / GDPR requirements.

• Supabase: database and authentication. Stores all account data, progress, and entitlements in a Postgres database with row-level security. Infrastructure is provided by AWS (EU region).
• Vercel:hosting and edge delivery. Processes request logs (IP, browser, URL, timestamp) to serve the site. Data is held on Vercel’s infrastructure, primarily in the US and EU.
• Postmark (planned): transactional email delivery. Your email address is shared only to deliver a specific message you have requested.
• Stripe (planned):payment processing. Handles all payment card data for firm plan subscriptions. Stripe is certified to PCI DSS Level 1. We receive only a customer reference ID from Stripe.
• Clerk: authentication for internal admin tools only (founder access). End-user accounts are not managed by Clerk.

6. Data retention

• Anonymous visitor data:server logs held by Vercel per their standard retention policy (typically 30 days). Your localStorage data remains on your device until you clear your browser storage.
• Account data:held for as long as your account is active. If you delete your account, we will erase your profile, progress, and competency records within 30 days, subject to any legal obligation to retain billing records.
• Billing records: retained for seven years as required by UK tax law.

7. Your rights under UK GDPR

You have the right to:

• Access: request a copy of the personal data we hold about you.
• Rectification: ask us to correct inaccurate or incomplete data.
• Erasure(“right to be forgotten”): ask us to delete your data, subject to legal retention obligations.
• Portability: receive your data in a structured, machine-readable format.
• Restriction: ask us to limit how we use your data while a complaint is being resolved.
• Object: object to processing based on legitimate interests.
• Withdraw consent:where processing is based on consent (e.g. marketing emails), you may withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email us at the address in section 12. We will respond within one calendar month. If you are unhappy with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO).

8. International data transfers

Some of our processors (Vercel, Stripe) operate infrastructure in the United States. Transfers outside the UK are made under the UK International Data Transfer Agreement (IDTA) or equivalent adequacy mechanisms. Supabase defaults to AWS EU regions; we will confirm the exact region when the production database is provisioned.

9. Children’s privacy

Learn the Music Industry is not directed at children under the age of 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

10. Security

We apply technical and organisational measures to protect your data, including:

• HTTPS enforced across all routes, with HTTP Strict Transport Security headers.
• Row-level security on all user data in Supabase Postgres, so each user can only query their own rows.
• Secrets (database URLs, API keys) stored in environment variables, never committed to the source repository.
• Admin tooling gated behind a single-founder allowlist enforced at both middleware and application level.
• Regular dependency audits (npm audit) as part of the continuous-integration pipeline.

No system is perfectly secure. If you discover a vulnerability, please report it to us privately at the address in section 12 rather than opening a public issue.

11. Changes to this policy

We may update this policy from time to time, for example when we add new features (such as transactional email or Stripe billing). Material changes will be notified via a notice on the site or by email to registered users. The “last updated” date at the top of this page reflects the most recent revision. Continued use of Learn the Music Industry after a change constitutes acceptance of the revised policy.

12. Contact and data controller

For questions, to exercise your data rights, or to report a security issue, use our contact form (pick the Privacy or Security topic).

Cookie Policy

Learn the Music Industry uses strictly necessary storage only. We do not use advertising cookies, analytics cookies, or any third-party tracking. The table below lists everything we store in your browser and why.

What we store

How to clear stored data

You can remove all Learn the Music Industry data from your browser at any time:

• Chrome / Edge: Settings → Privacy and security → Site settings → View permissions and data stored across sites → search for learnthemusicindustry.com → Delete.
• Firefox:Settings → Privacy & Security → Cookies and Site Data → Manage Data → search for learnthemusicindustry.com → Remove Selected.
• Safari: Settings → Advanced → Website Data → search for learnthemusicindustry.com → Remove.
• All browsers: DevTools → Application (or Storage) tab → clear localStorage and cookies for this origin.

Clearing localStorage will reset your lesson progress. Clearing auth cookies will sign you out.

Contact

Questions about how we handle your data? Use our contact form.

Security overview

A plain, honest account of how we protect data. We describe what we actually do, and we are explicit about what is on the roadmap rather than in place today.

Data minimisation by design

The free, public learning experience has no sign-in and stores no personal data. Progress lives in your browser’s local storage, never on our servers. Personal data only exists for account and firm-seat features, and even then we keep it to the minimum: an e-mail address, a firm role, and learning progress.

Access control

• Row-level security (RLS). Every database table that holds user data enforces RLS, so a signed-in user can only ever read or write their own rows.
• Least-privilege service role. Privileged operations (granting entitlements, reviewing verifications, firm-wide reads) run through a service role that is server-only and never exposed to the browser. Privileged writes are deny-by-default for ordinary users.
• Founder-gated admin. The admin console is restricted to a single founder allowlist, enforced both in middleware and in code.

Encryption and transport

All traffic to and from the platform is served over HTTPS (TLS), so data is encrypted in transit. Data at rest is held by our database and hosting providers (see subprocessors), which provide encryption at rest.

No PII on public paths

Public pages, the lessons and the episode player, carry no personal data and require no account. This sharply limits the surface where personal data could be exposed.

Append-only logs

Privileged actions (verification decisions and entitlement changes) are written to an append-only audit log that only the service role can write, and that ordinary users cannot read or alter. Assessment attempts are similarly recorded in an append-only log. This gives a tamper-evident record of who did what, and when.

Input validation

Server actions and routes validate and authorise every request server-side; we never trust client input. Submitted links (for example, musician-verification links) are validated to be genuine http(s) URLs before an admin ever sees them.

Authentication

Certifications

Reporting a vulnerability

See also our subprocessors and data processing agreement.

Accessibility

We want everyone to be able to learn how the music industry’s money really works, regardless of how they read, hear, or operate a screen. This statement describes what we’ve built, where we know we fall short, and how to tell us when something doesn’t work for you.

Our commitment

We aim to meet the Web Content Accessibility Guidelines (WCAG) 2.1, Level AA. Accessibility isn’t a one-off audit for us. It’s a build constraint we test on every change, and we treat a regression as a bug.

What we’ve done

• AA-contrast-guarded colour.Our text and surface colours are defined as design tokens, and an automated test reads those real tokens and fails the build if any content-text/background pair drops below the WCAG AA contrast ratio (4.5:1). Contrast isn’t left to chance. It’s enforced.
• Keyboard-operable interactive lessons.The interactive “beats” (predict-the-answer, drag-to-order, match, allocate, and the live simulators) are operable by keyboard, with visible focus outlines and labelled controls. Sliders expose an accessible label and a spoken current-value text.
• Screen-reader alternatives for charts. Visual data (charts, waterfalls, distributions) is paired with an equivalent data-table or text alternative, so the numbers are available to assistive technology, not just to sighted users.
• Reduced-motion support. We respect the operating-system prefers-reduced-motion setting and tone down or remove non-essential animation for people who ask for less movement.
• Semantic, no-PII public path. The free lessons need no sign-in and use semantic headings and landmarks, so a screen reader can navigate the structure.

Known limitations

How to report a problem