Skip to main content
Royalty Reporting
// Legal

Privacy Policy

Last updated: May 13, 2026

1. Who we are

Royalty Reporting ("we," "us," or "our") is a product of RetailNorthstar, Inc., a Delaware corporation, operating the royalty-reporting.com website (the "Site") and the Royalty Reporting platform (the "Platform"; together with the Site, the "Service"). For purposes of EU and UK data-protection law, RetailNorthstar is the data controller for personal data collected on the Site and the data processor for personal data processed on the Platform on behalf of our customers. Our registered office address is available on written request via our privacy contact form.

2. Information we collect

Information you provide directly:

  • Name and work email address (when you book a demo, request a template, or contact us)
  • Company name, job title, and role
  • Royalty and licensing data you upload to the Platform (licensor agreements, rate cards, sales data, advance schedules, royalty statements, audit responses)
  • Communications you send us (support requests, feedback)

Information collected automatically (only after you accept cookies):

  • Browser type, device information, and operating system
  • IP address and approximate geographic location
  • Pages visited, time spent, and interaction patterns
  • Referral source and search terms

Analytics scripts (Google Analytics 4 and Microsoft Clarity) do not load unless you accept the cookie banner. If you decline, neither service receives any data about your visit.

3. Legal bases for processing (EU/UK)

For visitors and contacts in the EU, UK, or other GDPR-aligned jurisdictions, we rely on the following legal bases under GDPR Article 6:

  • Consent (Art. 6(1)(a)) — for non-essential cookies, analytics, marketing email subscriptions, and session-replay tooling. You may withdraw consent at any time.
  • Performance of a contract (Art. 6(1)(b)) — to provide the Platform under your Service Agreement, respond to demo requests, and deliver support.
  • Legitimate interests (Art. 6(1)(f)) — to operate, secure, and improve the Service; to detect fraud; to maintain audit logs. Balanced against your rights and freedoms.
  • Legal obligation (Art. 6(1)(c)) — to comply with applicable tax, accounting, audit-defense, and law-enforcement obligations.

4. How we use your information

  • To provide, operate, and improve the Royalty Reporting Service
  • To respond to demo requests and support inquiries
  • To send relevant royalty and licensing content (only if you opt in; unsubscribe anytime)
  • To analyze website usage (only after you accept cookies)
  • To detect and prevent fraud or security issues
  • To comply with legal obligations and respond to lawful requests

5. Data sharing

We do not sell your personal information. We share information only with:

  • Service providers (sub-processors) — hosting (DigitalOcean), analytics (Google Analytics, Microsoft Clarity, only with consent), and email delivery, each under contractual confidentiality and data-protection obligations and solely to operate the Service. A current list of sub-processors is available via our DPA — see DPA page.
  • Legal compliance — when required by law, regulation, valid legal process, or to defend our rights.
  • Business transfers — in connection with a merger, acquisition, or sale of assets, subject to equivalent protections.
  • Parent company — limited sharing with RetailNorthstar, Inc. for billing, support escalation, and security-incident response, under common data-protection standards.

6. Your royalty data and customer data

Royalty and licensing data uploaded by customers to the Platform (licensor agreements, rate cards, sales data, advance schedules, royalty calculations, statements, audit history, and any derived calculations, reports, or analytics generated from such data) belongs to the customer. We process this data only on the customer's instructions, under the terms of the applicable Service Agreement and Data Processing Addendum.

  • We do not use customer data to train AI/ML models, benchmark against other customers, or for any purpose other than delivering the Service to that customer.
  • We implement tenant isolation, role-based access controls, and engineering practices designed to prevent customer data from being accessed by other customers, including other licensees that may report to the same licensors. While we apply commercially reasonable safeguards, no multi-tenant system can guarantee zero risk of accidental exposure; our Service Agreement governs how any such incidents are handled.
  • We do not transmit customer data to third-party AI/ML services without the customer's prior written consent.

7. International data transfers

Our infrastructure is operated in the United States. If you access the Service from the EU, UK, or another jurisdiction with data-protection rules, your personal data is transferred to the United States for processing. We rely on Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework where applicable to provide an adequate level of protection. Copies of the SCCs and our sub-processor commitments are available via our DPA.

8. Data security and breach notification

We implement commercially reasonable security measures including encryption in transit (TLS 1.2 or higher), encryption at rest, role-based access controls, multi-factor authentication for administrative access, tenant data isolation, and regular security reviews. No method of electronic transmission or storage is completely secure, and we cannot guarantee absolute security.

In the event of a personal data breach affecting your data, we will notify affected customers without undue delay after becoming aware of the breach, consistent with our obligations under applicable law (including GDPR Art. 33 and Art. 34 where applicable). Security-research disclosures: see our security.txt.

9. Data retention

We retain personal data only as long as needed for the purposes described in this policy:

  • Demo and contact submissions — up to 24 months from last activity, then deleted or anonymized.
  • Marketing contacts — until you unsubscribe; we honor unsubscribe within 10 business days.
  • Customer Platform data — for the duration of your subscription; upon termination you have 30 days to export, after which we delete or anonymize the data, except where retention is required by law (e.g., tax records) or for audit-defense purposes specified in your Service Agreement.
  • Analytics data — Google Analytics retention is set to 14 months; Microsoft Clarity retention follows Microsoft's default (currently 13 months).
  • Server and security logs — up to 12 months for fraud, abuse, and incident-response purposes.

10. Cookies and tracking

Our website may use:

  • Google Analytics 4 (GA4) — to understand website traffic and content engagement (loads only after you accept the cookie banner).
  • Microsoft Clarity — to analyze anonymized user-interaction patterns (heatmaps, session recordings). Clarity may record mouse movement, scrolling, and clicks. It does NOT load unless you accept the cookie banner.
  • Essential storage — your theme preference (light/dark) and your cookie-consent choice are stored in your browser's localStorage. These do not load any analytics scripts.

To change your cookie choice, clear this site's browser storage (Application → Local Storage → delete rr_cookie_consent_v1) and reload. The banner will reappear on next visit.

11. Your rights — EU/UK/EEA

If you are in the EU, UK, or EEA, you have the following rights under GDPR / UK GDPR:

  • Right of access (Art. 15)
  • Right to rectification (Art. 16)
  • Right to erasure / "right to be forgotten" (Art. 17)
  • Right to restriction of processing (Art. 18)
  • Right to data portability (Art. 20)
  • Right to object (Art. 21), including to direct marketing
  • Right to withdraw consent at any time
  • Right to lodge a complaint with your local supervisory authority

To exercise any of these rights, contact our privacy team. We will respond within one month of receiving a verifiable request, as required by Art. 12(3).

12. Your rights — California (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) grants you the following rights:

  • Right to Know — what personal information we collect, the sources, the purposes, and with whom we share it.
  • Right to Delete — request deletion of personal information we have collected.
  • Right to Correct — request correction of inaccurate personal information.
  • Right to Opt-Out of Sale or Sharing — we do not "sell" personal information as defined by the CCPA. We may "share" personal information for cross-context behavioral advertising via analytics cookies; you can opt out by declining the cookie banner or sending a Global Privacy Control (GPC) signal.
  • Right to Limit Use of Sensitive Personal Information — we do not use sensitive personal information for purposes that trigger this right.
  • Right to Non-Discrimination — we will not deny service, charge a different price, or provide a different level of service if you exercise any CCPA right.

Categories of personal information collected (CCPA enumeration):

  • Identifiers (name, email, IP address)
  • Commercial information (company, job title, role)
  • Internet/network activity (pages visited, referrals — only with consent)
  • Geolocation (approximate, from IP — only with consent)
  • Professional or employment-related information (job title, employer)
  • Inferences drawn from the above

Sources: directly from you; automatically from your browser (with consent); from our service providers acting on our behalf.

To exercise any California right, contact our privacy team. You may also designate an authorized agent.

13. Children

The Service is intended for businesses and is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has provided personal information, please contact us and we will delete it.

14. Third-party links

Our Site may link to third-party websites (including RetailNorthstar's primary site, licensor reference pages, and external resources). We are not responsible for the privacy practices or content of third-party sites. Review their privacy notices when visiting.

15. Changes to this Policy

We may update this Privacy Policy from time to time. We will revise the "Last updated" date for any change. For material changes, we will provide more prominent notice (e.g., banner notice or email to subscribers) and, where required by law, obtain affirmative re-acceptance before the changes apply to existing customers.

16. Contact

Questions about this Policy or to exercise your rights: contact our privacy team.