Privacy Notice

The controller responsible for the processing of your personal data within the meaning of the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG) is the entity named in our Impressum.

• Account data: email address, hashed password, display name, profile bio, avatar, social/website links.
• Content data: tracks you upload (audio files, titles, descriptions, genre, BPM, key, cover art, pricing, stems).
• Usage data: uploads, downloads, plays, likes, follows, messages, log files, IP address, browser/device information, timestamps.
• Subscription & purchase data: plan tier, subscription status, billing period, Paddle customer/subscription/transaction identifiers (we do not store full card numbers).
• Communication data: private messages, contact-form submissions, DMCA reports, verification applications, support correspondence.
• Security data: 2FA settings, recovery codes (hashed), known-device fingerprints, sign-in events.
• Cookies / local storage: session token (essential), site-gate token (essential), player state, optional anonymous analytics ID (consent only).

• Providing the Service — account creation, hosting tracks, streaming, downloads, messaging, playlists, pools. Legal basis: Art. 6(1)(b) GDPR (contract).
• Subscriptions & track sales — checkout, invoicing, refunds, tax compliance via Paddle as Merchant of Record. Legal basis: Art. 6(1)(b) and 6(1)(c) GDPR.
• Security & fraud prevention — 2FA, sign-in alerts, abuse detection, rate limiting. Legal basis: Art. 6(1)(f) GDPR (legitimate interests).
• Anonymous analytics — counting unique plays and views to give artists statistics. Legal basis: Art. 6(1)(a) GDPR (your consent) in combination with § 25(1) TTDSG.
• Transactional emails — verification, password reset, security alerts, purchase receipts. Legal basis: Art. 6(1)(b) and 6(1)(f) GDPR.
• Optional notification emails — daily digest, new follower, comments. Legal basis: Art. 6(1)(a) GDPR; you can opt out at any time in your settings or via the unsubscribe link.
• Legal compliance — tax retention, responding to lawful requests, DMCA. Legal basis: Art. 6(1)(c) GDPR.

We share personal data only with the following processors, each under a written data-processing agreement (Art. 28 GDPR):

• Lovable (and its underlying infrastructure providers, including Supabase and Cloudflare) — application hosting, database, authentication, file storage, edge delivery, server logs.
• Paddle.com Market Limited — Merchant of Record for subscriptions and track purchases (payments, tax, invoicing, fraud screening). See Paddle's Privacy Notice.
• Resend, Inc. — sending of transactional and notification emails on our behalf.
• Professional advisers — accountants, lawyers, auditors, where strictly necessary.
• Public authorities — only where required by law or court order.

Some processors (in particular Paddle, Cloudflare, Resend, and Supabase's infrastructure) may process data outside the European Economic Area, including in the United Kingdom and the United States. Such transfers are protected by appropriate safeguards under Art. 46 GDPR — typically EU Commission adequacy decisions (UK, EU–US Data Privacy Framework where applicable) or the EU Standard Contractual Clauses (SCCs), supplemented by additional technical and organisational measures where necessary.

• Account and uploaded content: lifetime of your account, deleted within 90 days of account deletion (subject to legal retention).
• Subscription / purchase / invoicing records: 10 years after the end of the calendar year of the transaction (§ 147 AO).
• Server log files: typically up to 30 days.
• 2FA codes and unsubscribe tokens: short-lived (minutes to hours).
• Support correspondence: up to 3 years after resolution.
• Anonymous analytics ID (browser): up to 24 months from your last visit.

We use the following categories of cookies and local storage on your device:

• Strictly necessary — sign-in session (Supabase), site-gate token, player state. No consent required.
• Payment — set by Paddle when you start a checkout. No consent required because you specifically requested checkout.
• Analytics (optional) — a random anonymous ID stored in your browser to count unique plays and views. Only set with your consent.

You can change your choices any time via the cookie button at the bottom-left of the page.

• Access (Art. 15)
• Rectification (Art. 16)
• Erasure (Art. 17) — you can delete your account directly in Settings.
• Restriction (Art. 18)
• Portability (Art. 20)
• Objection (Art. 21) to processing based on legitimate interests.
• Withdraw consent (Art. 7(3)) at any time.
• Lodge a complaint with your local supervisory authority. In Germany, this is the data protection authority of the federal state in which we are established.

To exercise any of these rights, contact us using the address in our Impressum.

We use TLS in transit, encrypted storage at rest, role-based access control, secure password hashing (PBKDF2/SHA-256 and Argon2 via Supabase Auth), and offer optional two-factor authentication.

We may update this notice as our Service evolves or as required by law. The "Last updated" date above indicates the latest revision. Material changes will be communicated in advance.