Privacy Notice

Last updated: 20 April 2026

1. Controller

The controller responsible for the processing of your personal data within the meaning of the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG) is:

Your Company Name
Your Street Address
Postal Code, City, Germany
Email: support@example.com

2. Categories of personal data we process

  • Account data: email address, password (hashed), display name, profile bio, avatar.
  • Content data: tracks you upload (audio files, titles, descriptions, genre, cover art, pricing).
  • Usage data: uploads, downloads, plays, log files, IP address, browser type, device identifiers, timestamps.
  • Subscription data: plan tier, subscription status, billing period, Paddle customer/subscription identifiers (we do not store full card details).
  • Support data: messages and information you send us when contacting support.

3. Purposes and legal bases

  • Providing the Service — creating and managing your account, hosting and delivering your tracks, enabling downloads. Legal basis: performance of contract (Art. 6(1)(b) GDPR).
  • Subscriptions and payments — managing your plan, checkout, invoicing. Legal basis: performance of contract (Art. 6(1)(b) GDPR) and legal obligation (Art. 6(1)(c) GDPR).
  • Security and fraud prevention — detecting abuse, protecting accounts and content. Legal basis: legitimate interests (Art. 6(1)(f) GDPR).
  • Service improvement and analytics — understanding aggregate usage to improve features. Legal basis: legitimate interests (Art. 6(1)(f) GDPR), or consent where required (Art. 6(1)(a) GDPR).
  • Customer support — answering your questions and resolving issues. Legal basis: performance of contract (Art. 6(1)(b) GDPR) and legitimate interests (Art. 6(1)(f) GDPR).
  • Legal compliance — complying with tax, accounting, and other legal obligations. Legal basis: legal obligation (Art. 6(1)(c) GDPR).

4. Recipients and processors

We share personal data only with the following categories of recipients:

  • Hosting and infrastructure provider — to host the application, database, and audio file storage.
  • Paddle.com Market Limited — our Merchant of Record. Paddle processes payments, manages subscriptions, handles tax compliance, and issues invoices. See Paddle's Privacy Notice.
  • Email service providers — for transactional emails (account verification, password reset, receipts).
  • Professional advisers — accountants, lawyers, and auditors where strictly necessary.
  • Authorities — where required by law or court order.

Each processor acts under a written data processing agreement in accordance with Art. 28 GDPR.

5. International data transfers

Some of our service providers (including Paddle and our hosting/email providers) may process data outside the European Economic Area, including in the United Kingdom and the United States. Such transfers are protected by appropriate safeguards under Art. 46 GDPR — typically the European Commission's adequacy decisions or Standard Contractual Clauses (SCCs), supplemented by additional technical and organisational measures where necessary.

6. Retention

We keep personal data only as long as necessary for the purposes described above:

  • Account and content data: for the lifetime of your account, then deleted within 90 days of account deletion (subject to legal retention).
  • Subscription/billing records: 10 years after the end of the calendar year of the transaction, as required by German tax law (§ 147 AO).
  • Server log files: typically up to 30 days, longer only when needed to investigate a security incident.
  • Support correspondence: up to 3 years after resolution, unless a longer period is required.

7. Your rights under the GDPR

You have the following rights regarding your personal data:

  • Access (Art. 15) — to obtain confirmation of, and a copy of, the data we hold about you.
  • Rectification (Art. 16) — to correct inaccurate or incomplete data.
  • Erasure (Art. 17) — to have your data deleted, subject to legal retention obligations.
  • Restriction (Art. 18) — to limit how we use your data.
  • Portability (Art. 20) — to receive your data in a structured, machine-readable format.
  • Objection (Art. 21) — to object to processing based on our legitimate interests.
  • Withdraw consent (Art. 7(3)) — at any time, where processing is based on your consent.
  • Lodge a complaint with a supervisory authority, in particular in your country of residence, workplace, or place of the alleged infringement. In Germany, the competent authority depends on the federal state in which we are established.

We aim to respond to requests within one month. To exercise any of these rights, contact us at support@example.com.

8. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or alteration, including encryption in transit (TLS), encrypted storage, role-based access control, secure password hashing, and regular review of our security practices.

9. Cookies and similar technologies

We use a minimal set of cookies and similar technologies:

  • Strictly necessary cookies — required to keep you signed in and to operate the Service. These do not require your consent.
  • Payment/checkout cookies — set by Paddle when you start a checkout. See Paddle's Privacy Notice for details.

We do not currently use marketing or third-party analytics cookies. If we add any in the future, we will request your consent in advance through a cookie banner.

10. Changes to this notice

We may update this Privacy Notice as our Service evolves or as required by law. The "Last updated" date above indicates the latest revision. Material changes will be communicated to you in advance.

11. Contact

For privacy questions or to exercise your rights, contact us at support@example.com.