1. What this page covers
This page lists every cookie, local-storage key, and similar technology that growyour.music sets on your device, who set it, what it does, and how long it lasts. It is the companion document to our Privacy Policy and the Subprocessors list.
You can change your cookie choices at any time via the "Cookies" link in our footer, which re-opens the cookie preferences modal.
2. Consent model
- Strictly necessary cookies are always on. Without them the site cannot authenticate you or process payments.
- Analytics and Marketing cookies are off by default. We use an opt-in consent-mode banner; nothing loads until you accept.
- Global Privacy Control (GPC). If your browser sends the
Sec-GPC: 1header, we automatically treat it as an opt-out of the sale/sharing of personal information and disable marketing cookies for that session.
3. Strictly necessary cookies
| Name | Vendor | Purpose | Duration |
|---|---|---|---|
| next-auth.session-token | NextAuth.js (first-party) | Authenticated session identifier. Required for login to work. | 30 days |
| next-auth.csrf-token | NextAuth.js (first-party) | CSRF protection for authentication flows. | Session |
| __twr_csrf | growyour.music (first-party) | Double-submit CSRF token for state-changing API requests. | Session |
| cc_cookie | vanilla-cookieconsent (first-party) | Stores your cookie-preference choices so we do not re-prompt on every visit. | 182 days |
| gpc_optout | growyour.music (first-party) | Persists a Global Privacy Control opt-out signal detected from the Sec-GPC request header. | 365 days |
| __stripe_mid / __stripe_sid | Stripe | Fraud prevention on payment pages. | 1 year / session |
3. Analytics cookies
| Name | Vendor | Purpose | Duration |
|---|---|---|---|
| ph_* (e.g. ph_phc_<token>_posthog) | PostHog | Product analytics (anonymous visitor id, session id, feature-flag evaluation). Only loaded after analytics consent. | 1 year |
3. Marketing cookies
| Name | Vendor | Purpose | Duration |
|---|---|---|---|
| _fbp | Meta (Facebook) | Meta Pixel attribution for ad campaigns. Only loaded after marketing consent and only when we are running active ad campaigns. | 90 days |
| _fbc | Meta (Facebook) | Click-ID for Meta ads conversion tracking. | 90 days |
| _ttp | TikTok | TikTok Pixel attribution. Only loaded after marketing consent. | 13 months |
| reddit_uid | Reddit Ads | Reddit conversion tracking. Only loaded after marketing consent. | 2 years |
4. Audio fingerprints
When you upload an audio demo we compute a Chromaprint / AcoustID hash of the track. That hash is used to detect duplicate uploads inside the platform and to check the recording against the public MusicBrainz / AcoustID database for copyright matches.
These hashes are technical content signatures of the audio file — not voiceprints, not biometric identifiers of a natural person. They cannot be used to identify or re-identify you. They are stored for up to 7 years from upload, aligned with copyright limitation periods, then purged automatically by a scheduled job.
The rationale for this classification is documented in our compliance log (see docs/compliance/decisions.md CD-001 and CD-002 in our public source repository).
5. Managing your choices
- Click "Cookies" in the site footer to re-open the preferences modal.
- Visit /legal/do-not-sell to exercise your CCPA/CPRA right to opt out of the sale or sharing of personal information.
- Most browsers let you block all cookies or clear existing cookies from their settings. Doing so may break parts of the site that rely on the strictly-necessary set (e.g. you will not be able to stay logged in).
6. Contact
Questions about this page? Email privacy@growyour.music.