1. Introduction
growyour.music ("we," "us," or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.
This policy applies to users in the European Economic Area (EU GDPR), the United Kingdom (UK GDPR + Data Protection Act 2018), and California (CCPA/CPRA). Visitors from other jurisdictions are welcome to use the service; to the extent we process your data we apply the most protective of these regimes.
Data controller
Lukas Pauka, trading as growyour.music. UK sole trader.
ICO registration: pending — will be published on the Imprint once confirmed.
EU Art. 27 representative: Prighter — address will be published on the Imprint once confirmed.
Contact: privacy@growyour.music
2. Information We Collect
2.1 Information You Provide
- Account Information: Name, email address, password, profile photo
- Payment Information: Credit card details (processed by Stripe)
- Content: Audio files, feedback text, messages
- Connected Streaming Accounts: When you connect a Spotify or SoundCloud account (optional, for presave campaigns or download-gate follow verification), we receive your platform user ID, public profile, and OAuth access/refresh tokens. See Section 5a for the full scope + retention details.
- Communications: Support requests, feedback, survey responses
2.2 Automatically Collected
- Device Information: IP address, browser type, operating system
- Usage Data: Pages visited, features used, timestamps
- Audio Fingerprints: Chromaprint / AcoustID hashes of uploaded audio used for duplicate detection and copyright matching. These are technical content hashes of a track — they are not voiceprints or biometric identifiers of a natural person (see Cookies & Technologies).
- Cookies: Session and preference data (see Section 7)
3. How We Use Your Information
We use your information to:
- Provide, maintain, and improve the Service
- Process transactions and send related communications
- Connect artists with curators and facilitate feedback
- Detect and prevent copyright infringement
- Send promotional communications (with your consent)
- Comply with legal obligations
- Protect our rights and prevent fraud
4. Legal Basis for Processing (EU Users)
Under GDPR, we process your data based on:
- Contract: To provide the services you requested
- Consent: For marketing communications and optional features
- Legitimate Interest: For security, fraud prevention, and service improvement
- Legal Obligation: To comply with applicable laws
5. Information Sharing
We share information with:
- Curators: Your submitted demos for review (as requested by you)
- Service Providers: Stripe (payments), Resend (emails), Supabase (database + auth), cloud hosting. Full list in our Subprocessors page.
- Streaming Platforms (OAuth, user-initiated only): Spotify AB and SoundCloud Limited, when you choose to connect your account. See Section 5a.
- Legal Requirements: When required by law or to protect rights
- Business Transfers: In case of merger, acquisition, or asset sale
We do not sell your personal information to third parties.
5a. Connected Streaming Accounts (OAuth)
Some features require you to connect a third-party streaming account. This is always optional and user-initiated (we never connect on your behalf). When you click “Connect Spotify” or “Connect SoundCloud”, you are redirected to that platform’s consent screen, where you approve the specific permissions listed below. You can revoke at any time from your platform account settings or by deleting your growyour.music account.
Spotify
Used by presave campaigns (so we can save a release to your library on release day) and download gates (to verify you follow the artist). Spotify account connection is currently limited to an invitation-only beta — most fans interact with presave campaigns and download gates via email capture + outbound Spotify links rather than connecting a Spotify account.
- Scopes requested: user-library-modify (add releases you presaved), user-follow-modify + user-follow-read (follow an artist; verify the follow), user-read-private (identify the authenticated user).
- Data stored: Spotify user ID, display name, profile image URL, access token, refresh token. Stored encrypted at rest; tokens refreshed via Spotify’s token endpoint.
- Data never collected: playlists, listening history, private saved tracks, financial data, inbox/messages.
- Retention: refresh tokens are deleted when you revoke the connection, delete your growyour.music account, or when the Spotify campaign a token was collected for is archived — whichever comes first.
- Revoke: spotify.com/account/apps → remove access for growyour.music.
- Spotify’s own policy: spotify.com/legal/privacy-policy.
SoundCloud
Used by download gates to verify you follow, repost, or like the artist before unlocking a download.
- Scopes requested: read access to your public profile and follow/repost/like relationships needed for gate verification.
- Data stored: SoundCloud user ID, display name, profile URL, access token, refresh token.
- Retention + revocation: same policy as Spotify above. Revoke at soundcloud.com/settings/apps.
Full subprocessor contractual details (entity, location, transfer mechanism) are published on our Subprocessors page.
6. Data Retention
We retain your data:
- Account Data: For as long as your account is active, plus a 30-day grace window after deletion
- Audio Files: 90 days after submission completion
- Audio Fingerprints: 7 years from creation (aligned with UK CDPA 1988 limitation periods and standard commercial record-keeping)
- Transaction Records: 7 years (tax / accounting obligation — retained in anonymized form where possible after account deletion)
- Consent Records: 7 years (to demonstrate lawful basis under GDPR Art. 7(1))
- Support Communications: 2 years after resolution
The canonical retention schedule is kept in our source repository at docs/compliance/retention-schedule.md. If this list and that file ever diverge, the repository file is authoritative and we will correct the public page.
7. Cookies and Tracking
We use the following types of cookies:
Essential Cookies
Required for basic site functionality
Functional Cookies
Remember your preferences and settings
Analytics Cookies
Help us understand how you use our service
You can manage cookie preferences in your browser settings.
8. Your Rights
Depending on your location, you may have the following rights:
All Users
- Access your personal data
- Correct inaccurate data
- Delete your account and data
- Export your data
EU Users (GDPR)
- Object to processing based on legitimate interest
- Restrict processing in certain circumstances
- Withdraw consent at any time
- Lodge a complaint with a supervisory authority
California Residents (CCPA)
- Know what personal information is collected
- Know if personal information is sold or disclosed
- Opt out of sale of personal information
- Non-discrimination for exercising rights
9. Security
We implement appropriate security measures including:
- Encryption of data in transit (TLS) and at rest
- Regular security assessments and penetration testing
- Access controls and authentication
- Employee training on data protection
10. International Data Transfers
Your data may be transferred to and processed in countries outside the UK or EEA, principally the United States (via our subprocessors listed on the Subprocessors page). For EEA and UK transfers we rely on the UK International Data Transfer Addendum and the EU Standard Contractual Clauses where no adequacy decision applies.
11. Children's Privacy
Our Service is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, please contact us.
12. How to Exercise Your Rights
You can exercise most of your rights directly from your account settings:
- Access / Export: /settings/account/data — download a ZIP of your personal data
- Rectification: /settings — edit your profile and preferences
- Erasure / Deletion: /settings/account/delete — delete your account
- Marketing preferences: /settings/notifications — opt out per category
- "Do Not Sell or Share" (CCPA/CPRA): /legal/do-not-sell — no account required
We also honor the Global Privacy Control (GPC) browser signal as an affirmative opt-out of the sale / sharing of personal information under California law.
13. Complaints & Supervisory Authority
If you believe we have mishandled your personal data, we would prefer you contact us first so we can investigate. You also have the right to lodge a complaint with a supervisory authority:
- UK: Information Commissioner's Office (ICO) — ico.org.uk/make-a-complaint
- EEA: Your local data-protection authority. A directory is available at edpb.europa.eu/about-edpb/members
- California: California Privacy Protection Agency — cppa.ca.gov
14. Contact Us
For privacy-related inquiries or to exercise your rights:
Data Protection Contact
Email: privacy@growyour.music
We aim to respond to all requests within 30 days.
See also the Subprocessors, Cookies & Technologies, and Imprint pages.
