Privacy Policy
SOUNDVIA — PRIVACY POLICY
Effective Date: 13 March 2026
Last Updated: 05 May 2026 (rev. 11)
Platform: soundvia.eu
Operator: Soundvia LLC, a Wyoming limited liability company
Registered Agent: Registered Agents Inc, 30 N Gould St Ste R, Sheridan, WY 82801, USA
Data Controller Contact: [email protected]
This Privacy Policy explains how Soundvia ("we", "us", "our") collects, uses, stores, and shares personal information when you use our Platform at soundvia.eu. It also explains your rights under applicable data protection law, including the EU General Data Protection Regulation (GDPR), the UK GDPR, the Polish Personal Data Protection Act (UODO), and other applicable regional laws.
If you are a resident of California (USA), please also see Section 14. If you are a resident of Brazil, please also see Section 15. If you are a resident of Australia, please also see Section 16. If you are a resident of Canada, please also see Section 17.
1. WHO IS THE DATA CONTROLLER?
The data controller responsible for your personal information is:
Soundvia LLC
A Wyoming limited liability company
Registered Agent: Registered Agents Inc, 30 N Gould St Ste R, Sheridan, WY 82801, USA
Email: [email protected]
Website: soundvia.eu
For EU/EEA residents, we are the data controller as defined under the GDPR. We do not currently have a formal EU representative (Article 27 GDPR); EU users may contact us directly at [email protected].
2. INFORMATION WE COLLECT
2.1 Information You Provide to Us
(a) Account Registration. When you register, we collect:
- Username (handle)
- Display name
- Email address
- Password (stored in hashed form using bcrypt; we never store plain-text passwords)
- reCAPTCHA v3 anti-abuse assessment data used to protect registration and account security (including risk score, action name, and technical request metadata processed by Google)
- Optional invite/referral metadata where invite campaigns are active (for example, invite code generated by another user)
- Optional: profile picture, banner image, biography
(a1) Google Sign-In (Optional). If you sign in with Google OAuth, we receive from Google:
- Google subject identifier ("sub")
- Email address and email verification flag
- Profile name and profile image URL
We use this data to authenticate you, link an existing account where appropriate, and reduce account fraud.
(b) Content You Upload. We collect and store:
- Audio files (music tracks), which are transcoded to HLS format for adaptive streaming and stored in cloud object storage
- Cover artwork images
- Track and release metadata: title, genre, tags, release date, ISRC, UPC, lyrics, credits, copyright information, and description
- Comments you post on tracks, including any user @mentions within comment text and optional timestamp references (timed comments)
- Secondary Artist credits you submit or accept on tracks
(c) Audio Analysis Data. When you upload a track, we automatically analyse the audio file to derive:
- Estimated BPM (tempo)
- Estimated loudness (dB RMS)
- Estimated musical key and mode (major/minor)
- Track duration (seconds)
- An audio fingerprint (generated via Chromaprint/fpcalc if available, or a SHA-256 spectral fallback). This fingerprint is used for content identification and duplicate detection purposes.
These derived values are stored alongside the track record and are not shared publicly by default.
(d) Communications. If you contact us by email or through the Platform, we collect the content of those communications.
(e) Label and Distributor Partners. For partner accounts, we additionally collect:
- Business display name and contact email
- API tokens (stored and transmitted securely)
- Contract and signature information (for Label partners), including legal representative name, electronic signature image (stored in cloud storage), and a SHA-256 signature hash
- Signed contract PDF documents
(f) DMCA Takedown / Copyright Claim Notices. If you submit a copyright notice, we collect:
- Full name and email address
- Mailing address
- Description of the copyrighted work and the alleged infringing material
- Good-faith and accuracy declarations
- Notice status history, reviewer metadata, and timestamps
- Related counter-notice metadata (if submitted), including contact details, legal declarations, signature, and review outcome
- Enforcement lifecycle metadata, including takedown-mode activation, counter deadline, and finalization status (such as expiry deletion)
(g) Artist Claims. If you submit an artist profile claim, we collect:
- Your user account identity
- The target artist profile you are claiming
- Your stated reason for the claim
- Supporting information you choose to provide
(h) Library and Saved Content. When you save Releases or Playlists to your Library, we record the identifiers of saved items against your account, along with your preferred ordering of library items. This data is used to display your Library, generate personalized recommendations, and notify the relevant artist when their Release is saved (see Section 3.10).
(i) Push Notification Subscriptions. If you opt in to browser push notifications, we collect and store:
- Your browser push subscription endpoint URL
- The cryptographic keys associated with your subscription (p256dh and auth), as required by the Web Push protocol
- Your push notification preference settings (which notification categories you have enabled)
These are stored against your user account and deleted if you unsubscribe or delete your account.
(j) Onboarding Preferences. During initial onboarding, we collect your stated preferences for:
- Music genres you are interested in
- Tags or topics you want to discover
- Artists you already follow or want to discover
These preferences are stored against your account and used to personalize your discovery feed and recommendations. They decay in weight over time as your listening history grows.
(k) Lyrics. When you submit lyrics for a track (either as the track owner or as a community contributor), we collect:
- The submitted lyrics text, including any LRC-style sync timestamps if provided
- Whether you submitted lyrics as a direct edit (artist/credited collaborator) or as a community submission pending moderation review
- Your user identity as the last editor or submitting user
(l) Artist Picks. If you designate tracks as your "Artist Picks" on your profile, we store the ordered list of up to three pinned track IDs against your user account. This is used solely to display highlighted tracks on your public profile.
(m) Comments. When you post a comment on a track, we collect:
- Your user account identity, display name, username, and avatar at the time of posting
- The comment text (up to 280 characters)
- Any @mentions of other users within the comment
- An optional timestamp reference (timed comment), linking the comment to a position in the track's playback
- Whether the comment is a top-level comment or a reply to another comment
We also process comment reports submitted by other users, collecting the reporter's identity and the stated reason for the report.
(n) Direct Messages and Messaging Keys. When you use direct messaging, we collect:
- Conversation metadata (participants, timestamps, unread counts)
- Message content you send through the current in-Platform messaging flow
- Optional messaging public key you upload for client-side encrypted messaging workflows
- Message read status and reply linkage metadata
(o) Profile Customization and Social Links. We collect profile customization settings, including custom CSS, profile background preferences, and social links you configure (including custom links).
(p) AI Theme Generation Inputs. If you use AI-assisted profile theme generation, we process:
- Your text prompt
- Current profile custom CSS (if provided)
- Limited profile style/context snippets generated by our system
to produce a CSS theme suggestion.
(p1) Cherry Summary Inputs and Outputs. If you view or request Cherry Summary on a track page, we process:
- Track lyrics text associated with that track
- Track title and artist display context used for prompt quality
- AI-generated output fields (summary, themes with example excerpts, moods, and age rating label)
- A generation timestamp and short-lived cache metadata used to avoid repeated regeneration
(p2) Cherry Select Inputs and Outputs. If you use Cherry Select, we process:
- Your prompt text (up to current product limits)
- Exclusion preferences and prompt context used to avoid repeating previously suggested tracks
- Candidate track metadata used to generate results (title, artist, tags, genre, recommendation context)
- AI-generated response text, optional per-track commentary, and selected track payloads returned to your chat history
- Message metadata (role, timestamps, and message IDs)
(q) Developer Apps and API Telemetry. If you use the Developer Portal, we collect and store:
- App metadata (app name, app tier, verification status)
- App credentials (token and client identifier)
- Usage aggregates (request totals, response-bytes totals)
- API request telemetry (endpoint, method, status code, response size, duration, timestamp) for platform integrity, abuse prevention, and operations.
(q1) OAuth App Authorization and Token Data. If you authorize a third-party app through Soundvia OAuth, we process:
- OAuth request parameters (client_id, redirect_uri, requested scopes, state, response_type)
- Authorization decision (approve/deny), selected scopes, and authorization code metadata (expiry, one-time use status)
- Access token and refresh token records (hashed/token values, expiry, revocation status, app ID, client ID, user ID, and scope)
- OAuth endpoint activity needed to issue, refresh, inspect, and revoke tokens
(q2) Artist Plus Billing and Entitlements. If you subscribe to Artist Plus, we process:
- Billing customer and subscription identifiers
- Subscription status, plan interval, trial start/end, and cancellation state
- Subscription period windows and related entitlement fields (current period start/end, cancel_at, canceled_at, remaining window indicators, and gifted-source flags)
- Invoice and checkout metadata (amount, currency, tax/VAT totals, payment status, period dates)
- Billing portal and checkout session metadata used to create customer portal access and hosted checkout URLs
- Product-side entitlement shadow fields on your account (for example has_artist_plus and badge-sync state)
- Entitlement state used to grant product features (for example Cherry Video access, preset slot limits, priority export lane, enhanced bump limits, premium preset access, advanced analytics surfaces, upload quota entitlement state, and badge visibility)
(q3) Artist Plus Gifts and Redemption. If you purchase, send, receive, or redeem an Artist Plus gift, we process:
- Gift identifiers and gift lifecycle state (pending payment, available, redeemed)
- Gift duration and recipient targeting metadata (recipient username and/or account ID where provided)
- Gift checkout/payment metadata and redemption timestamps
- Redeemer identity, gift-linked message metadata, and notification flags used to prevent duplicate notices
- Gift-related communication records (in-Platform notices, direct message gift cards, and transactional emails)
(r) Invite Campaign and Challenge Data. If you use invite campaign features, we may process challenge session data, attempts, and invite code generation/usage metadata for anti-abuse and integrity checks.
2.2 Information We Collect Automatically
(a) Stream and Playback Data. When you listen to tracks on the Platform, we collect:
- Track identifier and timestamps of play events
- Listening duration (seconds listened, reported and server-verified)
- Whether a stream event was counted as a "valid stream" (50+ seconds played)
- Whether a stream was flagged by anti-abuse controls
- A stream session identifier linking heartbeat events to a session
- IP address at time of stream (used for anti-abuse and security)
- User-Agent string (browser/device type)
(b) Playback Session Heartbeats. The Platform sends periodic heartbeat updates during playback to track cumulative listening time within a session. We record elapsed wall-clock time alongside reported client-side listening time to validate accuracy and detect abuse.
(c) Playlist Play Events. When you play a playlist, we log a playlist play event associated with your user account and the playlist identifier. This data is used to power personalized recommendations.
(d) Rate Limit Records. For security and anti-abuse purposes, we store temporary rate limit counters keyed by IP address and/or user identifier. These records expire automatically (typically within minutes to hours) and are not retained long-term.
(e) Account Activity Logs. We log significant account actions (login, upload, deletion) for security and operational purposes.
(f) Geographic Location (Country Level). We may read a country code from HTTP request headers forwarded by our CDN or load balancer (e.g., CF-IPCountry) to apply geographic access controls (see Section 3.5). We do not perform precise IP-to-location lookups and do not store this country code as a persistent data point.
(g) Timezone. If you allow it, a timezone preference cookie records your local timezone to display release dates correctly. See Section 10.
2.3 Recommendation and Personalization Data
We build a personalized recommendation profile based on your listening activity and stated preferences. Specifically, we:
- Track which artists and genres you listen to, weighted by recency
- Use your onboarding genre, tag, and artist preferences as initial signals, which decay in influence over time as your listening history grows (approximately 180 days)
- Compute a similarity score between your listening profile and other users' listening profiles (collaborative filtering) to identify artists and tracks you may enjoy
- Cache a personalized playlist ("YourSpace") and a "Your Artists Dropped" playlist, each refreshed approximately every 6 hours
- Use bumped/promoted tracks (see Section 3.6) as a secondary signal in recommendation feeds
- Use your Library saves, playlist play history, and library ordering as additional signals in generating your discovery feed and personalized playlists
Recommendation processing uses aggregated, pseudonymous identifiers (user IDs) and does not expose individual users' listening histories to other users. The recommendation engine runs server-side; no third-party advertising or tracking platform is involved.
2.4 Information We Receive from Third Parties
We do not purchase or receive personal data from third-party data brokers. If a label or distributor creates an artist profile on your behalf, we receive basic identity information (name, handle) from them. You may claim such a profile through our artist claim process (see Section 2.1(g)).
3. HOW WE USE YOUR INFORMATION
We use your personal information for the following purposes and on the following legal bases under GDPR:
3.1 To Provide and Operate the Platform
Legal basis: Contract performance (Article 6(1)(b) GDPR)
- Authenticating your account and maintaining your login session
- Delivering music streaming, HLS audio delivery, and discovery features
- Displaying your profile, tracks, and releases to other users
- Processing audio uploads: transcoding to HLS segments and storing in cloud object storage (Cloudflare R2)
- Operating follow, comment, playlist, library, notification, and Secondary Artist credit features
- Displaying Artist Picks on your public profile
- Processing and displaying comments, replies, and timed comments on tracks
- Processing @mention notifications within comments
- Operating direct messaging, conversation state, and unread tracking
- Storing and serving optional messaging public keys for client-side encryption workflows
- Operating profile customization settings and social links display
- Operating developer app registration, token management, and verification workflows
- Sending transactional account emails (email confirmation, password reset, notifications)
3.2 To Personalise Your Experience
Legal basis: Legitimate interests (Article 6(1)(f) GDPR) — providing a relevant and useful experience without overriding your rights
- Generating personalised music recommendations using your listening history, onboarding preferences, Library saves, and playlist plays (collaborative filtering and content-based signals)
- Building and refreshing the "YourSpace" and "Your Artists Dropped" personalized playlists
- Ordering discovery feeds and surfacing relevant releases and playlists
- Using your stated onboarding preferences as early personalization signals
3.3 To Improve and Develop the Platform
Legal basis: Legitimate interests (Article 6(1)(f) GDPR)
- Analysing usage patterns and aggregate stream analytics
- Diagnosing technical issues and improving performance
- Developing new features and improving recommendation quality
3.4 To Ensure Safety, Security, and Platform Integrity
Legal basis: Legitimate interests (Article 6(1)(f) GDPR) / legal obligation (Article 6(1)(c) GDPR)
- Detecting and preventing fraud, abuse, and unauthorized access
- Enforcing our Terms of Service and anti-abuse policies
- Applying rate limiting to protect the Platform against automated abuse (including on registration, login, streaming, commenting, comment reporting, and promotion features)
- Validating stream authenticity using server-side elapsed time comparison
- Moderating community-submitted lyrics through a staff review queue
- Processing comment reports and taking moderation action where required
- Responding to copyright notices and legal requests
- Enforcing invite campaign integrity, invite code generation rules, and anti-abuse checks where invite flows are active
3.5 Geographic Access Controls
Legal basis: Legal obligation / legitimate interests
- We block access to the Platform from certain geographic regions based on legal or regulatory requirements. Access is denied at the request level using country codes from CDN headers; no persistent geolocation profile is built.
3.6 Track Promotion (Bump System)
Legal basis: Contract performance / legitimate interests
- Artists may "bump" their own tracks to increase their visibility in recommendation feeds for a limited window (48 hours). When a bump is applied, we record the artist's user ID, the track ID, the role at the time of bumping, and the bump expiry time. This data is used solely to enforce bump limits and inject bumped tracks into discovery feeds.
3.7 To Communicate with You
Legal basis: Contract performance / legitimate interests
- Sending account-related notifications (e.g., email confirmation, password reset, claim updates, takedown notices, follower activity, playlist additions, release saves, comment mentions, comment replies, Secondary Artist credit requests, lyrics submission outcomes, and administrative messages)
- Sending notice lifecycle updates related to takedown mode and counter-notice outcomes (accepted/rejected), including email notices where appropriate
- Responding to your support or legal enquiries
- We use SMTP to deliver emails from [email protected]
3.8 To Comply with Legal Obligations
Legal basis: Legal obligation (Article 6(1)(c) GDPR)
- Retaining records as required by applicable copyright, contract, and data protection law
- Responding to valid law enforcement requests and takedown notices
3.9 With Your Consent
Legal basis: Consent (Article 6(1)(a) GDPR)
- Where we rely on consent for any optional feature (including push notifications), you may withdraw it at any time without affecting the lawfulness of prior processing.
3.10 Library Save Notifications
Legal basis: Legitimate interests (Article 6(1)(f) GDPR)
- When you save a Release to your Library, the Release's artist receives an in-Platform notification that includes your display name. This allows artists to understand the reach of their music. We do not disclose your email address, handle, or any other personal information beyond your display name in this notification.
3.11 Push Notifications
Legal basis: Consent (Article 6(1)(a) GDPR)
- If you opt in to push notifications, we use your stored push subscription data to deliver browser notifications about account activity (follows, playlist additions, release saves, comment mentions, and other categories you enable). We implement a deduplication guard to avoid sending the same notification more than once in sequence. Subscriptions that return permanent delivery errors (HTTP 404 or 410) are automatically removed. You may withdraw consent and unsubscribe at any time through your account settings.
3.12 Secondary Artist Credits
Legal basis: Contract performance / legitimate interests
- When a primary artist designates you as a Secondary Artist on a track, we send you an in-Platform notification. Your acceptance or decline is recorded against the track. Accepted credits are displayed publicly on the track's profile page. Declined or pending credits are not shown publicly.
3.13 Lyrics and Community Lyrics Submissions
Legal basis: Contract performance / legitimate interests
- Track owners and their credited secondary artists may add or edit lyrics directly. Other users may submit lyrics for moderation review. Submitted lyrics are held in a moderation queue and are not published until reviewed and approved by Platform staff. Approved submissions replace or supplement existing lyrics. Declined submissions are retained briefly for moderation audit purposes and then discarded. We notify the submitting user of the outcome of their submission.
- Lyrics locked by Platform staff to artist-only editing cannot be modified by community submissions.
3.14 Lyrics Video Export
Legal basis: Contract performance / legitimate interests
- When you use the Lyrics Video Maker to export a video, the Platform generates a temporary video file combining your rendered visual and the track's audio. This file is stored on our server for a short period (currently up to 5 minutes) to allow you to download it. The file is then automatically deleted. We store a minimal record of the export (token, user ID, track ID, timestamps) for session management and security purposes. These records expire automatically.
3.15 Comment Mentions and Notifications
Legal basis: Contract performance / legitimate interests
- When you @mention another user in a comment, that user receives an in-Platform notification containing your display name and a link to the relevant track. When you reply to another user's comment, that user similarly receives a notification. Track owners receive a notification when a new top-level comment is posted on their track. Only your display name and the comment context are shared; your email address is not disclosed.
3.16 Onboarding Preference Processing
Legal basis: Legitimate interests (Article 6(1)(f) GDPR)
- We use your onboarding genre, tag, and artist preferences to seed your initial personalized discovery experience. These preferences are stored against your account and used as described in Section 2.3. You may update your preferences at any time through your account settings.
3.17 Google Sign-In Processing
Legal basis: Contract performance / legitimate interests
- If you choose Google sign-in, we use Google account data (Section 2.1(a1)) to authenticate your account, link existing accounts by verified email where appropriate, and prevent duplicate or fraudulent account creation.
3.18 AI Theme Generation Processing
Legal basis: Consent / contract performance (feature use)
- When you request an AI-generated profile theme, we process your prompt, current CSS, and generated style context to obtain a CSS suggestion from a third-party inference provider. This processing occurs only when you invoke the feature.
3.19 Cherry Summary Processing
Legal basis: Legitimate interests / contract performance (feature use)
- When Cherry Summary is requested on a track page, we process the track's lyrics and related track context to generate AI-assisted insights (summary, themes, moods, and age rating label). We cache generated output for a limited period to improve performance and reduce repeated processing.
3.20 Cherry Select Processing
Legal basis: Legitimate interests / contract performance (feature use)
- When you use Cherry Select, we process your prompts and recommendation context to generate conversational music suggestions and per-track commentary.
- Cherry Select stores your message history (including prompts and generated responses) to preserve chat continuity and to reduce immediate repetition of suggestions.
3.21 OAuth Authorization and Token Processing
Legal basis: Contract performance / legitimate interests
- We operate first-party OAuth authorization-code and refresh-token flows for Developer Apps you choose to authorize.
- We process scopes, authorization grants, token issuance, token refresh, revocation, and token inspection to enforce app permissions, security, and API access controls.
- We may use OAuth metadata to investigate abuse, enforce revocation, and maintain account and developer ecosystem integrity.
3.22 Developer API Telemetry and Abuse Prevention
Legal basis: Legitimate interests (Article 6(1)(f) GDPR)
- We log developer API usage metadata per app to enforce rate limits, detect abuse, maintain service quality, and provide operational insights. This includes endpoint, method, response status, response size, and request timestamp.
3.23 Artist Plus Billing and Entitlement Enforcement
Legal basis: Contract performance / legal obligations / legitimate interests
- We process subscription and invoice metadata to activate, maintain, and terminate Artist Plus entitlements.
- We process billing status updates (including failed payments, cancellation, and renewal outcomes) to determine whether paid features remain available on your account.
- We process billing webhook payloads and account metadata to reconcile entitlement state and keep account-level Artist Plus access synchronized.
3.24 Advanced Analytics and AI Tips
Legal basis: Legitimate interests / contract performance (feature use)
- We process aggregate stream and listener metrics to produce artist-facing analytics surfaces, including country-level map visualization, repeat-listener metrics, momentum metrics, and best listening hours.
- Where enabled, we may generate AI-assisted analytics tips using aggregated account metrics. These tips are informational and not used for legal or similarly significant decisions.
3.25 Artist Plus Gift Purchase and Redemption Processing
Legal basis: Contract performance / legitimate interests
- We process Artist Plus gift checkout, recipient assignment, redemption status transitions, and gifted entitlement windows to deliver gift functionality.
- We process gift-linked direct message metadata and recipient/buyer notification events to provide redemption updates and reduce duplicate system notices.
3.26 Artist Plus Lifecycle Messaging and Reminder Processing
Legal basis: Legitimate interests / contract performance
- We process subscription and gifted-period timing metadata to trigger lifecycle notices (for example trial-start, ending-soon, purchase, and redemption notices) by email and in-Platform channels.
4. HOW WE SHARE YOUR INFORMATION
4.1 Publicly Visible Information. The following is visible to all users and visitors of the Platform:
- Your display name, handle, profile picture, and biography
- Your public tracks, releases, playlists (if set to public), and their metadata including tags
- Your Artist Picks (pinned tracks displayed on your public profile)
- Your configured public profile social links and profile customization output as rendered on your profile page
- Your public follow and follower counts; follower lists are visible on your profile page
- Comments you post on tracks (including timed comment labels, but not internal comment identifiers)
- Secondary Artist credits you have accepted on tracks
- Verification and badge indicators shown on your profile and content, including Artist Plus badge visibility where applicable
- Your artist claim status (approved claims result in profile reassignment)
4.2 With Labels and Distributors. If a label or distributor manages your artist profile, they have access to:
- Your artist handle and display name
- Tracks and releases associated with your profile
- Stream analytics for those tracks (aggregate counts; not raw logs)
4.3 Service Providers. We share personal data with trusted third-party service providers who process it on our behalf under contractual obligations consistent with this Privacy Policy:
- Cloudflare R2 (Cloudflare, Inc.) — cloud object storage for audio files, HLS segments, images, signed contract documents, and lyrics video export temporary files. Cloudflare may process data in multiple countries. Privacy policy: https://www.cloudflare.com/privacypolicy/
- OVHcloud VPS (OVH SAS) — we operate our Platform and self-hosted database on a Virtual Private Server provided by OVHcloud, physically located in Warsaw, Poland (EU). All application data, including user records, track metadata, stream logs, comments, lyrics moderation records, and the MongoDB database, resides on this server. OVHcloud acts as our infrastructure provider and does not have access to the content of your personal data. Privacy policy: https://www.ovhcloud.com/en/personal-data-protection/
- SMTP mail provider (mail.soundvia.eu) — used to send transactional emails including account confirmation and password reset messages.
- Stripe Payments Europe, Ltd. and Stripe, Inc. — payment processing and billing infrastructure for Artist Plus subscriptions (checkout, customer billing records, invoice/tax computation, subscription lifecycle events, cancellation portal functionality, and one-time Artist Plus gift purchases/redemptions). Privacy policy: https://stripe.com/privacy
- GitHub Models inference endpoint (GitHub, Inc., plus model providers within that service) — used when you request AI profile theme generation and when Cherry Summary is generated on track pages; may receive your theme prompt and CSS context, and for Cherry Summary may receive lyrics text, track title, and artist context required to return structured AI output.
- GitHub Models inference endpoint (GitHub, Inc., plus model providers within that service) — also used by Cherry Select to process prompt text and recommendation context and return AI-generated response text and commentary.
- GitHub Models inference endpoint (GitHub, Inc., plus model providers within that service) — may also be used to generate Artist Plus AI analytics tips from aggregate metrics.
- Google OAuth services (Google LLC) — used only if you choose Google sign-in to authenticate your account and retrieve basic profile identity fields described in Section 2.1(a1).
- Third-party Developer Apps you explicitly authorize via Soundvia OAuth — receive only the scope-limited account data and actions you approve at consent time. You can deny authorization or revoke access tokens.
4.4 Legal Disclosures. We may disclose your information:
- To comply with a legal obligation, court order, or valid governmental request;
- To protect the rights, property, or safety of Soundvia, its users, or the public;
- In connection with a takedown counter-notification process.
4.5 Business Transfers. In the event of a merger, acquisition, or sale of substantially all of our assets, your information may be transferred to the acquiring entity, subject to the same privacy protections.
4.6 No Advertising. Soundvia does not serve advertisements and does not share your personal data with advertisers or ad networks.
4.7 No Sale of Personal Data. We do not sell, rent, or trade your personal information to third parties for their own marketing or commercial purposes.
5. INTERNATIONAL DATA TRANSFERS
5.1 Soundvia LLC is organized under the laws of Wyoming, USA, and operates the Platform primarily from infrastructure located within the European Union. Your data is primarily stored within the EU on our OVHcloud VPS infrastructure, physically located in Warsaw, Poland.
5.2 As a US-based entity processing personal data of EU/EEA residents, we are subject to the GDPR where applicable. We rely on Standard Contractual Clauses (SCCs) and other appropriate transfer mechanisms under GDPR Chapter V where personal data is transferred from the EU/EEA to the United States or other third countries.
5.3 Cloudflare R2 storage may process data in countries outside the EU/EEA. Where such transfers occur, Cloudflare relies on Standard Contractual Clauses (SCCs) approved by the European Commission or other appropriate transfer mechanisms under GDPR Chapter V.
5.4 Our database is self-hosted on our OVHcloud VPS located in Warsaw, Poland. Database data is not transferred to or processed by any third-party cloud database provider. We operate and secure this infrastructure directly, and it remains within the EU at all times.
5.5 Email delivery via our SMTP provider may route through servers outside the EU. We take reasonable steps to ensure that any such transfers are subject to appropriate safeguards.
5.6 Push notification delivery uses the standard Web Push protocol and routes through browser vendor infrastructure (e.g., Google FCM for Chrome, Mozilla for Firefox). The payload delivered is encrypted end-to-end using your subscription's public key before transmission. Browser vendor push services may process encrypted payloads in countries outside the EU/EEA; they cannot read the content of the notification.
5.7 When transfers to third countries occur, we ensure that appropriate safeguards are in place (such as SCCs or adequacy decisions) in accordance with GDPR Article 46.
6. DATA RETENTION
6.1 Account Data. We retain your account data for as long as your account remains active. If you delete your account, we delete or anonymize your personal data within a reasonable period (typically within 30 days), except as noted below.
6.2 Content (Audio, Images, Metadata). Audio files, HLS segments, images, and associated metadata are deleted from live storage when you delete the track or release, or when your account is deleted. Residual copies in backups may persist for a short additional period before being overwritten.
6.3 Audio Analysis and Fingerprint Data. BPM, loudness, key, mode, duration, and fingerprint data derived from your audio are stored as part of the track record and deleted when the track is deleted.
6.4 Stream Logs and Analytics. Raw stream event records are retained for operational and anti-abuse purposes for a period proportionate to our legitimate interests (currently up to 24 months unless subject to a legal hold). Aggregate, non-personal analytics may be retained indefinitely.
6.5 Recommendation Cache. Personalized recommendation data and playlist caches are refreshed regularly and are deleted when your account is deleted. Onboarding preferences stored against your account are deleted when your account is deleted and may be updated by you at any time.
6.6 Rate Limit Records. Temporary rate limit counters expire automatically (typically within minutes to hours) via a MongoDB TTL index and are not retained long-term.
6.7 Track Bump Records. Bump records expire automatically after 48 hours (the bump window). Expired records are retained briefly for audit and anti-abuse purposes before deletion.
6.8 Takedown and Counter-Notice Records. DMCA takedown notices (U.S.) and copyright claim/takedown notices (outside the U.S.), together with related counter-notices, are retained for legal compliance, dispute resolution, abuse prevention, and audit purposes. Where content enters takedown mode, we also retain enforcement timeline metadata (including counter deadline, review outcomes, and finalization status) for as long as needed to fulfill applicable legal obligations and defend legal claims.
6.9 Contract Documents. Signed label contracts, signature images, and associated PDFs are retained for the duration of our legal obligations and business relationship. These records are not deleted upon simple account deletion requests where legal retention obligations apply.
6.10 Library and Saved Content Records. Records of your saved Releases and Playlists, and your library ordering preference, are deleted when you remove items from your Library or when your account is deleted.
6.11 Push Notification Subscriptions. Push subscription endpoints and keys are retained until you unsubscribe, until a permanent delivery error is received (HTTP 404 or 410), or until your account is deleted, whichever occurs first.
6.12 Invite Code Records. Records of Invite Codes you generated or used, including the inviter's user ID, invitee's user ID, and timestamps, are retained for audit and anti-abuse purposes for the duration of your account.
6.13 Secondary Artist Credit Records. Records of Secondary Artist credits (accepted, declined, or pending) are stored as part of the track record and deleted when the track or your account is deleted.
6.14 Comment Records. Comments you post are stored as part of the track's comment thread. If you delete a comment, its text is replaced with a placeholder and the record is marked as deleted; the record itself is retained briefly to preserve thread integrity (e.g., so reply counts remain accurate). Comment report records are retained for moderation audit purposes and deleted when the associated comment record is removed.
6.15 Lyrics and Lyrics Moderation Records. Lyrics stored on a track are deleted when the track is deleted. Community lyrics submission records (including pending, approved, and declined submissions) are retained for moderation audit purposes. Declined submissions are retained briefly and then discarded. Approved submissions are incorporated into the track record and retained with it.
6.16 Lyrics Video Export Records. Temporary video export files are automatically deleted after a short retention period (currently up to 5 minutes) once generated. The associated export record (token, user ID, track ID, timestamps) expires automatically and is purged by a TTL index.
6.17 Artist Picks Records. Your pinned track selection is stored against your user account and deleted when your account is deleted or when you remove picks.
6.18 Onboarding Preference Records. Your stated genre, tag, and artist preferences collected during onboarding are stored against your account and deleted when your account is deleted.
6.19 Direct Message Records. Direct message content and conversation metadata are retained while your account is active, subject to security, moderation, and legal requirements. Message read-status metadata is retained as part of conversation integrity.
6.20 Messaging Public Keys. Optional messaging public keys are retained until you replace or remove them, or until your account is deleted.
6.21 Profile Customization and Social Link Records. Profile customization data (including custom CSS and social links) is retained while your account is active and deleted when your account is deleted, subject to backup windows.
6.22 Developer App and API Usage Records. Developer app metadata is retained while the app is active and for reasonable audit periods afterwards. API request telemetry is retained for operational and abuse-prevention purposes (currently up to 365 days unless legal or security needs require longer retention).
6.23 Cherry Summary Cache Records. Cherry Summary output (summary, themes, moods, age rating, and generation timestamp) is retained on the track record for up to 14 days from generation and may then be replaced by a newly generated summary when requested again.
6.24 Cherry Select Message Records. Cherry Select chat messages (user prompts, generated responses, selected track references, and timestamps) are stored on your account until you clear Cherry Select history or delete your account.
6.25 OAuth Authorization and Token Records. OAuth authorization codes are short-lived and expire automatically (currently around 10 minutes). Access tokens are short-lived (currently around 1 hour), and refresh tokens may remain valid longer (currently up to 90 days) unless revoked. Revoked/expired token records may be retained for a reasonable audit and security period.
6.26 Legal Holds. We may retain any data longer when required by law, court order, or to resolve a pending legal dispute, takedown notice, or claim.
6.27 Backups. Database and storage backups may retain data for a reasonable period after deletion from live systems before being overwritten.
6.28 Artist Plus Billing Records. Subscription and invoice records are retained for accounting, fraud prevention, legal compliance, and dispute handling. Retention period depends on applicable tax and accounting requirements.
6.29 Artist Plus Gift Records. Gift records (including gift ID, buyer/recipient linkage, gift duration, status transitions, and redemption timestamps) are retained for fraud prevention, support, abuse prevention, and dispute handling. Retention depends on legal and accounting requirements.
6.30 Artist Plus Lifecycle and Notification Flags. We retain Artist Plus lifecycle notification flags and entitlement-shadow metadata for account integrity, reminder deduplication, and auditability for a reasonable operational period.
7. AUTOMATED DECISION-MAKING AND PROFILING
7.1 Recommendation Engine. We use automated processing of your listening history, onboarding preferences, Library saves, and playlist play events to generate personalized track and artist recommendations. This constitutes profiling under GDPR Article 4(4). However, this processing does not produce legal or similarly significant effects on you — it affects only the order and selection of music surfaced in your discovery feed and personalized playlists.
7.2 Anti-Abuse Stream Validation. We use automated logic to compare client-reported listening time against server-elapsed time and per-user/per-track rate limits to determine whether a stream event should be credited as valid. This automated check does not produce legal effects; it affects only whether a stream contributes to a track's stream count.
7.3 Geographic Blocking. Country-level access control is applied automatically based on CDN-supplied country codes. This may result in access being denied. You may contact us at [email protected] if you believe you have been incorrectly blocked.
7.4 Push Notification Deduplication. An automated deduplication guard checks whether a push notification is identical to the most recently sent notification for your account before delivery. Duplicate notifications in sequence are suppressed. This does not produce legal or significant effects.
7.5 Comment Rate Limiting. Automated rate limit checks are applied to comment posting and comment reporting to prevent abuse. Exceeding rate limits results in a temporary posting restriction. This does not produce legal effects.
7.6 Lyrics Moderation Routing. Community lyrics submissions are automatically routed to a staff review queue. No automated decision to approve or decline a submission is made without human review.
7.7 Right to Object. You have the right to object to profiling under Section 7.1 based on your particular situation. Contact us at [email protected]. Note that objecting to recommendation profiling may reduce the personalization of your experience.
7.8 Cherry Summary Automation. Cherry Summary uses automated AI processing of lyrics text to generate informational output fields. This does not produce legal or similarly significant effects and does not make enforcement decisions about your account.
7.9 Cherry Select Automation. Cherry Select uses automated AI processing to generate recommendation dialogue and selected track suggestions based on your prompt and recommendation context. This does not produce legal or similarly significant effects and does not make enforcement decisions.
7.10 Artist Plus Analytics Tip Automation. Artist Plus analytics tips may be generated by automated AI processing of aggregate account metrics. This processing does not produce legal or similarly significant effects and is used only to provide non-binding product guidance.
7.11 Artist Plus Entitlement and Queue Automation. We use automated checks to determine Artist Plus entitlement state (including gifted windows and subscription status) and to route eligible exports through priority queues where configured. This processing does not produce legal or similarly significant effects.
8. YOUR RIGHTS
Depending on your jurisdiction, you may have the following rights regarding your personal data:
8.1 Right of Access (GDPR Art. 15). You have the right to request a copy of the personal data we hold about you.
8.2 Right to Rectification (GDPR Art. 16). You have the right to request correction of inaccurate or incomplete personal data. You can update much of your information directly through your account settings.
8.3 Right to Erasure / "Right to be Forgotten" (GDPR Art. 17). You have the right to request deletion of your personal data where:
- it is no longer necessary for the purpose it was collected;
- you withdraw consent (where consent is the legal basis);
- you object to processing and there are no overriding legitimate grounds;
- the data has been unlawfully processed.
You can delete your account through your account settings, which triggers deletion of your data subject to retention exceptions in Section 6.
8.4 Right to Restriction of Processing (GDPR Art. 18). You may request that we restrict processing of your data in certain circumstances.
8.5 Right to Data Portability (GDPR Art. 20). Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format.
8.6 Right to Object (GDPR Art. 21). You have the right to object to processing based on legitimate interests, including profiling for recommendations (Section 7.1) and Library save notifications (Section 3.10). We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.
8.7 Rights Related to Automated Decision-Making (GDPR Art. 22). We do not make decisions about you that produce legal or similarly significant effects based solely on automated processing. See Section 7 for details on our automated systems.
8.8 Right to Withdraw Consent. Where we rely on consent for processing (e.g., push notifications), you may withdraw that consent at any time through your account settings or by contacting us. Withdrawal does not affect the lawfulness of processing before withdrawal.
8.9 Right to Lodge a Complaint. You have the right to lodge a complaint with your local supervisory authority:
- EU users: your national data protection authority — e.g., UODO in Poland (Urząd Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warsaw, Poland; https://uodo.gov.pl/)
- UK users: the Information Commissioner's Office (ICO); https://ico.org.uk/
- Other jurisdictions: your relevant national privacy regulator.
8.10 Exercising Your Rights. To exercise any of the above rights, contact us at [email protected]. We will respond within 30 days (extendable to 90 days for complex requests with notice). We may need to verify your identity before processing your request. We will not charge a fee for reasonable requests.
9. SECURITY
9.1 We implement technical and organizational measures to protect your personal data against unauthorized access, loss, destruction, or alteration. These include:
- Bcrypt password hashing (passwords are never stored in plain text)
- HTTPS encryption for all data in transit
- Secure session management with HttpOnly, Secure, and SameSite=Lax cookie flags; sessions expire after 30 days of inactivity
- Role-based access controls restricting admin and label panel access
- Cryptographic token hashing for email confirmation and password reset tokens (SHA-256); raw tokens are never stored
- Secure cloud storage (Cloudflare R2) with access key management
- Rate limiting on sensitive endpoints (login, registration, streaming, password reset, bump actions, comment posting, comment reporting) to mitigate brute-force and denial-of-service attacks
- End-to-end encryption of push notification payloads using subscriber public keys (Web Push / VAPID protocol); we cannot read notification content once transmitted
- Temporary lyrics video export files are stored in a controlled server directory with short-lived access tokens and automatic expiry
- Our server infrastructure (OVHcloud VPS, Warsaw, Poland) is secured with restricted SSH access, firewall rules, and access limited to Soundvia operational personnel only
9.2 No method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security and are not responsible for unauthorized access beyond our reasonable control.
9.3 In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where required by law, notify affected individuals without undue delay.
10. COOKIES AND TRACKING TECHNOLOGIES
10.1 We use the following cookies on the Platform:
(a) Strictly Necessary Cookies (no consent required)
- Session cookie: maintains your authenticated login session. This cookie is set with HttpOnly, Secure, and SameSite=Lax flags. Lifetime: 30 days (permanent session).
- CSRF protection tokens: protect against cross-site request forgery on form submissions.
These cookies are essential for the Platform to function. The Platform cannot operate without them.
(b) Functional Cookies (no consent required)
- soundvia_tz: stores your local timezone string (e.g.,
"Europe/Warsaw"). This is used to display track and release dates in your local timezone. It is not used for tracking or advertising. Lifetime: persistent (browser-managed). You can clear this cookie to revert to UTC display.
10.2 We do not use advertising cookies, third-party tracking pixels, analytics SDKs (e.g., Google Analytics), social media tracking buttons, or any cross-site tracking technologies.
10.3 You can configure your browser to refuse or delete cookies, but doing so may prevent you from remaining logged in to the Platform.
10.4 If we introduce additional cookies in the future that require consent, we will update this section and obtain your consent where required by law.
11. EMAIL AND PUSH COMMUNICATIONS
11.1 Transactional Emails. We send the following transactional emails that are necessary for account operation:
- Email address confirmation (sent upon registration)
- Password reset links (sent upon request)
- Account notifications (claim updates, takedown notices, follower activity,
track added to playlist, lyrics submission outcomes, administrative messages)
11.2 We do not currently send marketing or promotional emails. If we do so in the future, we will obtain your consent where required and provide a clear unsubscribe mechanism.
11.3 Emails are sent from [email protected] via our SMTP mail server (mail.soundvia.eu). Security tokens included in confirmation and reset emails expire after a defined period (24 hours for confirmation, 2 hours for password reset). Raw tokens are not stored on our servers — only their SHA-256 hash is retained.
11.4 Push Notifications. If you opt in to browser push notifications through your account settings, we may send you notifications about activity on your account. These are delivered using the Web Push protocol (VAPID). Notification payloads are encrypted before transmission and can only be decrypted by your browser. You can manage which notification categories you receive, or disable push notifications entirely, at any time through your account settings. Disabling push notifications does not affect in-Platform notification delivery.
12. CHILDREN'S PRIVACY
12.1 The Platform is not directed at children under the age of 16. We do not knowingly collect personal information from children under 16.
12.2 If you believe a child under 16 has provided us with personal information, please contact us at [email protected] and we will delete such information promptly.
12.3 For users between 16 and 18, we recommend parental oversight. Where local law requires a higher age for data processing consent, we will comply with those requirements.
13. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date at the top of this document and post a notice on the Platform. For significant changes that materially affect how we process your personal data, we may also notify you by email.
Your continued use of the Platform after the effective date of changes constitutes your acceptance of the revised Privacy Policy. If you do not agree, you must stop using the Platform and may delete your account.
14. CALIFORNIA RESIDENTS — CCPA/CPRA DISCLOSURES
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you the following rights:
14.1 Right to Know. You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purpose, and the categories of third parties with whom we share it.
14.2 Right to Delete. You have the right to request deletion of your personal information, subject to certain exceptions.
14.3 Right to Correct. You have the right to request correction of inaccurate personal information.
14.4 Right to Opt-Out of Sale or Sharing. We do not sell or share personal information as defined under CCPA/CPRA.
14.5 Right to Limit Use of Sensitive Personal Information. We do not use sensitive personal information for purposes beyond those permitted under CPRA without your consent.
14.6 Right to Non-Discrimination. We will not discriminate against you for exercising your CCPA/CPRA rights.
14.7 Categories of Personal Information Collected. In the preceding 12 months, we have collected the following categories:
- Identifiers: name, email address, IP address, user ID
- Internet or electronic network activity: stream events, playback sessions, playlist plays, library saves and ordering, comment activity, page interactions
- Audio and visual data: uploaded music files, cover artwork, profile images, lyrics video export temporary files
- Derived audio analysis data: BPM, key, loudness, duration, fingerprint
- User-generated content: comments (including timed comments and @mentions), submitted lyrics, artist picks selections
- Professional or employment-related information: label/distributor context
- Push notification subscription data: endpoint URL and cryptographic keys
- Preference data: onboarding genre, tag, and artist preferences
- OAuth identity data (where used): Google account identifier and basic profile fields
- OAuth authorization and token records: authorized scopes, app/client identifiers, authorization code/token lifecycle and revocation metadata
- Developer app and API telemetry data: app identifiers, endpoint usage, response metrics, and verification metadata
- Messaging security metadata: optional messaging public keys
- Cherry Select prompts and generated recommendation messages
- Inferences drawn from the above: recommendation profiles, listening preferences
14.8 To exercise your California rights, contact us at [email protected] with "California Privacy Request" in the subject line.
15. BRAZIL RESIDENTS — LGPD DISCLOSURES
If you are located in Brazil, the Lei Geral de Proteção de Dados (LGPD) grants you rights including: confirmation of processing, access to data, correction of inaccurate data, anonymization/blocking/deletion of unnecessary data, portability, information about sharing, and the right to object.
To exercise your rights under LGPD, contact [email protected]. Our legal bases for processing under LGPD include contract performance, legitimate interest, legal obligation, and consent where applicable.
16. AUSTRALIA RESIDENTS — PRIVACY ACT DISCLOSURES
If you are located in Australia, we comply with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). You have the right to access and correct your personal information. To make a request, contact [email protected]. If you are unsatisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC) at https://www.oaic.gov.au/.
17. CANADA RESIDENTS — PIPEDA / PROVINCIAL LAW DISCLOSURES
If you are located in Canada, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws (including Quebec's Law 25 / Law 64). You have the right to access and correct your personal information and to withdraw consent subject to legal or contractual restrictions. To make a request or complaint, contact [email protected]. You may also contact the Office of the Privacy Commissioner of Canada at https://www.priv.gc.ca/.
18. THIRD-PARTY SERVICES AND LINKS
The Platform may contain links to third-party websites. We are not responsible for the privacy practices of those third parties. We encourage you to read their privacy policies. Our key third-party processors are:
- Cloudflare, Inc. (R2 object storage and CDN):
https://www.cloudflare.com/privacypolicy/
- OVH SAS / OVHcloud (VPS infrastructure, Warsaw, Poland):
https://www.ovhcloud.com/en/personal-data-protection/
- Self-hosted MongoDB (database): operated on our OVHcloud VPS in Warsaw,
Poland; no third-party cloud database provider is used.
19. CONTACT US
For any questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact:
Soundvia LLC Email: [email protected] Website: soundvia.eu
For DMCA takedown (U.S.) and copyright claim/takedown (outside the U.S.) matters: Email: [email protected] Form: https://soundvia.eu/dmca
We aim to respond to all privacy requests within 30 days.
© 2026 Soundvia LLC. All rights reserved.