Privacy Policy

SOUNDVIA — PRIVACY POLICY Effective Date: 13 March 2026 Last Updated: 20 March 2026 (rev. 3) Platform: soundvia.eu Operator: Soundvia, operated by a natural person under Polish unregistered activity principles (działalność nierejestrowana), pre-incorporation. Data Controller Contact: [email protected]

This Privacy Policy explains how Soundvia ("we", "us", "our") collects, uses, stores, and shares personal information when you use our Platform at soundvia.eu. It also explains your rights under applicable data protection law, including the EU General Data Protection Regulation (GDPR), the UK GDPR, the Polish Personal Data Protection Act (UODO), and other applicable regional laws.

If you are a resident of California (USA), please also see Section 14. If you are a resident of Brazil, please also see Section 15. If you are a resident of Australia, please also see Section 16. If you are a resident of Canada, please also see Section 17.

1. WHO IS THE DATA CONTROLLER?

The data controller responsible for your personal information is:

Soundvia Operated under Polish unregistered business activity (działalność nierejestrowana), pre-incorporation. Email: [email protected] Website: soundvia.eu

For EU/EEA residents, we are the data controller as defined under the GDPR. We do not currently have a formal EU representative (Article 27 GDPR) as we are in a pre-incorporation phase; EU users may contact us directly at [email protected].

2. INFORMATION WE COLLECT

2.1 Information You Provide to Us

(a) Account Registration. When you register, we collect:

  • Username (handle)
  • Display name
  • Email address
  • Password (stored in hashed form using bcrypt; we never store plain-

    • text passwords)

  • Invite Code used at registration (retained to track referral origin

    • and enforce single-use validity during the Alpha Phase)

  • Optional: profile picture, banner image, biography

(b) Content You Upload. We collect and store:

  • Audio files (music tracks), which are transcoded to HLS format for

    • adaptive streaming and stored in cloud object storage

  • Cover artwork images
  • Track and release metadata: title, genre, release date, ISRC, UPC,

    • lyrics, credits, copyright information, and description

  • Comments you post on tracks
  • Secondary Artist credits you submit or accept on tracks

(c) Audio Analysis Data. When you upload a track, we automatically analyse the audio file to derive:

  • Estimated BPM (tempo)
  • Estimated loudness (dB RMS)
  • Estimated musical key and mode (major/minor)
  • Track duration (seconds)
  • An audio fingerprint (generated via Chromaprint/fpcalc if available,

    • or a SHA-256 spectral fallback). This fingerprint is used for content identification and duplicate detection purposes. These derived values are stored alongside the track record and are not shared publicly by default.

(d) Communications. If you contact us by email or through the Platform, we collect the content of those communications.

(e) Label and Distributor Partners. For partner accounts, we additionally collect:

  • Business display name and contact email
  • API tokens (stored and transmitted securely)
  • Contract and signature information (for Label partners), including

    • legal representative name, electronic signature image (stored in cloud storage), and a SHA-256 signature hash

  • Signed contract PDF documents

(f) DMCA Notices. If you submit a copyright notice, we collect:

  • Full name and email address
  • Mailing address
  • Description of the copyrighted work and the alleged infringing

    • material

  • Good-faith and accuracy declarations

(g) Artist Claims. If you submit an artist profile claim, we collect:

  • Your user account identity
  • The target artist profile you are claiming
  • Your stated reason for the claim
  • Supporting information you choose to provide

(h) Library and Saved Content. When you save Releases or Playlists to your Library, we record the identifiers of saved items against your account. This data is used to display your Library, generate personalized recommendations, and notify the relevant artist when their Release is saved (see Section 3.10).

(i) Push Notification Subscriptions. If you opt in to browser push notifications, we collect and store:

  • Your browser push subscription endpoint URL
  • The cryptographic keys associated with your subscription (p256dh and

    • auth), as required by the Web Push protocol

  • Your push notification preference settings (which notification

    • categories you have enabled) These are stored against your user account and deleted if you unsubscribe or delete your account.

2.2 Information We Collect Automatically

(a) Stream and Playback Data. When you listen to tracks on the Platform, we collect:

  • Track identifier and timestamps of play events
  • Listening duration (seconds listened, reported and server-verified)
  • Whether a stream event was counted as a "valid stream" (50+ seconds

    • played)

  • Whether a stream was flagged by anti-abuse controls
  • A stream session identifier linking heartbeat events to a session
  • IP address at time of stream (used for anti-abuse and security)
  • User-Agent string (browser/device type)

(b) Playback Session Heartbeats. The Platform sends periodic heartbeat updates during playback to track cumulative listening time within a session. We record elapsed wall-clock time alongside reported client- side listening time to validate accuracy and detect abuse.

(c) Playlist Play Events. When you play a playlist, we log a playlist play event associated with your user account and the playlist identifier. This data is used to power personalized recommendations.

(d) Rate Limit Records. For security and anti-abuse purposes, we store temporary rate limit counters keyed by IP address and/or user identifier. These records expire automatically (typically within minutes to hours) and are not retained long-term.

(e) Account Activity Logs. We log significant account actions (login, upload, deletion) for security and operational purposes.

(f) Geographic Location (Country Level). We may read a country code from HTTP request headers forwarded by our CDN or load balancer (e.g., CF-IPCountry) to apply geographic access controls (see Section 3.5). We do not perform precise IP-to-location lookups and do not store this country code as a persistent data point.

(g) Timezone. If you allow it, a timezone preference cookie records your local timezone to display release dates correctly. See Section 10.

2.3 Recommendation and Personalization Data

We build a personalized recommendation profile based on your listening activity. Specifically, we:

  • Track which artists and genres you listen to, weighted by recency
  • Compute a similarity score between your listening profile and other

    • users' listening profiles (collaborative filtering) to identify artists and tracks you may enjoy

  • Cache a personalized playlist ("YourSpace") and a "Your Artists Dropped"

    • playlist, each refreshed approximately every 6 hours

  • Use bumped/promoted tracks (see Section 3.6) as a secondary signal in

    • recommendation feeds

  • Use your Library saves and playlist play history as additional signals

    • in generating your discovery feed and personalized playlists

Recommendation processing uses aggregated, pseudonymous identifiers (user IDs) and does not expose individual users' listening histories to other users. The recommendation engine runs server-side; no third-party advertising or tracking platform is involved.

2.4 Information We Receive from Third Parties

We do not purchase or receive personal data from third-party data brokers. If a label or distributor creates an artist profile on your behalf, we receive basic identity information (name, handle) from them. You may claim such a profile through our artist claim process (see Section 2.1(g)).

3. HOW WE USE YOUR INFORMATION

We use your personal information for the following purposes and on the following legal bases under GDPR:

3.1 To Provide and Operate the Platform Legal basis: Contract performance (Article 6(1)(b) GDPR)

  • Authenticating your account and maintaining your login session
  • Delivering music streaming, HLS audio delivery, and discovery features
  • Displaying your profile, tracks, and releases to other users
  • Processing audio uploads: transcoding to HLS segments and storing in

    • cloud object storage (Cloudflare R2)

  • Operating follow, comment, playlist, library, notification, and

    • Secondary Artist credit features

  • Sending transactional account emails (email confirmation, password reset,

    • notifications)

3.2 To Personalise Your Experience Legal basis: Legitimate interests (Article 6(1)(f) GDPR) — providing a relevant and useful experience without overriding your rights

  • Generating personalised music recommendations using your listening

    • history, Library saves, and playlist plays (collaborative filtering and content-based signals)

  • Building and refreshing the "YourSpace" and "Your Artists Dropped"

    • personalized playlists

  • Ordering discovery feeds and surfacing relevant releases and playlists

3.3 To Improve and Develop the Platform Legal basis: Legitimate interests (Article 6(1)(f) GDPR)

  • Analysing usage patterns and aggregate stream analytics
  • Diagnosing technical issues and improving performance
  • Developing new features and improving recommendation quality

3.4 To Ensure Safety, Security, and Platform Integrity Legal basis: Legitimate interests (Article 6(1)(f) GDPR) / legal obligation (Article 6(1)(c) GDPR)

  • Detecting and preventing fraud, abuse, and unauthorized access
  • Enforcing our Terms of Service and anti-abuse policies
  • Applying rate limiting to protect the Platform against automated abuse

    • (including on registration, login, streaming, and promotion features)

  • Validating stream authenticity using server-side elapsed time comparison
  • Responding to copyright notices and legal requests
  • Enforcing invite code validity and single-use constraints during the

    • Alpha Phase

3.5 Geographic Access Controls Legal basis: Legal obligation / legitimate interests

  • We block access to the Platform from certain geographic regions based on

    • legal or regulatory requirements. Access is denied at the request level using country codes from CDN headers; no persistent geolocation profile is built.

3.6 Track Promotion (Bump System) Legal basis: Contract performance / legitimate interests

  • Artists may "bump" their own tracks to increase their visibility in

    • recommendation feeds for a limited window (48 hours). When a bump is applied, we record the artist's user ID, the track ID, the role at the time of bumping, and the bump expiry time. This data is used solely to enforce bump limits and inject bumped tracks into discovery feeds.

3.7 To Communicate with You Legal basis: Contract performance / legitimate interests

  • Sending account-related notifications (e.g., email confirmation,

    • password reset, claim updates, DMCA notices, follower activity, playlist additions, release saves, Secondary Artist credit requests, and administrative messages)

  • Responding to your support or legal enquiries
  • We use SMTP to deliver emails from [email protected]

3.8 To Comply with Legal Obligations Legal basis: Legal obligation (Article 6(1)(c) GDPR)

  • Retaining records as required by applicable copyright, contract, and

    • data protection law

  • Responding to valid law enforcement requests and DMCA notices

3.9 With Your Consent Legal basis: Consent (Article 6(1)(a) GDPR)

  • Where we rely on consent for any optional feature (including push

    • notifications), you may withdraw it at any time without affecting the lawfulness of prior processing.

3.10 Library Save Notifications Legal basis: Legitimate interests (Article 6(1)(f) GDPR)

  • When you save a Release to your Library, the Release's artist receives

    • an in-Platform notification that includes your display name. This allows artists to understand the reach of their music. We do not disclose your email address, handle, or any other personal information beyond your display name in this notification.

3.11 Push Notifications Legal basis: Consent (Article 6(1)(a) GDPR)

  • If you opt in to push notifications, we use your stored push

    • subscription data to deliver browser notifications about account activity (follows, playlist additions, release saves, and other categories you enable). We implement a deduplication guard to avoid sending the same notification more than once in sequence. Subscriptions that return permanent delivery errors (HTTP 404 or 410) are automatically removed. You may withdraw consent and unsubscribe at any time through your account settings.

3.12 Secondary Artist Credits Legal basis: Contract performance / legitimate interests

  • When a primary artist designates you as a Secondary Artist on a track,

    • we send you an in-Platform notification. Your acceptance or decline is recorded against the track. Accepted credits are displayed publicly on the track's profile page. Declined or pending credits are not shown publicly.

4. HOW WE SHARE YOUR INFORMATION

4.1 Publicly Visible Information. The following is visible to all users and visitors of the Platform:

  • Your display name, handle, profile picture, and biography
  • Your public tracks, releases, playlists (if set to public), and their

    • metadata

  • Your public follow and follower counts; follower lists are visible on

    • your profile page

  • Comments you post on tracks
  • Secondary Artist credits you have accepted on tracks
  • Your artist claim status (approved claims result in profile reassignment)

4.2 With Labels and Distributors. If a label or distributor manages your artist profile, they have access to:

  • Your artist handle and display name
  • Tracks and releases associated with your profile
  • Stream analytics for those tracks (aggregate counts; not raw logs)

4.3 Service Providers. We share personal data with trusted third-party service providers who process it on our behalf under contractual obligations consistent with this Privacy Policy:

  • Cloudflare R2 (Cloudflare, Inc.) — cloud object storage for audio

    • files, HLS segments, images, and signed contract documents. Cloudflare may process data in multiple countries. Privacy policy: https://www.cloudflare.com/privacypolicy/

  • OVHcloud VPS (OVH SAS) — we operate our Platform and self-hosted

    • database on a Virtual Private Server provided by OVHcloud, physically located in Warsaw, Poland (EU). All application data, including user records, track metadata, stream logs, and the MongoDB database, resides on this server. OVHcloud acts as our infrastructure provider and does not have access to the content of your personal data. Privacy policy: https://www.ovhcloud.com/en/personal-data-protection/

  • SMTP mail provider (mail.soundvia.eu) — used to send transactional

    • emails including account confirmation and password reset messages.

4.4 Legal Disclosures. We may disclose your information:

  • To comply with a legal obligation, court order, or valid governmental

    • request;

  • To protect the rights, property, or safety of Soundvia, its users, or

    • the public;

  • In connection with a DMCA counter-notification process.

4.5 Business Transfers. In the event of a merger, acquisition, or sale of substantially all of our assets, your information may be transferred to the acquiring entity, subject to the same privacy protections.

4.6 No Advertising. Soundvia does not serve advertisements and does not share your personal data with advertisers or ad networks.

4.7 No Sale of Personal Data. We do not sell, rent, or trade your personal information to third parties for their own marketing or commercial purposes.

5. INTERNATIONAL DATA TRANSFERS

5.1 Soundvia is operated from Poland (EU), Warsaw. Your data is primarily stored within the European Union on our OVHcloud VPS infrastructure, physically located in Warsaw, Poland. The operator of Soundvia is also based in the Warsaw area.

5.2 Cloudflare R2 storage may process data in countries outside the EU/EEA. Where such transfers occur, Cloudflare relies on Standard Contractual Clauses (SCCs) approved by the European Commission or other appropriate transfer mechanisms under GDPR Chapter V.

5.3 Our database is self-hosted on our OVHcloud VPS located in Warsaw, Poland. Database data is not transferred to or processed by any third-party cloud database provider. We operate and secure this infrastructure directly, and it remains within the EU at all times.

5.4 Email delivery via our SMTP provider may route through servers outside the EU. We take reasonable steps to ensure that any such transfers are subject to appropriate safeguards.

5.5 Push notification delivery uses the standard Web Push protocol and routes through browser vendor infrastructure (e.g., Google FCM for Chrome, Mozilla for Firefox). The payload delivered is encrypted end-to-end using your subscription's public key before transmission. Browser vendor push services may process encrypted payloads in countries outside the EU/EEA; they cannot read the content of the notification.

5.6 When transfers to third countries occur, we ensure that appropriate safeguards are in place (such as SCCs or adequacy decisions) in accordance with GDPR Article 46.

6. DATA RETENTION

6.1 Account Data. We retain your account data for as long as your account remains active. If you delete your account, we delete or anonymize your personal data within a reasonable period (typically within 30 days), except as noted below.

6.2 Content (Audio, Images, Metadata). Audio files, HLS segments, images, and associated metadata are deleted from live storage when you delete the track or release, or when your account is deleted. Residual copies in backups may persist for a short additional period before being overwritten.

6.3 Audio Analysis and Fingerprint Data. BPM, loudness, key, mode, duration, and fingerprint data derived from your audio are stored as part of the track record and deleted when the track is deleted.

6.4 Stream Logs and Analytics. Raw stream event records are retained for operational and anti-abuse purposes for a period proportionate to our legitimate interests (currently up to 24 months unless subject to a legal hold). Aggregate, non-personal analytics may be retained indefinitely.

6.5 Recommendation Cache. Personalized recommendation data and playlist caches are refreshed regularly and are deleted when your account is deleted.

6.6 Rate Limit Records. Temporary rate limit counters expire automatically (typically within minutes to hours) via MongoDB TTL index and are not retained long-term.

6.7 Track Bump Records. Bump records expire automatically after 48 hours (the bump window). Expired records are retained briefly for audit and anti-abuse purposes before deletion.

6.8 DMCA Records. DMCA notices and related records are retained as required by applicable copyright law and our legal obligations.

6.9 Contract Documents. Signed label contracts, signature images, and associated PDFs are retained for the duration of our legal obligations and business relationship. These records are not deleted upon simple account deletion requests where legal retention obligations apply.

6.10 Library and Saved Content Records. Records of your saved Releases and Playlists are deleted when you remove items from your Library or when your account is deleted.

6.11 Push Notification Subscriptions. Push subscription endpoints and keys are retained until you unsubscribe, until a permanent delivery error is received (HTTP 404 or 410), or until your account is deleted, whichever occurs first.

6.12 Invite Code Records. Records of Invite Codes you generated or used, including the inviter's user ID, invitee's user ID, and timestamps, are retained for audit and anti-abuse purposes for the duration of your account.

6.13 Secondary Artist Credit Records. Records of Secondary Artist credits (accepted, declined, or pending) are stored as part of the track record and deleted when the track or your account is deleted.

6.14 Legal Holds. We may retain any data longer when required by law, court order, or to resolve a pending legal dispute, DMCA notice, or claim.

6.15 Backups. Database and storage backups may retain data for a reasonable period after deletion from live systems before being overwritten.

7. AUTOMATED DECISION-MAKING AND PROFILING

7.1 Recommendation Engine. We use automated processing of your listening history, Library saves, and playlist play events to generate personalized track and artist recommendations. This constitutes profiling under GDPR Article 4(4). However, this processing does not produce legal or similarly significant effects on you — it affects only the order and selection of music surfaced in your discovery feed and personalized playlists.

7.2 Anti-Abuse Stream Validation. We use automated logic to compare client- reported listening time against server-elapsed time and per-user/per-track rate limits to determine whether a stream event should be credited as valid. This automated check does not produce legal effects; it affects only whether a stream contributes to a track's stream count.

7.3 Geographic Blocking. Country-level access control is applied automatically based on CDN-supplied country codes. This may result in access being denied. You may contact us at [email protected] if you believe you have been incorrectly blocked.

7.4 Push Notification Deduplication. An automated deduplication guard checks whether a push notification is identical to the most recently sent notification for your account before delivery. Duplicate notifications in sequence are suppressed. This does not produce legal or significant effects.

7.5 Right to Object. You have the right to object to profiling under Section 7.1 based on your particular situation. Contact us at [email protected]. Note that objecting to recommendation profiling may reduce the personalization of your experience.

8. YOUR RIGHTS

Depending on your jurisdiction, you may have the following rights regarding your personal data:

8.1 Right of Access (GDPR Art. 15). You have the right to request a copy of the personal data we hold about you.

8.2 Right to Rectification (GDPR Art. 16). You have the right to request correction of inaccurate or incomplete personal data. You can update much of your information directly through your account settings.

8.3 Right to Erasure / "Right to be Forgotten" (GDPR Art. 17). You have the right to request deletion of your personal data where:

  • it is no longer necessary for the purpose it was collected;
  • you withdraw consent (where consent is the legal basis);
  • you object to processing and there are no overriding legitimate grounds;
  • the data has been unlawfully processed.

    • You can delete your account through your account settings, which triggers deletion of your data subject to retention exceptions in Section 6.

8.4 Right to Restriction of Processing (GDPR Art. 18). You may request that we restrict processing of your data in certain circumstances.

8.5 Right to Data Portability (GDPR Art. 20). Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine- readable format.

8.6 Right to Object (GDPR Art. 21). You have the right to object to processing based on legitimate interests, including profiling for recommendations (Section 7.1) and Library save notifications (Section 3.10). We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.

8.7 Rights Related to Automated Decision-Making (GDPR Art. 22). We do not make decisions about you that produce legal or similarly significant effects based solely on automated processing. See Section 7 for details on our automated systems.

8.8 Right to Withdraw Consent. Where we rely on consent for processing (e.g., push notifications), you may withdraw that consent at any time through your account settings or by contacting us. Withdrawal does not affect the lawfulness of processing before withdrawal.

8.9 Right to Lodge a Complaint. You have the right to lodge a complaint with your local supervisory authority:

  • EU users: your national data protection authority — e.g., UODO in Poland

    • (Urząd Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warsaw, Poland; https://uodo.gov.pl/)

  • UK users: the Information Commissioner's Office (ICO);

    • https://ico.org.uk/

  • Other jurisdictions: your relevant national privacy regulator.

8.10 Exercising Your Rights. To exercise any of the above rights, contact us at [email protected]. We will respond within 30 days (extendable to 90 days for complex requests with notice). We may need to verify your identity before processing your request. We will not charge a fee for reasonable requests.

9. SECURITY

9.1 We implement technical and organizational measures to protect your personal data against unauthorized access, loss, destruction, or alteration. These include:

  • Bcrypt password hashing (passwords are never stored in plain text)
  • HTTPS encryption for all data in transit
  • Secure session management with HttpOnly, Secure, and SameSite=Lax cookie

    • flags; sessions expire after 30 days of inactivity

  • Role-based access controls restricting admin and label panel access
  • Cryptographic token hashing for email confirmation and password reset

    • tokens (SHA-256); raw tokens are never stored

  • Secure cloud storage (Cloudflare R2) with access key management
  • Rate limiting on sensitive endpoints (login, registration, streaming,

    • password reset, bump actions) to mitigate brute-force and denial-of- service attacks

  • End-to-end encryption of push notification payloads using subscriber

    • public keys (Web Push / VAPID protocol); we cannot read notification content once transmitted

  • Our server infrastructure (OVHcloud VPS, Warsaw, Poland) is secured

    • with restricted SSH access, firewall rules, and access limited to Soundvia operational personnel only

9.2 No method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security and are not responsible for unauthorized access beyond our reasonable control.

9.3 In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where required by law, notify affected individuals without undue delay.

10. COOKIES AND TRACKING TECHNOLOGIES

10.1 We use the following cookies on the Platform:

(a) Strictly Necessary Cookies (no consent required)

  • Session cookie: maintains your authenticated login session. This

    • cookie is set with HttpOnly, Secure, and SameSite=Lax flags. Lifetime: 30 days (permanent session).

  • CSRF protection tokens: protect against cross-site request forgery

    • on form submissions. These cookies are essential for the Platform to function. The Platform cannot operate without them.

(b) Functional Cookies (no consent required)

  • soundvia_tz: stores your local timezone string (e.g.,

    • "Europe/Warsaw"). This is used to display track and release dates in your local timezone. It is not used for tracking or advertising. Lifetime: persistent (browser-managed). You can clear this cookie to revert to UTC display.

10.2 We do not use advertising cookies, third-party tracking pixels, analytics SDKs (e.g., Google Analytics), social media tracking buttons, or any cross- site tracking technologies.

10.3 You can configure your browser to refuse or delete cookies, but doing so may prevent you from remaining logged in to the Platform.

10.4 If we introduce additional cookies in the future that require consent, we will update this section and obtain your consent where required by law.

11. EMAIL AND PUSH COMMUNICATIONS

11.1 Transactional Emails. We send the following transactional emails that are necessary for account operation:

  • Email address confirmation (sent upon registration)
  • Password reset links (sent upon request)
  • Account notifications (claim updates, DMCA notices, follower activity,

    • track added to playlist, administrative messages)

11.2 We do not currently send marketing or promotional emails. If we do so in the future, we will obtain your consent where required and provide a clear unsubscribe mechanism.

11.3 Emails are sent from [email protected] via our SMTP mail server (mail.soundvia.eu). Security tokens included in confirmation and reset emails expire after a defined period (24 hours for confirmation, 2 hours for password reset). Raw tokens are not stored on our servers — only their SHA-256 hash is retained.

11.4 Push Notifications. If you opt in to browser push notifications through your account settings, we may send you notifications about activity on your account. These are delivered using the Web Push protocol (VAPID). Notification payloads are encrypted before transmission and can only be decrypted by your browser. You can manage which notification categories you receive, or disable push notifications entirely, at any time through your account settings. Disabling push notifications does not affect in-Platform notification delivery.

12. CHILDREN'S PRIVACY

12.1 The Platform is not directed at children under the age of 16. We do not knowingly collect personal information from children under 16.

12.2 If you believe a child under 16 has provided us with personal information, please contact us at [email protected] and we will delete such information promptly.

12.3 For users between 16 and 18, we recommend parental oversight. Where local law requires a higher age for data processing consent, we will comply with those requirements.

13. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date at the top of this document and post a notice on the Platform. For significant changes that materially affect how we process your personal data, we may also notify you by email.

Your continued use of the Platform after the effective date of changes constitutes your acceptance of the revised Privacy Policy. If you do not agree, you must stop using the Platform and may delete your account.

14. CALIFORNIA RESIDENTS — CCPA/CPRA DISCLOSURES

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you the following rights:

14.1 Right to Know. You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purpose, and the categories of third parties with whom we share it.

14.2 Right to Delete. You have the right to request deletion of your personal information, subject to certain exceptions.

14.3 Right to Correct. You have the right to request correction of inaccurate personal information.

14.4 Right to Opt-Out of Sale or Sharing. We do not sell or share personal information as defined under CCPA/CPRA.

14.5 Right to Limit Use of Sensitive Personal Information. We do not use sensitive personal information for purposes beyond those permitted under CPRA without your consent.

14.6 Right to Non-Discrimination. We will not discriminate against you for exercising your CCPA/CPRA rights.

14.7 Categories of Personal Information Collected. In the preceding 12 months, we have collected the following categories:

  • Identifiers: name, email address, IP address, user ID
  • Internet or electronic network activity: stream events, playback

    • sessions, playlist plays, library saves, page interactions

  • Audio and visual data: uploaded music files, cover artwork, profile

    • images

  • Derived audio analysis data: BPM, key, loudness, duration, fingerprint
  • Professional or employment-related information: label/distributor context
  • Push notification subscription data: endpoint URL and cryptographic keys
  • Inferences drawn from the above: recommendation profiles, listening

    • preferences

14.8 To exercise your California rights, contact us at [email protected] with "California Privacy Request" in the subject line.

15. BRAZIL RESIDENTS — LGPD DISCLOSURES

If you are located in Brazil, the Lei Geral de Proteção de Dados (LGPD) grants you rights including: confirmation of processing, access to data, correction of inaccurate data, anonymization/blocking/deletion of unnecessary data, portability, information about sharing, and the right to object.

To exercise your rights under LGPD, contact [email protected]. Our legal bases for processing under LGPD include contract performance, legitimate interest, legal obligation, and consent where applicable.

16. AUSTRALIA RESIDENTS — PRIVACY ACT DISCLOSURES

If you are located in Australia, we comply with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). You have the right to access and correct your personal information. To make a request, contact [email protected]. If you are unsatisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC) at https://www.oaic.gov.au/.

17. CANADA RESIDENTS — PIPEDA / PROVINCIAL LAW DISCLOSURES

If you are located in Canada, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws (including Quebec's Law 25 / Law 64). You have the right to access and correct your personal information and to withdraw consent subject to legal or contractual restrictions. To make a request or complaint, contact [email protected]. You may also contact the Office of the Privacy Commissioner of Canada at https://www.priv.gc.ca/.

18. THIRD-PARTY SERVICES AND LINKS

The Platform may contain links to third-party websites. We are not responsible for the privacy practices of those third parties. We encourage you to read their privacy policies. Our key third-party processors are:

  • Cloudflare, Inc. (R2 object storage and CDN):

    • https://www.cloudflare.com/privacypolicy/

  • OVH SAS / OVHcloud (VPS infrastructure, Warsaw, Poland):

    • https://www.ovhcloud.com/en/personal-data-protection/

  • Self-hosted MongoDB (database): operated on our OVHcloud VPS in Warsaw,

    • Poland; no third-party cloud database provider is used.

19. CONTACT US

For any questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact:

Soundvia Privacy Team Email: [email protected] Website: soundvia.eu

For DMCA/copyright matters: Email: [email protected] Form: https://soundvia.eu/dmca

We aim to respond to all privacy requests within 30 days.

© 2026 Soundvia. All rights reserved.