Privacy Policy
**Effective date:** 23 May 2026
**Version:** 1.2
This Privacy Policy describes how The Rock God ("Rock God", "we", "us", or "our") collects, uses, and shares information about you when you use our music discovery service via the web app, progressive web app (PWA), or any related interfaces (collectively, the "Service").
By using the Service, you agree to the practices described in this policy. If you do not agree, please do not use the Service.
1. Information we collect
We collect only the information needed to operate the Service. Specifically:
- **Account information** — your email address, a hashed form of your password (if you register with email/password), the language you've chosen, and your account tier (guest, free, or paid).
- **OAuth tokens** — when you connect Spotify, Apple Music, YouTube Music, Amazon Music, Tidal, Deezer, or Pandora, we store the access and refresh tokens issued by that provider so we can pull your favorite artists and tracks and (when you ask us to) create playlists. We never see your provider password.
- **Streaming favorites** — the artists and songs you've pinned in your connected streaming service, retrieved through the provider's own API on your behalf.
- **Recommendation sessions** — the inputs you provided (artists or songs), the recommendations we generated for you, and any title you gave the session. These let you revisit and share past discoveries.
- **Payment information** — if you upgrade to the paid tier, payment is processed entirely by Stripe. We receive a confirmation that the transaction succeeded and a Stripe customer identifier; **we never see or store your full card number**.
- **IP addresses** — for paid accounts, we record up to two IP slots ("ip1" and "ip2") so we can enforce the two-device limit described in our Terms of Service. We mask all but the last octet when displaying these to you. Guest and free accounts do not have IP slots.
- **Push subscription** — if you opt in to push notifications, your browser's push endpoint and keys are stored so we can deliver notifications about your recommendations.
- **Usage data via Heap.io** — Heap.io collects anonymized interaction events (clicks, page views, errors) so we can improve the Service. These analytics run by default; you can opt out by blocking cookies and local storage for this site in your browser settings.
- **Consent logs** — when you accept or decline marketing communications or data-processing permissions, we record the choice, the timestamp, and the policy version so we can prove your choice if asked.
- **Audit logs** — security-relevant events (admin actions, account deletions, tier changes) are written to an internal audit log accessible only to authorized administrators.
We do **not** collect: phone numbers, real names, postal addresses, dates of birth, precise location, advertising identifiers, biometric data, financial account numbers (beyond the Stripe customer reference above), or any data about users under 13.
2. Why we collect it — lawful bases under GDPR
Under the EU and UK General Data Protection Regulation (GDPR), every collection of personal data needs a lawful basis. Ours are:
- **Performance of contract** (Article 6(1)(b)) — account information, OAuth tokens, streaming favorites, recommendation sessions, payment confirmations, and push subscription. Without these, we cannot deliver the Service you signed up for.
- **Legitimate interest** (Article 6(1)(f)) — IP slot enforcement (protecting the paid tier from sharing abuse), security audit logs, basic operational error logs, and anonymized product analytics (Heap.io) used to understand how the Service is used and improve it. We've weighed these against your rights and concluded that the processing is narrowly scoped and necessary to keep the Service trustworthy. You can object to analytics processing at any time (see Section 5) by blocking cookies and local storage for this site.
- **Consent** (Article 6(1)(a)) — any future marketing communications. You can withdraw consent at any time without losing access to the rest of the Service.
3. How long we keep it
- **Active account data** is retained for as long as your account exists.
- **Soft-deleted account data** is retained for **90 days** after you delete your account, then purged permanently. This window exists in case you change your mind or we need to investigate fraud.
- **Audit logs** are retained for **2 years** to support security investigations and regulatory inquiries.
- **Consent logs** are retained for **3 years** after the consent is given or withdrawn, to comply with our accountability obligations under GDPR.
- **Last.fm cache data** is stored briefly (up to 30 days) to reduce duplicate API calls; it is keyed by a hash of the query, not by user.
When a retention period ends, the data is deleted in full from active systems and from backups during the next backup-rotation cycle (no later than 35 days).
4. Who we share it with
We share information only with third parties who help us operate the Service, and only the minimum data each one needs:
- **Stripe, Inc.** — payment processing. Receives the cardholder data you enter directly into Stripe Checkout, plus your Rock God user id for receipt linking. See Stripe's privacy policy.
- **Resend (Resend, Inc.)** — transactional email (verification, receipts, notifications). Receives your email address and the message body. See Resend's privacy policy.
- **Heap, Inc. (Heap.io)** — product analytics. Receives anonymized event data. See Heap's privacy policy.
- **Amazon Web Services (AWS)** — hosting and storage. Receives all data described above, encrypted at rest and in transit. See AWS's privacy notice.
- **Last.fm (Audioscrobbler Ltd.)** — music similarity data. Receives the artist or track name you searched for; receives no information about you personally. See Last.fm's privacy policy.
- **Streaming service APIs** (Spotify, Apple Music, YouTube Music, Amazon Music, Tidal, Deezer, Pandora) — only when you explicitly connect that service. Each provider receives the OAuth-scoped requests you authorize.
We do **not** sell or rent personal information to anyone, ever. We do **not** share data with advertising networks.
We may disclose information if compelled by valid legal process (subpoena, court order) — in which case we will notify you unless prohibited by law.
5. Your rights under GDPR (EU/UK users)
You have the right to:
- **Access** — request a copy of the personal data we hold about you. Use _Account → Export my data_ to download a JSON archive at any time.
- **Rectification** — correct inaccurate or incomplete data. Most fields are editable from _Account_; for the rest, email us.
- **Erasure ("right to be forgotten")** — request that we delete your account and all associated data. Use _Account → Delete account_; the 90-day soft-delete window can be cut short by emailing us.
- **Restriction of processing** — ask us to pause processing of your data while a dispute is resolved.
- **Data portability** — receive your data in a structured, commonly used, machine-readable format. The _Export my data_ download is JSON and includes all data you've provided.
- **Object** — object to processing based on legitimate interest. Email us with the reasons; we'll either stop or explain why we believe the legitimate interest overrides the objection.
- **Withdraw consent** — withdraw marketing consent at any time, without affecting the lawfulness of processing that already happened. To stop analytics, block cookies and local storage for this site in your browser.
- **Lodge a complaint** — with your national data protection authority. We'd appreciate the chance to address concerns first; you can also contact your regulator directly.
We will respond to verified requests within **30 days**.
6. Your rights under CCPA (California users)
California residents have specific rights under the California Consumer Privacy Act (CCPA) as amended by the CPRA:
- **Right to know** — what personal information we've collected about you in the past 12 months, where it came from, why we collected it, and with whom we shared it. The _Export my data_ download covers this.
- **Right to delete** — request deletion of personal information we hold. The _Delete account_ flow does this.
- **Right to correct** — request correction of inaccurate personal information.
- **Right to opt out of sale or sharing** — **we do not sell or share personal information for cross-context behavioral advertising.** A _Do not sell or share my personal information_ button is provided in _Account → Privacy_ for completeness and to record your preference if it is ever relevant.
- **Right to limit use of sensitive personal information** — we do not collect sensitive personal information as defined by the CPRA.
- **Right to non-discrimination** — we will not retaliate against you for exercising any of these rights.
7. Cookies
We use the following cookies and similar storage:
- **Session cookies (essential)** — set by our authentication system to keep you signed in. These cannot be disabled because the Service does not work without them.
- **Refresh-token cookies (essential)** — set with the `HttpOnly`, `Secure`, and `SameSite=Lax` attributes so we can quietly refresh your access token without forcing you to sign in again.
- **Analytics cookies and local storage** — set by Heap.io to measure product usage. They contain a randomly generated identifier; no personal data is encoded in them. These load by default. You can block or delete them in your browser settings without losing access to any feature.
Most browsers let you block or delete cookies in their settings. Blocking essential cookies may sign you out and require re-authentication; blocking analytics storage only opts you out of Heap.io.
8. How to exercise your rights
The fastest way to exercise any right above is through the Service itself (_Account → Export my data_, _Account → Delete account_, _Account → Privacy_).
If you'd prefer to email us, write to **privacy@rockgod.app**. Please include enough information for us to verify the request — typically the email address on your account. We may ask for additional verification for sensitive requests (deletion, data export to a third party).
9. Data transfers
The Service is hosted in AWS's **us-east-1** region in the United States. If you access the Service from the EU, UK, Switzerland, or another jurisdiction with cross-border transfer rules, your data will be transferred to and processed in the United States.
For EU/UK transfers, we rely on the European Commission's **Standard Contractual Clauses** (2021 module 2) as the lawful transfer mechanism. We've also assessed the surveillance environment in the destination country and concluded that our technical safeguards (encryption at rest and in transit, least-privilege access, audit logging) provide adequate protection.
If you would like a copy of our SCCs, email **privacy@rockgod.app**.
10. Children's privacy
The Service is **not directed at children under 13**, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us personal information, please contact **privacy@rockgod.app** and we will delete it.
If you are between 13 and 16 and live in the EU, please obtain a parent's or guardian's consent before creating an account.
11. Security
We protect data with:
- **TLS 1.2+** for all data in transit.
- **AES-256 encryption at rest** for the production database and object storage.
- **Strict IAM least-privilege roles** for production AWS resources.
- **Encrypted application secrets** in AWS Secrets Manager with role-based access.
- **Audit logs** for security-relevant administrative actions.
- **Regular dependency and image scans** in our CI/CD pipeline.
No system is perfectly secure, but we take reasonable steps and notify affected users without undue delay if a personal-data breach occurs.
12. Changes to this policy
We may update this Privacy Policy from time to time. Material changes (new categories of data, new sharing relationships, expanded retention) will be communicated:
- via **email** to your account address, **and**
- via an **in-app notification**, **and**
- via an updated effective date and version number at the top of this policy.
We will not retroactively apply a material change to data already collected unless we get fresh consent.
13. Contact
For privacy questions, complaints, or to exercise the rights above:
- **Email:** privacy@rockgod.app
- **Postal:** _(postal address — placeholder until incorporation is finalized)_
If you live in the EU or the UK, you may also contact your national data protection authority.