riffDrops ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use the riffDrops website, platform, and services (collectively, the "Service").
By using the Service, you consent to the practices described in this Privacy Policy.
1. Information We Collect
1.1 Information You Provide
- Account Information: Email address, username, password, date of birth, and country when you create an account.
- Profile Information: Any additional information you add to your profile, including your display name.
- Artist/Label Information: Band or label name, biography, country of origin, founded year, genre, social media links, profile images, and hero images when applying as an artist or label.
- Content: Music files, artwork, photos, song stories, show/tour dates, and other content you upload to the Service.
- Communication Data: Messages sent through our contact form, forum posts, and comments.
- Newsletter Preferences: Your email marketing and content subscription choices.
1.2 Information Collected Automatically
- Usage Data: Pages visited, features used, links clicked, and time spent on the Service.
- Device Information: Browser type, operating system, device type, screen resolution, and IP address.
- Play Data: Tracks you listen to, play counts, and listening duration for analytics purposes.
- Cookies and Similar Technologies: We use cookies and similar tracking technologies as described in Section 7.
1.3 Information from Third Parties
- Google OAuth: If you sign in with Google, we receive your email address and basic profile information from Google.
- Stripe: When you make purchases or connect a Stripe account, Stripe provides us with transaction details, account status, and limited payment information. We do not store your full credit card numbers.
2. How We Use Your Information
We use the information we collect to:
- Provide and Operate the Service: Create and manage your account, process transactions, deliver content, and maintain the platform.
- Process Payments: Facilitate purchases, manage Stripe Connect accounts for artists and labels, and process refunds.
- Communicate with You: Respond to inquiries, send purchase confirmations, notify artists/labels of application status, and send team invitation emails.
- Improve the Service: Analyze usage patterns, identify bugs and errors (via Sentry), and optimize performance.
- Provide Analytics: Deliver play count statistics, follower data, and other analytics to artists and labels.
- Send Marketing Communications: With your consent, send newsletters and promotional content via Brevo.
- Ensure Security: Detect and prevent fraud, abuse, and unauthorized access through rate limiting and monitoring.
- Comply with Legal Obligations: Respond to legal requests and enforce our Terms of Service.
3. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds:
- Contract Performance: Processing necessary to provide the Service, including account management, payment processing, and content delivery.
- Legitimate Interests: Analytics, security, fraud prevention, and service improvement, where these interests are not overridden by your rights.
- Consent: Marketing communications, non-essential cookies, and analytics tracking. You may withdraw consent at any time.
- Legal Obligation: Processing required to comply with applicable laws and regulations.
4. Information Sharing and Disclosure
We do not sell your personal data. We share information only in the following circumstances:
4.1 Service Providers
We use the following third-party service providers who process data on our behalf:
- Supabase: Database hosting and authentication (PostgreSQL, hosted in the EU).
- Stripe: Payment processing, Connect account management, and fraud prevention.
- Vercel: Website hosting and content delivery.
- Brevo: Transactional and marketing email delivery (SMTP relay).
- Cloudflare: Content delivery network (CDN) for images and static assets.
- Backblaze B2: Image storage (public bucket).
- Cloudflare R2: Audio file storage (private bucket, zero egress).
- Google Analytics: Website usage analytics.
- Sentry: Error tracking and monitoring.
- Trigger.dev: Background job processing.
4.2 Artists and Labels
When you purchase a release, the artist or label may see your username and the purchase details (not your email or payment information).
4.3 Public Information
Your username, profile activity (such as likes), and any content you post in forums are visible to other users.
4.4 Legal Requirements
We may disclose your information if required by law, court order, or government request, or if we believe disclosure is necessary to protect the rights, property, or safety of riffDrops, our users, or the public.
4.5 Business Transfers
If riffDrops is involved in a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction.
5. Data Retention
We retain your personal data for as long as your account is active or as needed to provide you the Service. Specifically:
- Account Data: Retained until you delete your account. Upon deletion, we will remove or anonymize your data within 30 days, except where retention is required by law.
- Purchase Records: Retained for 7 years for tax and accounting compliance.
- Play Statistics: Aggregated and anonymized play data may be retained indefinitely for analytics.
- Forum Content: Retained until deleted by you or removed by moderation.
- Server Logs: Retained for up to 90 days for security and debugging purposes.
6. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
6.1 Access and Portability
You have the right to request a copy of the personal data we hold about you in a structured, commonly used, and machine-readable format.
6.2 Correction
You may update or correct your personal information through your account settings, or by contacting us.
6.3 Deletion
You have the right to request deletion of your personal data, subject to certain legal exceptions (such as retention for tax compliance).
6.4 Objection and Restriction
You may object to or request restriction of the processing of your personal data in certain circumstances.
6.5 Withdrawal of Consent
Where processing is based on your consent, you may withdraw consent at any time without affecting the lawfulness of processing performed prior to withdrawal.
6.6 Cookie Preferences
You may manage your cookie preferences at any time through the "Cookie Settings" button in the website footer.
6.7 Exercising Your Rights
To exercise any of these rights, please contact us using the information in Section 12. We will respond within 30 days.
7. Cookies and Tracking Technologies
7.1 What Are Cookies
Cookies are small text files stored on your device when you visit our website. We use cookies and similar technologies for essential functionality and, with your consent, for analytics.
7.2 Types of Cookies We Use
Essential Cookies (always active):
- Authentication session cookies (Supabase)
- CSRF protection tokens
- Cookie consent preferences
Analytics and Performance Cookies (consent required):
- Google Analytics (_ga, _gid): Helps us understand how visitors interact with the Service. Data is processed by Google.
- Sentry (sentryReplaySession): Records anonymized session replays to help debug errors and improve reliability.
7.3 Cookie Consent
We implement region-aware cookie consent:
- EU/EEA users: Opt-in consent required before any non-essential cookies are set.
- US users: Opt-out consent with non-essential cookies enabled by default.
You can change your cookie preferences at any time via the "Cookie Settings" link in the footer.
7.4 Stripe Cookies
Stripe may set cookies on your device when you interact with our payment forms. These cookies are essential for payment processing, fraud prevention, and compliance. For more information, see [Stripe's Cookie Policy](https://stripe.com/legal/cookies-policy).
8. Data Security
We implement industry-standard security measures to protect your personal data, including:
- Row-level security (RLS) on all database tables
- Encryption of data in transit (HTTPS/TLS)
- Rate limiting on authentication and API endpoints
- Two-factor authentication (TOTP) available for all users, required for administrators
- HMAC-signed tokens for play verification
- Automatic redaction of sensitive data in logs
- Presigned URLs with time-limited access for media files
No method of transmission or storage is completely secure. While we strive to protect your data, we cannot guarantee absolute security.
9. International Data Transfers
Your data may be processed in countries outside your own, including the United States and European Union. When we transfer data internationally, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions by the European Commission
- Data processing agreements with all service providers
10. Children's Privacy
The Service is not directed to children under the age of 13. We do not knowingly collect personal data from children under 13. If we learn that we have collected data from a child under 13, we will promptly delete it. If you believe a child under 13 has provided us with personal data, please contact us.
Users between 13 and 18 must have parental or guardian consent to use the Service.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Effective Date" at the top of this page
- Post a notification on the Service
- Maintain a version history accessible through our platform
Your continued use of the Service after changes are posted constitutes acceptance of the updated Privacy Policy.
12. Contact Information
If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us:
- Contact Form: [riffdrops.com/contact](/contact)
- Email: privacy@riffdrops.com
For EU/EEA residents, you also have the right to lodge a complaint with your local data protection authority.