The Sound Vault — Privacy Policy (DRAFT — requires lawyer review before launch)

Last updated: July 2026 · soundvault.io · Data controller: [ENTITY NAME — TBD] · Contact: privacy@soundvault.io

1. What we collect

Data When Why (legal basis)
Email address Account signup Account access, transactional email (contract)
Instagram handle Account verification via DM Anti-abuse verification, attribution ("unlocked by") (contract / legitimate interest)
Set URLs you submit Each unlock Providing the service (contract)
Usage data: unlocks, Keys spent, clicks on outbound store links Using the service Service operation, cost control, aggregate analytics (legitimate interest)
Technical logs: IP, user agent Automatic Security, rate limiting, abuse prevention (legitimate interest)

We do not collect payment data (the service is free), do not sell personal data, and do not run third-party advertising trackers.

2. What we do NOT keep

Audio downloaded for analysis is deleted immediately after processing — on success and on failure. We store only tracklist metadata (see Terms §2).

3. Instagram DM verification

To activate an account you send a DM to @the.sound.vault. Through Meta's official messaging API we receive that message and your handle, and reply with an activation code. We store your handle and verification status; we do not read other conversations and cannot see anything beyond messages you send to our account. Meta's own privacy policy applies to Instagram itself.

4. Public information

Your chosen display name / IG handle appears publicly on sets you were first to unlock and on receipt cards you share. You can request removal of this attribution at any time.

5. Sharing

Processors we use to run the service: hosting (e.g. Vercel/Cloudflare), managed database (e.g. Neon/Supabase), audio recognition (AudD — receives audio excerpts of the sets you submit, not your personal data), email delivery, error monitoring (e.g. Sentry — IP + technical context). Each is bound by its own data-processing terms. No other sharing except when legally required.

6. Retention

Account data: while the account exists + 30 days after deletion. Logs: up to 12 months. Tracklist metadata is not personal data and is kept indefinitely (it is the product).

7. Your rights

Access, correction, deletion, portability, and objection — write to privacy@soundvault.io. If you are in the EU/EEA you may also complain to your local supervisory authority. Deleting your account removes your email and handle; public tracklists remain (with attribution removed on request).

8. Cookies

Only strictly necessary cookies (session, language preference). If we ever add analytics cookies, we will ask for consent first (GDPR).

9. Children

The service is not directed at children under 16.

10. Changes

Material changes will be announced on the site. Continued use after notice means acceptance.