The Sound Vault — Privacy Policy (DRAFT — requires lawyer review before launch)
Last updated: July 2026 · soundvault.io · Data controller: [ENTITY NAME — TBD] · Contact: privacy@soundvault.io
1. What we collect
| Data | When | Why (legal basis) |
|---|---|---|
| Email address | Account signup | Account access, transactional email (contract) |
| Instagram handle | Account verification via DM | Anti-abuse verification, attribution ("unlocked by") (contract / legitimate interest) |
| Set URLs you submit | Each unlock | Providing the service (contract) |
| Usage data: unlocks, Keys spent, clicks on outbound store links | Using the service | Service operation, cost control, aggregate analytics (legitimate interest) |
| Technical logs: IP, user agent | Automatic | Security, rate limiting, abuse prevention (legitimate interest) |
We do not collect payment data (the service is free), do not sell personal data, and do not run third-party advertising trackers.
2. What we do NOT keep
Audio downloaded for analysis is deleted immediately after processing — on success and on failure. We store only tracklist metadata (see Terms §2).
3. Instagram DM verification
To activate an account you send a DM to @the.sound.vault. Through Meta's official messaging API we receive that message and your handle, and reply with an activation code. We store your handle and verification status; we do not read other conversations and cannot see anything beyond messages you send to our account. Meta's own privacy policy applies to Instagram itself.
4. Public information
Your chosen display name / IG handle appears publicly on sets you were first to unlock and on receipt cards you share. You can request removal of this attribution at any time.
5. Sharing
Processors we use to run the service: hosting (e.g. Vercel/Cloudflare), managed database (e.g. Neon/Supabase), audio recognition (AudD — receives audio excerpts of the sets you submit, not your personal data), email delivery, error monitoring (e.g. Sentry — IP + technical context). Each is bound by its own data-processing terms. No other sharing except when legally required.
6. Retention
Account data: while the account exists + 30 days after deletion. Logs: up to 12 months. Tracklist metadata is not personal data and is kept indefinitely (it is the product).
7. Your rights
Access, correction, deletion, portability, and objection — write to privacy@soundvault.io. If you are in the EU/EEA you may also complain to your local supervisory authority. Deleting your account removes your email and handle; public tracklists remain (with attribution removed on request).
8. Cookies
Only strictly necessary cookies (session, language preference). If we ever add analytics cookies, we will ask for consent first (GDPR).
9. Children
The service is not directed at children under 16.
10. Changes
Material changes will be announced on the site. Continued use after notice means acceptance.