Last updated: June 6, 2026

Privacy Policy

This Privacy Policy explains how Spinshare collects, uses, stores, and shares personal data when you visit spinshare.pro or use the Spinshare service. Spinshare is operated by WantedAudio GmbH, based in Germany. We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). Because Spinshare is operated from the European Union, the GDPR and BDSG protections described here apply to all users worldwide, regardless of where you reside. Section 9 sets out, in detail, how the optional Dropbox integration is handled.

1. Controller

The data controller responsible for processing personal data on this website is:

WantedAudio GmbH
Neue Mainzer Straße 84
60311 Frankfurt am Main
Germany
Email: support@spinshare.pro
Copyright agent: copyright@spinshare.pro

2. Data protection officer

We have determined that we are not required under Art. 37 GDPR or § 38 BDSG to appoint a Data Protection Officer. Spinshare does not carry out the kind of large-scale systematic monitoring of data subjects or large-scale processing of special-category data that triggers the Art. 37 appointment obligation, and we do not currently meet the § 38 BDSG headcount threshold for automated processing. Please direct all privacy enquiries to the controller named in Section 1. We will reassess this determination as the service grows.

3. Categories of personal data we process

Depending on how you use Spinshare, we may process:

  • Account data: email address, hashed password, display name, account role, account creation and login timestamps.
  • Profile data (producers): public slug, display name, bio, avatar/cover image URL, accent colour preferences, verification status, subscriber count.
  • Content data: drop titles, descriptions, prices, external file links (e.g. Dropbox or Google Drive), and metadata you choose to publish.
  • Lab chat data: the text of messages you send to a connected producer (a Spinshare Pro feature), audio files you share in the Lab chat and their metadata (file name, size, type, duration), delivery and read timestamps, emoji reactions, and any reports or blocks you create. See Section 17.
  • Subscription, follow, and unlock records: which producer you follow or subscribe to, which drops you have unlocked, timestamps, and price tier where applicable.
  • Payment data: processed by Stripe (see Section 7). We receive limited Stripe identifiers (Stripe Customer ID, Stripe Connect Account ID, subscription status, charge amount, currency, country, last 4 digits / card brand). We do not store full payment card numbers.
  • Dropbox integration data (producers only): if you choose to connect a Dropbox account, we receive and store: your Dropbox account ID, your Dropbox account email address, an encrypted OAuth refresh token, and an encrypted short-lived OAuth access token with its expiry timestamp. See Section 9 for the full breakdown of what we do and do not read from Dropbox.
  • Communications: emails you send to us, support requests, and feedback you submit through the dashboard.
  • Technical data: IP address (truncated where feasible), user-agent, request timestamps, referrer, and routing cookies necessary for authentication and security.
  • Analytics and product data: if you give consent, anonymised or pseudonymised event data captured by PostHog (see Section 8).

4. Purposes and legal bases of processing

We process personal data on the following GDPR Art. 6 (1) legal bases:

  • Performance of a contract (Art. 6 (1)(b)): creating and operating your account, delivering subscription access, processing payments and payouts, providing producer dashboards, and (for producers who opt in) operating the Dropbox integration so that subscriber-entitled files can be streamed from the producer’s Dropbox account.
  • Legal obligation (Art. 6 (1)(c)): retaining invoices and accounting records under German tax law (HGB / AO), responding to lawful requests from public authorities, and complying with notice-and-takedown obligations under applicable copyright and intermediary-liability law.
  • Legitimate interests (Art. 6 (1)(f)): securing our service against fraud and abuse, rate-limiting, server logs for diagnostics, ensuring platform integrity, and enforcing our Repeat Infringer Policy. We balance these interests against your rights and freedoms.
  • Consent (Art. 6 (1)(a)): non-essential cookies, product analytics, session recording, marketing emails (where applicable), and the producer’s explicit authorisation of the Dropbox OAuth integration. You can withdraw consent at any time without affecting the lawfulness of prior processing.

5. Account, authentication, and session cookies

To operate the service, we set strictly necessary cookies:

  • NextAuth session cookies for keeping you signed in.
  • CSRF protection cookies set by NextAuth.
  • Referral / invite cookies (spinshare_ref, spinshare_invite) for attributing sign-ups to invite links you clicked, with a short lifetime.

These cookies are essential to operate the service you requested and do not require consent under § 25 (2) TDDDG.

6. User content and copyright handling

When you publish a drop, Spinshare processes the metadata you provide (title, description, price, external storage link, file count, and any cover art URL) to deliver the drop to entitled subscribers. We act as a hosting intermediary for metadata and, in the case of the Dropbox integration described in Section 9, as a pass-through delivery layer for the file bytes that remain stored at Dropbox.

Where we receive a valid copyright takedown notice (see the Terms of Service, Section 8), we will process the personal data contained in that notice (the complainant’s name, contact details, and identification of the works) on the legal basis of legal obligation (Art. 6 (1)(c) GDPR) and legitimate interest in operating a lawful service (Art. 6 (1)(f) GDPR). Where required, we forward the takedown notice to the producer whose content is at issue and record the matter in their account history for the purposes of our Repeat Infringer Policy.

7. Payments via Stripe

We use Stripe Payments Europe, Limited (1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland) and, where applicable, Stripe Connect to process subscription payments and producer payouts. When you make a payment, Stripe collects payment-card information and identity verification data directly. We receive only confirmation and limited transaction metadata.

Legal basis: performance of a contract (Art. 6 (1)(b) GDPR) for paying customers and producers receiving payouts. International transfers to Stripe affiliates outside the EEA, where they occur, rely on the EU Standard Contractual Clauses concluded by Stripe.

For Stripe’s own privacy practices, see stripe.com/privacy.

8. Analytics and product telemetry (PostHog)

We use PostHog to understand how producers and subscribers use Spinshare so we can improve the product. PostHog is operated by PostHog Inc., 2261 Market Street #4008, San Francisco, CA 94114, USA.

PostHog may capture pseudonymous event data, including UI clicks, page views, and (with masked input fields) anonymous session replays. A long-lived ph_did cookie is used to keep consistent buckets between server and client for feature experiments.

Legal basis: consent under Art. 6 (1)(a) GDPR and § 25 (1) TDDDG. We will only place non-essential analytics cookies and load PostHog tracking scripts after you give consent through our cookie banner.

International transfers to PostHog Inc. (USA) rely on the EU Standard Contractual Clauses and any applicable adequacy decision. You can withdraw consent at any time through the cookie settings in our footer.

9. Producer Dropbox integration

Spinshare offers producers the option to connect a Dropbox account so that drop files stored in Dropbox can be streamed or delivered to entitled subscribers through the Spinshare interface. The integration is strictly opt-in. It is never activated for subscribers, and never activated for producers who do not click “Connect Dropbox” in their dashboard.

Scopes requested (read-only). When a producer authorises Spinshare on the Dropbox consent screen, Spinshare requests the following Dropbox API scopes, and only these scopes:

  • files.metadata.read: read file and folder names, paths, sizes, and similar metadata for the specific files or folders the producer chooses to publish through Spinshare.
  • files.content.read: read the bytes of those specific files for the sole purpose of delivering them to a subscriber who is entitled to access them under the producer’s drop configuration.
  • sharing.read: resolve Dropbox shared links a producer pastes into Spinshare to the underlying file path inside the producer’s account.
  • account_info.read: read the producer’s Dropbox account email address and Dropbox account ID, used only to display the “Connected as <email>” label in the Spinshare dashboard and to prevent the same Dropbox account from being silently attached to two different Spinshare accounts. No other profile fields, contacts, or activity are read.

No write capability. Spinshare does not request, and because the OAuth grant does not include them cannot use, any Dropbox scope that would permit Spinshare to modify, overwrite, rename, move, copy, delete, or otherwise alter any file, folder, comment, or shared link inside a producer’s Dropbox account. Spinshare invokes no write-class Dropbox endpoint, including but not limited to files/upload, files/delete_v2, files/move_v2, files/copy_v2, files/create_folder_v2, sharing/add_file_member, or sharing/create_shared_link_with_settings.

Pass-through delivery. Spinshare acts as a pass-through streaming and download layer between the producer’s Dropbox account and the entitled subscriber. Spinshare does not copy, clone, mirror, or permanently store the underlying file bytes of any Dropbox-hosted drop on its own servers. Files are streamed from Dropbox at the moment a subscriber requests them. Short-lived temporary download URLs minted by Dropbox (typically with a four-hour time-to-live) and lightweight metadata such as file name, file size, and content count may be cached briefly in memory or in our database to keep the in-app player responsive. These caches never contain persistent file content.

Token storage and encryption. When a producer connects Dropbox, we receive an OAuth refresh token and a short-lived access token. Both tokens are encrypted at rest in our database using AES-256-GCM (a NIST-approved authenticated-encryption algorithm) with a fresh 96-bit initialisation vector and an authentication tag generated per stored record. The encryption key is held in a server-side environment variable that is never exposed to client-side code. Tokens are never written to application logs, never emailed, never displayed in the user interface, and never shared with any third party. Decryption fails closed: if any tampering is detected, the producer is required to reconnect their Dropbox account.

Instant revocation. A producer can revoke Spinshare’s access to their Dropbox account, instantly and permanently, by either:

  • Clicking “Disconnect Dropbox” in the Spinshare dashboard. This calls https://api.dropboxapi.com/2/auth/token/revoke on a best-effort basis and deletes the producer’s encrypted refresh and access tokens from our database together with any cached temporary download URLs.
  • Visiting dropbox.com/account/connected_apps and removing “Spinshare” from their list of connected applications. This terminates the OAuth grant at Dropbox’s end and immediately invalidates any token Spinshare still holds.

Following revocation, drops that were configured to stream through the Dropbox integration will gracefully fall back to the producer’s original public shared link (or become unavailable, depending on the producer’s settings) and Spinshare loses all ability to call the Dropbox API on the producer’s behalf.

Independent controllers. Dropbox, Inc. remains the independent controller for any personal data and file content held inside the producer’s Dropbox account. Dropbox’s privacy practices and terms of service apply to data stored at Dropbox and are available at dropbox.com/privacy.

Legal basis. Performance of a contract (Art. 6 (1)(b) GDPR) for delivering subscriber-entitled drops, and explicit consent (Art. 6 (1)(a) GDPR and the Dropbox OAuth consent screen) for the initial authorisation of the integration. International transfers to Dropbox, Inc. (USA) rely on the EU Standard Contractual Clauses and any applicable adequacy decision.

10. Hosting, infrastructure, and processors

We engage the following processors to operate Spinshare. Each processor is bound by a Data Processing Agreement under Art. 28 GDPR.

  • Vercel Inc. (USA) for application hosting and global CDN.
  • Supabase Inc. (USA) for PostgreSQL database hosting in EU regions where supported.
  • Stripe Payments Europe, Ltd. (Ireland) for payment processing and Connect payouts.
  • PostHog Inc. (USA) for product analytics and session replay (consent-based).
  • Resend, Inc. (United States) for transactional emails (sign-up verification, password reset, payout notifications, and similar account communications). Resend acts as our processor under a Data Processing Agreement; international transfers to the United States rely on the EU Standard Contractual Clauses concluded with Resend. See resend.com/legal/privacy-policy.
  • Dropbox, Inc. (USA) where a producer has voluntarily connected a Dropbox account under Section 9. Dropbox stores the underlying file content as an independent controller. Spinshare uses Dropbox only as a read-only pass-through and stores Dropbox-issued OAuth tokens encrypted at rest as described in Section 9.
  • Google LLC where a producer has voluntarily shared a Google Drive link as an external storage location for a drop. Drops linked from Google Drive currently rely on the producer’s own public-share configuration at Google; Spinshare does not hold any OAuth token for Google Drive.

Where data is transferred to processors outside the EEA, we rely on the EU Standard Contractual Clauses (SCCs) and supplementary safeguards required by the Schrems II ruling.

11. Data retention

  • Account data is retained while your account is active. After you request deletion (see Section 13), we delete personal data that is not subject to a statutory retention obligation within a reasonable time, typically 30 days.
  • Invoices and accounting records are retained for up to 10 years as required under §§ 257 HGB, 147 AO.
  • Server logs are kept for diagnostics for a short period (typically up to 30 days) and then deleted or anonymised.
  • Dropbox OAuth tokens are retained only for as long as the producer keeps the Dropbox integration connected. On disconnect (whether via the Spinshare dashboard, via dropbox.com/account/connected_apps, or as part of account deletion), the encrypted refresh and access tokens, the Dropbox account ID, and any cached Dropbox metadata are deleted from our database.
  • Lab chat messages and files are handled as described in Section 17: files you share are purged from our storage a short time after delivery (roughly five to ten days), while message text and chat records persist while your account is active and are removed when your account is deleted.
  • Analytics events (with consent) are retained according to the PostHog data retention configuration we apply.

12. Your rights under GDPR

You have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR).
  • Right to rectification (Art. 16 GDPR).
  • Right to erasure (Art. 17 GDPR).
  • Right to restriction of processing (Art. 18 GDPR).
  • Right to data portability (Art. 20 GDPR).
  • Right to object to processing based on legitimate interests (Art. 21 GDPR).
  • Right to withdraw consent at any time, without affecting the lawfulness of prior processing (Art. 7 (3) GDPR). For the Dropbox integration, withdrawal is effected by clicking “Disconnect Dropbox” in the dashboard or by revoking access at dropbox.com/account/connected_apps.
  • Right to lodge a complaint with a supervisory authority. The authority responsible for our place of business is:
    Der Hessische Beauftragte für Datenschutz und Informationsfreiheit (HBDI)
    Gustav-Stresemann-Ring 1
    65189 Wiesbaden
    Germany
    Website: datenschutz.hessen.de
    Email: poststelle@datenschutz.hessen.de

13. Account deletion and data deletion requests

You can request deletion of your account and associated personal data at any time from Dashboard → Settings → Profile → Delete Your Account, which opens a confirmation dialog and a one-click support request from the email address registered on your account. You may also email support@spinshare.pro directly from your registered address. We review every deletion request within 24 hours and complete the deletion within one month at the latest, in line with Art. 12 (3) GDPR and subject to the retention obligations in Section 11.

Account deletion automatically revokes any connected Dropbox OAuth tokens under Section 9 and removes the encrypted tokens, the Dropbox account ID, and any cached Dropbox metadata from our database.

Account deletion also removes the Lab chat messages you sent, the audio files you shared in the Lab chat (deleted from our storage), and the reports and blocks you created.

14. Security

We apply technical and organisational measures appropriate to the risks of processing, including:

  • TLS for all traffic to and from Spinshare.
  • Account passwords hashed with industry-standard algorithms.
  • OAuth refresh and access tokens (including Dropbox tokens) encrypted at rest with AES-256-GCM, per-record initialisation vectors, and authentication tags.
  • HMAC-signed OAuth state parameters with short time-to-live values to defend the Dropbox OAuth handshake against cross-site request forgery.
  • Masked form inputs in session recordings.
  • Rate-limiting on sensitive endpoints.

No system can guarantee absolute security, but the measures above are reviewed regularly and updated as appropriate.

15. Children

Spinshare is not directed at children. You must be at least 18 years old (or the age of legal majority in your jurisdiction) to create an account.

16. Third-party services; no affiliation

Spinshare integrates with independent third-party services (including Stripe, Vercel, Supabase, PostHog, Dropbox, and Google Drive) to operate. These providers are separate legal entities, each operating their own services under their own terms and privacy policies. Spinshare is not responsible for the acts, omissions, content, or availability of any third-party service.

Dropbox. Spinshare is an independent application that uses the Dropbox API as a permitted third-party developer. Spinshare is not affiliated with, endorsed by, sponsored by, certified by, or partnered with Dropbox, Inc. The names “Dropbox” and the Dropbox logo are trademarks of Dropbox, Inc., used here solely to identify the third-party service Spinshare integrates with.

17. Lab chat (direct messaging between connected producers)

The Lab includes a private one-to-one chat between producers who are mutually connected (Crew). Producers can send audio files to each other and, with a Spinshare Pro subscription, free-text messages. The chat is only available between two producers who are already connected; it is never a public channel or a broadcast feed.

Data we process. The text content of messages you send, audio files you upload together with their metadata (file name, size, type, and duration), delivery and read timestamps, emoji reactions, and any reports or blocks you create. Uploaded audio files are stored in our Supabase storage (in EU regions where supported) and streamed to the other participant; message text is stored in our database.

Who can access your messages. Only the two producers in a conversation can read it. Spinshare staff do not routinely read private Lab chat messages. A specific message becomes visible to our safety team only when a participant reports it, so that we can review and act on that report.

No automated monitoring. We do not run automated scanning, profiling, or content-recognition over the messages or files you exchange in the Lab chat. Moderation is reactive and depends on the in-chat Report and Block tools described below.

Safety tools. Every participant, on any plan, can report a message and block the other producer from the chat settings. Blocking stops new messages in both directions while keeping the existing history visible. Reported messages are placed in an internal queue where our admins can dismiss the report, remove the message, or block the sender. We process this data on the legal basis of our legitimate interest (Art. 6 (1)(f) GDPR) in keeping the platform safe and acting on abuse.

Retention. Uploaded files are deleted from our storage a short time after delivery (currently within roughly ten days, or roughly five days once the recipient has downloaded them). Message text and chat records are kept while your account is active and are deleted when your account is deleted. See the Data retention and Account deletion sections above.

Legal basis. Performance of a contract (Art. 6 (1)(b) GDPR) to provide the messaging feature you and your Crew use, and our legitimate interests (Art. 6 (1)(f) GDPR) in keeping the platform safe, preventing abuse, and acting on reports.

18. Changes to this policy

We may update this Privacy Policy to reflect changes in our processing or in the law. The “Last updated” date at the top reflects the latest revision. For material changes that affect your rights, we will notify you in advance through the service or by email.

19. Contact

For questions about this Privacy Policy or to exercise any of your rights, please email support@spinshare.pro. For copyright takedown notices, use copyright@spinshare.pro.