Last updated: May 10, 2026
Privacy Policy
This Privacy Policy explains how Spinshare collects, uses, stores, and shares personal data when you visit spinshare.pro or use the Spinshare service. Spinshare is operated by WantedAudio GmbH i.G., based in Germany. We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).
1. Controller
The data controller responsible for processing personal data on this website is:
WantedAudio GmbH i.G.
TODO: street, postal code, city
Germany
Email: support@spinshare.pro
For full provider details, see our Legal Notice.
2. Data protection officer
TODO: confirm whether a Data Protection Officer is required and, if so, insert name and contact. Otherwise: “A Data Protection Officer has not been appointed. Please direct privacy enquiries to the controller above.”
3. Categories of personal data we process
Depending on how you use Spinshare, we may process:
- Account data: email address, hashed password, display name, account role, account creation and login timestamps.
- Profile data (producers): public slug, display name, bio, avatar/cover image URL, accent colour preferences, verification status, subscriber count.
- Content data: drop titles, descriptions, prices, external file links (e.g. Dropbox or Google Drive), and metadata you choose to publish.
- Subscription, follow, and unlock records: which producer you follow or subscribe to, which drops you have unlocked, timestamps, and price tier where applicable.
- Payment data: processed by Stripe (see Section 6). We receive limited Stripe identifiers (Stripe Customer ID, Stripe Connect Account ID, subscription status, charge amount, currency, country, last 4 digits / card brand). We do not store full payment card numbers.
- Communications: emails you send to us, support requests, and feedback you submit through the dashboard.
- Technical data: IP address (truncated where feasible), user-agent, request timestamps, referrer, and routing cookies necessary for authentication and security.
- Analytics and product data: if you give consent, anonymised or pseudonymised event data captured by PostHog (see Section 7).
4. Purposes and legal bases of processing
We process personal data on the following GDPR Art. 6 (1) legal bases:
- Performance of a contract (Art. 6 (1)(b)): creating and operating your account, delivering subscription access, processing payments and payouts, providing producer dashboards.
- Legal obligation (Art. 6 (1)(c)): retaining invoices and accounting records under German tax law (HGB / AO), responding to lawful requests from public authorities.
- Legitimate interests (Art. 6 (1)(f)): securing our service against fraud and abuse, rate-limiting, server logs for diagnostics, ensuring platform integrity. We balance these interests against your rights and freedoms.
- Consent (Art. 6 (1)(a)): non-essential cookies, product analytics, session recording, marketing emails (where applicable). You can withdraw consent at any time without affecting prior processing.
5. Account, authentication, and session cookies
To operate the service, we set strictly necessary cookies:
- NextAuth session cookies for keeping you signed in.
- CSRF protection cookies set by NextAuth.
- Referral / invite cookies (spinshare_ref, spinshare_invite) for attributing sign-ups to invite links you clicked, with a short lifetime.
These cookies are essential to operate the service you requested and do not require consent under § 25 (2) DDG.
6. Payments via Stripe
We use Stripe Payments Europe, Limited (1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland) and, where applicable, Stripe Connect to process subscription payments and producer payouts. When you make a payment, Stripe collects payment-card information and identity verification data directly. We receive only confirmation and limited transaction metadata.
Legal basis: performance of a contract (Art. 6 (1)(b) GDPR) for paying customers and producers receiving payouts. International transfers to Stripe affiliates outside the EEA, where they occur, rely on the EU Standard Contractual Clauses concluded by Stripe.
For Stripe’s own privacy practices, see stripe.com/privacy.
7. Analytics and product telemetry (PostHog)
We use PostHog to understand how producers and subscribers use Spinshare so we can improve the product. PostHog is operated by PostHog Inc., 2261 Market Street #4008, San Francisco, CA 94114, USA.
PostHog may capture pseudonymous event data, including UI clicks, page views, and (with masked input fields) anonymous session replays. A long-lived ph_did cookie is used to keep consistent buckets between server and client for feature experiments.
Legal basis: consent under Art. 6 (1)(a) GDPR and § 25 (1) DDG. We will only place non-essential analytics cookies and load PostHog tracking scripts after you give consent through our cookie banner. TODO: engineering work required to gate PostHog and the ph_did cookie behind explicit consent.
International transfers to PostHog Inc. (USA) rely on the EU Standard Contractual Clauses and any applicable adequacy decision. You can withdraw consent at any time through the cookie settings in our footer.
8. Hosting, infrastructure, and processors
We engage the following processors to operate Spinshare. Each processor is bound by a Data Processing Agreement under Art. 28 GDPR.
- Vercel Inc. (USA) for application hosting and global CDN.
- Supabase Inc. (USA) for PostgreSQL database hosting in EU regions where supported.
- Stripe Payments Europe, Ltd. (Ireland) for payment processing and Connect payouts.
- PostHog Inc. (USA) for product analytics and session replay (consent-based).
- Resend TODO: confirm transactional email provider and entity for transactional emails (sign-up verification, password reset, payout notifications).
- Dropbox / Google Drive: producers may voluntarily connect their Dropbox or Google Drive account to host their drop files. These services are independent controllers for the underlying file content; their privacy terms apply to data stored on their platforms.
Where data is transferred to processors outside the EEA, we rely on the EU Standard Contractual Clauses (SCCs) and supplementary safeguards required by the Schrems II ruling.
9. Data retention
- Account data is retained while your account is active. After you request deletion (see Section 11), we delete personal data that is not subject to a statutory retention obligation within a reasonable time, typically 30 days.
- Invoices and accounting records are retained for up to 10 years as required under §§ 257 HGB, 147 AO.
- Server logs are kept for diagnostics for a short period (typically up to 30 days) and then deleted or anonymised.
- Analytics events (with consent) are retained according to the PostHog data retention configuration we apply.
10. Your rights under GDPR
You have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR).
- Right to rectification (Art. 16 GDPR).
- Right to erasure (Art. 17 GDPR).
- Right to restriction of processing (Art. 18 GDPR).
- Right to data portability (Art. 20 GDPR).
- Right to object to processing based on legitimate interests (Art. 21 GDPR).
- Right to withdraw consent at any time, without affecting the lawfulness of prior processing (Art. 7 (3) GDPR).
- Right to lodge a complaint with a supervisory authority. The authority responsible for our place of business will be TODO: competent state data protection authority.
11. Account deletion and data deletion requests
You can request deletion of your account and associated personal data at any time by emailing support@spinshare.pro from the email address registered on your account. We will confirm receipt and complete deletion within a reasonable time, subject to the retention obligations in Section 9.
TODO: implement a self-service account deletion flow in the dashboard.
12. Security
We use TLS for all traffic to and from Spinshare, hash account passwords with industry-standard algorithms, mask form inputs in session recordings, encrypt OAuth tokens at rest, and apply rate-limiting on sensitive endpoints. No system can guarantee absolute security, but we apply technical and organisational measures appropriate to the risks.
13. Children
Spinshare is not directed at children. You must be at least 18 years old (or the age of legal majority in your jurisdiction) to create an account.
14. Changes to this policy
We may update this Privacy Policy to reflect changes in our processing or in the law. The “Last updated” date at the top reflects the latest revision. For material changes that affect your rights, we will notify you in advance through the service or by email.
15. Contact
For questions about this Privacy Policy or to exercise any of your rights, please email support@spinshare.pro.