Privacy Policy

1. Data Controller

2. Overview of Data Processing

This privacy policy explains what personal data we collect when you use our music discovery service ("DigDeeper"), how we use it, and what rights you have.

3. Legal Basis for Processing

We process your personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable German data protection laws. The legal bases for processing are:

• Art. 6(1)(b) GDPR: Processing necessary for contract performance (providing the service)
• Art. 6(1)(a) GDPR: Your consent (e.g., for optional features)
• Art. 6(1)(f) GDPR: Our legitimate interests (e.g., fraud prevention, service improvement)

4. Data We Collect

4.1 Anonymous Users

For users without an account, we collect:

• Browser Fingerprint: A technical identifier based on your browser configuration to track search credits and prevent abuse
• Search Queries: Music tracks and artists you search for
• Technical Data: IP address, browser type, device information (automatically collected by our server)

4.2 Registered Users

When you create an account via OAuth, we collect:

• Profile Information: Name, email address, profile picture (from your OAuth provider)
• Account Data: User ID, authentication tokens
• Usage Data: Search history, playlists, saved tracks, credit balance
• Payment Information: Subscription status, payment method (processed by our payment provider)

4.3 Automatically Collected Data

• Log Files: Date/time of access, pages visited, referrer URL, HTTP status codes
• Cookies: Session cookies for authentication and functionality

5. How We Use Your Data

• Providing the music discovery service and search functionality
• Managing your account, credits, and subscriptions
• Preventing fraud and abuse (e.g., credit system enforcement)
• Improving our service and developing new features
• Communicating with you about your account and service updates
• Complying with legal obligations

6. Data Sharing and Third Parties

We share your data only in the following cases:

6.1 Service Providers

• YouTube API: For playing music videos (subject to YouTube's Terms of Service and Privacy Policy)
• Database Hosting: PostgreSQL hosting provider (data stored in EU/Germany)
• OAuth Providers: For authentication (e.g., Google, GitHub)
• Payment Processors: For subscription payments (GDPR-compliant EU providers)
• PostHog (EU cluster): Product analytics, heatmaps and session replay. Operated by PostHog Inc. with EU data residency (eu.i.posthog.com). Used only with your consent (or, in jurisdictions where opt-out is sufficient, with notice).
• Microsoft Clarity (beta.digdeeper.fm only): Heatmaps and session replay on our beta environment. Operated by Microsoft Corporation.

6.2 Legal Requirements

We may disclose your data if required by law, court order, or to protect our legal rights.

7. Data Storage and Retention

• Active Accounts: Data stored while your account is active
• Deleted Accounts: Data deleted within 30 days of account deletion
• Anonymous Users: Fingerprint data retained for 90 days for abuse prevention
• Legal Retention: Some data (e.g., payment records) retained for tax/legal requirements (up to 10 years)

All data is stored on servers located in the European Union (Germany/EU data centers) in compliance with GDPR.

8. Your Rights (GDPR)

You have the following rights regarding your personal data:

• Right of Access (Art. 15 GDPR): Request a copy of your personal data
• Right to Rectification (Art. 16 GDPR): Correct inaccurate data
• Right to Erasure (Art. 17 GDPR): Delete your data ("right to be forgotten")
• Right to Restriction (Art. 18 GDPR): Limit how we process your data
• Right to Data Portability (Art. 20 GDPR): Receive your data in a machine-readable format
• Right to Object (Art. 21 GDPR): Object to processing based on legitimate interests
• Right to Withdraw Consent (Art. 7(3) GDPR): Withdraw consent at any time

To exercise these rights, contact us at: hello@softwerk.ai

9. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority:

10. Data Security

We implement appropriate technical and organizational measures to protect your data against unauthorized access, loss, or destruction. This includes:

• HTTPS encryption for all data transmission
• Secure authentication via OAuth providers
• Regular security audits and updates
• Access controls and employee training
• EU-based secure server infrastructure

11. Cookies, Tracking and Analytics

11.1 Cookie Categories

• Essential Cookies: Required for authentication, sign-in sessions, search credits and basic security. Always active — without these the site cannot work. No consent required (§ 25(2) TTDDSG, contract necessity per Art. 6(1)(b) GDPR).
• Browser Fingerprinting: Technical identifier for anonymous users to enforce free-tier search limits and prevent abuse. Legitimate interest per Art. 6(1)(f) GDPR.
• Product Analytics & Session Replay: PostHog (EU-hosted) collects page views, clicks, scroll depth, feature usage, performance metrics and session recordings (mouse, clicks, typed text in form fields). Passwords and payment fields are masked at the source. Once you sign in, events are linked to your account along with your subscription plan and credit balance. Used only with consent (Art. 6(1)(a) GDPR) where required by law.
• Attribution Storage: A localStorage entry (digdeeper_attribution_v1) stores the first marketing campaign you arrived from (UTM parameters and referrer) so we can attribute conversions correctly. Stored locally on your device, never sent without analytics consent.

11.2 Geo-Aware Consent

We determine your country server-side to comply with the law applicable to your visit:

• Opt-in jurisdictions (EU/EEA, UK, Switzerland, Brazil, Peru, Uruguay, South Korea, Thailand, India, China, Vietnam, Indonesia, Turkey, Saudi Arabia, UAE, South Africa, Russia): A consent banner is shown on your first visit. Analytics and session replay only start after you click "Accept all".
• Notice-and-opt-out jurisdictions (United States outside California with GPC, Canada, Mexico, Argentina, Chile, Colombia, Australia, New Zealand, Japan, Singapore, Hong Kong): Analytics start automatically based on this notice. You can opt out at any time via the "Privacy Settings" link in the footer.
• Global Privacy Control (Sec-GPC): If your browser sends the Sec-GPC signal, analytics are disabled regardless of jurisdiction. This satisfies the universal opt-out requirements of California, Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon and Texas.

11.3 Withdrawing Consent

You can change your decision at any time via the Privacy Settings link in the footer. Withdrawing analytics consent stops further tracking and clears PostHog cookies and localStorage entries from your browser. Past events that were already transmitted with your consent remain in PostHog until retention expires (12 months for analytics events, 30 days for session recordings).

12. Country Detection (IP Geolocation)

To decide whether a consent banner is legally required for your visit, we resolve your country (and, for US visitors, your state) from your IP address server-side. No IP address is sent to a third-party geolocation service. We use one of two sources:

• CDN headers (if available): When traffic is routed through our CDN, the country code is already present in the request headers — no lookup or storage on our side.
• DB-IP IP-to-Country Lite database (db-ip.com), licensed under CC BY 4.0, loaded into our application's memory. Lookups happen entirely on our server.

The resolved country code is used only to gate the consent banner. It is not persisted to your user profile or shared with any third party.

13. YouTube Embedded Content

Our service embeds YouTube videos via the YouTube API. When you play a video, YouTube may collect data about your viewing behavior. This is subject to YouTube's Privacy Policy:https://policies.google.com/privacy

14. Children's Privacy

Our service is not intended for users under 16 years of age. We do not knowingly collect data from children. If you believe we have inadvertently collected data from a child, please contact us immediately.

15. Changes to This Privacy Policy

We may update this privacy policy to reflect changes in our practices or legal requirements. We will notify you of significant changes via email or a prominent notice on our website. The "Last updated" date at the top indicates when the policy was last revised.

16. Contact Us

For questions about this privacy policy or to exercise your rights, contact us:

17. MVP Notice

This service is currently operating as a Minimum Viable Product (MVP) for validation purposes. We are committed to maintaining full compliance with GDPR and German data protection laws during this period. User feedback and data handling practices may be adjusted based on validation results.