Privacy Policy

1. Data Controller

2. Overview of Data Processing

This privacy policy explains what personal data we collect when you use our music discovery service ("Digster"), how we use it, and what rights you have.

3. Legal Basis for Processing

We process your personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable German data protection laws. The legal bases for processing are:

• Art. 6(1)(b) GDPR: Processing necessary for contract performance (providing the service)
• Art. 6(1)(a) GDPR: Your consent (e.g., for optional features)
• Art. 6(1)(f) GDPR: Our legitimate interests (e.g., fraud prevention, service improvement)

4. Data We Collect

4.1 Anonymous Users

For users without an account, we collect:

• Browser Fingerprint: A technical identifier based on your browser configuration to track search credits and prevent abuse
• Search Queries: Music tracks and artists you search for
• Technical Data: IP address, browser type, device information (automatically collected by our server)

4.2 Registered Users

When you create an account via OAuth, we collect:

• Profile Information: Name, email address, profile picture (from your OAuth provider)
• Account Data: User ID, authentication tokens
• Usage Data: Search history, playlists, saved tracks, credit balance
• Payment Information: Subscription status, payment method (processed by our payment provider)

4.3 Automatically Collected Data

• Log Files: Date/time of access, pages visited, referrer URL, HTTP status codes
• Cookies: Session cookies for authentication and functionality

5. How We Use Your Data

• Providing the music discovery service and search functionality
• Managing your account, credits, and subscriptions
• Preventing fraud and abuse (e.g., credit system enforcement)
• Improving our service and developing new features
• Communicating with you about your account and service updates
• Complying with legal obligations

6. Data Sharing and Third Parties

We share your data only in the following cases:

6.1 Service Providers

• YouTube API: For playing music videos (subject to YouTube's Terms of Service and Privacy Policy)
• Database Hosting: PostgreSQL hosting provider (data stored in EU/Germany)
• OAuth Providers: For authentication (e.g., Google, GitHub)
• Payment Processors: For subscription payments (GDPR-compliant EU providers)

6.2 Legal Requirements

We may disclose your data if required by law, court order, or to protect our legal rights.

7. Data Storage and Retention

• Active Accounts: Data stored while your account is active
• Deleted Accounts: Data deleted within 30 days of account deletion
• Anonymous Users: Fingerprint data retained for 90 days for abuse prevention
• Legal Retention: Some data (e.g., payment records) retained for tax/legal requirements (up to 10 years)

All data is stored on servers located in the European Union (Germany/EU data centers) in compliance with GDPR.

8. Your Rights (GDPR)

You have the following rights regarding your personal data:

• Right of Access (Art. 15 GDPR): Request a copy of your personal data
• Right to Rectification (Art. 16 GDPR): Correct inaccurate data
• Right to Erasure (Art. 17 GDPR): Delete your data ("right to be forgotten")
• Right to Restriction (Art. 18 GDPR): Limit how we process your data
• Right to Data Portability (Art. 20 GDPR): Receive your data in a machine-readable format
• Right to Object (Art. 21 GDPR): Object to processing based on legitimate interests
• Right to Withdraw Consent (Art. 7(3) GDPR): Withdraw consent at any time

To exercise these rights, contact us at: hello@softwerk.ai

9. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority:

10. Data Security

We implement appropriate technical and organizational measures to protect your data against unauthorized access, loss, or destruction. This includes:

• HTTPS encryption for all data transmission
• Secure authentication via OAuth providers
• Regular security audits and updates
• Access controls and employee training
• EU-based secure server infrastructure

11. Cookies and Tracking

We use the following cookies:

• Essential Cookies: Required for authentication and basic functionality (no consent needed per § 25 TTDSG)
• Browser Fingerprinting: Technical identifier for anonymous users (legitimate interest for fraud prevention)

We do not use third-party analytics or advertising cookies.

12. YouTube Embedded Content

Our service embeds YouTube videos via the YouTube API. When you play a video, YouTube may collect data about your viewing behavior. This is subject to YouTube's Privacy Policy:https://policies.google.com/privacy

13. Children's Privacy

Our service is not intended for users under 16 years of age. We do not knowingly collect data from children. If you believe we have inadvertently collected data from a child, please contact us immediately.

14. Changes to This Privacy Policy

We may update this privacy policy to reflect changes in our practices or legal requirements. We will notify you of significant changes via email or a prominent notice on our website. The "Last updated" date at the top indicates when the policy was last revised.

15. Contact Us

For questions about this privacy policy or to exercise your rights, contact us:

16. MVP Notice

This service is currently operating as a Minimum Viable Product (MVP) for validation purposes. We are committed to maintaining full compliance with GDPR and German data protection laws during this period. User feedback and data handling practices may be adjusted based on validation results.