EXVERSIO

Legal

Privacy Policy

Your privacy matters. This policy explains how EXVERSIO handles your personal data.

Last Updated: May 13, 2026

1. INTRODUCTION

EXVERSIO ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our music subscription platform, including our website and mobile applications (collectively, the "Service").

This Privacy Policy is designed to comply with the General Data Protection Regulation (GDPR) and applicable Dutch data protection laws. By using the Service, you agree to the collection and use of information in accordance with this policy.

This policy applies to two types of users:

  • Fans / Subscribers — users who subscribe to access Artist content
  • Artists / Creators — content creators who upload music and receive payouts

Where processing differs between these groups, this is noted in the relevant section.

Data Controller:
EXVERSIO, a sole proprietorship (eenmanszaak) registered in the Netherlands.
Contact: privacy@exversio.com

2. INFORMATION WE COLLECT

2.1 Account Information (Fans and Artists)

When you create an account, we collect:

  • Email address
  • Password (encrypted)
  • Display name / username (and, for Artists, public artist name)
  • Profile picture (optional)
  • Account creation date
  • Account type (Fan or Artist)

2.2 Additional Information for Artists

When you become an Artist, we additionally collect or process:

  • Genre and biography information you choose to display
  • Artist verification information (where requested)
  • References to your Stripe Connected Account (account ID and status only — see 2.3)
  • Track metadata you upload (track names, artwork, file metadata)
  • Earnings statistics and payout history (aggregate, no card details)
  • Referral codes and referral relationships you create

2.3 Payment and Payout Information

For Fans: We do not store your payment card details. All payment processing is handled by Stripe, our third-party payment processor. We receive:

  • Subscription status (active / cancelled)
  • Billing date
  • Last four digits of your payment method (for reference)
  • Payment confirmation tokens

For Artists: Payouts are processed through Stripe Connect. We receive:

  • Stripe Connected Account ID
  • Connected account status (e.g. onboarding complete, payouts enabled)
  • Aggregated payout history per invoice (amount transferred, timestamp)

We do not store your bank account details, tax IDs, or identity documents — these are held by Stripe under Stripe's privacy policy and applicable financial regulations.

2.4 Usage Data

We collect information about how you use the Service:

  • Streaming activity (what you listen to, when, and for how long) — Fans
  • Artists you subscribe to — Fans
  • Tracks uploaded, edited, or removed — Artists
  • Device type and operating system
  • IP address (automatically collected)
  • App version and build
  • Crash reports and error logs

2.5 Device Information (Security Purposes)

To protect against unauthorized access and account sharing, we collect:

  • Device unique identifier (UUID)
  • Device fingerprint (anonymized hardware characteristics)
  • Operating system version
  • App install date
  • Last login timestamp

Purpose: This data enables us to detect suspicious activity, prevent account sharing, and enforce single-device streaming limits where applicable.

2.6 Technical Data

  • Browser type and version
  • Time zone setting and location
  • Log data (timestamps of actions performed)
  • Cookies and similar tracking technologies

2.7 Audio Access Logs (Content Protection)

Each time a Fan requests to stream a track, the Service records a log entry to protect Artists' exclusive Content and detect misuse:

  • Track identifier
  • Artist identifier
  • Access type (preview or full)
  • Account identifier and device identifier (see 2.5)
  • IP address
  • Timestamp

Purpose: enforce subscription gating, attribute leaks, run rate limiting, and detect anomalous behaviour such as unusually high request volume, a single account used from many devices, or one device used by many accounts.

2.8 Screen Capture Attempt Logs

When the mobile app detects a screenshot or screen recording attempt while a Fan is playing a full (unlocked) track, the Service records a log entry:

  • Event type (screenshot or recording_detected)
  • Track identifier (if applicable)
  • Account identifier and device identifier
  • Platform (iOS or Android)
  • IP address and timestamp

No image or recording of your screen is captured or stored — only the fact that an attempt was made. The Service does not access your photo library, camera roll, or files. Screen capture detection runs locally on your device.

Purpose: protect Artists' Content against unauthorised recording and distribution, and provide an audit trail in the event of a copyright complaint.

2.9 Upload and Content Logs (Artists)

When an Artist uploads, edits, or removes Content, we log:

  • Artist account identifier
  • Track identifier and metadata
  • Upload, edit, or removal timestamp
  • IP address from which the action was performed
  • Confirmation of rights affirmation (the rights checkbox accepted at upload)

Purpose: maintain an audit trail of Artist actions, support copyright dispute resolution, and demonstrate Artist consent to applicable terms at the time of upload.

3. HOW WE USE YOUR INFORMATION

3.1 To Provide the Service

  • Authenticate your account
  • Process subscriptions and payments (Fans)
  • Process payouts (Artists, via Stripe Connect)
  • Enable streaming of content
  • Maintain your subscription and listening history
  • Calculate supporter value and rewards eligibility
  • Operate the Creator Dashboard for Artists

3.2 To Improve the Service

  • Analyze usage patterns to optimize performance
  • Identify and fix technical issues
  • Develop new features based on user behavior
  • Monitor app stability through error tracking

3.3 For Security and Fraud Prevention

  • Detect and prevent unauthorized access
  • Identify suspicious account activity
  • Enforce streaming limits and anti-piracy measures
  • Investigate potential terms of service violations
  • Verify Artist identity and rights claims

3.4 For Legal Compliance and Dispute Resolution

  • Respond to copyright takedown notices
  • Maintain audit trails for content removal and upload events
  • Respond to lawful requests from authorities
  • Maintain financial and tax records as required by Dutch law

3.5 For Communication

  • Send subscription confirmations and receipts
  • Notify you of important account changes
  • Send payout notifications (Artists)
  • Send service-related announcements
  • Respond to your support requests

3.6 With Your Consent

  • Marketing communications (only if you opt in)
  • Feature announcements and artist updates
  • Surveys and feedback requests

4. LEGAL BASIS FOR PROCESSING (GDPR)

We process your personal data based on the following legal grounds:

Purpose | Legal Basis
Account creation and management | Performance of contract (Art. 6(1)(b) GDPR)
Payment processing (Fans) | Performance of contract (Art. 6(1)(b) GDPR)
Payout processing (Artists) | Performance of contract (Art. 6(1)(b) GDPR)
Service provision (streaming) | Performance of contract (Art. 6(1)(b) GDPR)
Security and fraud prevention | Legitimate interests (Art. 6(1)(f) GDPR)
Service improvement and analytics | Legitimate interests (Art. 6(1)(f) GDPR)
Copyright and dispute audit logs | Legitimate interests (Art. 6(1)(f) GDPR)
Marketing (with consent) | Consent (Art. 6(1)(a) GDPR)
Legal and tax compliance | Legal obligation (Art. 6(1)(c) GDPR)

5. DATA RETENTION

We retain your personal data only as long as necessary for the purposes outlined in this Privacy Policy:

Data Type | Retention Period | Reason
Account information | Deleted immediately on account deletion | Contract fulfillment, legal obligations
Payment records (Fans) | 7 years (anonymised after account deletion) | Tax and accounting obligations (Dutch law)
Payout records (Artists) | 7 years (anonymised after account deletion) | Tax and accounting obligations (Dutch law)
Streaming history | Deleted immediately on account deletion, otherwise 2 years from streaming date | Service functionality, rewards calculation
IP addresses and logs | 90 days | Security monitoring, fraud prevention
Device identifiers | Deleted immediately on account deletion | Security, device management
Audio access logs | Deleted immediately on account deletion, otherwise 12 months | Content protection, anomaly detection, leak attribution
Screen capture attempt logs | Deleted immediately on account deletion, otherwise 12 months | Anti-piracy, copyright complaint audit trail
Upload and content logs | 7 years | Copyright dispute audit trail, tax / contract evidence
Error logs | 90 days | Technical troubleshooting
Support tickets | 3 years after resolution | Legal defense, quality assurance
Copyright claim records | 7 years after claim resolution | Legal evidence, repeat-infringer policy

After the retention period expires, we securely delete or anonymize your data. See Section 8.3 for the in-app deletion path and a summary of what is deleted versus what is retained in anonymised form.

6. DATA SHARING AND THIRD PARTIES

We do not sell your personal data. We only share data with:

6.1 Service Providers

  • Stripe (payment processing and Stripe Connect for Artist payouts) — processes Fan payment information and Artist KYC and payout details
  • Supabase (database and hosting) — stores all platform data
  • Google Analytics (usage analytics) — helps us understand user behavior
  • Sentry (error monitoring) — tracks and reports app crashes and bugs

Each service provider is contractually bound to process data only for specified purposes and maintain appropriate security measures.

6.2 Between Fans and Artists

When you subscribe to an Artist:

  • The Artist can see your display name
  • The Artist can see that you are a subscriber and your subscription duration
  • The Artist receives aggregate statistics (total subscribers, total listen time)
  • Artists do not see your email address, payment details, or IP address

When you upload as an Artist:

  • Your public artist name, biography, and content metadata are visible to Fans and visitors
  • Your email address, real name (if different from artist name), and payout details are not disclosed to Fans

6.3 Legal Requirements

We may disclose your data if required to do so by law or in response to valid requests by public authorities (e.g., court orders, law enforcement, or copyright claims supported by valid notice).

6.4 Business Transfers

If EXVERSIO is acquired by or merged with another company, your data may be transferred as part of that transaction. We will notify you before any such transfer.

7. INTERNATIONAL DATA TRANSFERS

Your data is stored on servers located in the European Union (via Supabase). Some of our third-party service providers may process data outside the EU:

  • Stripe: Data may be processed in the US under Standard Contractual Clauses
  • Google Analytics: Data may be processed in the US under Standard Contractual Clauses
  • Sentry: Data may be processed in the US under Standard Contractual Clauses

We ensure appropriate safeguards are in place for all international transfers in compliance with GDPR Chapter V.

8. YOUR RIGHTS UNDER GDPR

As a data subject, you have the following rights:

8.1 Right to Access

You can request a copy of all personal data we hold about you.

8.2 Right to Rectification

You can request that we correct inaccurate or incomplete data.

8.3 Right to Erasure ("Right to be Forgotten") and Account Deletion

You can delete your account at any time:

  • In the EXVERSIO mobile app: open Profile → Account → Delete My Account and confirm.
  • By email: contact us at privacy@exversio.com and we will action your request within 30 days.

When your account is deleted, we will:

  • Immediately cancel any active subscriptions on your behalf via Stripe.
  • Permanently delete your account information, profile data, saved tracks, listening history, device records, audio access logs, and screen capture attempt logs.
  • For Artists: permanently delete your artist profile, uploaded tracks, and associated content metadata.
  • Retain payment and payout records in anonymised form for 7 years where required by Dutch tax and accounting law. After deletion these records no longer link to your name, email, or contact details, only to the originating transaction (see Section 5).
  • Retain copyright and rights-affirmation logs for 7 years where required as legal evidence in copyright disputes. These records are tied to the former account identifier but do not contain your contact details.

Account deletion is permanent and cannot be reversed. You can sign up again with the same email address afterwards, but your previous account, subscriptions, listening history, and any Artist content will not be restored.

8.4 Right to Restrict Processing

You can request that we limit how we use your data in certain circumstances.

8.5 Right to Data Portability

You can request your data in a structured, commonly used format.

8.6 Right to Object

You can object to processing based on legitimate interests, including profiling and direct marketing.

8.7 Right to Withdraw Consent

Where we rely on consent, you can withdraw it at any time.

8.8 Right to Lodge a Complaint

You have the right to complain to a data protection authority, specifically the Autoriteit Persoonsgegevens in the Netherlands.

To exercise any of these rights, contact us at: privacy@exversio.com

We will respond to all requests within 30 days. We may need to verify your identity before processing your request.

9. COOKIES AND TRACKING TECHNOLOGIES

9.1 What We Use

  • Essential cookies: Required for the Service to function (authentication, security)
  • Analytics cookies: Help us understand how users interact with the platform (Google Analytics)
  • Functional cookies: Remember your preferences (language, playback settings)

9.2 Third-Party Cookies

Our payment processor (Stripe) and analytics provider (Google) may set cookies. These are governed by their respective privacy policies.

9.3 Your Choices

  • You can manage cookie preferences through your browser settings
  • You can opt out of Google Analytics tracking using the Google Analytics Opt-out Browser Add-on
  • Essential cookies cannot be disabled without affecting Service functionality

10. DATA SECURITY

We implement appropriate technical and organizational measures to protect your data:

  • Encryption: All data is encrypted in transit (TLS 1.2+) and at rest
  • Access controls: Role-based access to production systems
  • Authentication: Secure password hashing (bcrypt)
  • Monitoring: Continuous security monitoring and logging
  • Backups: Encrypted backups with restricted access
  • Device security: Rate limiting, device fingerprinting, and suspicious activity detection
  • Audio access controls: Server-side signed URLs scoped to authenticated accounts

Despite these measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

11. CHILDREN'S PRIVACY

The Service is not intended for children under 18 years of age. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately at privacy@exversio.com.

12. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time. We will notify you of any changes by:

  • Posting the new Privacy Policy on this page
  • Updating the "Last Updated" date
  • Sending an email notification for material changes

We encourage you to review this Privacy Policy periodically. Changes are effective when posted unless otherwise stated.

13. DATA BREACH NOTIFICATION

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours
  • Notify affected users without undue delay when required by law

14. CONTACT US

For privacy-related questions, data requests, or concerns:

Email: privacy@exversio.com
Response time: Within 48 hours
Data Protection Officer: Currently handled by the founder; a dedicated DPO will be appointed when required by law (as the company grows)

Mailing Address:
EXVERSIO
[Business Address]
Netherlands

Supervisory Authority:
Autoriteit Persoonsgegevens
Bezuidenhoutseweg 57
2594 AC Den Haag
Netherlands
https://autoriteitpersoonsgegevens.nl

By using EXVERSIO, you acknowledge that you have read and understood this Privacy Policy.