Last Updated: April 16, 2026
1. INTRODUCTION
EXVERSIO ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our music subscription platform, including our website and mobile applications (collectively, the "Service").
This Privacy Policy is designed to comply with the General Data Protection Regulation (GDPR) and applicable Dutch data protection laws. By using the Service, you agree to the collection and use of information in accordance with this policy.
Data Controller:
EXVERSIO, a sole proprietorship (eenmanszaak) registered in the Netherlands.
Contact: privacy@exversio.com
2. INFORMATION WE COLLECT
2.1 Account Information
When you create an account, we collect:
- Email address
- Password (stored in hashed form; see Section 10)
- Display name/username
- Profile picture (optional)
- Account creation date
2.2 Payment Information
We do not store your payment details. All payment processing is handled by Stripe, our third-party payment processor. We only receive:
- Subscription status (active/cancelled)
- Billing date
- Last four digits of your payment method (for reference)
- Payment confirmation tokens
2.3 Usage Data
We collect information about how you use the Service:
- Streaming activity (what you listen to, when, and for how long)
- Artists you subscribe to
- Device type and operating system
- IP address (automatically collected)
- App version and build
- Crash reports and error logs
2.4 Device Information (Security Purposes)
To protect against unauthorized access and account sharing, we collect:
- Device unique identifier (UUID)
- Device fingerprint (anonymized hardware characteristics)
- Operating system version
- App install date
- Last login timestamp
Purpose: This data enables us to detect suspicious activity, prevent account sharing, and enforce single-device streaming limits where applicable.
2.5 Technical Data
- Browser type and version
- Time zone setting and location
- Log data (timestamps of actions performed)
- Cookies and similar tracking technologies
3. HOW WE USE YOUR INFORMATION
3.1 To Provide the Service
- Authenticate your account
- Process subscriptions and payments
- Enable streaming of content
- Maintain your subscription history
- Calculate supporter value and rewards eligibility
3.2 To Improve the Service
- Analyze usage patterns to optimize performance
- Identify and fix technical issues
- Develop new features based on user behavior
- Monitor app stability through error tracking
3.3 For Security and Fraud Prevention
- Detect and prevent unauthorized access
- Identify suspicious account activity
- Enforce streaming limits and anti-piracy measures
- Investigate potential terms of service violations
3.4 For Communication
- Send subscription confirmations and receipts
- Notify you of important account changes
- Send service-related announcements
- Respond to your support requests
3.5 With Your Consent
- Marketing communications (only if you opt in)
- Feature announcements and artist updates
- Surveys and feedback requests
4. LEGAL BASIS FOR PROCESSING (GDPR)
We process your personal data based on the following legal grounds:
| Purpose | Legal Basis |
|---|---|
| Account creation and management | Performance of contract (Art. 6(1)(b) GDPR) |
| Payment processing | Performance of contract (Art. 6(1)(b) GDPR) |
| Service provision (streaming) | Performance of contract (Art. 6(1)(b) GDPR) |
| Security and fraud prevention | Legitimate interests (Art. 6(1)(f) GDPR) |
| Service improvement and analytics | Legitimate interests (Art. 6(1)(f) GDPR) |
| Marketing (with consent) | Consent (Art. 6(1)(a) GDPR) |
| Legal compliance | Legal obligation (Art. 6(1)(c) GDPR) |
5. DATA RETENTION
We retain your personal data only as long as necessary for the purposes outlined in this Privacy Policy:
| Data Type | Retention Period | Reason |
|---|---|---|
| Account information | Until account deletion + 30 days | Contract fulfillment, legal obligations |
| Payment records | 7 years | Tax and accounting obligations (Dutch law) |
| Streaming history | 2 years from streaming date | Service functionality, rewards calculation |
| IP addresses and logs | 90 days | Security monitoring, fraud prevention |
| Device identifiers | Until account deletion | Security, device management |
| Error logs | 90 days | Technical troubleshooting |
| Support tickets | 3 years after resolution | Legal defense, quality assurance |
After the retention period expires, we securely delete or anonymize your data.
6. DATA SHARING AND THIRD PARTIES
We do not sell your personal data. We only share data with:
6.1 Service Providers
- Stripe (payment processing) — processes your payment information
- Supabase (database and hosting) — stores all platform data
- Google Analytics (usage analytics) — helps us understand user behavior
- Sentry (error monitoring) — tracks and reports app crashes and bugs
Each service provider is contractually bound to process data only for specified purposes and maintain appropriate security measures.
6.2 Artists
When you subscribe to an Artist:
- The Artist can see your display name
- The Artist can see that you are a subscriber
- The Artist receives aggregate statistics (total subscribers, total listen time)
- Artists do NOT see your email address, payment details, or IP address
6.3 Legal Requirements
We may disclose your data if required to do so by law or in response to valid requests by public authorities (e.g., court orders, law enforcement).
6.4 Business Transfers
If EXVERSIO is acquired by or merged with another company, your data may be transferred as part of that transaction. We will notify you before any such transfer.
7. INTERNATIONAL DATA TRANSFERS
Your data is stored on servers located in the European Union (via Supabase). Some of our third-party service providers may process data outside the EU:
- Stripe: Data may be processed in the US under Standard Contractual Clauses
- Google Analytics: Data may be processed in the US under Standard Contractual Clauses
- Sentry: Data may be processed in the US under Standard Contractual Clauses
We ensure appropriate safeguards are in place for all international transfers in compliance with GDPR Chapter V.
8. YOUR RIGHTS UNDER GDPR
As a data subject, you have the following rights:
8.1 Right to Access
You can request a copy of all personal data we hold about you.
8.2 Right to Rectification
You can request that we correct inaccurate or incomplete data.
8.3 Right to Erasure ("Right to be Forgotten")
You can request deletion of your account and associated data, subject to legal retention requirements.
8.4 Right to Restrict Processing
You can request that we limit how we use your data in certain circumstances.
8.5 Right to Data Portability
You can request your data in a structured, commonly used format.
8.6 Right to Object
You can object to processing based on legitimate interests, including profiling and direct marketing.
8.7 Right to Withdraw Consent
Where we rely on consent, you can withdraw it at any time.
8.8 Right to Lodge a Complaint
You have the right to complain to a data protection authority, specifically the Autoriteit Persoonsgegevens in the Netherlands.
To exercise any of these rights, contact us at: privacy@exversio.com
We will respond to all requests within 30 days. We may need to verify your identity before processing your request.
9. COOKIES AND TRACKING TECHNOLOGIES
9.1 What We Use
- Essential cookies: Required for the Service to function (authentication, security)
- Analytics cookies: Help us understand how users interact with the platform (Google Analytics)
- Functional cookies: Remember your preferences (language, playback settings)
9.2 Third-Party Cookies
Our payment processor (Stripe) and analytics provider (Google) may set cookies. These are governed by their respective privacy policies.
9.3 Your Choices
- You can manage cookie preferences through your browser settings
- You can opt out of Google Analytics tracking using the Google Analytics Opt-out Browser Add-on
- Essential cookies cannot be disabled without affecting Service functionality
10. DATA SECURITY
We implement appropriate technical and organizational measures to protect your data:
- Encryption: All data is encrypted in transit (TLS 1.2+) and at rest
- Access controls: Role-based access to production systems
- Authentication: Secure password hashing (bcrypt)
- Monitoring: Continuous security monitoring and logging
- Backups: Encrypted backups with restricted access
- Device security: Rate limiting, device fingerprinting, and suspicious activity detection
Despite these measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.
11. CHILDREN'S PRIVACY
The Service is not intended for children under 18 years of age. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately.
12. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time. We will notify you of any changes by:
- Posting the new Privacy Policy on this page
- Updating the "Last Updated" date
- Sending an email notification for material changes
We encourage you to review this Privacy Policy periodically. Changes are effective when posted unless otherwise stated.
13. DATA BREACH NOTIFICATION
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours
- Notify affected users without undue delay when required by law
14. CONTACT US
For privacy-related questions, data requests, or concerns:
Email: privacy@exversio.com
Response time: Within 48 hours
Data Protection Officer: Currently handled by the founder; a dedicated DPO will be appointed when required by law (as the company grows)
Mailing Address:
EXVERSIO
[Business Address]
Netherlands
Supervisory Authority:
Autoriteit Persoonsgegevens
Bezuidenhoutseweg 57
2594 AC Den Haag
Netherlands
https://autoriteitpersoonsgegevens.nl
By using EXVERSIO, you acknowledge that you have read and understood this Privacy Policy.