Privacy Policy
Last updated: 27 January 2026
1. Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) is:
Bartosz Szega
STREET
CITY
COUNTRY
Email: EMAIL@gmail.com
Phone: PHONE
Data Protection Officer
We are not required to appoint a data protection officer.
2. Hosting and Infrastructure
We operate this website on a dedicated server provided by ZAP-Hosting GmbH (Germany).
3. Logs, Monitoring and Security
When you use our website, technical data may be processed to ensure secure operation, prevent abuse, and troubleshoot errors. Depending on the component, this may include IP address, timestamp, requested URL, status codes, user agent, referrer, and (in authenticated areas) technical account/session identifiers.
We use, in particular:
- Nginx (web server / reverse proxy) access and error logs
- Docker service/container logs (runtime logs)
- Node.js/Express API logs
- Centralized logging via Grafana + Loki
- Monitoring via Prometheus (service/health metrics)
- Certbot / Let’s Encrypt operational logs for certificate automation
Purpose: secure and technically reliable operation, abuse prevention, troubleshooting, performance and stability monitoring.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure and reliable operation).
Retention: Technical logs are stored for up to 90 days and are then deleted or rotated, unless longer storage is required in an individual case to investigate or defend against abuse/attacks or to comply with legal obligations.
4. Cookies and End-Device Access
Our website uses cookies that are necessary to provide core functionality and security.
Legal basis: Section 25(2) No. 2 TDDDG (strictly necessary) and Art. 6(1)(b) GDPR (performance of the service/user relationship).
| Name | Purpose | Category | Retention |
|---|---|---|---|
| tt_access_bootstrap_prod | Short-term authentication bootstrap | Necessary | 15 minutes |
| tt_refresh_prod | Persistent session management | Necessary | 90 days |
| tt_csrf_prod | Security (CSRF prevention) | Necessary | Session |
| locale | Language preference | Preference | 180 days |
We do not use analytics or marketing cookies unless explicitly stated in this policy. The locale cookie is set when you select a language.
5. Google OAuth Login
When you log in via Google OAuth, we receive data from Google which may include your email address, your name, and (depending on configuration/scopes) a profile picture URL.
Purpose: authentication and account provision.
Legal basis: Art. 6(1)(b) GDPR (performance of the user relationship/account).
6. Account Data
When you create and use an account, we store the data required to operate your account (e.g., email address, user identifier, and technical account/session data).
Purpose: account operation and security.
Legal basis: Art. 6(1)(b) GDPR.
Retention: until the account is deleted, unless statutory retention obligations require longer storage.
Stored account data may include account timestamps (e.g., account creation and last login) and, if applicable, an OAuth provider identifier.
7. Demo Submission
When you submit a demo, we process the information you provide (e.g., artist name, email, track info, links/files, messages).
Purpose: review and selection process, contacting you about potential collaboration.
Legal basis: Art. 6(1)(b) GDPR (pre-contractual steps) and/or Art. 6(1)(f) GDPR (legitimate interest in evaluating submissions).
Retention: up to 12 months, unless you request deletion earlier or legal obligations require longer retention. You can request deletion at any time by contacting us at EMAIL.
8. Recipients
Access to your data is limited to persons who need it for reviewing demos and operating the platform. We may use service providers who process data on our behalf, in particular:
- ZAP-Hosting GmbH (hosting/infrastructure)
- Google (OAuth login)
9. Your Rights
You have the right to access your personal data, to have it rectified or deleted, to have its processing restricted, to data portability, and to object to processing (where applicable).
To exercise your rights, you can contact us at EMAIL.
You also have the right to lodge a complaint with a data protection supervisory authority, in particular in your place of residence, place of work, or where the controller is located (Germany). In Baden-Württemberg, the competent authority is the State Commissioner for Data Protection and Freedom of Information (LfDI BW).
10. International Transfers
The processing of your data generally takes place in the EU/EEA. For Google OAuth, Google Ireland Limited may process data and a transfer to Google LLC (USA) may occur. Google may rely on appropriate safeguards (e.g., adequacy decision under the EU-U.S. Data Privacy Framework and/or standard contractual clauses), where applicable.
We do not use automated decision-making or profiling within the meaning of Art. 22 GDPR.