Privacy & data.
How Droploud collects, uses, stores and shares Personal Data — written in plain English, mapped to GDPR, last reviewed by a human on 26 April 2026.
Definitions.
"Droploud", "we", "us", and "our" refer to the operator of the droploud.com platform ("the Website"). "Service" refers to the Website and all related tools, features, and functionality. "User", "you", and "your" refer to any person who accesses or uses the Service. "Personal Data" means any information relating to an identified or identifiable natural person.
General principles.
We are committed to the following data protection principles:
- We collect Personal Data only for identified, specific, and legitimate purposes
- We process data lawfully, fairly, and transparently
- We keep Personal Data accurate and up to date
- We retain data only as long as necessary for the stated purposes
- We implement appropriate security safeguards to protect your data
- We make information about our data practices openly available
- We comply with the General Data Protection Regulation (GDPR) and applicable Italian and EU data protection laws
Agreement.
By accessing the Website or using the Service, you acknowledge that you have read, understood, and agree to the collection and use of your information as described in this Privacy Policy. If you do not agree, please do not use the Service.
Modifications.
We may update this Privacy Policy from time to time. Material changes will be communicated to registered users via email. Changes take effect 30 days after posting to the Website. Continued use of the Service after that period constitutes acceptance.
The information we collect.
When you create an account, we collect: email address, username, display name, password (stored as a bcrypt hash — we never store plain-text passwords), account role (artist or creator), and optionally your bio, location, genres, and profile avatar.
If you connect social accounts, we collect: Instagram handle, SoundCloud URL, Spotify artist ID, YouTube channel ID, TikTok handle, Twitter/X handle, Beatport URL, and Bandcamp URL. We may periodically fetch public follower/subscriber counts from these platforms to display on your profile.
If you sign in via Google OAuth, we receive your Google account ID, email address, and display name. We do not receive or store your Google password.
We collect the music files (WAV, AIFF, MP3), cover artwork, and associated metadata (title, BPM, key, genre, type) that you upload to the Service.
When users complete download gates, we collect: email address, session identifier, which gate steps were completed (email, Instagram follow, SoundCloud follow/repost, Twitter follow), IP address (anonymized for analytics), and approximate geographic location (city, country) via GeoIP lookup.
We record transaction amounts, points purchased, and payment status. All payment card details are processed and stored exclusively by Stripe — card numbers, CVVs, and billing details never touch our servers.
We automatically collect: IP address, browser type and version, device type, operating system, pages visited, referral source, session duration, and interaction data (downloads, plays, chart views).
How we use it.
- To create, maintain, and secure your account
- To process downloads and operate download gates
- To calculate chart rankings, analytics, and platform statistics
- To process point purchases via Stripe
- To operate the Shop and promotional campaign features
- To send transactional emails (welcome emails, download confirmations, new release notifications)
- To share your email with artists whose tracks you download via gates (with your consent)
- To detect, prevent, and address fraud, abuse, and security issues
- To improve the Service based on anonymized usage data
- To comply with legal obligations
- To enforce our Terms and Conditions
Legal basis for processing.
- Contract performance — processing necessary to provide the Service (account management, downloads, points, payments).
- Consent — email marketing, sharing your email with artists via download gates, optional cookie tracking.
- Legitimate interest — fraud prevention, platform security, anonymous analytics, service improvement.
- Legal obligation — tax records for payments, responding to law enforcement requests.
Your rights & preferences.
Under the GDPR and applicable law, you have the right to:
To exercise any of these rights, contact privacy@droploud.com. We will respond within 30 days. You may also manage your profile information, social connections, and notification preferences directly through your account settings.
Sharing with third parties.
We share Personal Data with the following categories of third parties, solely for the purposes described:
Stripe's Privacy Policy applies to all card processing. We may also disclose your information without prior notice if required to do so by law, to comply with legal process, to protect our rights, to prevent fraud or copyright violations, or to protect public safety.
We do not sell your Personal Data to third parties.
Cookies & local storage.
We use essential cookies and browser local storage for authentication and session management. Optional cookies may be used for analytics if you consent. For full details, see our Cookie Policy.
Session tracking may record: session identifiers, session duration, pages visited, and browser/device specifications. IP addresses are logged for security diagnostics and anonymized trend analysis. You can decline non-essential cookies via the consent banner, but disabling essential storage may prevent you from using certain features.
Security.
We implement the following security measures to protect your data:
- All connections encrypted via TLS (HTTPS)
- Passwords hashed using bcrypt with salt rounds
- JWT-based authentication with 7-day token expiry
- Rate limiting on sensitive endpoints (downloads, authentication)
- Anonymization of IP addresses in download logs
- Payment processing handled entirely by PCI-compliant Stripe
- Access to production systems restricted to authorized personnel
No method of electronic transmission or storage is 100% secure. While we strive to protect your Personal Data, we cannot guarantee absolute security. Email communications are not encrypted end-to-end.
International transfers.
Some of our service providers (Stripe, Cloudflare, Vercel, Railway) may process data outside the European Economic Area (EEA). These transfers are protected by Standard Contractual Clauses (SCCs), adequacy decisions, or equivalent safeguards as required by GDPR.
Data retention.
- Account data — retained while your account is active; deleted within 30 days of an account deletion request.
- Uploaded content — removed from storage within 30 days of account deletion or content removal.
- Download logs — IP addresses anonymized after 90 days; anonymized records retained for analytics.
- Payment records — retained for 7 years to comply with Italian tax and accounting obligations.
- Fan email lists — retained until the artist or fan requests deletion.
- Log files — retained briefly for security and diagnostic purposes, then purged.
Children's privacy.
Do not track.
The Service does not currently respond to browser "Do Not Track" (DNT) signals. If you decline optional cookies via our consent banner, non-essential tracking will be disabled regardless of your DNT setting.
Email communications.
Droploud does not send unsolicited marketing emails. You may receive:
- Transactional emails — welcome messages, download confirmations, payment receipts, security alerts (you cannot opt out of these while your account is active).
- New release notifications — emails from artists whose download gates you completed (opt-out available via unsubscribe link).
- Platform updates — material changes to Terms, Privacy Policy, or the Service (opt-out available).
Email addresses collected through download gates are shared with the respective artist. Droploud is not responsible for how artists use these email addresses outside of the platform. Artists who abuse email lists may have their accounts suspended.
Withdrawing consent.
You may withdraw your consent at any time by:
- Unsubscribing from email communications via the unsubscribe link in any email
- Changing your cookie preferences by clearing your browser data and revisiting the site
- Updating your account settings and disconnecting social media integrations
- Requesting account deletion by contacting privacy@droploud.com
Please note that account deletion is permanent and cannot be undone. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
Supervisory authority.
Privacy questions or DSAR?
We respond to data access requests within 30 days. Use the channel below — it routes directly to the data team.