Privacy Policy
Last updated: April 1, 2026
1. Definitions
"Droploud", "we", "us", and "our" refer to the operator of the droploud.com platform ("the Website"). "Service" refers to the Website and all related tools, features, and functionality. "User", "you", and "your" refer to any person who accesses or uses the Service. "Personal Data" means any information relating to an identified or identifiable natural person.
2. General Principles
We are committed to the following data protection principles:
- We collect Personal Data only for identified, specific, and legitimate purposes
- We process data lawfully, fairly, and transparently
- We keep Personal Data accurate and up to date
- We retain data only as long as necessary for the stated purposes
- We implement appropriate security safeguards to protect your data
- We make information about our data practices openly available
- We comply with the General Data Protection Regulation (GDPR) and applicable Italian and EU data protection laws
3. Agreement
By accessing the Website or using the Service, you acknowledge that you have read, understood, and agree to the collection and use of your information as described in this Privacy Policy. If you do not agree, please do not use the Service.
4. Modifications
We may update this Privacy Policy from time to time. Material changes will be communicated to registered users via email. Changes take effect 30 days after posting to the Website. Continued use of the Service after that period constitutes acceptance.
5. The Information We Collect
Account Registration Data
When you create an account, we collect: email address, username, display name, password (stored as a bcrypt hash — we never store plain-text passwords), account role (artist, fan, club, promoter), and optionally your bio, location, genres, and profile avatar.
Social Media Information
If you connect social accounts, we collect: Instagram handle, SoundCloud URL, Spotify artist ID, YouTube channel ID, TikTok handle, Twitter/X handle, Beatport URL, and Bandcamp URL. We may periodically fetch public follower/subscriber counts from these platforms to display on your profile.
Authentication Data
If you sign in via Google OAuth, we receive your Google account ID, email address, and display name. We do not receive or store your Google password.
Content Data
Music files (WAV, AIFF, MP3), cover artwork, and associated metadata (title, BPM, key, genre, type) that you upload to the Service.
Download Gate Data
When users complete download gates, we collect: email address, session identifier, which gate steps were completed (email, Instagram follow, SoundCloud follow/repost, Twitter follow), IP address (anonymized for analytics), and approximate geographic location (city, country) via GeoIP lookup.
Payment Data
We record transaction amounts, points purchased, and payment status. All payment card details are processed and stored exclusively by Stripe — card numbers, CVVs, and billing details never touch our servers.
Automatically Collected Data
We automatically collect: IP address, browser type and version, device type, operating system, pages visited, referral source, session duration, and interaction data (downloads, plays, chart views).
6. How We Use Your Information
- To create, maintain, and secure your account
- To process downloads and operate download gates
- To calculate chart rankings, analytics, and platform statistics
- To process point purchases via Stripe
- To operate the Shop and promotional campaign features
- To send transactional emails (welcome emails, download confirmations, new release notifications)
- To share your email with artists whose tracks you download via gates (with your consent)
- To facilitate booking requests and messaging between artists and clubs
- To detect, prevent, and address fraud, abuse, and security issues
- To improve the Service based on anonymized usage data
- To comply with legal obligations
- To enforce our Terms and Conditions
7. Legal Basis for Processing (GDPR)
- Contract performance: processing necessary to provide the Service (account management, downloads, points, payments, bookings)
- Consent: email marketing, sharing your email with artists via download gates, optional cookie tracking
- Legitimate interest: fraud prevention, platform security, anonymous analytics, service improvement
- Legal obligation: tax records for payments, responding to law enforcement requests
8. Your Rights & Preferences
Under the GDPR and applicable law, you have the right to:
- Access: request a copy of the Personal Data we hold about you
- Rectification: correct inaccurate or incomplete data via your account settings or by contacting us
- Erasure: request deletion of your data ("right to be forgotten")
- Restriction: request that we limit how we process your data
- Portability: receive your data in a structured, machine-readable format
- Objection: object to processing based on legitimate interest
- Withdraw consent: withdraw consent at any time without affecting the lawfulness of prior processing
- Automated decisions: not be subject to solely automated decision-making that significantly affects you
To exercise any of these rights, contact privacy@droploud.com. We will respond within 30 days. You may also manage your profile information, social connections, and notification preferences directly through your account settings.
9. Sharing Information with Third Parties
We share Personal Data with the following categories of third parties, solely for the purposes described:
- Artists (via download gates): your email address when you complete a download gate, with your consent
- Stripe: payment processing — their Privacy Policy applies
- Resend: transactional email delivery
- Cloudflare: content delivery, storage (R2), and security
- Vercel: frontend hosting
- Railway: backend hosting
- Supabase: database hosting
- Upstash: Redis caching
- MaxMind: GeoIP lookups (IP addresses are not shared; lookups are performed locally)
We may also disclose your information without prior notice if required to do so by law, to comply with legal process, to protect our rights, to prevent fraud or copyright violations, or to protect public safety.
We do not sell your Personal Data to third parties.
10. Cookies & Local Storage
We use essential cookies and browser local storage for authentication and session management. Optional cookies may be used for analytics if you consent. For full details, see our Cookie Policy.
Session tracking may record: session identifiers, session duration, pages visited, and browser/device specifications. IP addresses are logged for security diagnostics and anonymized trend analysis. You can decline non-essential cookies via the consent banner, but disabling essential storage may prevent you from using certain features.
11. Security
We implement the following security measures to protect your data:
- All connections encrypted via TLS (HTTPS)
- Passwords hashed using bcrypt with salt rounds
- JWT-based authentication with 7-day token expiry
- Rate limiting on sensitive endpoints (downloads, authentication)
- Anonymization of IP addresses in download logs
- Payment processing handled entirely by PCI-compliant Stripe
- Access to production systems restricted to authorized personnel
No method of electronic transmission or storage is 100% secure. While we strive to protect your Personal Data, we cannot guarantee absolute security. Email communications are not encrypted end-to-end.
12. International Transfers
Some of our service providers (Stripe, Cloudflare, Vercel, Railway) may process data outside the European Economic Area (EEA). These transfers are protected by Standard Contractual Clauses (SCCs), adequacy decisions, or equivalent safeguards as required by GDPR.
13. Data Retention
- Account data: retained while your account is active; deleted within 30 days of an account deletion request
- Uploaded content: removed from storage within 30 days of account deletion or content removal
- Download logs: IP addresses anonymized after 90 days; anonymized records retained for analytics
- Payment records: retained for 7 years to comply with Italian tax and accounting obligations
- Fan email lists: retained until the artist or fan requests deletion
- Log files: retained briefly for security and diagnostic purposes, then purged
14. Children's Privacy
Droploud is not intended for children under 16. We do not knowingly collect Personal Data from children under 16. If you are a parent or guardian and believe your child has provided us with Personal Data, please contact us at privacy@droploud.com and we will promptly delete it. Minors under 18 may request removal of publicly posted information by contacting us or deleting their account.
15. Do Not Track
The Service does not currently respond to browser "Do Not Track" (DNT) signals. If you decline optional cookies via our consent banner, non-essential tracking will be disabled regardless of your DNT setting.
16. Email Communications
Droploud does not send unsolicited marketing emails. You may receive:
- Transactional emails: welcome messages, download confirmations, payment receipts, security alerts (you cannot opt out of these while your account is active)
- New release notifications: emails from artists whose download gates you completed (opt-out available via unsubscribe link)
- Platform updates: material changes to Terms, Privacy Policy, or the Service (opt-out available)
Email addresses collected through download gates are shared with the respective artist. Droploud is not responsible for how artists use these email addresses outside of the platform. Artists who abuse email lists may have their accounts suspended.
17. Withdrawing Consent
You may withdraw your consent at any time by:
- Unsubscribing from email communications via the unsubscribe link in any email
- Changing your cookie preferences by clearing your browser data and revisiting the site
- Updating your account settings and disconnecting social media integrations
- Requesting account deletion by contacting privacy@droploud.com
Please note that account deletion is permanent and cannot be undone. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
18. Supervisory Authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali) at www.garanteprivacy.it, or with the supervisory authority in your country of residence.
Contact
For any privacy-related questions, data access requests, or to exercise your rights, contact us at: privacy@droploud.com