Privacy Policy

How Droploud collects, uses, stores and shares personal data, written in plain English, mapped to GDPR and the UAE PDPL, last reviewed by a human on 28 May 2026.

VERSION 4.0LAST UPDATED 28 MAY 2026JURISDICTION UAELANG ENGDPR · PDPL

Who we are & scope.

DROPLOUD FZ-LLC · RAKEZ

Droploud operates droploud.com, an underground electronic-music platform for free download gates, paid sample packs, paid project templates and artist promotion. This Policy explains how Droploud FZ-LLC (the "controller", "we", "us") collects, uses, stores, shares and protects personal data, and your rights as a data subject. It applies to artists, creators, fans, buyers and visitors.

Principles.

GDPR ART. 5 · PDPL ART. 5

We are committed to the following data-protection principles, drawn from GDPR Art. 5 and UAE PDPL Art. 5:

  • We collect personal data only for identified, specific and legitimate purposes (purpose limitation).
  • We process lawfully, fairly and transparently.
  • We collect the minimum data needed (data minimisation).
  • We keep personal data accurate and up to date.
  • We retain data only as long as necessary for the stated purposes.
  • We implement appropriate security safeguards.
  • We make our data practices openly available.

The data we collect.

3 SOURCES · GIVEN · AUTO · 3RD-PARTY
3.1 Data you give us
  • Account data: email, username, display name, password (stored as a bcrypt hash; we never store plain-text passwords), account role (artist, creator, admin).
  • Profile data: bio, location, genres, profile artwork, label names.
  • Social handles: Instagram, SoundCloud URL, Spotify artist ID, YouTube channel ID, TikTok, Twitter/X, Beatport, Bandcamp.
  • Content: music files (WAV, AIFF, MP3), cover artwork, sample packs, project templates, metadata (title, BPM, key, genre, license type).
  • Payment data: for purchases, processed and stored exclusively by Stripe or PayPal; card numbers, CVVs and billing details never touch Droploud servers. We retain transaction identifiers, amounts and status.
  • Creator payout data: the payout details you provide (PayPal email, IBAN, limited to what your chosen method needs).
  • Support communications: any messages you send to support@droploud.com.
3.2 Data we collect automatically
  • Technical data: IP address (anonymised in logs after 90 days), browser type and version, device type, operating system, pages visited, referral source, session duration.
  • Behavioural data: downloads, plays, points earned and spent, chart views.
  • Approximate location: city / country via GeoIP lookup (MaxMind, performed locally; the IP itself is not transmitted to MaxMind in real time).
  • Cookies & local storage: see §10 and the Cookie Policy.
3.3 Data we receive from third parties
  • SoundCloud OAuth: when you connect your SoundCloud account we receive your SoundCloud user ID, public profile, permalink URL, public follower count and an OAuth access token. We use the token to perform the specific actions you authorise (see §4). We re-fetch public stats periodically.
  • Google OAuth (sign-in): Google account ID, email address, display name.
  • Gate completions: when a fan completes one of your gates we receive the fan's email and the social actions they performed.
  • Platform stats: public follower / subscriber counts from connected services (Instagram, Spotify, YouTube, TikTok, Beatport, Bandcamp) where available.

We do not knowingly collect special-category personal data (racial / ethnic origin, political opinions, religious beliefs, trade-union membership, genetic or biometric data, health data, sexual-orientation data). Do not submit it.

SoundCloud actions we perform on your behalf.

OAUTH · GATE FLOW ONLY

When you connect your SoundCloud account via OAuth, Droploud is granted an access token in line with the SoundCloud Developer Terms. Droploud uses that token only to perform the specific actions you have configured or authorised:

Artist on connect

Read public profile, ID, permalink, follower count, at connect plus periodic refresh.

Artist (gate config)

No SoundCloud writes for the artist's own account. Ever.

Fan completing a gate
  • Follow the artist's SoundCloud account(s) (if the artist's gate config has it).
  • Follow the @droploud SoundCloud account (enabled by default; artist-configurable).
  • Like the gated track (if the artist's gate config has it).
  • Repost the gated track to the fan's SoundCloud profile (if the artist's gate config has it).
  • Comment the gated track with a timestamp comment (if the artist's gate config has it).

These actions occur only during a gate flow the fan has explicitly started. The fan sees the list of actions before they authorise SoundCloud. Refusing the SoundCloud OAuth prompt blocks the gate but does not prevent the fan from continuing on other platforms or leaving the page.

Droploud does not post audio, follow third-party accounts the gate configuration does not list, or read fans' private SoundCloud data beyond what the SoundCloud OAuth scope returns.

How we use data: purposes & legal basis.

GDPR ART. 6 · PDPL
  • Create & operate your account: Contract (GDPR Art. 6(1)(b)) / Contract performance (PDPL).
  • Process Shop purchases & creator payouts: Contract / Contract performance.
  • Deliver gated downloads & record gate completions: Contract / Consent.
  • Make gate fan-data available to the artist whose gate was completed: Consent + legitimate interest / Consent.
  • Perform SoundCloud actions you authorised at a gate: Consent / Consent.
  • Charts, recommendations, platform analytics: Legitimate interest (Art. 6(1)(f)) / Legitimate interest.
  • Security, fraud and abuse prevention, anti-bot: Legitimate interest / Legal obligation.
  • Transactional email (receipts, takedowns, account, security): Contract / Contract performance.
  • Marketing email from Droploud (not from artists): Consent (opt-in).
  • Show third-party advertising on gate pages: Consent (where applicable).
  • Comply with law, tax, copyright & FTA bookkeeping: Legal obligation.
The download gate: consent model

Completing a gate is voluntary. You choose to provide your email and / or to authorise the social actions (SoundCloud follow / like / repost / comment + other platforms) in exchange for a free promotional download. We rely on your consent for that collection and for passing your contact data to the artist whose gate you completed. You can withdraw consent at any time (see §16); withdrawal does not affect a download already delivered or actions already performed.

Who we share data with.

SUB-PROCESSORS · ARTISTS · LAW

We do not sell personal data. We share it with the categories below, strictly for the purposes described and under written contract.

6.1 Sub-processors

Processors under GDPR Art. 28 / UAE PDPL Art. 26. DPA status is tracked internally; copies of signed DPAs are stored offline.

Stripe
Card payments, Points purchases. USA / Ireland. SCCs · EU-US DPF.
PayPal
Card / wallet payments. USA / Luxembourg. SCCs.
Cloudflare R2
File & media storage, CDN. EU + global edge. SCCs · DPA.
Railway
Backend hosting, database compute. USA. SCCs.
Vercel
Frontend hosting / CDN · Vercel Analytics (aggregate, consent-gated). USA / global edge. SCCs · DPF.
PostHog
Product analytics (consent-gated; loads only after you accept optional cookies). EU region (EU Cloud). DPA.
Supabase
PostgreSQL database hosting. EU region. DPA.
Upstash
Redis caching / queues. EU region. DPA.
Resend
Transactional & marketing email. EU region. DPA.
MaxMind
GeoIP lookups (offline DB). USA. DPA.
SoundCloud
OAuth · audio embeds · server-side actions you authorised. USA / Germany. SoundCloud's own policy.
Google
Sign-in (OAuth) · AdSense (if/when active). USA. DPF.
Sentry
Error monitoring. Germany (EU region). SCCs · DPA.
Healthchecks.io
Cron heartbeat monitoring. USA. SCCs.
6.2 Artists as independent controllers

When you complete an artist's gate, that artist becomes an independent controller of your contact data for their own promotional use. The artist is bound by the Creator Agreement to use it lawfully, restrict use to reasonable artist-to-fan communication, honour unsubscribe and erasure requests, comply with anti-spam law (CAN-SPAM, EU ePrivacy Directive, UAE TDRA TRA rules), and not transfer the data to unrelated third parties or use it to train machine-learning models. Droploud is not responsible for an artist's separate use of fan data but will act on complaints and may terminate accounts that misuse it.

6.3 Other disclosures

We may also disclose data: (a) where required by law, court order, or a government request validated through legal channels; (b) to enforce these Terms or other companion documents; (c) to handle copyright or DMCA notices; (d) in connection with a corporate transaction (merger, acquisition, sale of assets), subject to equivalent protection of the data; (e) to detect or prevent fraud, abuse, security incidents or threats to public safety.

International transfers.

SCC · ADEQUACY · DPF

Droploud is established in the UAE; sub-processors operate in the USA, EU and elsewhere. Transfers of EU/EEA personal data outside the EEA rely on Standard Contractual Clauses, EU adequacy decisions, the EU-US Data Privacy Framework where applicable, or your explicit consent. Transfers under the UAE PDPL rely on the PDPL's adequacy / appropriate-safeguards mechanism (Art. 23). You may request details of the safeguard applied to a specific transfer at privacy@droploud.com.

Your rights & preferences.

9 DATA-SUBJECT RIGHTS

Under GDPR, UK GDPR, UAE PDPL and applicable law you may:

Access
Request a copy of the personal data we hold about you.
Rectification
Correct inaccurate or incomplete data.
Erasure
Request deletion ("right to be forgotten"), subject to legal retention requirements (§11).
Restriction
Limit how we process your data while a query is being resolved.
Objection
Object to processing based on legitimate interest.
Portability
Receive your data in a structured, machine-readable format.
Withdraw consent
At any time, without affecting prior lawful processing.
No auto decisions
Not be subject to solely automated decision-making that significantly affects you. Droploud does not currently run any such automated decisions.
Complaint
Lodge a complaint with your supervisory authority (EU/EEA national DPA, UK ICO, UAE Data Office).

To exercise a right, email privacy@droploud.com with proof of identity. We respond within 30 days (GDPR / UAE PDPL standard), extendable for complex requests with notice. No fee unless the request is manifestly unfounded or excessive.

Account deletion & data export.

SOFT-DELETE · 30D ERASE
  • Deletion: you may request account deletion at any time. We soft-delete the account immediately (it stops being usable). Within 30 days we erase or irreversibly anonymise personal data, except records we must keep by law (see §11). Internally this is recorded with a deleted_at timestamp.
  • Export: you may request a machine-readable export of your personal data. The request is recorded with an export_requested_at timestamp and fulfilled within 30 days.
  • Fan-side deletion: a fan who completed an artist's gate may also email the artist directly to request the artist erase their fan-side copy of the email. The artist is bound by the Creator Agreement to honour the request.

Cookies & local storage.

SEE COOKIE POLICY

Droploud uses:

  • Strictly necessary: authentication session, cart state (droploud_cart_v2 in localStorage), download-gate session, cookie-consent record, security. No consent required.
  • Analytics / advertising: product analytics (PostHog, Vercel Analytics), aggregate usage, advertising delivery and measurement on gate pages (Google AdSense if/when active). Loaded only after you accept optional cookies in the consent banner.

Full inventory (names, purposes, lifetimes) is in the Cookie Policy.

Data retention.

8 RETENTION RULES
  • Account & profile data: while the account is active; deleted/anonymised within 30 days of an account-deletion request.
  • Uploaded content: removed from storage within 30 days of account deletion or content removal.
  • Download logs (IP): IP anonymised after 90 days; anonymised records retained for analytics.
  • Gate-completion / fan data: while the artist's account is active or until fan consent is withdrawn.
  • Purchase, payout & tax records: 5 years after the transaction (UAE FTA bookkeeping requirement).
  • Copyright-notice & strike records: duration of the account + 3 years for legal defence.
  • Marketing-consent records: until withdrawn + 3 years (proof of consent).
  • Security / fraud logs: up to 12 months.

Records we must keep by law (tax, copyright defence, payment-processor contracts) are retained even after account closure and then deleted.

Security.

TLS · BCRYPT · JWT

We protect data with:

  • All connections encrypted via TLS (HTTPS).
  • Passwords hashed using bcrypt with salt rounds.
  • JWT-based authentication with rotating refresh tokens.
  • Rate limiting on sensitive endpoints (downloads, authentication, gate submission).
  • Anonymisation of IP addresses in download logs after 90 days.
  • Payment processing handled entirely by PCI-DSS certified processors (Stripe, PayPal); card data never touches Droploud servers.
  • Access to production systems restricted to authorised personnel and audited.
  • Sentry error monitoring with PII filtering rules.
  • Security headers (HSTS, X-Content-Type-Options, X-Frame-Options, CSP).

No method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security. Email communications are not encrypted end-to-end.

Breach notification: we will notify affected users and the relevant authority of a personal-data breach as required by GDPR (within 72 hours of becoming aware) and UAE PDPL.

Children.

16+ · 18+ FOR SHOP/CREATOR
Min. age
16+
Droploud is offered to individuals aged 16 or older. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, contact privacy@droploud.com and we will promptly delete it. Minors under 18 may not purchase Shop items, hold a creator account or accept the Creator Agreement.

Marketing & email communications.

3 EMAIL TYPES

Droploud does not send unsolicited marketing emails. You may receive:

  • Transactional emails: welcome, download confirmation, payment receipt, security alert (cannot be opted out while the account is active).
  • Artist-to-fan emails: emails from artists whose gates you completed (opt-out via the unsubscribe link in each email).
  • Platform updates: material changes to Terms or this Policy (opt-out available; you must still receive notice of material changes).

Email addresses collected through gates are shared with the respective artist (see §6.2). Droploud is not responsible for how artists use those addresses outside the platform. Artists who abuse email lists may have their account suspended.

Do Not Track.

DNT NOT HONOURED

The Service does not currently respond to browser "Do Not Track" (DNT) signals. If you decline optional cookies via our consent banner, non-essential tracking is disabled regardless of your DNT setting.

Withdrawing consent.

UNSUBSCRIBE · COOKIES · DISCONNECT

You may withdraw your consent at any time by:

  • Unsubscribing from email communications via the unsubscribe link in any email.
  • Changing your cookie preferences by clearing your browser data and revisiting the site, or by using the consent-banner re-open control.
  • Disconnecting social-media integrations from your account settings.
  • Requesting account deletion by emailing privacy@droploud.com.

Account deletion is permanent and cannot be undone. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

Supervisory authority.

EU · UK · UAE
EU / EEA users: your national supervisory authority (a complete list is at edpb.europa.eu/about-edpb/members_en). UK users: the Information Commissioner's Office (ico.org.uk). UAE users: the UAE Data Office under the PDPL. You may also contact the supervisory authority in your country of residence.

EU representative.

GDPR ART. 27

Droploud is established outside the EU but offers services to EU residents, so a representative under GDPR Art. 27 is required. [TO BE APPOINTED: name and EU address inserted here.] Until appointed, EU residents may contact privacy@droploud.com.

Changes to this Policy.

30-DAY NOTICE

We may update this Policy. Material changes will be communicated by email or in-app notice and posted at least 30 days before they take effect, except where a shorter notice period is required by law or operational necessity. The "Effective date" shows the current version.

Contact.

PRIVACY · SECURITY · DMCA
  • Privacy / data-subject requests: privacy@droploud.com
  • Security incidents: security@droploud.com
  • Copyright takedowns: dmca@droploud.com
  • General: support@droploud.com
  • Operator: Droploud FZ-LLC.
  • Registered address: Droploud FZ-LLC, VUNE3361, Compass Building, Al Hulaila, Al Hulaila Industrial Zone-FZ, Ras Al Khaimah, United Arab Emirates. Commercial Register No. 0000004089442 · RAKEZ Licence No. 17008872.
  • EU representative (Art. 27 GDPR): [TO BE APPOINTED]

Privacy questions or DSAR?

We respond to data-access requests within 30 days. Use the channel below; it routes directly to the data team.

privacy@droploud.com