Privacy Policy
How Droploud collects, uses, stores and shares personal data, written in plain English, mapped to GDPR and the UAE PDPL, last reviewed by a human on 28 May 2026.
Who we are & scope.
Droploud operates droploud.com, an underground electronic-music platform for free download gates, paid sample packs, paid project templates and artist promotion. This Policy explains how Droploud FZ-LLC (the "controller", "we", "us") collects, uses, stores, shares and protects personal data, and your rights as a data subject. It applies to artists, creators, fans, buyers and visitors.
Principles.
We are committed to the following data-protection principles, drawn from GDPR Art. 5 and UAE PDPL Art. 5:
- We collect personal data only for identified, specific and legitimate purposes (purpose limitation).
- We process lawfully, fairly and transparently.
- We collect the minimum data needed (data minimisation).
- We keep personal data accurate and up to date.
- We retain data only as long as necessary for the stated purposes.
- We implement appropriate security safeguards.
- We make our data practices openly available.
The data we collect.
- Account data: email, username, display name, password (stored as a bcrypt hash; we never store plain-text passwords), account role (artist, creator, admin).
- Profile data: bio, location, genres, profile artwork, label names.
- Social handles: Instagram, SoundCloud URL, Spotify artist ID, YouTube channel ID, TikTok, Twitter/X, Beatport, Bandcamp.
- Content: music files (WAV, AIFF, MP3), cover artwork, sample packs, project templates, metadata (title, BPM, key, genre, license type).
- Payment data: for purchases, processed and stored exclusively by Stripe or PayPal; card numbers, CVVs and billing details never touch Droploud servers. We retain transaction identifiers, amounts and status.
- Creator payout data: the payout details you provide (PayPal email, IBAN, limited to what your chosen method needs).
- Support communications: any messages you send to support@droploud.com.
- Technical data: IP address (anonymised in logs after 90 days), browser type and version, device type, operating system, pages visited, referral source, session duration.
- Behavioural data: downloads, plays, points earned and spent, chart views.
- Approximate location: city / country via GeoIP lookup (MaxMind, performed locally; the IP itself is not transmitted to MaxMind in real time).
- Cookies & local storage: see §10 and the Cookie Policy.
- SoundCloud OAuth: when you connect your SoundCloud account we receive your SoundCloud user ID, public profile, permalink URL, public follower count and an OAuth access token. We use the token to perform the specific actions you authorise (see §4). We re-fetch public stats periodically.
- Google OAuth (sign-in): Google account ID, email address, display name.
- Gate completions: when a fan completes one of your gates we receive the fan's email and the social actions they performed.
- Platform stats: public follower / subscriber counts from connected services (Instagram, Spotify, YouTube, TikTok, Beatport, Bandcamp) where available.
We do not knowingly collect special-category personal data (racial / ethnic origin, political opinions, religious beliefs, trade-union membership, genetic or biometric data, health data, sexual-orientation data). Do not submit it.
SoundCloud actions we perform on your behalf.
When you connect your SoundCloud account via OAuth, Droploud is granted an access token in line with the SoundCloud Developer Terms. Droploud uses that token only to perform the specific actions you have configured or authorised:
Read public profile, ID, permalink, follower count, at connect plus periodic refresh.
No SoundCloud writes for the artist's own account. Ever.
- Follow the artist's SoundCloud account(s) (if the artist's gate config has it).
- Follow the @droploud SoundCloud account (enabled by default; artist-configurable).
- Like the gated track (if the artist's gate config has it).
- Repost the gated track to the fan's SoundCloud profile (if the artist's gate config has it).
- Comment the gated track with a timestamp comment (if the artist's gate config has it).
These actions occur only during a gate flow the fan has explicitly started. The fan sees the list of actions before they authorise SoundCloud. Refusing the SoundCloud OAuth prompt blocks the gate but does not prevent the fan from continuing on other platforms or leaving the page.
Droploud does not post audio, follow third-party accounts the gate configuration does not list, or read fans' private SoundCloud data beyond what the SoundCloud OAuth scope returns.
How we use data: purposes & legal basis.
- Create & operate your account: Contract (GDPR Art. 6(1)(b)) / Contract performance (PDPL).
- Process Shop purchases & creator payouts: Contract / Contract performance.
- Deliver gated downloads & record gate completions: Contract / Consent.
- Make gate fan-data available to the artist whose gate was completed: Consent + legitimate interest / Consent.
- Perform SoundCloud actions you authorised at a gate: Consent / Consent.
- Charts, recommendations, platform analytics: Legitimate interest (Art. 6(1)(f)) / Legitimate interest.
- Security, fraud and abuse prevention, anti-bot: Legitimate interest / Legal obligation.
- Transactional email (receipts, takedowns, account, security): Contract / Contract performance.
- Marketing email from Droploud (not from artists): Consent (opt-in).
- Show third-party advertising on gate pages: Consent (where applicable).
- Comply with law, tax, copyright & FTA bookkeeping: Legal obligation.
Completing a gate is voluntary. You choose to provide your email and / or to authorise the social actions (SoundCloud follow / like / repost / comment + other platforms) in exchange for a free promotional download. We rely on your consent for that collection and for passing your contact data to the artist whose gate you completed. You can withdraw consent at any time (see §16); withdrawal does not affect a download already delivered or actions already performed.
Who we share data with.
We do not sell personal data. We share it with the categories below, strictly for the purposes described and under written contract.
Processors under GDPR Art. 28 / UAE PDPL Art. 26. DPA status is tracked internally; copies of signed DPAs are stored offline.
When you complete an artist's gate, that artist becomes an independent controller of your contact data for their own promotional use. The artist is bound by the Creator Agreement to use it lawfully, restrict use to reasonable artist-to-fan communication, honour unsubscribe and erasure requests, comply with anti-spam law (CAN-SPAM, EU ePrivacy Directive, UAE TDRA TRA rules), and not transfer the data to unrelated third parties or use it to train machine-learning models. Droploud is not responsible for an artist's separate use of fan data but will act on complaints and may terminate accounts that misuse it.
We may also disclose data: (a) where required by law, court order, or a government request validated through legal channels; (b) to enforce these Terms or other companion documents; (c) to handle copyright or DMCA notices; (d) in connection with a corporate transaction (merger, acquisition, sale of assets), subject to equivalent protection of the data; (e) to detect or prevent fraud, abuse, security incidents or threats to public safety.
International transfers.
Droploud is established in the UAE; sub-processors operate in the USA, EU and elsewhere. Transfers of EU/EEA personal data outside the EEA rely on Standard Contractual Clauses, EU adequacy decisions, the EU-US Data Privacy Framework where applicable, or your explicit consent. Transfers under the UAE PDPL rely on the PDPL's adequacy / appropriate-safeguards mechanism (Art. 23). You may request details of the safeguard applied to a specific transfer at privacy@droploud.com.
Your rights & preferences.
Under GDPR, UK GDPR, UAE PDPL and applicable law you may:
To exercise a right, email privacy@droploud.com with proof of identity. We respond within 30 days (GDPR / UAE PDPL standard), extendable for complex requests with notice. No fee unless the request is manifestly unfounded or excessive.
Account deletion & data export.
- Deletion: you may request account deletion at any time. We soft-delete the account immediately (it stops being usable). Within 30 days we erase or irreversibly anonymise personal data, except records we must keep by law (see §11). Internally this is recorded with a
deleted_attimestamp. - Export: you may request a machine-readable export of your personal data. The request is recorded with an
export_requested_attimestamp and fulfilled within 30 days. - Fan-side deletion: a fan who completed an artist's gate may also email the artist directly to request the artist erase their fan-side copy of the email. The artist is bound by the Creator Agreement to honour the request.
Cookies & local storage.
Droploud uses:
- Strictly necessary: authentication session, cart state (
droploud_cart_v2in localStorage), download-gate session, cookie-consent record, security. No consent required. - Analytics / advertising: product analytics (PostHog, Vercel Analytics), aggregate usage, advertising delivery and measurement on gate pages (Google AdSense if/when active). Loaded only after you accept optional cookies in the consent banner.
Full inventory (names, purposes, lifetimes) is in the Cookie Policy.
Data retention.
- Account & profile data: while the account is active; deleted/anonymised within 30 days of an account-deletion request.
- Uploaded content: removed from storage within 30 days of account deletion or content removal.
- Download logs (IP): IP anonymised after 90 days; anonymised records retained for analytics.
- Gate-completion / fan data: while the artist's account is active or until fan consent is withdrawn.
- Purchase, payout & tax records: 5 years after the transaction (UAE FTA bookkeeping requirement).
- Copyright-notice & strike records: duration of the account + 3 years for legal defence.
- Marketing-consent records: until withdrawn + 3 years (proof of consent).
- Security / fraud logs: up to 12 months.
Records we must keep by law (tax, copyright defence, payment-processor contracts) are retained even after account closure and then deleted.
Security.
We protect data with:
- All connections encrypted via TLS (HTTPS).
- Passwords hashed using bcrypt with salt rounds.
- JWT-based authentication with rotating refresh tokens.
- Rate limiting on sensitive endpoints (downloads, authentication, gate submission).
- Anonymisation of IP addresses in download logs after 90 days.
- Payment processing handled entirely by PCI-DSS certified processors (Stripe, PayPal); card data never touches Droploud servers.
- Access to production systems restricted to authorised personnel and audited.
- Sentry error monitoring with PII filtering rules.
- Security headers (HSTS, X-Content-Type-Options, X-Frame-Options, CSP).
No method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security. Email communications are not encrypted end-to-end.
Breach notification: we will notify affected users and the relevant authority of a personal-data breach as required by GDPR (within 72 hours of becoming aware) and UAE PDPL.
Children.
Marketing & email communications.
Droploud does not send unsolicited marketing emails. You may receive:
- Transactional emails: welcome, download confirmation, payment receipt, security alert (cannot be opted out while the account is active).
- Artist-to-fan emails: emails from artists whose gates you completed (opt-out via the unsubscribe link in each email).
- Platform updates: material changes to Terms or this Policy (opt-out available; you must still receive notice of material changes).
Email addresses collected through gates are shared with the respective artist (see §6.2). Droploud is not responsible for how artists use those addresses outside the platform. Artists who abuse email lists may have their account suspended.
Do Not Track.
The Service does not currently respond to browser "Do Not Track" (DNT) signals. If you decline optional cookies via our consent banner, non-essential tracking is disabled regardless of your DNT setting.
Withdrawing consent.
You may withdraw your consent at any time by:
- Unsubscribing from email communications via the unsubscribe link in any email.
- Changing your cookie preferences by clearing your browser data and revisiting the site, or by using the consent-banner re-open control.
- Disconnecting social-media integrations from your account settings.
- Requesting account deletion by emailing privacy@droploud.com.
Account deletion is permanent and cannot be undone. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
Supervisory authority.
EU representative.
Droploud is established outside the EU but offers services to EU residents, so a representative under GDPR Art. 27 is required. [TO BE APPOINTED: name and EU address inserted here.] Until appointed, EU residents may contact privacy@droploud.com.
Changes to this Policy.
We may update this Policy. Material changes will be communicated by email or in-app notice and posted at least 30 days before they take effect, except where a shorter notice period is required by law or operational necessity. The "Effective date" shows the current version.
Contact.
- Privacy / data-subject requests: privacy@droploud.com
- Security incidents: security@droploud.com
- Copyright takedowns: dmca@droploud.com
- General: support@droploud.com
- Operator: Droploud FZ-LLC.
- Registered address: Droploud FZ-LLC, VUNE3361, Compass Building, Al Hulaila, Al Hulaila Industrial Zone-FZ, Ras Al Khaimah, United Arab Emirates. Commercial Register No. 0000004089442 · RAKEZ Licence No. 17008872.
- EU representative (Art. 27 GDPR): [TO BE APPOINTED]
Privacy questions or DSAR?
We respond to data-access requests within 30 days. Use the channel below; it routes directly to the data team.