Privacy Policy
This Privacy Policy explains how Treble ("we", "us", "our") collects, uses, shares and protects personal information through Treble (the "Service"). It covers our obligations under the EU/UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), and other applicable laws.
1. Who we are (data controller)
The data controller responsible for your personal information is:
Treble
Wyoming, United States
Email: privacy@treble.popit.marketing (privacy matters)
General contact: hello@treble.popit.marketing
If you are in the EU or UK and we are required to designate a representative, see Section 11 below.
2. What information we collect
2.1 Information you provide as an artist (account holder)
- Account data: email address, password (hashed with Argon2id — never stored in plain text), display name.
- Profile data: any artist information you choose to add.
- User Content: songs you upload (audio files, title, artist name, optional metadata).
- Communications: emails you send us, support tickets, copyright takedown notices, counter-notifications.
- Marketing preferences: opt-in/opt-out status for product newsletters.
2.2 Information collected from voters
When someone listens to a public song link and submits a rating, we collect:
- Rating data: music rating, lyrics rating, intent to add to Spotify, intent to recommend, "is this your style" answer.
- Demographic categories: age range (15–25 / 25–35 / 35+) and self-selected gender. Voters may decline to provide accurate values.
- Listening behavior: percentage listened, total play seconds, replays, seeks, completions, "short listen" flag.
- Technical data for deduplication only: IP address, browser fingerprint hash, persistent cookie token.
- Approximate country derived from the IP address.
Voters do not create an account and do not provide their name, email or any other identifier. We treat the IP address and browser fingerprint as personal data under GDPR (because they could, in theory, identify a household or device) and apply the same protections.
2.3 Information collected automatically (technical / log data)
- Server access logs (timestamp, request path, status code, IP, referrer, user-agent).
- Application audit log (account actions, admin operations).
- Cookies set by us — see our Cookie Policy.
2.4 Information from third parties
We do not currently buy data, enrich profiles or import data brokers' lists.
3. How we collect it
- Directly from you when you sign up, upload songs, submit forms, or contact us.
- Automatically as you use the Service (cookies, server logs, technical request metadata).
- From voters who interact with your public song links.
4. Why we use it & legal bases (GDPR)
| Purpose | Categories | GDPR legal basis |
|---|---|---|
| Provide the Service (host audio, generate dashboard, send links) | Account, User Content, vote data | Contract performance (Art. 6(1)(b)) |
| Authenticate you and protect your account | Email, password hash, session cookie, IP | Contract / Legitimate interest (Art. 6(1)(b)/(f)) |
| Vote integrity (dedup IP + fingerprint + cookie) | IP, fingerprint, cookie token | Legitimate interest in fraud prevention (Art. 6(1)(f)) |
| Email verification & password reset | Email, name | Contract performance (Art. 6(1)(b)) |
| Trust & safety, abuse investigation, DMCA | Account data, audit logs, IPs | Legitimate interest & legal obligation (Art. 6(1)(f), 6(1)(c)) |
| Service improvement (aggregated, anonymized analytics) | De-identified usage data | Legitimate interest (Art. 6(1)(f)) |
| Product communications (newsletter, optional) | | Consent, withdrawable any time (Art. 6(1)(a)) |
| Legal compliance (tax, court orders, takedowns) | As required | Legal obligation (Art. 6(1)(c)) |
Where we rely on legitimate interest, we have conducted a balancing test and concluded that our interest does not override your fundamental rights. You may object at any time (Section 9).
5. How we share data
We do not sell your personal information and we do not "share" it for cross-context behavioral advertising as defined under the CPRA. We share limited data with the following processors / sub-processors strictly to operate the Service:
| Recipient | Purpose | Region |
|---|---|---|
| Amazon Web Services (EC2, SES) | Hosting, transactional email delivery | United States (us-west-2) |
| Domain & DNS providers (Route 53, registrar) | Domain operation | United States |
| Hosting control panel (cPanel) | Server administration | United States |
We also disclose information when required by law (subpoena, court order, lawful request from a public authority), to enforce our Terms, to protect our rights or the rights or safety of others, in connection with a merger, sale, or restructuring (with notice to you and continued protections), or with your consent.
6. International transfers
Our infrastructure is located in the United States. If you access the Service from outside the United States, your personal information will be transferred to and processed in countries that may have different data-protection laws than your own. When transferring data from the EU/UK to the US or other "third countries", we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses (SCCs) and supplementary measures where required (Schrems II). You can request a copy of the SCCs by emailing privacy@treble.popit.marketing.
7. Retention
We retain personal information only as long as necessary for the purposes set out in Section 4 and to comply with legal obligations:
- Account data & User Content: for the lifetime of the account, plus up to 30 days after closure for backup rotation.
- Vote data linked to a song: for as long as the song exists; if the song is deleted, votes are deleted with it.
- Server access logs: 30–90 days, depending on type.
- Audit log of admin/security actions: up to 24 months.
- Email logs (transactional emails sent): up to 12 months.
- DMCA takedown records: up to 7 years (legal-defense purposes).
- Tax / accounting records (if applicable): as required by tax law (typically 7–10 years).
8. Security
We implement technical and organizational measures appropriate to the risk:
- Passwords hashed with Argon2id (memory-hard, salted).
- Sessions over HTTPS with HttpOnly & SameSite cookies.
- CSRF tokens on all state-changing requests.
- Audio streams served via HMAC-signed temporary URLs (no direct file access).
- Rate limiting on login and vote endpoints; cPHulk brute-force protection on infrastructure.
- Regular software updates, principle of least privilege, encrypted storage at rest by hosting provider.
No method is 100% secure. If we become aware of a breach affecting your personal data, we will notify you and applicable supervisory authorities within 72 hours where required by GDPR.
9. Your rights (GDPR / EU / UK)
Subject to applicable law, you have the right to:
- Access your personal data and obtain a copy (Art. 15);
- Rectify inaccurate or incomplete data (Art. 16);
- Erase your data ("right to be forgotten") (Art. 17);
- Restrict processing in certain circumstances (Art. 18);
- Receive your data in a portable, machine-readable format (Art. 20);
- Object to processing based on legitimate interest, including profiling (Art. 21);
- Withdraw consent for processing based on consent (Art. 7(3)), without affecting the lawfulness of prior processing;
- Lodge a complaint with a supervisory authority. In the EU, find yours at edpb.europa.eu/members. In the UK, contact the Information Commissioner's Office.
To exercise any right, email privacy@treble.popit.marketing. We will respond within 30 days (extendable by 60 days for complex requests with notice). We will not discriminate against you for exercising your rights and we will not charge a fee unless your request is manifestly unfounded or excessive.
10. California rights (CCPA / CPRA)
If you are a California resident, you have the following rights regarding your personal information:
- Right to know the categories and specific pieces of personal information we collect, sources, business purposes, and categories of third parties we share with.
- Right to delete personal information we have collected from you, subject to exceptions (legal obligation, security, free speech, internal uses reasonably aligned with your expectations).
- Right to correct inaccurate personal information.
- Right to opt-out of sale or sharing. We do not sell or share your personal information for cross-context behavioral advertising.
- Right to limit use of sensitive personal information. We do not use sensitive personal information beyond what is necessary to provide the Service (we don't profile, target, or infer characteristics).
- Right to non-discrimination for exercising your rights.
To exercise California rights, email privacy@treble.popit.marketing with the subject "California Privacy Request". We will verify your identity through your account email and may require additional confirmation. Authorized agents may submit requests with proof of authorization. We will respond within 45 days (extendable by 45 days with notice).
Categories of personal information collected in the past 12 months: identifiers (account email, IP), commercial information (uploads, usage), internet/network activity (logs), audio recordings (User Content). Inferences are not generated. We have not sold personal information in the past 12 months.
11. Other jurisdictions
Residents of other US states with comprehensive privacy laws (e.g., Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA) have similar rights of access, deletion, correction and opt-out where applicable. The same contact email applies.
Residents of Canada (PIPEDA), Australia (Privacy Act), Brazil (LGPD) and other countries with privacy laws have analogous rights; contact us to exercise them. We treat all good-faith privacy requests under the most protective applicable standard.
12. Children's privacy
The Service is not directed to children under 13, and we do not knowingly collect personal information from anyone under 13. If you believe a child under 13 has provided us with personal information, contact us and we will delete it promptly. For ages 13–16 in the EU/UK, processing based on consent requires verifiable parental consent under GDPR Art. 8.
13. Cookies & tracking
We use a minimal set of cookies (session, CSRF, language, vote-dedup). We do not use advertising or cross-site tracking cookies. Full details, names, and management instructions are in our Cookie Policy.
14. Automated decision-making & profiling
We do not make decisions producing legal or similarly significant effects based solely on automated processing or profiling. The "Spotify success score" we display is a transparent weighted formula based on votes you collect — it is informational and does not result in automated decisions about voters or third parties.
15. Changes
We may update this Privacy Policy. Material changes will be notified by email and/or through the Service at least 14 days before they take effect (or longer if required by law). Non-material changes will simply update the "Last updated" date.
16. How to contact us
For privacy questions, requests, or to exercise your rights:
privacy@treble.popit.marketing
For everything else: hello@treble.popit.marketing
Postal: Treble, Wyoming, United States