Privacy Policy

At song.so, we take the protection of your personal data very seriously. In this privacy policy, you will learn what data we collect, how we use it, and what rights you have.

By using our WebApp, you consent to the processing of your data in accordance with this privacy policy.

We process the following types of data, among others:

• Personal information (e.g., name, email address during registration)
• Information about your device and internet connection
• Usage data and technical logs
• With consent: Device data for user recognition (fingerprinting)

We use your data to:

• Provide and improve our services
• Measure clicks on smartlinks and provide anonymized statistics to artists
• Communicate with you about your account
• Ensure the security of our platform
• Process payments and subscriptions
• Send transactional and, with consent, marketing emails
• Measure advertising performance and attribution (with consent)

We use cookies and similar technologies to collect usage data and improve functionality. For pseudonymous device recognition we use FingerprintJS Pro and ThumbmarkJS — only with your express consent, which you can revoke at any time through our cookie settings.

4.1 Data Controller

The controller responsible for data processing on this website is:

SwipeUp Marketing

Philipp Lützenburger

Äußere Münchener Straße 78
83026 Rosenheim
Germany

Tel.: +498031 9075997

Email: info@swipeup-marketing.com

VAT ID: DE330019410

4.2 General Information on Data Processing

We process personal data of our users only to the extent necessary to provide a functional website and our content and services. The processing of personal data regularly occurs only with the consent of users or when processing is permitted by statutory provisions.

4.3 Hosting and Content Delivery Network

Our website is hosted by Netlify. The provider is Netlify, Inc., 44 Montgomery Street, Suite 300, San Francisco, California 94104, USA. Data processing may occur in a third country (USA). Netlify is certified under the EU-U.S. Data Privacy Framework.

We also use Cloudflare as our CDN and security service provider. The provider is Cloudflare Inc., 101 Townsend St, San Francisco, CA 94107, USA. Cloudflare is also certified under the EU-U.S. Data Privacy Framework.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure and high-performance website provision)

4.4 Database: Supabase

For the storage and management of user data, we use Supabase, a service provided by Supabase Inc., 970 Toa Payoh North, #07-04, Singapore. Our data is stored exclusively in a data center in Frankfurt am Main, Germany.

Legal basis: Art. 6(1)(b) GDPR (contract fulfillment) or Art. 6(1)(a) GDPR (consent)

4.5 User Identification: FingerprintJS Pro

We use FingerprintJS Pro for pseudonymized user recognition, bot filtering and abuse prevention. The provider is FingerprintJS, Inc., 2261 Market Street #4010, San Francisco, CA 94114, USA. The generated visitor identifiers are pseudonymized and only linked to other data where strictly necessary for the contracted service (e.g. tracking accuracy, fraud prevention).

Legal basis: Art. 6(1)(a) GDPR (consent)

4.6 User Identification: ThumbmarkJS

In parallel to FingerprintJS Pro we use the open-source library ThumbmarkJS for browser-based device fingerprinting. The fingerprint is calculated locally in the browser and only a hashed identifier is transmitted to our servers. No personal data is sent to any third party by ThumbmarkJS itself.

Legal basis: Art. 6(1)(a) GDPR (consent)

4.7 Google Sign-In (OAuth)

For registration and login, we use the authentication function of Google Sign-In. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

When using Google Sign-In, we receive access to certain profile information (e.g., email address) if you have consented to this.

Legal basis: Art. 6(1)(a) GDPR (consent)

4.8 Forwarding to third-party providers for marketing purposes

With the express consent of the user, we send certain data (e.g. interactions, registrations) on the server side to the following platforms:

• Meta Platforms Ireland Ltd. (Conversion API)
• TikTok Technology Limited (TikTok Events API)

This serves to measure campaign performance and optimize our advertising.

Legal basis: Art. 6(1)(a) GDPR (consent)

4.9 Payment Processing: Stripe

For subscription billing, artist payouts (Stripe Connect) and card payments in artist stores we use Stripe. The provider for European customers is Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland. Stripe processes payment data (e.g. card details, billing address, transaction amount) on our behalf. Card data is entered directly on Stripe’s PCI-DSS compliant infrastructure and is not stored on our servers.

Legal basis: Art. 6(1)(b) GDPR (contract fulfillment)

4.10 Payment Processing: PayPal

We offer PayPal as a payment method in artist stores. The provider is PayPal (Europe) S.à r.l. et Cie, S.C.A., 22–24 Boulevard Royal, 2449 Luxembourg. When you pay with PayPal, the data required for the transaction (e.g. name, email, address, order details) is transferred to PayPal. Artists who connect their own PayPal business account via PayPal OAuth additionally authorize us to create orders and capture payments on their behalf.

Legal basis: Art. 6(1)(b) GDPR (contract fulfillment)

4.11 Email Delivery: Mailgun

For transactional and marketing emails we use Mailgun Technologies Inc., 112 E. Pecan St. #1135, San Antonio, TX 78205, USA. Mailgun processes recipient email addresses, message content and technical delivery metadata on our behalf.

Legal basis: Art. 6(1)(b) GDPR (contract fulfillment) and Art. 6(1)(a) GDPR (consent, for marketing emails)

4.12 Merchant Integrations: Shopify & Zettle (PayPal POS)

If an artist connects their own Shopify store or Zettle (PayPal) point-of-sale account, we exchange data with these providers on the artist’s behalf in order to sync products, orders and purchases. The providers are Shopify International Limited, 2nd Floor, Victoria Buildings, 1–2 Haddington Road, Dublin 4, Ireland, and iZettle AB (a PayPal company), Regeringsgatan 59, 111 56 Stockholm, Sweden. We only access the data required for the connected features and only for artists who actively enable the integration.

Legal basis: Art. 6(1)(b) GDPR (contract fulfillment)

4.13 Streaming & Music Platform APIs

To power smartlinks and analytics we query public APIs of music platforms such as Spotify AB, Apple Inc., YouTube / Google Ireland Limited, SoundCloud Global Limited & Co. KG and Deezer S.A. These requests are made server-side and typically do not transfer personal data of end users. When an artist connects their own Spotify or similar account via OAuth, the associated account data is processed to provide the connected feature.

Legal basis: Art. 6(1)(b) GDPR (contract fulfillment) and Art. 6(1)(f) GDPR (legitimate interest in providing smartlink functionality)

4.14 Embedded Content from Third-Party Providers

Our website may embed content from third-party providers such as YouTube, Vimeo, or SoundCloud. When loading this content, personal data (e.g., IP address, browser data) may be transferred to these providers.

Legal basis: Art. 6(1)(a) GDPR (consent via cookie banner / content blocker)

4.15 Marketing Data Processing and Sharing with Partners

Data of account users (artists and their teams) may be processed for marketing purposes. Additionally, personal data voluntarily and expressly provided by visitors (such as name, email address, and/or mobile number, for example via newsletter opt-in) may be forwarded to the respective user's partners (e.g., record labels, management companies) and used by them for marketing purposes.

In the event of unwanted contact via external mailing software or newsletter tools of the user or their partners, the opt-out must be made directly with the respective partner. song.so is not responsible for the marketing communications sent by third-party partners.

Legal basis: Art. 6(1)(a) GDPR (consent) and Art. 6(1)(f) GDPR (legitimate interest in enabling artists to communicate with their audience and partners)

We store personal data only for as long as is necessary to achieve the purposes stated or as required by law.

According to the GDPR, you have the right at any time to:

• Access information about your stored data
• Rectify incorrect data
• Delete your data ("Right to be forgotten")
• Restrict processing
• Data portability
• Object to processing
• Withdraw your consent with effect for the future

To exercise your rights, you can contact us anytime via email:
privacy@song.so