Privacy Policy

This Privacy Policy (the “Policy”) describes how Hernas OÜ, operating Music24 (“Music24”, “we”, “us”, and “our”) collects, uses, protects, and shares your personal data on our website at https://music24.com (the “Site”), and through our mobile and desktop applications (collectively, the “Platform”).

We are committed to protecting your privacy and personal data in accordance with applicable legislation, including the EU General Data Protection Regulation (GDPR) 2016/679, the Estonian Personal Data Protection Act, and other applicable data protection laws.

1. Data Controller

The controller responsible for processing your personal data is:

Hernas OÜ
Kentmanni 4
10116 Tallinn
Estonia

Contact for data protection inquiries:
Email: [email protected]

2. Personal Data We Collect

We collect the following categories of personal data:

2.1 Information You Provide

• Account information: Email address, name (optional), password
• Payment information: Billing address, payment method details (processed by our payment provider Paddle)
• Support communications: Messages and attachments you send to our support team
• Music service credentials: OAuth tokens to access your music streaming accounts (we do not store your passwords)

2.2 Information Collected Automatically

• Usage data: Features used, actions taken, transfer history
• Device information: Device type, operating system, app version
• Log data: IP address, browser type, access times, referring URLs
• Playlist metadata: Song titles, artist names, album information (for transfer purposes only)

2.3 Information from Third Parties

• Music streaming services: Playlist and library data when you authorize access
• Payment providers: Transaction confirmations and subscription status
• Analytics providers: Aggregated usage statistics

3. Legal Basis for Processing

We process your personal data based on the following legal grounds:

• Contract performance (Art. 6(1)(b) GDPR): Processing necessary to provide our Services, including playlist transfers and account management.
• Legitimate interests (Art. 6(1)(f) GDPR): Analytics, fraud prevention, service improvement, and security. Our legitimate interests do not override your fundamental rights.
• Consent (Art. 6(1)(a) GDPR): Marketing communications and optional cookies. You may withdraw consent at any time.
• Legal obligation (Art. 6(1)(c) GDPR): Tax records, fraud prevention, and compliance with legal requirements.

4. How We Use Your Data

We use your personal data for the following purposes:

1. Providing and maintaining our Services, including playlist transfers
2. Processing payments and managing subscriptions
3. Communicating with you about your account and our Services
4. Providing customer support
5. Analyzing usage to improve our Platform
6. Detecting and preventing fraud and abuse
7. Complying with legal obligations
8. Sending marketing communications (with your consent)

5. Data Sharing

We may share your personal data with:

• Music streaming services: To perform playlist transfers you request
• Payment processors: Paddle.com for secure payment processing
• Cloud service providers: For hosting and infrastructure (within the EU/EEA)
• Analytics providers: For aggregated, anonymized usage analysis
• Legal authorities: When required by law or to protect our rights

We do not sell your personal data. We require all third parties to respect the security of your personal data and to treat it in accordance with applicable law.

6. International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA). When we transfer data outside the EEA, we ensure appropriate safeguards are in place:

• EU Standard Contractual Clauses (SCCs) approved by the European Commission
• Transfers to countries with an EU adequacy decision
• Other legally approved transfer mechanisms

You may request a copy of the safeguards we use by contacting us at [email protected].

7. Data Retention

We retain your personal data for the following periods:

• Account data: Duration of your account plus 30 days after deletion request
• Transaction records: 7 years (legal requirement for tax purposes)
• Support communications: 3 years after resolution
• Usage logs: 12 months
• Marketing consent records: Duration of consent plus 3 years

After the retention period expires, we securely delete or anonymize your data.

8. Your Rights Under GDPR

You have the following rights regarding your personal data:

• Right of access (Art. 15): Request a copy of your personal data
• Right to rectification (Art. 16): Correct inaccurate or incomplete data
• Right to erasure (Art. 17): Request deletion of your data ("right to be forgotten")
• Right to restrict processing (Art. 18): Limit how we use your data
• Right to data portability (Art. 20): Receive your data in a machine-readable format
• Right to object (Art. 21): Object to processing based on legitimate interests or for marketing
• Right to withdraw consent (Art. 7): Withdraw consent at any time without affecting prior processing
• Right regarding automated decisions (Art. 22): Not be subject to solely automated decisions with legal effects

To exercise your rights, contact us at [email protected]. We will respond within one month. You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (www.aki.ee) or your local supervisory authority.

9. Cookies and Tracking

We use cookies and similar technologies for:

• Essential cookies: Required for the Platform to function (no consent needed)
• Analytics cookies: Help us understand how you use our services (with consent)
• Marketing cookies: Track effectiveness of our marketing (with consent)

You can manage cookie preferences through your browser settings or our cookie consent banner. Disabling certain cookies may affect Platform functionality.

10. Security

We implement appropriate technical and organizational measures to protect your personal data, including:

• Encryption of data in transit (TLS) and at rest
• Regular security assessments and updates
• Access controls and authentication requirements
• Employee training on data protection

If you discover a security vulnerability, please report it to [email protected].

11. Children's Privacy

Our Platform is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you become aware that a child has provided us with personal data, please contact us at [email protected]. If we learn that we have collected personal data from a child under 16, we will delete that information promptly.

12. Third-Party Services

Our Platform integrates with the following third-party services:

• YouTube API Services: Subject to Google Privacy Policy
• Spotify: Subject to Spotify Privacy Policy
• Apple Music: Subject to Apple Privacy Policy
• Paddle: Payment processing, subject to Paddle Privacy Policy

Please review these privacy policies before connecting your accounts.

13. Changes to This Policy

We may update this Policy from time to time. We will notify you of significant changes by email or through the Platform. The "Last updated" date at the top indicates when the Policy was last revised. Continued use of our Platform after changes constitutes acceptance of the updated Policy.

14. Contact Us

For questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Hernas OÜ
Kentmanni 4
10116 Tallinn
Estonia

Email: [email protected]

We aim to respond to all inquiries within 30 days.