Privacy Policy

Account Information: When you create an account, we collect your name, email address, password (hashed), and role selection (Creator or Artist). If you sign up with Google OAuth, we receive your name and email from Google.

Profile Information: Depending on your role, you may provide a display name, artist name, bio, website URL, social media links, content niche, follower count, and platform preferences.

Content Data: Artists upload music files (WAV format), cover art, and track metadata including titles, genres, credits, and copyright information. Creators store licensing records and video URLs.

Usage Data: We collect information about how you interact with the Platform, including pages visited, features used, and actions taken (e.g., tracks played, licenses created).

Technical Data: We automatically collect your IP address, browser type, device information, and operating system when you access the Platform. This data is used for security and analytics purposes.

We use your personal data to:

• Provide, maintain, and improve the Platform
• Process licensing transactions between Creators and Artists
• Send notifications about account activity, licenses, and contracts
• Verify your identity and prevent fraud or unauthorized access
• Generate license certificates and maintain audit trails for contracts
• Respond to support requests and communicate important updates
• Comply with legal obligations and enforce our Terms of Service

We do not sell your personal data to third parties. We do not use your data for advertising purposes.

We use the following third-party services to operate the Platform. Each has its own privacy policy governing their use of your data:

• Supabase — Authentication, database, and file storage. Your account data, profile information, and uploaded files are stored on Supabase infrastructure.
• Resend — Email delivery. We use Resend to send transactional emails including notifications, license confirmations, and account-related communications.
• Cloudflare — Hosting and CDN. The Platform is deployed on Cloudflare Pages, which processes request data for content delivery and security.
• Google — OAuth authentication. If you choose to sign in with Google, your basic profile information is shared with us by Google.

We use the following types of cookies:

• Essential Cookies: Required for authentication and session management. These cannot be disabled as the Platform cannot function without them.
• Preference Cookies: Store your preferences such as cookie consent choices and UI settings. These are stored in your browser's localStorage.
• Analytics Cookies: Help us understand how users interact with the Platform. These are only loaded with your explicit consent.

You can manage your cookie preferences at any time through the cookie consent banner or by clearing your browser data. See our cookie consent banner for detailed controls.

Active Accounts: Your data is retained for as long as your account is active.

Deleted Accounts: When you request account deletion, your personal data is anonymized within 30 days. Financial records (earnings, licensing transactions) are anonymized but retained for legal and accounting compliance.

Financial Records: Transaction data is retained in anonymized form for up to 7 years as required by tax and financial regulations.

Audit Logs: Contract signing records and license verification data are retained for the duration required by law.

Under the General Data Protection Regulation (GDPR) and similar privacy laws, you have the following rights regarding your personal data:

• Right of Access: You can request a copy of all personal data we hold about you. Use the "Download My Data" button in your account settings to generate an export.
• Right to Rectification: You can update or correct your personal data at any time through your account settings.
• Right to Erasure: You can request deletion of your account and personal data through the "Delete My Account" option in your settings. Some data may be anonymized rather than deleted for legal compliance.
• Right to Data Portability: You can export your data in a machine-readable JSON format through your account settings.
• Right to Restrict Processing: You can request that we limit how we process your data in certain circumstances.
• Right to Object: You can object to processing of your data for certain purposes, including marketing communications. You can manage notification preferences and unsubscribe from emails at any time.

To exercise any of these rights beyond what is available in your account settings, please contact us at privacy@roylo.io. We will respond within 30 days.

We implement appropriate technical and organizational measures to protect your personal data, including:

• Encryption of data in transit (TLS/HTTPS)
• Secure password hashing (via Supabase Auth)
• Row-level security policies on database tables
• Regular security reviews and access controls

While we take reasonable precautions, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security of your data.

Your data may be processed in countries outside your country of residence, including the United States, where our service providers operate. We ensure appropriate safeguards are in place for international data transfers in compliance with applicable data protection laws.

The Platform is not intended for users under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a minor, we will take steps to delete that information promptly.

We may update this Privacy Policy from time to time. We will notify users of material changes via email or through the Platform. The "Last updated" date at the top of this page reflects the most recent revision.

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us:

• Email: privacy@roylo.io
• General inquiries: support@roylo.io