Privacy Policy

1. Introduction

RhetoricSound (“we,” “us,” or “our”) is committed to protecting your privacy and handling your personal data responsibly. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use our website and platform (the “Platform”).

We are the data controller for the personal data we process through the Platform. We are based in Scotland, United Kingdom, and comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

If you have any questions about this Privacy Policy or our data practices, you can contact us at: support@rhetoricsound.com

2. Personal Data We Collect

We collect different categories of personal data depending on how you interact with the Platform:

2.1 Account Information

When you create an account, we collect:

• Full name
• Email address
• Avatar/profile picture (optional)
• Account type (radio station, advertiser)
• Station name (for radio station accounts)

2.2 Music Submission Data (Artists)

When artists submit music through the Platform, we collect:

• Artist name and song name
• Email address
• Social media handles
• Genre and city/location
• Audio file (music track)
• Digital signature, timestamp, and IP address (when agreeing to station contract terms)

2.3 Listener Analytics Data

When radio stations embed our listener tracking widget on their websites, we collect the following anonymised data from listeners:

• Anonymised session tokens
• Hashed browser fingerprints (we do not store the raw fingerprint)
• Geographic data derived from IP addresses (country, region, city — we do not store listener IP addresses)
• Device type (mobile or desktop)
• Referrer URL
• User agent string
• Session duration and listening patterns

2.4 Payment and Transaction Data

When you make purchases or receive payouts, we collect:

• Stripe customer ID and subscription ID
• Transaction history (credit purchases, ad campaign spending, payouts)
• Stripe Connect account ID (for stations receiving payouts)

We do not store your full payment card details. All payment processing is handled securely by Stripe, who acts as an independent data controller for payment data. Please refer to Stripe's Privacy Policy for more information.

2.5 Technical and Usage Data

When you visit and use the Platform, we automatically collect:

• IP address
• Browser type and version
• Operating system
• Pages visited and time spent on each page
• Referring website or search terms
• Date and time of access
• Device information

2.6 Advertising Data

When you use the Ad Marketplace, we collect:

• Ad campaign details (title, description, targeting criteria)
• Audio advertisement files
• Campaign performance data (impressions, claims, completion rates)
• Proof of playback recordings

3. How We Use Your Data and Our Lawful Bases

Under the UK GDPR, we must have a lawful basis for processing your personal data. The table below sets out how and why we use your data, along with the legal basis for each purpose:

4. Cookies and Tracking Technologies

We use the following cookies and tracking technologies on the Platform:

4.1 Essential Cookies

These cookies are strictly necessary for the Platform to function and cannot be switched off. They include authentication cookies managed by Supabase to keep you signed in and maintain your session.

4.2 Analytics Cookies

We use Vercel Analytics and Speed Insights to understand how users interact with the Platform, including page views, load times, and navigation patterns. This data is collected in an aggregated and anonymised form.

4.3 Session Recording

We use Hotjar for session recording and heatmap analysis to understand user behaviour and improve the Platform experience. Hotjar may collect mouse movements, clicks, scroll behaviour, and form interactions. Hotjar suppresses sensitive data entry by default. For more information, please refer to Hotjar's Privacy Policy.

4.4 Managing Cookies

You can control and manage cookies through your browser settings. Please note that disabling essential cookies may affect the functionality of the Platform. Most browsers allow you to:

• View what cookies are stored and delete them individually.
• Block third-party cookies.
• Block cookies from specific websites.
• Block all cookies.
• Delete all cookies when you close your browser.

5. Who We Share Your Data With

We may share your personal data with the following categories of recipients:

5.1 Service Providers (Data Processors)

We use trusted third-party service providers who process data on our behalf under appropriate data processing agreements:

• Supabase — database hosting, authentication, and real-time services (data stored in their cloud infrastructure).
• Stripe — payment processing, subscription management, and payouts.
• Amazon Web Services (AWS) S3 — secure storage of uploaded audio files.
• Vercel — website hosting, analytics, and performance monitoring.
• Upstash — Redis-based rate limiting and data caching.
• Hotjar — session recording and heatmap analytics.
• ipapi.co — IP-based geolocation for listener analytics.

5.2 Other Platform Users

Certain data is shared between users as part of the Platform's core functionality:

• Music submission details (artist name, song name, genre, social media handles) are shared with the radio station to which the music is submitted.
• Aggregated and anonymised listener analytics may be visible to advertisers through the Ad Marketplace.
• Station names and verified listener counts are visible to advertisers browsing the Ad Marketplace.

5.3 Legal and Regulatory Disclosures

We may disclose your personal data where required to do so by law, in response to a valid legal request (such as a court order, search warrant, or regulatory demand), or where necessary to protect our rights, property, or safety, or the rights, property, or safety of others.

5.4 Business Transfers

In the event of a merger, acquisition, reorganisation, or sale of all or a portion of our assets, your personal data may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your data.

6. International Data Transfers

Some of our service providers are based outside the United Kingdom. Where we transfer your personal data outside the UK, we ensure that appropriate safeguards are in place in accordance with the UK GDPR, including:

• Transferring data to countries that the UK Government has determined provide an adequate level of data protection.
• Using the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses with our service providers.
• Ensuring our service providers maintain appropriate technical and organisational security measures.

If you would like more information about the specific safeguards applied to international transfers of your data, please contact us at support@rhetoricsound.com.

7. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our retention periods are as follows:

• Account data: Retained for the duration of your account and for up to 12 months after account deletion, unless longer retention is required for legal or regulatory purposes.
• Music submission data: Retained for the duration of the radio station's account or until deleted by the station. Digital signatures and contract records may be retained for up to 6 years for legal compliance.
• Listener analytics data: Hourly data is aggregated into daily rollups and raw session data is retained for up to 90 days. Aggregated analytics data may be retained indefinitely in anonymised form.
• Payment and transaction data: Retained for a minimum of 6 years to comply with HMRC record-keeping requirements and applicable financial regulations.
• Ad Marketplace data: Campaign data and proof of playback are retained for the duration of the campaign plus 12 months. Credit transaction records are retained for 6 years.
• Technical and log data: Retained for up to 12 months.

When data is no longer required, it is securely deleted or irreversibly anonymised.

8. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit using TLS/SSL.
• Row-level security (RLS) policies in our database to ensure users can only access their own data.
• Hashing of sensitive identifiers (such as browser fingerprints) using SHA-256.
• Rate limiting on API endpoints to prevent abuse.
• Content Security Policy headers to protect against cross-site scripting attacks.
• Secure file upload validation (MIME type and file size checks).
• Use of presigned URLs for secure file storage and retrieval via AWS S3.
• Regular review of access controls and security practices.

While we take all reasonable precautions, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security but will notify you and the Information Commissioner's Office (ICO) of any personal data breach that poses a risk to your rights and freedoms, in accordance with our legal obligations.

9. Your Rights Under UK GDPR

Under the UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data:

• Right of access (Article 15): You have the right to request a copy of the personal data we hold about you. You can request a data export through your account settings.
• Right to rectification (Article 16): You have the right to request that we correct any inaccurate or incomplete personal data. You can update most information directly through your account settings.
• Right to erasure (Article 17): You have the right to request that we delete your personal data, subject to certain exceptions (such as legal record-keeping obligations). You can request account deletion through your account settings.
• Right to restrict processing (Article 18): You have the right to request that we restrict the processing of your personal data in certain circumstances, for example while we verify the accuracy of contested data.
• Right to data portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller. You can export your data through your account settings.
• Right to object (Article 21): You have the right to object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
• Right to withdraw consent: Where we process your data based on consent (such as marketing communications), you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
• Rights related to automated decision-making (Article 22): You have the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects you. We do not currently use fully automated decision-making of this nature.

To exercise any of these rights, please contact us at support@rhetoricsound.com. We will respond to your request within one month. In certain circumstances, we may extend this period by a further two months, in which case we will inform you of the extension and the reasons for it.

We may ask you to verify your identity before processing your request to ensure the security of your data.

10. Children's Data

The Platform is not directed at children under the age of 13, and we do not knowingly collect personal data from children under 13. If you are aged 13 to 17, you may only use the Platform with the involvement and consent of a parent or legal guardian. If we become aware that we have collected personal data from a child under 13 without appropriate consent, we will take steps to delete that data as soon as reasonably practicable.

If you believe we have inadvertently collected data from a child under 13, please contact us immediately at support@rhetoricsound.com.

11. Marketing Communications

We may send you marketing communications about our services, features, and promotions where you have given your consent or where we have a legitimate interest to do so (for example, if you are an existing customer). You have the right to opt out of marketing communications at any time by:

• Clicking the “unsubscribe” link in any marketing email.
• Adjusting your notification preferences in your account settings.
• Contacting us at support@rhetoricsound.com.

Opting out of marketing communications does not affect service-related communications (such as account notifications, security alerts, or payment confirmations), which are necessary for the operation of your account.

12. Third-Party Links

The Platform may contain links to third-party websites, services, or applications that are not operated by us. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party websites or services you visit. This Privacy Policy applies only to information collected through the Platform.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Where changes are material, we will notify you by email or by posting a prominent notice on the Platform at least 30 days before the changes take effect. The “Last updated” date at the top of this policy indicates when it was most recently revised.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.

14. Complaints

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection:

We would appreciate the opportunity to address your concerns before you approach the ICO. Please contact us first at support@rhetoricsound.com and we will do our best to resolve the issue.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us: