Privacy Policy

This policy explains, in plain language, what personal data Trackdeck handles, why we handle it, where it lives, and the rights you have over it. Trackdeck is a secure album-sharing platform for record labels, and it is currently an invite-only private beta. We have tried to keep this honest and specific rather than dense — if anything is unclear, just email us.

Who we are & how to contact us

Trackdeck is built and run by an individual, not a company. The person responsible for your data — the data controller under the GDPR — is:

• David Jaspers, sole operator of Trackdeck
• Contact: info@trackdeck.de

Throughout this policy, "we", "us" and "the operator" all refer to David Jaspers operating Trackdeck. There is no separate legal company entity behind the service.

What data we collect and why

We try to collect as little as possible, and only what the service genuinely needs. There are four categories.

1. Waitlist & access requests

When you ask to join the beta, we collect the details you give us: your name, email address, and optionally your label or company and a short message or pitch. Alongside this we store a small amount of coarse technical metadata — your browser's user-agent string and a hashed version of your IP address — purely to rate-limit the form and prevent abuse. We use this information to evaluate and respond to your request, and to let you know when access opens up.

2. Accounts

If you are given access, we create an account for you. Authentication is handled by Firebase Auth, so we store your email address and an authentication identifier. You can sign in with Google or with an email and password. We do not store your password — that is managed by Firebase Auth on Google's infrastructure.

3. Product usage inside the app

To run the service, we store the content and activity you create: the Trackdecks, tracks and comments you upload or write, and engagement counters tied to your share links — how many times a link was opened, how many plays it received, and how many downloads occurred. This is the operational data that makes Trackdeck work and gives you the insight the product is built to provide.

4. Optional, consent-based analytics

Analytics are off by default. We do not load third-party tracking cookies unless you explicitly allow them. If you do opt in, we may collect aggregate, privacy-first usage signals to understand how the marketing site and app are used. You are never tracked across other websites, and declining changes nothing about your access to the service.

Legal bases for processing

Under the GDPR we rely on the following legal bases:

• Contract / legitimate interest — to run the service for you: hosting your Trackdecks, accounts, comments and share links, and providing the engagement data the product exists to deliver.
• Legitimate interest — to keep the service and your unreleased music secure and to prevent abuse: access gating, audit logging, hashed IPs for rate-limiting, and leak tracing.
• Consent — for optional analytics and for any marketing email beyond directly answering your waitlist request. You can withdraw consent at any time without affecting your use of Trackdeck.
• Legitimate interest — to handle and respond to waitlist and access requests you send us.

Cookies & analytics

Trackdeck is privacy-first about cookies. Strictly necessary cookies — the ones required to keep you signed in and the service functioning — are always set, because the product cannot work without them. Everything else is consent-gated and declined by default. No third-party tracking or advertising cookies load unless you actively choose to allow them, and there is no cross-site tracking. If you never make a choice, the answer stays "no".

How data is stored & secured

Your data is hosted on Google Cloud / Firebase in the EU region (europe-west1). On top of that infrastructure, Trackdeck applies the protections it was built around:

• Server-side access gating on every stream and download — there are no public file URLs.
• Short-lived signed URLs for media, which expire and are never reusable.
• Per-recipient forensic watermarking applied to downloads, so a leaked file can be traced back to the link it came from.
• A download audit log that records IP addresses only as salted hashes, never as raw addresses.
• Revocable and expiring share links, so access can be cut off instantly.

No system is perfectly secure, and we do not claim any certifications we do not hold. But the architecture is designed from the ground up to keep unreleased music private.

Sub-processors

We keep our list of third parties deliberately short. The data above is processed on our behalf by:

• Google (Firebase) — hosting and core infrastructure, including Firebase Auth, Firestore, Cloud Storage, Cloud Functions and Hosting, in the EU (europe-west1).
• Google (Gmail) — used to send email, such as replies to your waitlist request.

We do not sell your personal data, and we do not share it with anyone for advertising.

Data retention

We keep personal data only as long as we genuinely need it. Account and product data is retained for as long as your account is active and the service is being provided to you; when you ask us to delete it, we remove it. Waitlist and access-request data is kept while your request is pending and for a reasonable period afterwards so we can follow up, and is deleted once it is no longer needed. Security and audit logs are retained for a limited period to support leak tracing and abuse prevention. When data is no longer needed for these purposes, it is deleted.

Your rights under the GDPR

Because we process data about people in the EU, you have a set of rights you can exercise at any time:

• Access — ask for a copy of the personal data we hold about you.
• Rectification — have inaccurate or incomplete data corrected.
• Erasure — ask us to delete your data.
• Portability — receive your data in a portable, machine-readable form.
• Objection — object to processing we carry out on the basis of legitimate interest.

To exercise any of these, email info@trackdeck.de and we will handle your request. You also have the right to lodge a complaint with a data-protection supervisory authority. In the Netherlands, that is the Autoriteit Persoonsgegevens.

Children

Trackdeck is a tool for record labels and is not directed at children. We do not knowingly collect data from anyone under the age of 16. If you believe a child has provided us with personal data, contact us and we will remove it.

Changes to this policy

As Trackdeck grows out of its private beta, this policy may change. When it does, we will update the "Last updated" date at the top of this page, and for significant changes we will take reasonable steps to let affected users know. Continuing to use Trackdeck after an update means the revised policy applies to you.

Questions about any of this? Email info@trackdeck.de.