Privacy Policy

1. Who We Are

ArtistOS.studio is an AI-powered music marketing platform for independent artists. This Privacy Policy explains what personal data we collect, why we collect it, and how we use it. ArtistOS.studio does not sell your personal data to third parties.

2. Data We Collect

Artist account data

• Email address (from sign-up via Clerk OAuth or email/password)
• OAuth provider identity (Google, Apple, or TikTok account ID — no passwords stored)
• Artist name and profile slug (set during onboarding)
• Session tokens (managed by Clerk; stored as secure cookies)

Release and content data

• Audio files and artwork you upload (stored in Azure Blob Storage)
• Song metadata: title, genre, mood tags, release date, collaborator names and royalty splits
• AI-generated marketing plans associated with your releases

Fan data (on your behalf)

• Fan email addresses collected via your ArtistOS.studio fan capture page
• Approximate location (city, region, and country) derived from the fan's IP address at the time of sign-up — used to help artists understand where their audience is located
• Subscription timestamp and the fan capture page they signed up through
• Unsubscribe status and timestamp

Performance data

• Spotify stream counts, follower deltas, and discovery source breakdowns (via Spotify for Artists API, read-only, with your consent)
• No Spotify listener personal data is stored — only aggregate counts and percentages

3. How We Use Your Data

• To provide and operate the ArtistOS.studio service
• To generate AI marketing plans for your releases
• To send you transactional emails (plan approval, go-live confirmations, daily action reminders) via Resend
• To send your fans emails on your behalf when you trigger a fan blast
• To show you post-release performance data from Spotify
• We do not use your data for advertising, profiling, or sale to third parties

4. Lawful Basis for Processing (GDPR)

• Contract: processing your account data to provide the service you signed up for
• Consent: Spotify data access (granted at OAuth connection time); fan email collection (fans opt in on your capture page, informed of location data collection via notice at point of capture)
• Legitimate interest: service improvement, security, and fraud prevention

5. Data Processors

We use the following sub-processors to operate the Service:

6. Your Rights

Under GDPR and CCPA, you have the right to:

• Access the personal data we hold about you
• Correct inaccurate data
• Delete your account and associated data (right to erasure)
• Export your fan subscriber list (CSV export in the dashboard)
• Object to processing based on legitimate interest
• Withdraw consent for Spotify data access at any time from Account Settings

To exercise any of these rights, email privacy@artistos.com. We will respond within 30 days.

7. Data Retention

• Account data is retained for the lifetime of your account
• Fan subscriber data is retained until you delete it or delete your account
• Audio and artwork files are retained until you delete the release or your account
• Performance data (stream counts) is retained for 12 months
• After account deletion, all data is purged within 30 days

8. Children's Privacy (COPPA)

ArtistOS.studio is not intended for children under 13. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has created an account, contact us at privacy@artistos.com and we will delete the account immediately.

9. Security

All data is encrypted in transit (TLS) and at rest. Secrets are stored in Azure Key Vault and accessed via Managed Identity — no static credentials are stored in code or configuration files. OAuth tokens (including Spotify refresh tokens) are encrypted at rest using AES-256.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you by email or via an in-app banner at least 14 days before material changes take effect.

11. Contact

Privacy questions or data subject requests: privacy@artistos.com