Privacy Policy

Last Updated: January 20, 2025

1. Introduction

Hernas OU ("we," "us," or "our") operates MusicAPI (musicapi.com), a service that provides API integration with music streaming platforms. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Service.

We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws. By using our Service, you consent to the data practices described in this policy.

2. Information We Collect

2.1 Information You Provide

We collect information that you provide directly to us, including:

  • Account Information: Email address, name, company name, and billing information when you register for an account
  • Payment Information: Payment details processed through our payment processor, Stripe. We do not store complete credit card information on our servers
  • Communications: Information you provide when you contact us for support or inquiries
  • OAuth Tokens: Authentication tokens from music streaming services that you authorize for API access

2.2 Information Automatically Collected

When you use our Service, we automatically collect:

  • API Usage Data: API calls, endpoints accessed, request/response data, timestamps, and usage metrics
  • Log Data: IP addresses, browser type, operating system, referring URLs, access times, and pages viewed
  • Analytics Data: Usage statistics and aggregated analytics collected through Plausible Analytics, a privacy-focused analytics service
  • Technical Data: Device identifiers, connection information, and performance metrics

2.3 Information from Third Parties

We may receive information from third-party services such as music streaming platforms when you authorize access through OAuth, and from our payment processor Stripe regarding payment transactions.

3. How We Use Your Information

We use the collected information for the following purposes:

  • Provide and Maintain the Service: To operate, maintain, and improve our API service and infrastructure
  • Process Transactions: To process payments and manage your subscription
  • Customer Support: To respond to your inquiries, provide technical support, and communicate with you
  • Monitor Usage: To track API usage, enforce rate limits, detect abuse, and ensure compliance with our Terms of Service
  • Security: To detect, prevent, and address technical issues, fraud, and security vulnerabilities
  • Analytics and Improvement: To analyze usage patterns, improve our Service, and develop new features
  • Legal Compliance: To comply with legal obligations and enforce our agreements
  • Marketing: To send you service-related announcements, updates, and promotional communications (you may opt out of marketing emails)

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), we process your personal data under the following legal bases:

  • Contract Performance: Processing necessary to provide the Service you requested
  • Consent: Where you have given explicit consent for specific processing activities
  • Legitimate Interests: For analytics, security, fraud prevention, and service improvement, where such interests are not overridden by your rights
  • Legal Obligation: To comply with applicable laws and regulations

5. How We Share Your Information

We may share your information in the following circumstances:

5.1 Service Providers

We share information with third-party service providers who perform services on our behalf:

  • Stripe: Payment processing
  • Scaleway: Cloud hosting and infrastructure
  • PostgreSQL Hosting: Database services
  • Plausible Analytics: Privacy-focused website analytics

5.2 Legal Requirements

We may disclose your information if required by law or in response to valid legal requests, including:

  • Compliance with legal obligations or court orders
  • Protection of our rights, property, or safety
  • Investigation of fraud or security issues
  • Enforcement of our Terms of Service

5.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of any such change in ownership or control.

5.4 With Your Consent

We may share your information for other purposes with your explicit consent.

6. Data Retention

We retain your personal information indefinitely for the following reasons:

  • To maintain service continuity and historical API usage records
  • To comply with legal and regulatory requirements
  • For accounting, tax, and audit purposes
  • To resolve disputes and enforce our agreements

However, you have the right to request deletion of your data at any time (see Section 8 - Your Rights).

7. Data Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit using TLS/SSL
  • Encryption of sensitive data at rest
  • Access controls and authentication mechanisms
  • Regular security assessments and monitoring
  • Secure hosting infrastructure with Scaleway
  • Regular backups and disaster recovery procedures

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

8. Your Rights (GDPR)

If you are located in the EEA, you have the following rights regarding your personal data:

  • Right to Access: Request a copy of the personal data we hold about you
  • Right to Rectification: Request correction of inaccurate or incomplete data
  • Right to Erasure: Request deletion of your personal data ("right to be forgotten")
  • Right to Restriction: Request restriction of processing in certain circumstances
  • Right to Data Portability: Request transfer of your data to another service provider in a structured, machine-readable format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
  • Right to Lodge a Complaint: File a complaint with your local data protection authority

To exercise these rights, please contact us at [email protected]. We will respond to your request within 30 days.

9. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. We ensure appropriate safeguards are in place to protect your data in accordance with this Privacy Policy and applicable data protection laws.

Our hosting infrastructure is provided by Scaleway, and data may be stored and processed in their data centers. We ensure that all service providers comply with applicable data protection requirements.

10. Cookies and Tracking Technologies

We use Plausible Analytics, a privacy-focused analytics service that does not use cookies or collect personal data. Plausible is GDPR, CCPA, and PECR compliant.

We may use session cookies for authentication and maintaining your logged-in state. These are essential for the Service to function properly.

11. Third-Party Services

Our Service integrates with third-party music streaming platforms. When you authorize access to these platforms, their privacy policies apply to the data they collect and process. We are not responsible for the privacy practices of third-party services.

We recommend reviewing the privacy policies of:

  • Music streaming platforms you connect (Spotify, Apple Music, etc.)
  • Stripe (payment processing)

12. Children's Privacy

Our Service is not intended for individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child without parental consent, we will take steps to delete such information.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the "Last Updated" date. We encourage you to review this policy periodically.

Your continued use of the Service after changes become effective constitutes acceptance of the revised Privacy Policy.

14. Data Controller

For the purposes of GDPR, the data controller is:

Hernas OU
Kentmanni 4
10116 Tallinn, Estonia

15. Contact Us

If you have any questions about this Privacy Policy or our data practices, or if you wish to exercise your rights, please contact us:

Privacy Inquiries:
Email: [email protected]

General Support:
Email: [email protected]

Postal Address:
Hernas OU
Kentmanni 4
10116 Tallinn, Estonia