Privacy Policy

This Privacy Policy describes how Rekordcloud B.V. ("we", "us", "our") handles personal data when you use MixID at www.mixid.fm (the "Service"). Rekordcloud B.V. is the data controller for the purposes of the EU General Data Protection Regulation (GDPR).

1. Definitions

• Service — the MixID website and API operated by Rekordcloud B.V.
• Personal Data — information that identifies a natural person, directly or in combination with other data.
• Usage Data — data automatically generated by your use of the Service (request logs, IP address, browser type, page paths).
• You — the data subject; an individual using the Service.

2. Information we collect

Personal Data

When you create an account we collect:

• Your email address.
• A username and an optional display name.
• An optional profile avatar you choose to upload.
• An encrypted password hash (we never store the plaintext).
• The timestamp at which you accepted these terms.
• Your email preferences (which kinds of MixID email you've chosen to receive or opt out of), and the timestamp of your most recent visit so we can decide whether a we-miss-you reminder is appropriate.

Content you submit

When you use MixID we record:

• The YouTube URLs of mixes you submit, and the resulting track identifications.
• Your contributions to identification quality: track suggestions, transition edits, votes, highlights, and similar annotations.
• Per-track Beatport / Spotify / Apple Music links you claim or correct.

Usage Data

Like any web service, MixID logs IP addresses, user-agent strings, request paths, and timestamps. We use these to operate the service, debug failures, and detect abuse.

Audio fingerprints (not personal data)

To identify the tracks in a mix, MixID computes audio fingerprint hashes from the public YouTube audio you submit. These hashes are short numerical descriptors of the audio itself — they do not contain or reveal any information about you, and we do not treat them as Personal Data.

3. How we use this information

We process the data above to:

• Operate the core Service: identifying tracks in submitted mixes, returning results to you, and showing public mix pages.
• Authenticate you and keep your account secure.
• Send transactional emails (account verification, security notifications, password resets). These are required for the Service to function and you cannot opt out while you have an active account.
• Send occasional product emails: weekly digests of new mixes we think you'll like (based on tracks in mixes you've already enjoyed), an occasional we-miss-you reminder if you've been away for a while, and announcements about meaningful product updates. Each kind is opt-out — you can disable any channel from your email preferences in your profile, or by clicking the unsubscribe link in any product email. Transactional emails are unaffected.
• Improve track-identification accuracy. Annotations and corrections you contribute may be used to train and refine models that power MixID and other Rekordcloud products.
• Detect, prevent, and investigate abuse, fraud, and breaches of our Terms of Service.
• Comply with legal obligations.

4. Legal basis under GDPR

We process your Personal Data on the following legal bases:

• Performance of a contract — to provide the Service you signed up for, including transactional emails (verification, password reset, security notifications).
• Consent — for any processing where you have explicitly opted in (e.g. accepting these terms at registration).
• Legitimate interests — to keep the Service running, secure, and improving, and to send you occasional product emails (digests, we-miss-you reminders, announcements) about a Service you actively use, where your rights and freedoms do not override those interests. You can opt out of these product emails at any time without affecting your account.
• Legal obligation — where required to comply with applicable law.

5. Retention

We keep your Personal Data only for as long as needed for the purposes set out in this policy. Account data is retained while your account exists; if you delete your account (DELETE /v1/me), your profile is anonymised and your tokens are invalidated. Mix submissions and the corresponding track identifications may remain on the Service after account deletion, displayed under an anonymised handle. Usage Data and request logs are retained for a shorter period unless required for security or to comply with the law.

6. Disclosure of data

We may disclose Personal Data:

• To service providers acting on our behalf (hosting, email delivery, analytics) under written data-processing agreements.
• In aggregated, anonymised form that cannot be linked back to you.
• When required by law, court order, or to enforce our Terms of Service.
• In the event of a merger, acquisition, or asset sale, in which case the acquirer is bound by this policy or an equivalent.

We do not sell your personal data. We may share aggregated, non-identifying statistics about mix submissions and track identifications with third parties.

7. International transfers

Your Personal Data is processed in the European Union. We do not transfer Personal Data outside the EU/EEA without adequate safeguards (such as Standard Contractual Clauses or an adequacy decision).

8. Your rights under GDPR

If you are in the EEA you have the following rights regarding your Personal Data:

• The right to access, correct, or delete your data.
• The right to object to or restrict processing.
• The right to data portability — to receive your data in a structured, commonly used format.
• The right to withdraw consent at any time, where consent is the legal basis.
• The right to opt out of product emails at any time, either from your email preferences or via the unsubscribe link in every product email. We honour Gmail and Yahoo one-click unsubscribe headers.
• The right to lodge a complaint with a supervisory authority (in the Netherlands: the Autoriteit Persoonsgegevens).

To exercise any of these rights, contact us at the address in section 13.

9. Service providers

We use a small number of third-party processors to run the Service, including hosting (Vercel for the website, Hetzner for the API), email delivery (AWS Simple Email Service), and source-content access (YouTube via yt-dlp). Each is bound by appropriate contractual terms.

10. Security

We use commercially reasonable measures to protect your data: TLS in transit, password hashing with bcrypt, principle-of-least-privilege access to production systems, and isolated network boundaries. No method of storage or transmission is 100% secure, and we cannot guarantee absolute security.

11. Cookies

MixID uses a small number of strictly necessary cookies to operate sessions and protect against cross-site request forgery. We do not currently use advertising or third-party tracking cookies. You can refuse cookies via your browser settings, but the Service may not function properly without session cookies.

12. Children's privacy

The Service is not directed at children under 16. We do not knowingly collect Personal Data from anyone under 16. If you believe we have collected data from a child under 16, contact us and we will delete it.

13. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent revision. Material changes will be communicated via email or a notice on the Service before they take effect.

14. Contact us

For privacy questions, data-access requests, or to delete your account, contact hi@rekord.cloud.