Privacy Policy
Effective date: 2026-04-27 · Last updated: 2026-04-27
This Privacy Policy explains how DistroShield ("we", "us", "our") collects, uses, and protects information when you use our API and customer portal (the "Service").
1. What we collect
| Category | Examples | Source |
|---|---|---|
| Account info | Name, work email, company name, volume estimate | Signup form / Google OAuth |
| Authentication | API key (stored hashed), session cookie tokens | Generated by us |
| Customer Content | Audio files (via URL you provide), track metadata (title, artist, ISRC) | Submitted by you to /v1/analyze |
| Analysis results | AI scores, classifications, duplicate matches, metadata issues | Generated by us |
| Usage logs | API request timestamps, endpoints, status codes, IP addresses | Auto-collected for billing & abuse prevention |
| Billing info | Stripe customer ID, subscription state | Stripe (we do not store card numbers) |
2. How we use it
- Service operation: authenticate API calls, run analyses, deliver results, send transactional emails (welcome, billing, trial reminders).
- Billing: meter usage and invoice via Stripe.
- Abuse prevention: rate-limit, detect anomalous traffic, suspend abusive accounts.
- Model improvement: we may use anonymized, aggregated signals (e.g., "track had AI score 0.87, reviewer said human") to improve model accuracy. We do not retain raw audio for model training without explicit opt-in.
- Communication: respond to support requests, share product updates (you can opt out of non-transactional emails).
3. How we share it
We do not sell your data. We share it only with:
- Subprocessors required to run the Service (see below).
- Authorities when required by valid legal process.
- Acquirers in the event of a merger or acquisition (you'd be notified).
4. Subprocessors
| Processor | Purpose | Region |
|---|---|---|
| Contabo | Server hosting | USA / Germany |
| Stripe | Payment processing & billing | USA |
| Resend | Transactional email delivery | USA |
| Cloudflare | DNS, email routing | USA / Global |
| Google (OAuth) | Sign-in | USA |
| Spotify, Deezer, YouTube | Duplicate detection (Module 2) — we send title/artist/ISRC to query their public APIs | USA / Global |
5. Data retention
- Audio files: we don't store them. We fetch from your CDN URL only during analysis, process in memory, and discard.
- Analysis results & metadata: retained while your account is active and for 90 days after termination.
- Usage logs: 12 months for billing reconciliation and security audit.
- Account info: until you request deletion.
6. Security
- API keys stored as SHA-256 hashes; raw keys shown only once at creation/regeneration.
- HTTPS-only with TLS 1.2+ on all endpoints.
- Database access restricted to localhost; no public exposure.
- Stripe handles card data per PCI-DSS — DistroShield never sees full card numbers.
- Sessions use httpOnly, sameSite=lax cookies, signed with a server secret.
7. Your rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your data ("right to be forgotten")
- Export your data in a portable format
- Object to or restrict certain processing
- Withdraw consent (where processing is consent-based)
To exercise any of these rights, email contact@distroshield.com. We respond within 30 days.
8. International transfers
The Service is operated from the USA. If you access from outside the USA, your data is transferred to and processed in the USA under standard contractual clauses where applicable.
9. Children
The Service is for B2B use and is not directed at individuals under 16. We do not knowingly collect data from minors.
10. Changes to this Policy
We'll notify registered users of material changes by email at least 30 days before they take effect.
11. Contact
Privacy questions: contact@distroshield.com