Privacy Policy

Account information. When you sign up, we collect the email address, password (stored as a one-way hash), display name, and role you choose. For vendor accounts we also collect an organization domain or a no-domain attestation. For provider accounts we collect a self-attested annual revenue tier (which sets your subscription cost).

Payment information. Subscription and transaction payments are processed by Stripe. Vinylaunch does not store your card number, expiration date, or CVV — Stripe holds those directly under PCI-DSS-compliant infrastructure. Vinylaunch receives only the identifiers Stripe issues (customer ID, subscription ID, payment intent ID) and the amount of each transaction.

Profile and content you create. Anything you publish on the platform — campaign details, profile biography, uploaded media, reviews you write, comments you make, band-lineup credits — is content you control. Public profiles are public; private profiles default to private until you opt in.

Usage data. We log basic request data (URL, response status, timestamp, user agent, IP address) for operational and security purposes — debugging issues, detecting abuse, rate-limiting endpoints. We do not run third-party analytics, ad-network pixels, or behavioral profiling.

Sensitive identity data. If we ever collect EIN, SSN, or other sensitive identity information (e.g. for Stripe Connect onboarding or 1099 generation), it is encrypted at rest and accessible only to a service-role-authenticated server process. It is never displayed in admin interfaces without an explicit unlock action, and never exported to third parties outside the specific compliance context that required its collection.

Automated content moderation. Images and other visual content you upload to the platform — including profile photos, campaign cover art, and (when Phase 4 ships) any video content — are scanned by an automated content moderation service before publication to detect policy-violating content (CSAM indicators, explicit material, violence, weapons, hate symbols, drugs). The scanning service receives the image only for the duration of the scan and is not authorized to use uploaded images for any purpose other than returning a moderation decision to Vinylaunch. See § 3 for the specific processor used. The moderation decision (approved, rejected, flagged for human review) and confidence scores are logged alongside your account for audit and appeal purposes.

We use the information you provide to operate the platform — running your account, processing payments, delivering email notifications you’ve opted into, calculating royalty distributions, generating tax forms required by law, and fulfilling the specific features you use (campaigns, bidding, streaming, profile pages, etc.).

We use aggregated usage data to debug problems, identify abuse, and prioritize product improvements. We do not build behavioral profiles, sell aggregated data, or share it with advertisers.

Vinylaunch uses the following third-party services as data processors. Each holds only the data needed to perform a specific function and is contractually bound by its own privacy and security commitments.

• •Stripe — payment processing. Holds card and payout details.
• •Supabase — database, authentication, and file storage infrastructure.
• •Resend — outbound transactional email (account confirmations, notifications).
• •Cloudflare — DNS, email routing, and CDN-level protection.
• •Mapbox — venue autocomplete on tour campaigns (queries leave the platform with the search string only; no user identifier attached).
• •Amazon Web Services (Rekognition) — automated content moderation on uploaded images. Receives the image only for the duration of a single scan and returns a moderation decision (approved, rejected, flagged for review). AWS's contractual terms do not permit the use of customer-submitted content to train AWS models.
• •Vercel — application hosting and serverless function execution.

We do not use Google Analytics, Facebook Pixel, Mixpanel, Segment, or any other third-party tracking, advertising, or behavioral analytics service.

Vinylaunch uses cookies only for functional purposes — keeping you signed in, remembering your operating context (for vendor team members), and any future feature that fundamentally requires a cookie to work. We do not set tracking cookies, advertising cookies, or third-party cookies.

Other users of the platform. Your public profile (and anything you publish to it) is visible to other users in the way you configured it. Private vendor profiles stay private until you opt in.

Stripe. Payment-relevant information flows to Stripe so transactions can settle. For Stripe Connect (when activated), your tax-ID information passes to Stripe for 1099 generation as required by law.

Legal compliance. We disclose information when required by valid legal process (subpoena, court order, statute). We do not voluntarily share user data with law enforcement and we resist over-broad requests.

We do not sell or rent your data. Not to advertisers, not to data brokers, not to anyone. This commitment is structural — Vinylaunch operates as a sole-owner LLC with no investors pressuring revenue diversification through data monetization.

You can access most of your data through your dashboard. You can edit your profile, delete content you’ve uploaded, and cancel your subscription at any time (we are month-to-month for every role).

You can request a full data export or account deletion by emailing info@vinylaunch.com. We aim to respond within 7 business days.

California residents (CCPA / CPRA). VinyLaunch LLC is a California limited liability company. If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act gives you the right to know what personal information we collect about you and how we use it; the right to request deletion of your personal information (subject to legally required retention); the right to correct inaccurate personal information we hold about you; the right to opt out of the “sale” or “sharing” of your personal information (we do not sell or share personal information for cross-context behavioral advertising, but you have this right regardless); and the right not to be discriminated against for exercising any of these rights. To exercise any of them, email info@vinylaunch.com with “California Privacy Request” in the subject line.

Outside California. If you live elsewhere you may have analogous rights under your local privacy law (for example, GDPR in the EU, the UK GDPR, or other state-level laws in the U.S.). We honor valid requests under those regimes regardless of where you live.

Account data is retained while your account is active. When you delete your account we delete your account profile, content, and direct identifiers.

Financial and ledger records (transactions, royalty distributions, tax forms) are retained as long as required by applicable financial and tax law. These records may be retained in pseudonymized form (linked by Stripe customer ID rather than by direct account identifiers) after account deletion.

Subscription pauses preserve account data for up to 18 months per the subscription pause policy described in our Terms of Service.

Vinylaunch uses Row-Level Security at the database layer so every table enforces owner-only or appropriately-scoped access on every read and write. Sensitive identity data is encrypted at rest with keys held only by the application server. Payment data is held by Stripe under PCI-DSS infrastructure. Email-confirmation flows use single-use tokens with limited validity.

No system is perfectly secure. If a breach affecting your data occurs, we will notify affected users in accordance with applicable breach-notification laws (typically within 72 hours of confirmation).

Vinylaunch is a U.S.-based LLC and primarily processes data in the United States. If you access the platform from outside the U.S., your data will be transferred to and processed in the U.S. By using the platform, you consent to that transfer.

The platform is not directed at children under 13, and we do not knowingly collect personal information from children under 13. Account creation requires age 13 or older. Paid features (subscriptions, crowdfunding pledges, direct artist support) require age 18 or older or, where applicable, parental consent under your local law.

If we discover an account belongs to someone under 13, we delete it.

We may update this policy from time to time. When material changes happen we will notify active users by email and post a notice on the platform. The current effective date is at the top of this page. Continued use of the platform after a change takes effect constitutes acceptance of the new policy.

Privacy questions: info@vinylaunch.com
Copyright / DMCA: dmca@vinylaunch.com (or see our DMCA policy)