Privacy Policy
Last updated: March 15, 2026
TrackScore.AI ("we," "us," or "our") operates the TrackScore.AI web application (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. By accessing or using the Service, you agree to the terms of this Privacy Policy.
1. Audio Data & Zero-Storage Architecture
We designed TrackScore.AI with a zero-storage audio architecture. This is the most important thing to understand about how we handle your music:
- Your audio file is streamed directly from your browser to our analysis server over an encrypted connection (TLS).
- The audio is held in volatile memory (RAM) only for the duration of the analysis — typically under 60 seconds.
- Once analysis is complete, the audio data is immediately discarded from memory. It is never written to disk, copied, cached, or backed up.
- We have no ability to play back, reconstruct, or retrieve your audio after analysis completes.
- We do not use your audio files to train machine learning models, improve our algorithms, or for any purpose other than generating your analysis report.
2. Analysis Results & Metadata
While we do not store your audio, we do store the analysis results generated from it. This includes:
- Numerical scores: hit potential, danceability, mix quality, frequency balance, energy, and structure scores.
- Technical metadata: BPM, musical key, loudness (LUFS), duration, dynamic range, crest factor, stereo width, and spectral characteristics.
- Feedback & diagnostics: textual feedback, Klaus™ engineer comments, and actionable recommendations.
- File metadata: file name and artist tag (as embedded in your audio file). We do not extract or store any other ID3/metadata tags.
Analysis results are stored in our database and associated with your account so you can access your track history on the dashboard. You may request deletion of your analysis history at any time by contacting us.
3. Account Information
When you create an account, we collect:
- Email address: used for account authentication, transactional emails (purchase receipts, password resets), and critical service announcements. By creating an account, you are subscribed to our marketing newsletter ("The Mixdown"). You can unsubscribe at any time via the link in every email.
- Password: stored as a cryptographic hash. We never store or have access to your plaintext password.
We do not require your name, phone number, address, or any other personally identifiable information to use the Service.
4. Payment Information
All payment processing is handled by Stripe, Inc. We never receive, process, or store your credit card number, CVV, or full payment details. Stripe provides us with a transaction reference, the amount paid, and a timestamp — nothing more. Stripe's privacy policy is available at stripe.com/privacy.
5. Cookies & Tracking Technologies
We use cookies and similar technologies to operate the Service, measure performance, and deliver relevant advertising. Here is a breakdown by category:
Strictly Necessary
- Authentication cookies: keep you logged in and maintain your session. These cannot be disabled without breaking core functionality.
Analytics & Performance
- Google Analytics 4 (GA4): measures traffic sources, page views, conversion funnels, and aggregate usage patterns. GA4 uses first-party cookies and transmits pseudonymized data to Google. You can opt out via the Google Analytics Opt-out Browser Add-on.
- Mixpanel: tracks product engagement events (e.g., analysis completed, feature used) to help us understand behavioral patterns and improve the user experience. Mixpanel receives pseudonymized event data tied to your account.
- Sentry: captures JavaScript errors and performance data to help us diagnose and fix bugs. Sentry may receive your IP address (which is not stored) and browser/device metadata alongside error reports.
Advertising & Conversion Tracking
- Meta Pixel (Facebook/Instagram): tracks conversions from Meta ad campaigns and may build audience segments for retargeting. The Meta Pixel sends page view and conversion events to Meta Platforms, Inc. You can manage your ad preferences at facebook.com/adpreferences.
- Google Ads Conversion Tracking: measures the effectiveness of our Google search ad campaigns by recording when a user who clicked an ad completes a signup or purchase. Data is sent to Google and subject to Google's Privacy Policy.
- Reddit Pixel: tracks conversions from Reddit ad campaigns. Sends page view and conversion events to Reddit, Inc. You can opt out via Reddit's privacy settings.
Email Marketing
- Klaviyo: powers our marketing email campaigns (welcome series, product updates, re-engagement). Klaviyo tracks email opens and link clicks to measure campaign performance. You can unsubscribe from marketing emails at any time via the link in every email. Transactional emails (receipts, password resets) are sent separately via Resend and are not affected by your marketing preferences.
Referral & Attribution
- UTM parameters & referral links: we use URL parameters (e.g., ?ref=, ?utm_source=) to attribute signups to marketing channels, referral partners, and content creators. These parameters are logged alongside your signup event but do not contain personally identifiable information.
Surveys & Feedback
- In-app surveys: we may display NPS or feedback surveys (powered by Typeform or similar tools) to gather product feedback. Responses are associated with your account and used solely to improve the Service. Survey participation is always optional.
You can control or disable most tracking technologies through your browser settings, platform-specific opt-out tools linked above, or industry opt-out programs such as the Digital Advertising Alliance or Your Online Choices (EU). Disabling non-essential cookies will not affect core Service functionality.
6. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Service.
- Process your audio analyses and deliver results to your dashboard.
- Process payments and manage your credit balance.
- Send transactional communications (receipts, password resets, account confirmations).
- Send marketing communications (product updates, tips, promotions) if you have opted in. You can unsubscribe at any time.
- Measure the effectiveness of our advertising campaigns and attribute signups to marketing channels.
- Display relevant ads to you on third-party platforms (Meta, Google, Reddit) based on your interactions with our Service.
- Detect, prevent, and address abuse, fraud, or technical issues.
- Comply with legal obligations.
We do not sell your personal data to data brokers or use it for automated decision-making that produces legal effects.
7. Data Sharing & Disclosure
We do not sell, rent, or trade your personal information. We share data only with the following categories of service providers, and only to the extent necessary to operate the Service:
Infrastructure & Core Services
- Supabase (database & authentication): stores your account information and analysis results.
- Stripe (payments): processes credit purchases.
- Vercel (hosting): serves the web application.
- Railway (compute): runs the audio analysis engine.
Analytics & Error Monitoring
- Google (Analytics & Ads): receives pseudonymized usage data and conversion events.
- Mixpanel: receives pseudonymized product engagement events.
- Sentry: receives error reports and performance telemetry.
Advertising Platforms
- Meta Platforms (Facebook/Instagram): receives pixel events for ad conversion measurement and audience building.
- Reddit: receives pixel events for ad conversion measurement.
Email & Communications
- Klaviyo: receives your email address and engagement segments for marketing campaigns.
- Resend: receives your email address for transactional messages (receipts, password resets).
We may also disclose information if required by law, court order, or governmental regulation, or if disclosure is necessary to protect our rights, property, or safety, or that of our users or the public.
8. Data Retention
- Audio files: not retained. Discarded from memory immediately after analysis.
- Analysis results: retained as long as your account is active, or until you request deletion.
- Account data: retained until you delete your account. Upon deletion, we remove your personal information within 30 days, except where retention is required by law.
- Payment records: transaction references are retained as required for tax and financial reporting obligations.
9. Data Security
We implement industry-standard security measures including encryption in transit (TLS), encrypted data at rest, secure authentication with hashed passwords, and row-level security policies on our database to ensure users can only access their own data. While no system is 100% secure, we take reasonable and appropriate measures to protect your information from unauthorized access, alteration, disclosure, or destruction.
10. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: request a copy of the personal data we hold about you.
- Correction: request correction of inaccurate or incomplete data.
- Deletion: request deletion of your personal data and analysis history.
- Portability: request an export of your analysis data in a machine-readable format.
- Objection: object to certain processing of your data.
To exercise any of these rights, contact us at the email address below. We will respond within 30 days.
11. International Data Transfers
Our Service is hosted in the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States or other jurisdictions where our service providers operate. By using the Service, you consent to the transfer of your information to these jurisdictions, which may have different data protection laws than your country of residence.
12. Children's Privacy
The Service is not directed to individuals under the age of 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child, we will delete that information promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. If we make material changes, we will notify you by email or by posting a prominent notice on the Service. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
14. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at: privacy@trackscore.ai