Privacy Policy - Playlist Pilot

1. Introduction

This Privacy Policy ("Policy") describes how Playlist Pilot, owned and operated by CTRL Music Platforms LLC ("we," "us," "our"), collects, uses, discloses, and protects personal information in connection with our website, application, and related services ("Services"). We are committed to protecting your privacy and complying with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, the California Consumer Privacy Act of 2018 ("CCPA"), and the California Privacy Rights Act of 2020 ("CPRA").

By accessing or using our Services, you acknowledge that you have read, understood, and agree to the terms of this Policy. If you do not agree with this Policy, you should not use our Services.

2. Information We Collect

2.1 Information You Provide Directly

We collect the following information when you create an account, subscribe to a plan, or communicate with us:

Full name
Email address
Password (hashed and salted; never stored in plain text)
Any information you choose to provide when contacting support

2.2 Information Collected Automatically

When you use our Services, we automatically collect:

Token usage data (e.g., number of playlist matches generated, AI pitches created)
Campaign and feature usage activity
Device type, browser type, operating system, and IP address
Date and time of access, login attempts, and in-app activity logs

2.3 Payment Information

We do not collect or store your full payment card details. All payment processing is handled securely by Paddle, our payment provider and merchant of record. Paddle collects billing information, card details, and related payment data subject to its own Privacy Policy (https://paddle.com/legal/privacy).

3. Purpose and Legal Basis of Processing

We process your personal data for the following purposes:

To create and maintain your account
To process subscription payments via Paddle
To allocate and track token usage
To deliver purchased features and Services
To respond to support inquiries
To detect and prevent fraud, abuse, and unauthorized access
To comply with applicable laws and regulations

Legal bases under GDPR include:

Performance of a contract (Article 6(1)(b) GDPR)
Compliance with legal obligations (Article 6(1)(c) GDPR)
Legitimate interests in operating and improving our Services (Article 6(1)(f) GDPR)
Consent, where required (Article 6(1)(a) GDPR)

4. Sharing of Information

We share personal data only with:

Paddle, for payment processing and invoicing
Hosting providers, for service delivery and data storage
Email service providers, for account and transactional communications
Analytics providers, for service monitoring and improvement

We may also disclose personal information if required by law, legal process, or to protect the safety and security of our users or Services.

5. Cookies and Tracking Technologies

We use cookies and similar technologies strictly necessary for authentication, maintaining user sessions, and ensuring platform security. We do not use advertising or behavioral tracking cookies.

6. Data Retention

We retain personal data only as long as necessary for the purposes set out in this Policy or as required by law. Upon account deletion, personal data will be permanently deleted within thirty (30) days, except where retention is necessary for legal compliance, dispute resolution, or fraud prevention.

7. Your Rights

7.1 GDPR Rights (EEA/UK Residents)

You have the right to:

Access your personal data
Request correction of inaccurate data
Request deletion of your data
Request data portability
Object to certain processing activities
Withdraw consent, where applicable

7.2 CCPA/CPRA Rights (California Residents)

California residents have the right to:

Know the categories and specific pieces of personal information collected
Request deletion of personal information
Opt out of the sale or sharing of personal information (we do not sell personal data)

To exercise these rights, contact us at support@playlistpilotapp.com. We will respond within the timeframes required by applicable law.

8. Account Deletion

You may delete your account at any time through the Settings page. Account deletion is permanent and results in the removal of all associated personal data and usage logs, except where retention is legally required.

9. Security Measures

We implement appropriate technical and organizational measures to safeguard personal data against unauthorized access, alteration, disclosure, or destruction. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

10. Children's Privacy

Our Services are not directed to children under the age of thirteen (13). We do not knowingly collect personal data from children under this age. If we become aware that we have collected personal information from a child under 13 without parental consent, we will delete it promptly.

11. International Data Transfers

Your personal data may be transferred to and processed in countries outside your country of residence, including the United States. Where legally required, we implement appropriate safeguards, such as Standard Contractual Clauses, to protect transferred data.

12. Google API Services User Data Policy

Playlist Pilot's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

12.1 What We Access

When you connect your Gmail account to Playlist Pilot, we request access to the following scope:

gmail.send - Allows sending emails on your behalf when you click "Send Pitch"

We do not request access to read, modify, or delete your emails. We cannot access your inbox, drafts, or any other email content.

12.2 How We Use Google User Data

Your Gmail access is used exclusively to:

Send pitch emails to playlist curators that you explicitly initiate by clicking the "Send Pitch" button

We do not use your Google user data for any other purpose, including advertising, market research, or email content analysis.

12.3 How We Store Google User Data

To maintain your Gmail connection:

OAuth access and refresh tokens are encrypted using industry-standard encryption (Fernet/AES) before storage
Tokens are stored securely in our database and are never exposed in logs or to third parties
We do not store any email content, recipient lists, or message history

12.4 Data Sharing

We do not share, transfer, or disclose your Google user data to any third parties, except:

When required by law or valid legal process
To protect against fraud or security threats

12.5 Limited Use Disclosure

Playlist Pilot's use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, we:

Only use Google user data to provide the email sending feature that is prominent in our user interface
Do not transfer Google user data to third parties except as necessary to provide user-facing features or as required by law
Do not use Google user data for advertising or to serve ads
Do not allow humans to read Google user data unless with user consent, for security purposes, or to comply with law

12.6 Revoking Access

You can disconnect your Gmail account at any time from the Settings page. When you disconnect:

Your OAuth tokens are immediately deleted from our database
We lose all ability to send emails on your behalf
You can also revoke access directly from your Google Account permissions page

13. Changes to This Policy

We may amend this Policy from time to time to reflect changes in our practices, legal requirements, or other factors. Material changes will be communicated via email or in-app notice before taking effect. Continued use of our Services after changes take effect constitutes acceptance.