Privacy Policy

TAEON Branding Agency Pte. Ltd. ("we", "us") operates SOUNDRADAR (soundradar.co) and is the data controller for personal data processed through the Service. We comply with the Singapore Personal Data Protection Act 2012 (PDPA) and, where applicable to a given individual, with the Korean PIPA, the EU/UK GDPR, and the California CCPA. This policy explains what we collect, why, how long we keep it, to whom we disclose it, and your rights. It covers three groups of individuals: Customers (workspace members), Fans (visitors to public pages), and Business Contacts (demo recipients, A&R/publisher contacts, press inquirers).

1. Personal Data We Collect

A. Customers (workspace members). Email, name, password (one-way hash only), optional 2FA/TOTP secret, role and permissions, last-login time. Workspace and artist names you create.

B. Fans (public smart-link / bio / newsroom visitors). For analytics we record derived, non-identifying signals: 2-letter country code, device type, browser, language, coarse city (from network headers), store/service clicked, a short anonymised referral token, and an anonymised visitor ID (a random value in the sr_vid cookie, not linked to your identity) used to count unique and repeat visits. We do not store your raw IP address for public-page analytics. If you sign up for a release reminder, an artist newsletter, or a hub/bio email form, we store your email and country.

C. Business Contacts. Names, organisation, email, and phone that a Customer enters for A&R managers/publishers; press/PR inquiry details (name, organisation, email, phone, message); demo-recipient name, company, and email. For private demo/A&R share links accessed by an invited recipient, we log access events for security and audit, including IP address, user-agent, country/city, listen duration, and play position. (This security logging applies to private, invitation-based demo links only — not to public fan pages.)

D. Payments. When you buy a paid plan or domain, Stripe processes your card. We receive and store only non-card data such as a Stripe session/customer reference, amount, currency, and order status. We do not store full card numbers.

E. Connected social accounts. If you connect X, Facebook/Instagram, LinkedIn, or TikTok, we store the account's external ID, username, display name, avatar/profile URL, granted scopes, and OAuth access/refresh tokens needed to publish on your behalf.

F. Cookies & device data. A session cookie (SRSESS) for login, a short-lived country cookie (sr_cc) to cache geolocation, an anonymous visitor-ID cookie (sr_vid, up to 1 year) for unique/repeat-visit analytics, a consent flag, and any retargeting/analytics pixels a Customer enables on a given link.

2. How We Use Personal Data (Purposes)

• To provide and operate the Service — accounts, smart-link routing, campaigns, reminders, newsroom, demo sharing, social publishing, analytics and reporting.
• To send transactional messages (reminders, invitations, security and account notices) and, with consent, newsletters.
• To secure the Service, prevent abuse and fraud, and protect chart integrity.
• To process payments and manage subscriptions and domain orders.
• To measure performance and improve features (aggregate, non-identifying analytics).
• For retargeting/conversion measurement only where a Customer enables a pixel for a link, and subject to your cookie choices.

3. Consent & Legal Basis

We collect personal data with consent, or where another lawful basis applies (performance of a contract, legitimate interests such as security and analytics, or legal obligation). By submitting an email opt-in form you consent to receive the relevant messages; you may withdraw consent at any time. Customers who enter Business Contact details confirm they have a lawful basis to do so.

4. Cookies & Tracking Pixels

We use strictly necessary cookies (login session, security, consent flag) and a functional country cookie. On a given link, a Customer may enable third-party retargeting or analytics pixels — including Meta, TikTok, Google (GA4/Ads/GTM), Snapchat, Pinterest, X, LinkedIn, Reddit, Quora, Microsoft, or AdRoll — which set their own cookies and are governed by those providers' policies. Where server-side Conversions API (Meta / TikTok) is enabled for a link, limited event data may be sent server-to-server, with email hashed (SHA-256) before transmission together with the visitor's IP and user-agent for matching. You can control cookies in your browser; blocking strictly necessary cookies will break login.

5. Disclosure & Service Providers

We do not sell personal data. We disclose it only to providers that help us run the Service, each under its own privacy terms, and only as needed:

• Stripe — payment processing (card data handled by Stripe).
• Meta / TikTok — retargeting pixels and Conversions API (hashed email + IP/UA), when enabled per link.
• X, Meta (Facebook/Instagram), LinkedIn, TikTok — when you connect an account for social publishing.
• Bunny CDN — storage and delivery of media, including demo audio and newsroom images.
• Email delivery — our configured provider (e.g. SMTP / Resend / Mailgun) to send reminders, invitations, and notices.
• Search Atlas (Signal Genesys) — optional press-release syndication; the article content sent may include personal data (e.g. named contacts) where you include it in the release, together with brand/press-contact details.
• Cloudflare — security, bot protection (Turnstile), and country detection.
• Anthropic (Claude) — optional AI translation of newsroom articles; we do not send personal data unless it appears in the article text you choose to translate.
• For geolocation we prefer Cloudflare/local lookups; only as a fallback may a visitor IP be sent to a geolocation API to return a country code.
• We may also disclose data to comply with law or a lawful authority request, or to protect rights and safety.

6. International Transfers

We are based in Singapore and use reputable providers that may process data outside Singapore (for example, Stripe, Meta, TikTok, Google, Anthropic, and Search Atlas operate in the United States, and our CDN/hosting use global infrastructure). Where we transfer personal data abroad, we take reasonable steps so that recipients provide a standard of protection comparable to the PDPA, through contractual or equivalent safeguards.

7. Retention

• Customer accounts — for the life of the workspace; deleted or anonymised after account/workspace deletion, subject to legal/accounting needs.
• Fan analytics events — retained as country/device-level records (including an anonymised visitor ID; no raw IP or personal identifier) and aggregated into statistics.
• Email subscribers (reminders/newsletter) — until the reminder is sent or you unsubscribe.
• Demo share-access logs (incl. IP) — kept while the share link is active and for a limited audit period thereafter, then deleted.
• Business/press contacts & inquiries — until the purpose is fulfilled and no longer required.
• Connected-account tokens — until you disconnect the account or the token expires/revokes.
• Payment/order records — as required for accounting and dispute resolution.

8. Security

We apply technical and organisational measures including one-way password hashing, optional 2FA, HTTPS/TLS in transit, access controls and role-based permissions, bot/abuse protection, and audit logging. No system is perfectly secure, but we work to protect personal data against unauthorised access, loss, or misuse.

9. Data Breach Notification

If a data breach that is likely to result in significant harm to affected individuals, or is of a significant scale, occurs, we will assess it without delay, take remedial steps, and notify the Singapore Personal Data Protection Commission (PDPC) as soon as practicable — and in any event within 3 calendar days of determining the breach is notifiable — and notify affected individuals without undue delay, as required by the PDPA. We will also meet any additional notification duties under other applicable laws.

10. Your Rights

• Access and correction of your personal data.
• Withdrawal of consent and opt-out of marketing — every newsletter includes an unsubscribe link.
• Deletion of your data where no legal retention applies.
• Where the GDPR applies: portability and objection to certain processing. Where the CCPA applies: the right to opt out of "sale"/"sharing" (we do not sell personal data).

To exercise any right, contact contact@soundradar.co. We will verify your identity and respond within the period required by law. If unsatisfied, you may complain to the PDPC or your local data-protection authority.

11. Children

The Service is intended for businesses and professional users aged 18+. Public smart-link and newsroom pages may be viewed by fans of any age, but we collect no identifying personal data from such visitors beyond the anonymous, country/device-level analytics described above. We do not knowingly collect personal data from children. If you believe a child has provided personal data (e.g. an email opt-in), contact us and we will delete it.

12. Data Protection Officer & Contact

Data Protection Officer — SOUNDRADAR Operations, TAEON Branding Agency Pte. Ltd.. Privacy and data-rights inquiries: contact@soundradar.co. Registered office: 9 Raffles Place, #29-05, Republic Plaza, Singapore 048619.

13. Changes

We may update this policy and will post the revised version with a new "last updated" date; material changes will be notified in-Service or by email.