Privacy Policy

Effective April 20, 2026. This policy explains the personal data HeyStack processes and the choices you have.

1. Data controller

HeyStack is the data controller for the personal data described in this policy. You can reach us at privacy@heystack.example.

2. Data we collect

We process the following categories of data:

  • Account data — Clerk-issued user ID, username, display name, email address, and (if provided) profile image.
  • Uploaded content — audio files, cover art, track titles, release metadata, and artist profile information you provide.
  • Engagement data — plays, likes, saves, follows, comments, search queries, and discovery feed interactions.
  • Device and log data — IP address, user agent, access times, referrer, and similar request metadata retained in our application logs.
  • Communications — support emails and any feedback you submit.

3. How we use data

  • to operate the service: authenticate you, serve uploads, show your library and discovery surfaces;
  • to rank and recommend content (discovery, following, rising) using your aggregated engagement;
  • to run creator analytics, growth snapshots, and launchpad scoring;
  • to prevent abuse, enforce our Terms, and protect users (fraud detection, rate limiting, moderation review);
  • to comply with legal obligations and respond to valid legal process;
  • to communicate with you about account, product, and (if you opt in) marketing updates.

4. Legal bases (EU/UK users)

We rely on the performance of our contract with you (authentication, serving uploads, saved tracks), legitimate interests (fraud prevention, analytics, discovery ranking), consent (optional marketing emails, optional cookie categories), and legal obligation (responding to lawful requests, retaining records for tax and audit).

5. Sub-processors and sharing

We share data with vetted sub-processors only to provide the service:

  • Clerk — authentication, session management, and identity data.
  • Neon — managed PostgreSQL for product data.
  • Cloudflare R2 — object storage for uploads and public media delivery.
  • Email and transactional messaging providers — disclosed in-product before any commercial messages.

We do not sell personal data. We share data with law enforcement only in response to valid legal process, and we will notify affected users where we are legally able to do so.

6. International transfers

HeyStack processes data in the United States and in the regions where our sub-processors operate. Where personal data is transferred out of the EEA, UK, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (or an adequacy decision where applicable) with our sub-processors.

7. Retention

We retain account and content data while your account is active. When you delete your account, we delete or anonymize personal data within 30 days, except where we must retain records for legal, audit, tax, or security reasons (for example, abuse investigations, DMCA notices, or active disputes). Application logs are retained for up to 90 days; aggregated analytics may be retained indefinitely in a non-identifying form.

8. Your rights

Depending on your jurisdiction, you may have the right to access, correct, delete, export, or object to certain processing of your personal data, and to withdraw consent at any time. You can exercise most of these rights directly from settings, and for anything not self-serve, email privacy@heystack.example. EU/UK users can lodge a complaint with their local supervisory authority. California users can exercise CCPA rights to know, delete, and opt out of “sale” or “sharing” (we do neither).

9. Security

We use industry-standard measures, including TLS in transit, encryption at rest for the database and object storage, access control and audit logs, and a least-privilege policy for production credentials. No system is perfectly secure; we will notify affected users and, where required, regulators of a personal-data breach within applicable legal deadlines.

10. Children

HeyStack is not directed to children under 13 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact privacy@heystack.example and we will delete it.

11. Cookies and similar technologies

We use strictly necessary cookies for authentication and security (set by Clerk), and limited functional cookies for remembering preferences. We do not use advertising trackers. Where required by law, we will surface a consent banner before any non-essential cookie is set.

12. Changes to this policy

We may update this policy as the product evolves. Material changes will be announced in-product or by email at least fourteen (14) days before taking effect.

13. Contact

Email privacy@heystack.example for privacy questions or to exercise any of the rights above. You can also reach us through the Help section.