Privacy Policy
Effective date: 16 February 2026 Last updated: 22 February 2026
KosmoSonica Ltd ("KosmoSonica", "we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use our website at kosmosonica.com, our mobile applications, and related services (collectively, the "Service").
This policy is written in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Data Controller
KosmoSonica Ltd is the data controller responsible for your personal data.
- Email: privacy@kosmosonica.com
- Address: KosmoSonica Ltd, United Kingdom
If you have questions about this policy or wish to exercise your data rights, contact us at the address above.
2. Personal Data We Collect
2.1 Data You Provide to Us
When you create an account, use our services, or contact us, we may collect:
- Account data: username, email address, password (hashed — we never store plaintext passwords)
- Profile data: display name, avatar, biography, social media links
- Content data: tracks, releases, events, and other content you upload or create
- Transaction data: purchase history, subscription plan, payment method (processed by Stripe — we do not store card numbers)
- Communication data: messages, support tickets, feedback you send to us
- Consent records: your choices regarding Terms of Service acceptance, Privacy Policy acceptance, marketing opt-in, and cookie preferences — including the timestamp, policy version, and source of each consent action
2.2 Data We Collect Automatically
When you use the Service, we automatically collect:
- Usage data: pages visited, features used, actions taken, session duration
- Device data: browser type, operating system, screen resolution, device identifiers
- Device fingerprint: we generate a SHA-256 hash from your browser and hardware characteristics (user agent, platform, language, screen resolution, timezone). This hash is used solely to recognise trusted devices and detect unauthorised access to your account. We never store the raw device characteristics — only the irreversible hash. You can view, trust, or revoke registered devices from your device settings
- Network data: IP address, approximate location (country/region level), referring URL
- Cookie data: see our Cookie Policy for details
2.3 Data from Third Parties
If you sign in via a third-party provider (Google, Apple, Facebook), we receive your name, email address, and profile picture from that provider. We do not receive your password.
3. Lawful Basis for Processing
We process your personal data only where we have a lawful basis under UK GDPR Article 6:
| Purpose | Lawful Basis | Details | |---------|-------------|---------| | Account creation & authentication | Contract (Art. 6(1)(b)) | Necessary to provide the Service you signed up for | | Processing payments & subscriptions | Contract (Art. 6(1)(b)) | Necessary to fulfil your purchase | | Sending transactional emails (password resets, receipts) | Contract (Art. 6(1)(b)) | Necessary for account operation | | Platform security & fraud prevention (including device fingerprinting) | Legitimate interest (Art. 6(1)(f)) | Protecting our users and platform from unauthorised access and fraud. Device fingerprints identify trusted devices and flag suspicious login attempts | | Analytics & service improvement | Legitimate interest (Art. 6(1)(f)) | Understanding usage patterns to improve the Service | | Marketing emails & promotional content | Consent (Art. 6(1)(a)) | Only with your explicit opt-in; you can withdraw at any time | | Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) | Tax records, law enforcement requests, regulatory requirements |
4. How We Use Your Data
We use your personal data to:
- Provide the Service: create and manage your account, process uploads, display your content
- Process payments: handle subscriptions and purchases via Stripe
- Communicate with you: send transactional emails, respond to support requests
- Improve the Service: analyse usage patterns, fix bugs, develop new features
- Ensure security: detect fraud, prevent abuse, enforce our Terms of Service
- Legal compliance: maintain records required by law (e.g., financial transaction records for 7 years)
We will never sell your personal data to third parties.
5. Data Sharing
We share your personal data only in the following circumstances:
| Recipient | Purpose | Safeguards | |-----------|---------|------------| | Stripe | Payment processing | PCI DSS Level 1 certified; data processing agreement in place | | Resend | Transactional email delivery | Data processing agreement; EU/UK adequate servers | | Hosting providers | Infrastructure & storage | Data processing agreements; encrypted at rest and in transit | | Analytics tools | Anonymised usage analytics | Data is pseudonymised before processing | | Law enforcement | Legal obligation or court order | Only when legally required; we will notify you unless prohibited by law |
We do not share personal data with advertisers or data brokers.
6. International Data Transfers
Your data is primarily stored and processed within the United Kingdom and the European Economic Area (EEA). Where data is transferred outside the UK/EEA (e.g., to service providers in the United States), we ensure adequate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the ICO
- Adequacy decisions by the UK government
- Binding Corporate Rules where applicable
7. Data Retention
We retain your personal data only for as long as necessary for the purposes described in this policy:
| Data Category | Retention Period | |--------------|-----------------| | Account data | Lifetime of your account + 30 days after deletion | | Transaction records | 7 years after the transaction (legal requirement) | | Analytics and server logs | 90 days, then anonymised | | Marketing consent records | Lifetime of consent + 3 years | | Support tickets | 2 years after resolution | | Content you upload (tracks, releases) | Until you delete it or your account is deleted |
After the retention period, data is permanently deleted or irreversibly anonymised.
8. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
- Right of access (Art. 15): Request a copy of all personal data we hold about you. You can download your data as a JSON file from your account settings (the "Export my data" feature), or email privacy@kosmosonica.com for a manual export.
- Right to rectification (Art. 16): Correct inaccurate or incomplete data via your profile settings.
- Right to erasure (Art. 17): Request deletion of your account and all personal data from your account settings. We will complete deletion within 30 days, including from backups.
- Right to restrict processing (Art. 18): Request that we limit how we use your data while we resolve a complaint.
- Right to data portability (Art. 20): Download your data in machine-readable JSON format from your account settings. The export includes your profile, consent records, event RSVPs, tribe memberships, and moderation reports. Payment data is held by Stripe and can be accessed via the Stripe billing portal.
- Right to object (Art. 21): Object to processing based on legitimate interest. We will stop unless we have compelling grounds.
- Right to withdraw consent: Where processing is based on consent (e.g., marketing emails, analytics cookies), you can withdraw at any time via your notification settings, the cookie consent banner, or the unsubscribe link in any email.
To exercise any of these rights, email privacy@kosmosonica.com. We will respond within 30 days. If we need more time, we will inform you within the first 30 days.
9. Cookies & Consent
We use cookies and similar technologies to operate the Service. When you first visit our site, a cookie consent banner allows you to accept all cookies or limit to essential cookies only. Analytics cookies are only set if you explicitly opt in via the consent banner. For full details on what cookies we use, why, and how to manage them, see our Cookie Policy. You can change your cookie preferences at any time from the cookie settings link in the website footer.
10. Security
We take the security of your personal data seriously. Measures include:
- All data transmitted over HTTPS/TLS
- Passwords are salted and hashed (never stored in plaintext)
- Database encryption at rest
- Role-based access control for internal staff
- Regular security audits and dependency vulnerability scanning
- Secrets managed via Docker secrets (never in source code or environment variables)
No system is 100% secure. If we become aware of a data breach that affects your rights, we will notify you and the Information Commissioner's Office (ICO) within 72 hours as required by UK GDPR Article 33.
11. Children's Privacy
The Service is not intended for anyone under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us at privacy@kosmosonica.com and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes:
- We will update the "Last updated" date at the top of this page
- We will notify registered users by email at least 14 days before the changes take effect
- We may ask you to re-accept the updated policy on your next login
Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
13. Complaints
If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Phone: 0303 123 1113
We would appreciate the opportunity to address your concerns directly first — please contact us at privacy@kosmosonica.com.
14. Contact Us
If you have any questions about this Privacy Policy or your personal data, contact us:
- Email: privacy@kosmosonica.com
- General enquiries: hello@kosmosonica.com
Related policies: