Privacy Policy
Last updated: May 24, 2026 · Effective immediately
This Privacy Notice for Stefan Pavlović, operating as Music Tracker ("we", "our", "us") describes how and why we collect, store, use, and share your personal information when you use MusicTracker (musictracker.io) — an AI-powered analytics platform for electronic music producers and DJs (the "Services").
Reading this notice will help you understand your privacy rights and choices. If you have any questions, contact us at privacy@musictracker.io.
1. Information We Collect
The purposes and means of processing are determined by us as the data controller. We process your personal information solely to provide you with the Service — an analytics platform that helps you improve your artistic work as a producer or DJ — and for no unrelated purpose.
Information you provide
When you register or use the Services, we collect: your email address and display name; a password if you sign up with email/password (stored only as a salted bcrypt hash — never in plaintext); contact preferences; and content you create such as search history, monitored tracks, gigs, setlists, and demo analysis results.
Demo audio you submit
Audio you submit to Demo Analyzer is processed to extract technical characteristics (BPM, key, energy, waveform shape). We do not store the audio file itself — only the resulting analysis and a waveform visualisation. If you use the Stem Separator or remix tools, your audio is sent transiently to Replicate (running the Demucs model) to produce stems and is not retained.
Information collected automatically
When you visit the Services we automatically collect technical data such as IP address, browser and device characteristics, operating system, language preferences, referring URLs, and information about how you use the Services. This is collected via log files and similar technologies and is used mainly to operate and secure the Services.
Payment data
If you subscribe, payment is handled and stored entirely by Lemon Squeezy as merchant of record. We never see or store your full card details. See Lemon Squeezy's privacy notice.
Google API
Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
YouTube API Services
Some features use YouTube API Services to fetch public video and comment data (such as view counts, related videos, and top comments) for in-app analytics. Your use of these features is subject to the YouTube Terms of Service, and Google's handling of data is described in the Google Privacy Policy. We use this data only to display results in the app; we do not download, re-host, or sell YouTube content.
We do not knowingly collect sensitive personal information (e.g. racial or ethnic origin, health, or biometric identifiers).
2. How We Use Your Information
- Create and manage your account and authenticate you
- Provide, maintain, and improve the Services
- Respond to your inquiries and offer support
- Send administrative information (security alerts, billing, policy changes)
- Send track-monitoring notifications when milestones are reached
- With your consent, send marketing communications (you can opt out at any time)
- Prevent fraud and abuse, and keep the Services secure
- Analyse usage trends to improve the platform
We never:
- Sell your personal data
- Share your personal data with advertisers
- Use your audio for any purpose other than producing your requested result
- Send marketing emails without your consent
3. Legal Bases for Processing
If you are in the EEA or UK, the GDPR requires a valid legal basis for processing. Depending on the data, we rely on:
- Consent — optional analytics cookies and marketing emails. You can withdraw at any time, and we delete the related data on request, even while your account is active.
- Performance of a contract — your account details (email, name, password) and the content you create (search history, demo analyses, saved profiles, gigs, setlists), which we need to provide the Services. Kept while your account is active.
- Legal obligations — billing and payment records, retained as long as tax and accounting law requires.
- Legitimate interests — keeping the Services secure and preventing fraud or abuse, and improving them through aggregate analysis (balanced against your rights). You may object to this processing.
4. When & With Whom We Share
We share personal data only with vendors who process it on our behalf under a contract (and, where applicable, a Data Processing Agreement):
- Authentication: Google Sign-In and email/password via NextAuth.js
- Hosting: Vercel
- Database: Supabase (PostgreSQL, EU, Frankfurt)
- Infrastructure & Backup: Cloudflare (DNS, email routing, Turnstile, R2 backup storage)
- Transactional Email: Resend
- Payments & Invoicing: Lemon Squeezy (merchant of record)
- Analytics (opt-in): Microsoft Clarity (loaded only with your consent)
- AI & Audio Processing: Groq, Voyage AI, Replicate, ACRCloud (EU region)
- Music Metadata & Search: Discogs, Last.fm, YouTube Data API, MixesDB, Google Custom Search. These lookups use track/artist names; we do not send your personal account data to them.
We may also share data in connection with a business transfer (merger, acquisition, or sale of assets). Our processors are contractually bound to protect your data and use it only as we instruct.
5. Cookies & Tracking
We use essential cookies (login session, CSRF token, Cloudflare Turnstile, and your cookie choice) that are required for the Services to work.
Optional analytics (Microsoft Clarity) load only if you click "Accept all" in our cookie banner. If you choose "Essential only", they are never loaded.
We do not use advertising or retargeting cookies. Full details are in our Cookie Policy.
6. AI-Based Features
Some features use AI/ML provided by third-party processors (Groq, Voyage AI, Replicate, ACRCloud). When you use them, the relevant input (e.g. extracted audio features, a DJ name, or audio for stem separation) is processed by these providers to generate your result.
AI-generated output (demo feedback, label recommendations, DJ DNA, set suggestions) is advisory only. We do not use it to make decisions that produce legal or similarly significant effects about you. You can avoid AI features by simply not using them.
7. Google Sign-In
You may register or log in using your Google account. When you do, we receive basic profile information (your name, email address, and profile picture) from Google to create and identify your account. We use this only as described in this notice. We recommend reviewing Google's privacy policy to understand how they handle your data.
8. International Data Transfers
Our database is hosted in the EU (Germany). Some processors operate in the United States or globally, so some data may be processed outside your country:
- Personal data (e.g. your email and name, IP address and usage data) is transferred to hosting, email and analytics providers — Vercel, Cloudflare, Resend, and (with your consent) Microsoft Clarity.
- AI processors (Groq, Voyage AI, Replicate, ACRCloud) receive only the content needed to produce your result — such as extracted audio features or track/artist names — not your account identity.
Where we transfer personal data out of the EEA or UK to a country without an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (SCCs) and equivalent UK safeguards with those processors. Copies can be provided on request.
9. Data Retention
- Account & content data: kept while your account is active
- Search history: last 50 searches, auto-pruned
- Demo audio: never stored — only the analysis results are kept
- Contact form messages: retained for 90 days
- Cached API data: expires after 24 hours
- Billing records: retained as required by tax/accounting law
When you delete your account, your associated data is removed from our active database immediately, and from our encrypted backups within 30 days (except records we must keep by law). You can export all your data at any time from your profile.
10. Data Security
- All data is transmitted over HTTPS (TLS)
- Database encrypted at rest and in transit (Supabase, EU region)
- Passwords stored as salted bcrypt hashes; Google OAuth also supported
- Payment processing via Lemon Squeezy (PCI-DSS compliant)
- Demo audio is never stored — only extracted analysis results are saved
- Daily encrypted database backups; regular security reviews
No method of transmission or storage is 100% secure, so we cannot guarantee absolute security, but we work hard to protect your information.
11. Children's Privacy
The Services are not directed to children. You must be at least 16 years old (or the age of digital consent in your jurisdiction) to create an account. We do not knowingly collect data from children below that age. If you believe a minor has provided us data, contact privacy@musictracker.io and we will delete it.
12. Your Privacy Rights
Depending on where you live (EEA, UK, Switzerland, and others), you may have the right to:
- Access — request a copy of the data we hold about you
- Rectification — correct inaccurate data
- Erasure — request deletion of your account and data
- Portability — export your data in a machine-readable format
- Restriction / objection — limit or object to certain processing
- Withdraw consent — at any time, where processing is based on consent
Exercise these rights from your profile (export and delete are built in) or by emailing privacy@musictracker.io. We respond in line with applicable law. EEA/UK users may also lodge a complaint with their local data protection authority (in Serbia: the Commissioner for Information of Public Importance and Personal Data Protection, poverenik.rs).
13. Do-Not-Track & Global Privacy Control
Because there is no finalised industry standard for Do-Not-Track (DNT) browser signals, we do not currently respond to them.
We do honour Global Privacy Control (GPC) signals where applicable. If your browser sends a GPC signal, we treat it as a valid opt-out of any "sale" or "sharing" of personal information under applicable US state laws.
14. US State Privacy Rights
If you are a resident of California, Colorado, Connecticut, Virginia, or another US state with a privacy law, you may have the right to know, access, correct, delete, and obtain a copy of your personal data, and to opt out of its "sale"/"sharing" for targeted advertising — which we do not do. You also have a right to non-discrimination for exercising these rights.
Categories of personal information we may collect include: identifiers (name, email, IP), commercial information (purchase history), internet activity (search history, usage), geolocation (approximate), audio/electronic information (uploaded for analysis — not retained), professional information, and inferences. We do not collect biometric or sensitive personal information.
To exercise your rights, email privacy@musictracker.io. We will verify your identity before responding and you may appeal a declined request.
15. Updates to This Notice
We may update this notice from time to time. The "Last updated" date at the top reflects the latest version. For material changes, we will notify you by email and/or an in-app notice before they take effect.
16. Contact
Questions or requests about this notice or your data can be directed to us:
- Stefan Pavlović — privacy contact, Serbia
- Email: privacy@musictracker.io
- Contact form: musictracker.io/contact
You can review, update, or delete your data at any time from your profile.
