Privacy Policy
Legally Binding Document. This document is part of the Artsoundz legal framework and is binding on all platform users. Questions or concerns? Contact Jrosado@artsoundz.com. Full text of all documents is available on request. Review by qualified legal counsel is recommended before publication.
This Privacy Policy explains how Artsoundz International LLC collects, uses, stores, shares, and protects your personal data when you use the Artsoundz platform. It applies to all users worldwide, including Clients (artists and employers) and Creators.
1. Data We Collect
Data You Provide Directly
- Account registration data: name, email address, username, password (stored in hashed form), country of residence, and account type.
- Profile data (Creators): bio, portfolio samples, audio files, pricing, and social links.
- Payment data: billing address and payout method (collected and processed by Stripe — Artsoundz does not store raw card numbers).
- Identity verification data: W-9 or W-8BEN tax forms for IRS compliance.
- Project data: briefs, uploaded files, messages, revision notes.
- Reviews and ratings.
Data Collected Automatically
Usage data (pages visited, features used, click patterns), device and technical data (IP address, browser type, OS), log data, and location (country/region inferred from IP address only). See Section 5 for cookie details.
2. How We Use Your Data
To provide the Platform: Creating accounts, facilitating bookings, processing payments, hosting Project communications, and resolving disputes. Legal basis (GDPR): Contract performance.
Legal & regulatory compliance: Issuing 1099-NEC tax forms, collecting W-9/W-8BEN forms, OFAC sanctions screening, AML compliance. Legal basis: Legal obligation.
Legitimate business interests: Fraud detection, platform improvement, policy enforcement. Legal basis: Legitimate interests.
With your consent: Marketing emails and non-essential cookies. You may withdraw consent at any time.
We do not sell your personal data to any third party.
3. Data Sharing
We share data only with: other Users as necessary for Projects (Client profile to assigned Creator; Creator profile publicly visible); service providers under written data processing agreements (Stripe for payments, hosting providers, email delivery, Google Analytics); law enforcement when required by valid legal process; and parties to a business transfer (merger, acquisition) with notice to you.
4. Data Retention
- Active account data: retained for the account duration plus 2 years after closure.
- Financial and transaction records: 7 years (U.S. federal tax law requirement).
- Project communications and files: 3 years from project completion.
- Support tickets: 3 years from closure.
- Website analytics: anonymized after 26 months.
5. Cookies
We use strictly necessary cookies (session management, CSRF protection), functional cookies (language/timezone preferences), and analytics cookies (Google Analytics 4 with IP anonymization). We do not currently deploy advertising or retargeting cookies. You can manage non-essential cookie preferences via the “Manage Cookie Preferences” link in the page footer.
6. Your Privacy Rights
Depending on your location you have rights including: access to your data, correction of inaccurate data, erasure, data portability, restriction of processing, objection to processing, and the right to lodge a complaint with your local data protection authority.
To exercise any right, email Jrosado@artsoundz.com with subject line “Privacy Rights Request.” We respond within 30 days (15 days for Brazilian users under LGPD).
California Residents (CCPA/CPRA): You have the right to know what personal information we collect, request deletion, correct inaccurate information, and opt out of sale (we do not sell personal information). Contact us with “CCPA Request” in the subject line.
7. International Jurisdiction Compliance
Artsoundz serves users worldwide. The following sections explain how we comply with major regional privacy and digital-services laws beyond baseline U.S. requirements. Regardless of jurisdiction, we apply the principles of data minimization, purpose limitation, transparency, security, and individual rights globally.
7.1 European Union & EEA (GDPR)
We process EU/EEA personal data under the following GDPR legal bases: Contract performance (Art. 6(1)(b)) for account creation, bookings, and payment processing; Legal obligation (Art. 6(1)(c)) for tax reporting and AML compliance; Legitimate interests (Art. 6(1)(f)) for fraud detection and platform security; and Consent (Art. 6(1)(a)) for non-essential cookies and marketing communications.
EU/EEA users hold rights under GDPR Arts. 15–22: access, rectification, erasure (“right to be forgotten”), restriction of processing, data portability, objection, and the right to withdraw consent at any time without detriment. Responses are provided within 30 days (extendable to 90 days for complex requests, with written notice). Cross-border data transfers outside the EU/EEA use Standard Contractual Clauses (SCCs, 2021 version) or applicable adequacy decisions. We maintain a processing register and conduct Data Protection Impact Assessments (DPIAs) for high-risk activities.
EU Supervisory Authorities: EU/EEA users may lodge complaints with their national Data Protection Authority (DPA). A list of EU DPAs is available at edpb.europa.eu. For cross-border complaints, the Irish DPC serves as our lead supervisory authority where applicable.
7.2 United Kingdom (UK GDPR / Data Protection Act 2018)
Post-Brexit, we comply with the UK GDPR and the Data Protection Act 2018. We apply the same lawful bases and data subject rights as under EU GDPR. UK data transfers use the UK International Data Transfer Addendum (UK IDTA) to SCCs or UK adequacy regulations as applicable. UK users may raise complaints with the Information Commissioner’s Office (ICO) at ico.org.uk.
7.3 Brazil (LGPD — Lei Geral de Proteção de Dados)
Brazilian users are protected by Law No. 13,709/2018 (LGPD), enforced by the Autoridade Nacional de Proteção de Dados (ANPD). Our LGPD legal bases mirror our GDPR bases (consent, contract performance, legal obligation, legitimate interest). Key LGPD-specific commitments:
- Response time: Rights requests from Brazilian users are fulfilled within 15 days of verified receipt (Art. 19 LGPD) — shorter than our standard 30-day window.
- Art. 18 rights: Confirmation of processing, access to data, correction of incomplete/inaccurate/outdated data, anonymization or deletion of unnecessary/excessive/unlawful data, portability, deletion of consent-based data, information on third-party sharing, right to deny or revoke consent, and right to human review of automated decisions.
- Sensitive data: No sensitive personal data (health, biometric, racial, religious, political, sexual orientation) is collected without specific, highlighted consent.
- Children: Processing of personal data of minors is carried out only in their best interests and, where required by LGPD, with parental consent.
- Breach notification: We notify ANPD and affected data subjects of material breaches within a reasonable timeframe, currently targeting 72 hours where feasible.
- Data Protection Officer: Contact Jrosado@artsoundz.com with subject “LGPD — DPO” for Brazilian data protection inquiries.
ANPD complaints: gov.br/anpd.
7.4 Canada (PIPEDA / Québec Law 25)
We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and Québec’s Act Respecting the Protection of Personal Information in the Private Sector (Law 25), which imposes GDPR-comparable obligations. Key commitments under PIPEDA’s 10 Fair Information Principles:
- Accountability: A designated Privacy Officer oversees PIPEDA compliance; contact Jrosado@artsoundz.com.
- Identifying purposes: Purposes for data collection are identified before or at the time of collection, in plain language.
- Consent: Meaningful, informed consent is obtained. Implied consent is used only where appropriate under PIPEDA guidance. Consent may be withdrawn at any time with reasonable notice.
- Limiting collection: We collect only what is necessary for identified purposes.
- Access & correction: Canadian residents may request access to their personal information and request corrections; responses within 30 days of verified request.
- Québec Law 25 (in force Sept. 2023): Privacy impact assessments for projects involving personal information; mandatory reporting of confidentiality incidents posing a risk of serious injury to the Commission d’accès à l’information (CAI); enhanced cross-border transfer controls; automated decision-making disclosure with right to human review.
Complaints: Office of the Privacy Commissioner of Canada at priv.gc.ca; or (Québec residents) CAI at cai.gouv.qc.ca.
7.5 South Africa (POPIA)
The Protection of Personal Information Act 4 of 2013 (POPIA) applies to South African data subjects. We comply with POPIA’s 8 conditions for lawful processing:
- Accountability: A designated Information Officer is responsible for POPIA compliance.
- Processing limitation: Data is collected only for specific, defined, lawful purposes and processed in a manner compatible with those purposes.
- Purpose specification: Purposes are disclosed in this Policy. Data is not retained beyond what is necessary.
- Further processing limitation: Further use is compatible with the original collection purpose.
- Information quality: We take reasonable steps to ensure personal information is complete, accurate, not misleading, and updated where necessary.
- Openness: Data subjects are notified of processing at or before collection (this Policy serves as that notice).
- Security safeguards: See Section 8 (Data Security) for technical and organizational measures.
- Data subject participation: South African data subjects may request access, correction, or deletion of their personal information, and may object to processing. Send requests to Jrosado@artsoundz.com with subject “POPIA Request.”
Complaints: Information Regulator (South Africa) at justice.gov.za/inforeg.
7.6 EU Digital Services Act (DSA)
The Digital Services Act (Regulation (EU) 2022/2065) applies to online intermediary services accessible in the EU, including marketplace platforms. As Artsoundz operates as a marketplace connecting Clients and Creators, we are subject to DSA obligations:
- Recommender system transparency: Our browse and search ranking algorithms order Creator listings based on relevance to search terms, response rate, review score, activity level, and profile completeness. Paid promotion does not influence organic search results ordering.
- Illegal content notices: Any person may report illegal content via our DMCA/Report system. We acknowledge notices promptly and communicate outcomes to notifiers.
- Out-of-court dispute settlement: EU users who disagree with our content moderation decisions may use certified out-of-court dispute settlement bodies. Contact Jrosado@artsoundz.com first for internal resolution within 14 business days.
- Trusted flagger mechanism: We cooperate with EU-designated trusted flaggers. Notices submitted by trusted flaggers are prioritized for expedited review.
- Advertising transparency: Artsoundz does not currently deploy behavioral or targeted advertising. If introduced, ads will disclose the advertiser’s identity, principal targeting criteria, and a clear opt-out mechanism.
- Trader identity verification (Art. 30 DSA): Creators operating as traders are required to provide identity information during onboarding. We retain this information and make a contact point available to EU authorities.
- Transparency reporting: We will publish annual transparency reports on content moderation activities once operational volume thresholds under DSA are met.
DSA Single Point of Contact: EU authorities and users may contact Artsoundz for DSA-related matters at Jrosado@artsoundz.com (subject: “DSA Inquiry”). Communications accepted in English.
7.7 Other Jurisdictions
Users in jurisdictions with applicable privacy legislation not specifically listed above — including Australia (Privacy Act 1988), India (DPDP Act 2023), Japan (APPI), South Korea (PIPA), Singapore (PDPA), and others — benefit from our global baseline commitments: lawful collection, defined purposes, data minimization, security safeguards, access/correction/deletion rights responded to within 30 days of verified request, and breach notification within required timelines. To exercise rights under your local law, contact Jrosado@artsoundz.com identifying your jurisdiction.
8. Data Security
We implement HTTPS/TLS encryption for all data in transit, hashed and salted password storage, encryption of sensitive data at rest, role-based access controls, Web Application Firewall (WAF), regular security audits, and automated daily backups. In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, as required by GDPR and similar laws.
9. Contact
Artsoundz International LLC · Privacy & Data Protection · Jrosado@artsoundz.com · artsoundz.com