Privacy Policy
Last updated: 2026-05-28
⚠️ DRAFT — requires legal review before production. Confirm subprocessor list matches actual contracted vendors. Confirm hosting region with Supabase. Confirm DPO appointment status under GDPR.
1. Who we are (data controller)
TouringTunes sp. z o.o., operator of DigiFlipper, is the data controller for personal data processed via the Service.
- Registered office: [ADDRESS, POLAND]
- KRS: [NUMBER]
- Contact for privacy: privacy@digiflipper.com
2. What we collect
2.1 Account data
- Email address (required for sign-up)
- First and last name (optional)
- Hashed password OR third-party identity provider (Google, GitHub) — managed by our auth provider Clerk
- Profile photo, if you upload one
2.2 Discogs integration data
- Discogs username (publicly available)
- Discogs Personal Access Token (PAT) — encrypted at rest
- Your Discogs marketplace inventory (item ids, condition, asking price, description) — only if you connect the integration
- Your Discogs collection (folder ids, release ids, condition) — only if you opt in
2.3 Usage data
- Pages viewed, features used, click events (aggregated)
- API call logs (for security and rate-limiting)
- Device type, browser, IP address (for security)
- Timezone (for scheduling alerts)
2.4 Payment data
We do not store full card numbers. Our payment processor (Stripe and/or Paddle) handles all card data. We store:
- Subscription tier and status
- Last 4 digits of card (for receipt display only)
- Billing address (for VAT)
2.5 Communication
- Emails you send us
- Forms you submit (lead-magnet, contact)
3. Why we process your data (legal basis)
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Provide the Service (sync inventory, send forecasts, dispatch alerts) | Contract performance |
| Authenticate sessions | Contract performance |
| Bill subscriptions | Contract performance + legal obligation (tax) |
| Send transactional email (receipts, password reset, alerts) | Contract performance |
| Send marketing email (digest, new features) | Consent (separate opt-in) |
| Detect fraud and abuse | Legitimate interest |
| Comply with tax and legal obligations | Legal obligation |
| Aggregate analytics for product improvement | Legitimate interest (data minimized) |
4. Who we share data with (subprocessors)
Below is our full list of subprocessors as of the "Last updated" date above. You can request the current list at any time by writing to privacy@digiflipper.com.
| Vendor | Purpose | Data shared | Region |
|---|---|---|---|
| Clerk, Inc. (US) | Authentication & user management | Email, profile, session data | EU/US (SCCs in place) |
| Supabase | Primary database + Vault | All product data | EU-Central (Frankfurt) |
| Vercel | Application hosting | Page-level traffic data | Global edge, EU primary |
| Stripe / Paddle | Payment processing | Billing data, card details | EU + US |
| Resend OR Postmark | Transactional email | Email address, content | EU |
| Discogs | Marketplace integration | OAuth handshake, API calls | US |
| Songstats / Viberate / Chartex | Signal sources | None — we query public signals, your data isn't shared | EU |
| Apify | Bandcamp scraping (background) | None — we query public pages, your data isn't shared | EU |
| Cloudflare | DNS, security | IP address (transit) | Global |
We sign Data Processing Agreements (DPAs) with each subprocessor. EU-to-non-EU transfers use Standard Contractual Clauses (SCCs) with supplementary measures.
5. International transfers
Primary data hosting is in the EU (Frankfurt, Germany). Some subprocessors (Clerk, Vercel, Discogs, Cloudflare) operate globally and may process data outside the EEA.
For non-EEA transfers we rely on:
- Standard Contractual Clauses (2021/914) with the subprocessor
- Supplementary technical measures (encryption in transit and at rest)
- Subprocessor's own certification (SOC 2, ISO 27001) where applicable
6. How long we keep your data
| Data type | Retention |
|---|---|
| Account email, profile | While your account is active + 30 days after closure |
| Discogs PAT (encrypted) | Until you disconnect OR account closure (then deleted within 7 days) |
| Synced inventory / forecasts | While your account is active + 30 days after closure |
| Payment / billing records | 6 years (Polish accounting law) |
| Session and log data | 90 days (security) |
| Marketing email opt-in | Until you unsubscribe |
| Lead-magnet form submissions | 24 months (legitimate interest, then deleted) |
After account closure we anonymize any data that must be retained for legal reasons (e.g. invoices keep your name and address, but your forecasts and synced inventory are removed).
7. Your rights under GDPR
You have the right to:
- Access — request a copy of all personal data we hold about you
- Rectification — correct inaccurate data
- Erasure ("right to be forgotten") — request deletion, subject to legal retention obligations
- Restriction — pause processing during a dispute
- Portability — export your data in a structured, machine-readable format (we provide JSON + CSV)
- Object — to processing based on legitimate interest
- Withdraw consent — at any time, for any processing based on consent
- Lodge a complaint with your local supervisory authority
To exercise any right: write to privacy@digiflipper.com. We respond within 30 days (extendable to 60 if the request is complex).
You also have the right to lodge a complaint with the Polish supervisory authority (UODO, https://uodo.gov.pl) or your local EU data-protection authority.
8. How we secure your data
- All data in transit is sent over HTTPS / TLS 1.2+
- Database encrypted at rest (AES-256)
- Discogs PATs encrypted with Supabase Vault (libsodium)
- Role-based access — only authenticated team members can access production data, audited via Supabase audit logs
- Multi-factor authentication required for all team accounts
- Quarterly security review
We will notify affected users and the relevant supervisory authority within 72 hours of a personal data breach that poses a risk to your rights (GDPR Art. 33–34).
9. Cookies
See Cookie Policy for the cookies we set and how to manage your preferences.
10. Children's privacy
The Service is not intended for users under 16. We do not knowingly process data of children under 16. If you believe we have such data, contact privacy@digiflipper.com and we will delete it.
11. Automated decision-making
Our forecasts are automated calculations from public signals. They do not make legal or similarly significant decisions about you within the meaning of GDPR Art. 22. You always have the final decision to buy, hold, or sell.
12. Changes to this policy
We may update this Policy as the Service evolves or laws change. Material changes will be emailed to active users at least 14 days before the effective date.
13. Contact
For privacy questions, requests, or complaints:
- Email: privacy@digiflipper.com
- Postal: TouringTunes sp. z o.o., [ADDRESS, POLAND]
- EU DPO: [TBD — if processing scale triggers Art. 37, appoint a Data Protection Officer]