Privacy Policy

1. Information We Collect

We collect only the data needed to operate effectively and deliver high-quality Services.

Account Data

We collect:

(i) Full name, email address, and role (e.g., artist, writer, producer);

(ii) Passwords (encrypted and never stored in plain text);

(iii) Payment details (e.g., PayPal email or ACH info) for royalty payouts; and

(iv) Contact messages or support tickets sent to clientservices@arsontheory.com.

Content Data

We process:

(i) Uploaded audio or video files, cover art, metadata, ISRCs, IPI/CAE codes, and split information;

(ii) Royalty reporting, catalog registration, and distribution activity data; and

(iii) Usage analytics such as plays, views, and monetization events from connected platforms (Spotify, YouTube, TikTok, etc.).

Usage Data

Automatically collected information includes:

(i) IP address, browser type, operating system, and device identifiers;

(ii) Access times, page views, and dashboard interactions; and

(iii) Cookie data and similar tracking technologies (see Section 11).

Financial Data

We collect:

(i) Royalty statements, transaction history, and payout confirmations; and

(ii) Tax information (e.g., W-9/W-8 forms) if required by law.

We do not collect government IDs, social security numbers, or biometric data unless required for payment or verification.

⸻

2. How We Use Your Information

We use your information to:

(i) Operate and deliver Services, including distribution, publishing, and rights management;

(ii) Communicate with you about releases, earnings, technical issues, and account activity;

(iii) Verify your identity for payments, licensing deals, or compliance;

(iv) Detect and prevent fraud, abuse, or unauthorized uploads;

(v) Improve our platform through analytics and feature development; and

(vi) Comply with legal, accounting, and intellectual property regulations.

We may also use aggregated, non-identifiable data for internal reporting, market insights, or performance benchmarking — but never in a way that identifies you personally.

Your data is never sold or rented to third parties.

⸻

3. Data Sharing and Third-Party Integrations

We share limited data with trusted partners solely to deliver our Services, including:

(i) Streaming and digital platforms (e.g., Spotify, Apple Music, TikTok) for content delivery and royalty tracking;

(ii) Publishing societies (e.g., ASCAP, BMI, PRS, SACEM, The MLC) for registration and collection;

(iii) Rights management systems (e.g., YouTube Content ID, Meta Rights Manager) for content protection and monetization;

(iv) Payment processors (e.g., PayPal, Stripe, ACH providers) for payouts;

(v) Cloud infrastructure and analytics providers under strict data-protection agreements; and

(vi) Legal authorities or auditors when disclosure is required by law.

All vendors are contractually obligated to maintain confidentiality and comply with privacy and security standards equivalent to ours.

⸻

4. Data Security and Storage

We implement industry-standard safeguards to protect your information, including:

(i) AES-256 encryption for data at rest and in transit;

(ii) TLS/SSL protection for all sessions;

(iii) Access controls restricting sensitive data to authorized personnel only; and

(iv) Regular audits, backups, and monitoring for unauthorized activity.

Despite best efforts, no online system is entirely risk-free. You are responsible for maintaining secure passwords and protecting your account credentials.

⸻

5. Data Storage Locations and Transfers

Your data may be stored or processed in the United States, the European Union, or other jurisdictions where our partners operate.

For users in the EEA, UK, or Switzerland, international data transfers rely on:

(i) Standard Contractual Clauses (SCCs);

(ii) Adequacy decisions by relevant authorities; or

(iii) User consent, where applicable.

These mechanisms ensure your data receives an equivalent level of protection regardless of location.

⸻

6. Your Rights and Choices

Depending on your location, you may have the following rights:

(i) Access – Request a copy of your personal data;

(ii) Correction – Rectify inaccurate or outdated information;

(iii) Deletion – Request removal of your personal data;

(iv) Portability – Obtain your data in a structured, machine-readable format;

(v) Restriction or Objection – Limit or object to processing in certain contexts; and

(vi) Opt-Out – Decline non-essential communications and marketing emails.

Submit requests by contacting clientservices@arsontheory.com. We verify all requests before action and respond within legally required timelines.

⸻

7. For U.S. Users (CCPA/CPRA Compliance)

California residents have the right to:

(i) Know what personal data we collect, how it’s used, and with whom it’s shared;

(ii) Request deletion of their personal information;

(iii) Correct inaccurate or incomplete data;

(iv) Opt out of any sale or sharing of data (Arson Theory does not sell data); and

(v) Appoint an authorized agent to submit verified requests on their behalf.

We will not discriminate against users for exercising their privacy rights.

⸻

8. For European and UK Users (GDPR Compliance)

Arson Theory acts as a Data Controller for EU and UK users.

Legal bases for processing include:

(i) Your consent (e.g., for marketing communications);

(ii) Contract necessity (e.g., distribution, royalty payments);

(iii) Legal obligations (e.g., tax and accounting compliance); and

(iv) Legitimate interests (e.g., fraud prevention, analytics).

Data retention periods:

(i) Financial and royalty data – 7 years minimum;

(ii) Active accounts – retained while the account remains open; and

(iii) Inactive accounts – deleted after 2 years of inactivity.

EU/UK Data Protection Officer (DPO):

clientservices@arsontheory.com

⸻

9. Automated Decision-Making

Certain Services involve limited automated decision-making, such as:

(i) Royalty calculation and allocation;

(ii) Detection of duplicate or infringing uploads; and

(iii) Content identification and rights-matching via automated systems.

These automated processes support efficient service delivery and do not override your legal rights. You may request human review of any automated decision affecting your account.

⸻

10. Children’s Privacy

Our Services are not designed for or directed toward children under:

(i) 13 years old in the United States; or

(ii) 16 years old in the European Union.

We do not knowingly collect or store data from minors. If we become aware that a child’s data has been collected, we will delete it immediately.

⸻

11. Cookies and Tracking Technologies

We use cookies and similar technologies for performance, analytics, and functionality.

Types include:

(i) Essential cookies for authentication and platform access;

(ii) Analytics cookies to evaluate usage and improve features; and

(iii) Preference cookies to remember language and dashboard settings.

You may adjust cookie settings in your browser. For details, refer to our Cookie Policy.

⸻

12. Data Retention Policy

We retain personal data only as long as necessary for legitimate business or legal purposes:

(i) Active user accounts – retained indefinitely while active;

(ii) Inactive accounts – deleted after 24 months;

(iii) Royalty and financial records – retained for at least 7 years; and

(iv) Backups – rotated and deleted on a scheduled cycle.

When data is deleted, it is securely erased or anonymized.

⸻

13. Updates to This Policy

We may update this Privacy Policy periodically to reflect operational, technical, or legal changes.

(i) The latest version will always be posted at arsontheory.com/privacy.

(ii) Major updates will be announced via email or in your dashboard.

(iii) Continued use of the Services constitutes acceptance of the updated Policy.