Privacy Policy

Last updated: April 2026

This Privacy Policy explains how YARDWAVE ("we", "us", "our") collects, uses, stores, and protects your personal data when you use our platform. YARDWAVE is operated from Norway and Jamaica.

1. Data We Collect

Account Information

  • Email address — required for account creation and login
  • Display name — optional, chosen by you
  • Password — stored as a cryptographic hash, never in plain text

Payment Information

  • Payment details (card number, billing address) are collected and processed exclusively by Stripe, our payment processor
  • YARDWAVE never sees, stores, or has access to your full card details
  • We store only your Stripe customer ID and subscription ID for billing management

Usage Data

  • Listening history — which tracks and mood stations you listen to
  • Mood preferences — your selected favourite moods
  • Session information — login timestamps, IP address, browser/device type

Technical Data

  • Device type and operating system
  • Browser type and version
  • IP address and approximate geographic location
  • Pages visited and features used

2. How We Use Your Data

  • Provide the service — authenticate your account, manage your subscription, stream music
  • Improve the platform — understand listening patterns to improve mood curation
  • Communicate with you — send essential account notifications (billing, security, terms updates)
  • Ensure security — detect and prevent fraud, abuse, and unauthorised access

We do not sell your personal data to third parties. We do not use your data for targeted advertising. YARDWAVE has no advertising.

3. How Data Is Stored

Infrastructure

  • Supabase — database hosting. Account data, track metadata, listening history, and mood assignments are stored in a Supabase PostgreSQL database with row-level security enabled
  • Cloudflare — hosting and content delivery. The frontend is served via Cloudflare Pages. The API runs on Cloudflare Workers. Cloudflare provides DDoS protection and edge caching
  • Stripe — payment processing. All payment data is handled by Stripe's PCI-compliant infrastructure

Security Measures

  • Passwords are hashed using cryptographic algorithms before storage
  • All data transmission uses HTTPS/TLS encryption
  • Database access is restricted by row-level security policies
  • API secrets and keys are stored in encrypted environment variables
  • Session tokens expire after 30 days

4. Cookies and Local Storage

YARDWAVE uses minimal browser storage:

  • localStorage — stores your session token (for staying logged in), user profile cache, and mood preferences. This data stays on your device and is not sent to third parties
  • Essential cookies — Cloudflare may set technical cookies for security and performance purposes

We do not use tracking cookies, analytics cookies, or advertising cookies.

5. Third-Party Services

Service Purpose Data Shared
Supabase Database Account data, listening history
Stripe Payments Email, payment details
Cloudflare Hosting, CDN, security IP address, request metadata

Each of these services maintains their own privacy policies and data protection standards.

6. Your Rights Under GDPR

If you are located in Norway, the European Economic Area, or the United Kingdom, you have the following rights under the General Data Protection Regulation:

  • Right of Access — you may request a copy of all personal data we hold about you
  • Right to Rectification — you may request correction of inaccurate or incomplete data
  • Right to Erasure — you may request deletion of your personal data ("right to be forgotten")
  • Right to Data Portability — you may request your data in a structured, machine-readable format
  • Right to Object — you may object to processing of your data for specific purposes
  • Right to Restrict Processing — you may request that we limit how your data is used
  • Right to Withdraw Consent — where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, use the account deletion or data request feature in your settings page, or submit a written request through the platform.

We will respond to GDPR requests within 30 days. If we need additional time, we will inform you of the reason and the expected timeframe.

7. Data Retention

  • Active accounts: data is retained for as long as your account is active and your subscription is current
  • Cancelled subscriptions: account data is retained for 12 months after cancellation to allow for reactivation, then deleted
  • Account deletion requests: personal data is deleted within 30 days of a confirmed deletion request
  • Anonymised data: aggregated, anonymised usage statistics (with no personally identifiable information) may be retained indefinitely for platform improvement
  • Legal obligations: some data may be retained longer if required by law (such as financial transaction records)

8. Children's Privacy

YARDWAVE is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that a user is under 16, we will take steps to delete their account and data.

9. International Data Transfers

Your data may be processed in the United States (where Supabase and Cloudflare infrastructure is located), the European Union, and Jamaica. Where data is transferred outside the EEA, appropriate safeguards are in place through the service providers' data processing agreements and standard contractual clauses.

10. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be communicated to active subscribers via email at least 14 days before taking effect. The "Last updated" date at the top of this page indicates the most recent revision.

11. Track Ownership and Rights Chain

Music Ownership

All music on the YARDWAVE platform is created by the platform operator. Tracks are produced using Suno AI under a confirmed commercial license, which grants the operator full ownership of the finished audio output. The operator retains 100% of all rights to every track published on the platform.

Ownership Metadata

Every track published on YARDWAVE carries embedded metadata documenting:

  • Creator: the platform operator (ARTIL WAVE / YARDWAVE)
  • License: Suno commercial license confirmed
  • Rights: all rights reserved by operator
  • Mood classification: assigned via YARDWAVE pipeline
  • Processing date and unique YARDWAVE track ID

This metadata is embedded directly in the WAV file (ID3 tags) and recorded in our internal master registry.

TONO Registration

YARDWAVE tracks are registered with TONO (Norsk Toning og Norsk Komponistforening), the Norwegian performance rights organisation, for royalty management and international copyright protection. TONO registration creates a formal record of authorship and enables collection of performance royalties when tracks are played publicly.

TONO registration data (registration date and reference number) is maintained in our internal track registry and is not shared with platform subscribers.

Rights Chain Summary

  1. Track created by operator using Suno AI (commercial license)
  2. Track processed, quality-validated, and mastered by YARDWAVE pipeline
  3. Operator assigns mood classification and approves track for release
  4. Track registered with TONO for copyright protection
  5. Track published on YARDWAVE platform under operator ownership

12. Governing Law

This Privacy Policy is governed by the laws of Norway for users located in the EEA, and the laws of Jamaica for users located outside the EEA. For GDPR matters, the Norwegian Data Protection Authority (Datatilsynet) is the relevant supervisory authority.

13. Contact

For privacy-related enquiries, submit a request through the platform's settings page. For formal data protection requests, submit a written request to YARDWAVE through the platform.