Privacy policy
"What we collect, what we don't, and what's yours to control. Short version: your email, your subscription status, what you listened to. That's it. We don't sell your data."
This Privacy Policy explains how CTRL+Z and No Doubt Studios ("we") collect, use, and protect your personal information when you use wearectrlz.netlify.app and the CTRL+Z Vault subscription service (the "Service").
By using the Service, you agree to the collection and use of information in accordance with this policy. If you don't agree, don't use the Service.
— 01 What we collect
You give us
- Email address — required to sign up, vote, or subscribe
- Payment details — collected and processed by our payment provider Lemon Squeezy. We never see or store your full card number, CVV, or bank details. We receive only your email, plan, status, country, and subscription ID.
- Optional messages — anything you email to hello@ctrlz.world
We collect automatically
- Listening & voting activity — which Vault tracks you played and which songs you voted for, tied to your fan account
- Technical data — IP address, browser type, device type, referring URL, and timestamps. Used for security, debugging, and traffic analysis.
- Cookies & local storage — to keep you signed in and remember your votes. See Cookies below.
We do not collect
- Your name, address, phone number, or government ID (unless you choose to email it to us)
- Your social media accounts or contact lists
- Microphone, camera, or precise location data
- Health, financial, or other special-category data
— 02 How we use it
- To provide and operate the Service (sign-ins, voting, subscriptions, audio streaming)
- To send Vault updates, drop alerts, and receipts (you can unsubscribe from non-transactional email anytime)
- To prevent abuse, fraud, and unauthorized access
- To improve the Service based on aggregate usage patterns
- To comply with legal obligations
We do not sell, rent, or trade your personal information to advertisers or data brokers. Period.
— 03 Who we share it with
We use a small set of vetted service providers (data processors) who handle data on our behalf under strict contracts. We share only what is necessary for them to do their job.
| Provider | What they do | Data shared |
|---|---|---|
| Supabase | Database, authentication, file storage | Email, fan ID, votes, subscription status, listening logs |
| Lemon Squeezy | Subscription billing, payment processing, sales tax / VAT | Email, billing details, plan, country |
| Netlify | Site hosting, CDN, deploy logs | IP address, request headers, timestamps |
| Resend | Transactional & broadcast email delivery | Email, message content, delivery status |
| Spotify, Apple Music, YouTube, TikTok | Embedded players (only when you press play on the public site) | Whatever those players collect under their own privacy policies |
We may also disclose information when we believe in good faith that disclosure is required by law, regulation, or legal process, or to protect our rights, property, or the safety of others.
— 04 How we keep it safe
We protect your information using industry-standard security: HTTPS encryption in transit, encrypted database storage, Row-Level Security policies on every fan record, and admin-only access to the email list. No system is perfectly secure. If we ever experience a breach affecting your data, we will notify you within 72 hours of discovery, as required by applicable law.
— 05 How long we keep it
- Account & subscription data — for as long as your account is active, plus up to 7 years for tax and accounting purposes
- Listening & voting logs — up to 24 months
- Technical / server logs — up to 90 days
- Transactional email logs — up to 12 months
You can request earlier deletion at any time (see Your rights below).
— 06 Your rights
Depending on where you live, you may have the right to:
- Access — request a copy of the personal data we hold about you
- Correct — fix inaccurate or incomplete data
- Delete — ask us to delete your data ("right to be forgotten")
- Export — receive your data in a machine-readable format
- Object — opt out of certain processing
- Withdraw consent — for any processing based on consent
To exercise any of these rights, email hello@ctrlz.world from the address on your account. We respond within 30 days.
California residents (CCPA / CPRA)
You have the right to know what personal information we collect, the right to delete it, the right to correct it, and the right to opt out of any "sale" or "sharing." We do not sell or share personal information as those terms are defined under California law.
European Economic Area, UK, & Switzerland (GDPR / UK GDPR)
Our legal bases for processing are: (a) contract — to provide the Service you signed up for, (b) legitimate interests — to keep the Service safe and improve it, (c) consent — for marketing email and optional cookies, and (d) legal obligation — to comply with tax and accounting laws.
You may lodge a complaint with your local supervisory authority if you believe we've mishandled your data.
— 07 Cookies & local storage
We use only what's necessary to make the Service work:
- Essential — sign-in tokens, fan account state, and Vault access status. Stored in browser localStorage, not cookies.
- Functional — your votes, audio playback state. Local to your browser.
We do not use advertising cookies, tracking pixels, or third-party analytics scripts (no Google Analytics, no Meta Pixel). Embedded players (Spotify, YouTube, etc.) may set their own cookies when activated.
— 08 Children
The Service is not directed at children under 13, and we do not knowingly collect personal information from anyone under 13. If you are a parent or guardian and believe your child has provided us with personal information, contact us at hello@ctrlz.world and we will delete it.
— 09 International transfers
Our service providers may store and process your data in the United States or other countries. Where required, we rely on Standard Contractual Clauses or other approved transfer mechanisms to protect your data when it crosses borders.
— 10 Changes to this policy
If we make material changes to how we handle your data, we will notify you by email or by posting a notice on the Service at least 14 days before the changes take effect. Continued use after the effective date constitutes acceptance.
— 11 Contact
Privacy questions, data requests, or complaints
CTRL+Z / No Doubt Studios
Los Angeles, California, USA
Email: hello@ctrlz.world
Subject line: "Privacy Request"