Velveteen Privacy Policy

Effective: July 1st, 2025

This Privacy Policy explains how Velveteen Technologies Inc. ("Velveteen," "we," "us," "our") collects, uses, discloses, and protects information in connection with our website, apps, and music collaboration and distribution services (collectively, the "Services").

If you do not agree with this Policy, please do not access or use the Services. Capitalized terms not defined here have the meanings given in our Terms of Service.

1) Who We Are & Scope

Velveteen Technologies Inc., a company organized under the laws of British Columbia, Canada, is the controller of your Personal Data when you use the Services unless stated otherwise.

2) Information We Collect

  • Account Data: name, email, password, artist/label profiles, and settings.
  • User Content: audio files/recordings, artwork, metadata (e.g., writers/splits), comments, and collaboration artifacts you upload or create.
  • Transaction & Payout Data: payment method tokens, billing details, payout details (e.g., PayPal), tax forms (e.g., W-8/W-9), and royalty accounting.
  • Communications: messages to support, feedback, and survey responses.
  • Usage & Device Data: pages viewed, links clicked, session timestamps, approximate location (from IP), device/browser type, crash logs, and similar diagnostics.
  • Cookies & Similar Tech: cookies, SDKs, and pixels for core functionality, analytics, and (where permitted) marketing. See "Cookies & Tracking."
  • Third-Party Sources: we may receive information from stores/streaming platforms, marketing partners, fraud-prevention providers, and identity verification/KYC vendors.

We do not intentionally collect "sensitive" categories unless required for legal compliance (e.g., sanctions/KYC). Please do not submit unnecessary sensitive data.

3) How We Use Personal Data (Purposes & Legal Bases)

  • Provide the Services (account creation, uploads, distribution, royalty accounting, support). Legal bases (EEA/UK): Contract; Legitimate interests.
  • Process payments/payouts & tax. Legal bases: Contract; Legal obligation; Legitimate interests.
  • Safety, security, and fraud prevention (including detection of Artificial Activity). Legal bases: Legitimate interests; Legal obligation.
  • Product analytics and improvement. Legal bases: Legitimate interests; Consent where required (e.g., non-essential cookies).
  • Marketing & communications (news, features, offers). Legal bases: Consent where required; Legitimate interests (you can opt out anytime).
  • Compliance (statutory retention, responding to lawful requests, enforcing terms). Legal bases: Legal obligation; Legitimate interests.

4) How We Share Information

  • Vendors/Processors (hosting, cloud/CDN, storage, analytics, payments, KYC/AML, customer support, email, logging).
  • Digital Platforms you choose (e.g., distribution of recordings, metadata, and artwork to online stores/streaming services).
  • Content Owners/Partners (e.g., artists/labels receiving aggregate or fan-relationship data consistent with your choices and platform rules).
  • UGC/Claiming (content ID/fingerprinting vendors for claims, monetization, and disputes).
  • Legal/Compliance (to comply with law, protect rights, prevent fraud/abuse, or respond to lawful requests).
  • Business Transfers (merger, acquisition, financing, insolvency, or asset sale).
  • With Your Consent (e.g., introductions to third parties).

YouTube API Services: We distribute to YouTube/YouTube Music and may use YouTube API Services to manage claims/monetization and related functionality. Your use is also subject to Google's applicable terms and policies. You can revoke our access via your Google account security settings.

5) Cookies & Tracking

We use cookies, SDKs, and similar technologies for essential operation, analytics (e.g., measuring feature usage), and—where permitted—marketing. You can manage non-essential cookies via our cookie banner/preferences and through your browser or device settings. Declining certain cookies may impact functionality.

6) Advertising & "Sale/Share" (California)

We do not sell Personal Information for money. Some analytics/advertising activities may be considered "sharing" or "selling" under California law. California residents can opt out of such "sale/share" by using our cookie preferences or contacting us as described below.

7) International Transfers

We are based in Canada and may process data in Canada, the U.S., the EEA/UK, and other countries. Where required, we rely on appropriate safeguards for cross-border transfers (e.g., Standard Contractual Clauses, UK Addendum/IDTA). By using the Services, you understand your data may be processed in jurisdictions with different data protection laws.

8) Data Retention

We retain Personal Data only as long as necessary for the purposes described, to comply with legal obligations (e.g., tax/audit), resolve disputes, and enforce agreements. Typical retention includes account records for the life of the account plus a reasonable period, transaction and tax records for statutory periods, and logs/analytics for shorter, rolling windows unless needed longer for security or legal reasons.

9) Your Rights & Choices

  • Access, correction, deletion: You can access certain data in your account and request additional access, correction, or deletion by contacting privacy@velveteen.ai.
  • Portability & restriction/objection (EEA/UK): You may request a portable copy, ask us to restrict certain processing, or object to certain processing.
  • Consent withdrawal: Where processing is based on consent (e.g., non-essential cookies/marketing), you can withdraw consent at any time.
  • California (CPRA): Right to know, delete, correct, opt out of "sale/share," and limit use of sensitive Personal Information (we generally don't use sensitive PI beyond permitted purposes).
  • Appeals & complaints: EEA/UK residents may lodge a complaint with a supervisory authority; other regions may have similar rights with local regulators.

We may need to verify your identity and, if applicable, your authority to make a request. Authorized agents may submit requests per applicable law.

10) Security

We implement administrative, technical, and physical safeguards designed to protect Personal Data (e.g., encryption in transit, access controls, monitoring). No system is 100% secure; you're responsible for safeguarding your credentials and logging out of shared devices.

11) Children's Privacy

The Services are not directed to children under 13 (or the age defined by local law). We do not knowingly collect Personal Data from children. If you believe a child has provided Personal Data, contact us and we will take appropriate steps to delete such data.

12) Automated Decision-Making

We do not engage in automated decision-making that produces legal or similarly significant effects without human involvement. We may use automated systems to detect fraud/abuse or for analytics that inform product improvements.

13) Third-Party Sites & Services

Our Services may link to third-party sites, apps, and services. Their privacy practices are governed by their own policies; we are not responsible for them.

14) Changes to this Policy

We may update this Policy from time to time. If we make material changes, we will post the updated Policy with a new effective date and, where required, provide additional notice. Your continued use of the Services after the effective date constitutes acceptance.

15) Contact Us

Questions or requests about this Policy or your Personal Data? Contact: privacy@velveteen.ai or legal@velveteen.ai. Mailing address: Velveteen Technologies Inc. / ATTN: Privacy, 1538 Pinot Gris Drive, West Kelowna, BC, Canada.