Privacy Policy

Last updated: April 23, 2026

DECODED ("we", "us", or "our") respects your privacy. This policy explains what data we collect, how we use it, your rights as a user — including how to delete your account and data — and how we work with advertising partners to keep the platform free for all creators.

Information We Collect
How We Use Your Information
DECODED Integrity Features & Data Processing
Cookies, Advertising & Ad Partners
Third-Party Services
Data Retention
Your Rights & Account Deletion
Children's Privacy (COPPA)
Data Security
Changes to This Policy
Contact Us

1. Information We Collect

Information you provide directly

Account data: email address, display name, and password (stored as a salted hash — we never store plaintext passwords) when you create an account. If you sign up via Google OAuth, we receive your name and email from Google.
Platform handles: social media usernames, artist profiles, and platform links you enter to power presence scanning and royalty checks across 49+ platforms.
Payment data: billing information processed by Stripe. We do not store full card numbers or CVV codes — all payment data is held by Stripe. See Stripe's Privacy Policy.
Files you upload: documents (contracts, creative works, media files) uploaded for AI analysis, copyright sealing, or secure storage. See Section 3 for how each feature handles uploaded files.

Information collected automatically

Usage data: pages visited, features used, button clicks, and session duration — used to improve the platform.
Device & browser info: IP address, browser type, operating system, screen resolution, and device type — used for security, fraud detection, and analytics.
Log data: server logs including request timestamps, HTTP status codes, and referring URLs — retained for up to 90 days for security purposes.
Cookies and local storage: see Section 4 for full details.

2. How We Use Your Information

To provide, maintain, and improve the DECODED platform.
To power your Online Social Net Worth score, presence dashboards, and royalty scanning results.
To manage your account, subscription, and billing via Stripe.
To send transactional emails: account confirmation, password reset, subscription receipts, and deletion confirmation. We do not send marketing emails without your explicit consent.
To display relevant advertising through our ad partners (Google AdMob, AppLixir) — see Section 4.
To detect abuse, prevent fraud, and enforce our Terms of Service.
To comply with applicable laws and regulations.

3. DECODED Integrity Features & Data Processing

DECODED Integrity is a suite of creator-protection tools. Each feature processes data in a specific, limited way:

i-Copyright (Copyright Sealing)

When you use i-Copyright to seal a creative work, we:

Generate a SHA-256 hash of your uploaded file — a unique cryptographic fingerprint. We do not store the file contents, only the hash and metadata you provide.
Record a blockchain timestamp (via OpenTimestamps or equivalent) to establish immutable proof of creation date.
Store the file temporarily in DECODED Vault (Cloudflare R2 encrypted storage) if you choose to keep a vault copy. Files stored in Vault are encrypted at rest and accessible only to your account.
Issue a Certificate of Authenticity (PDF) that you can download and retain. This certificate contains your hash, timestamp, and account metadata — no AI processing is applied to your content.

Contract Decoder (AI Contract Analysis)

When you upload a contract for analysis, we:

Send the document text to an AI language model (OpenAI GPT-4 or equivalent) for analysis. The AI identifies clauses, risks, and plain-language summaries.
Do not retain contract content beyond your active account session. Contract text is processed in memory and is not stored in our database after analysis completes, unless you explicitly save a result to your account history.
Never share your uploaded contract text with other users or third parties beyond the AI processing provider (OpenAI). See OpenAI's Privacy Policy.

Content Protector & DMCA Takedowns

Content Protector monitors the web for unauthorized copies of your content. When you activate this feature:

We store the content identifiers (hashes, titles, URLs) you register for monitoring.
When a potential infringement is detected, we log the infringing URL, platform, and detection timestamp.
If you authorize a DMCA takedown, we submit your contact information (as copyright holder) and the infringing URL to the relevant platform. This data is required by law and disclosed only to the recipient platform's designated DMCA agent.

I-Royalty Reclaimer

I-Royalty Reclaimer scans royalty collection societies and streaming platforms for unclaimed or underpaid royalties. When you use this feature:

We store your artist name, distributor, ISRC/UPC codes, and platform handles to perform the scan.
Scan results — including potential unclaimed royalty amounts and source platforms — are stored in your account for your reference.
We do not submit claims on your behalf without your explicit authorization for each claim.

DECODED Vault (Secure File Storage)

DECODED Vault provides encrypted storage for your creative assets. Files stored in Vault are:

Encrypted at rest using AES-256 encryption within Cloudflare R2.
Accessible only to your account via authenticated, time-limited signed URLs.
Retained as long as your account is active. Files are permanently deleted within 30 days of account deletion.
Never used to train AI models or shared with third parties.

4. Cookies, Advertising & Ad Partners

DECODED uses cookies, local storage, and device identifiers for the following purposes:

Essential cookies

Required for the service to function — for example, keeping you logged in and maintaining your session. These cannot be disabled without breaking the service.

Analytics cookies

We use anonymised usage analytics to understand how creators use DECODED and improve the experience. These are loaded only after you accept our cookie consent banner.

Advertising — Google AdMob

Google AdMob is one of our advertising partners. AdMob may use cookies, device identifiers, and similar tracking technologies to collect data about your activity on DECODED and other sites and apps in order to serve you relevant, personalized advertisements.

Data collected by Google AdMob may include: device identifiers (e.g., Android Advertising ID, Apple IDFA), IP address, browser/app information, and interactions with ads shown on DECODED.

Google uses this data to measure ad effectiveness and to serve ads based on your interests. For more information, see Google's Advertising & Privacy Policy.

Opt out of personalized advertising from Google: visit Google Ad Settings or, for mobile, use your device's "Opt out of Ads Personalization" setting (Android) or "Limit Ad Tracking" setting (iOS).

Advertising — AppLixir (Rewarded Ads)

AppLixir is a rewarded video ad network used to offer free access to certain premium features in exchange for watching a short advertisement.

When you watch a rewarded ad via AppLixir, AppLixir may collect: your IP address, device identifiers, browser/app information, and ad interaction data (e.g., whether you completed viewing the ad). This data is used to verify ad completion and to serve relevant ads.

AppLixir operates under its own privacy policy. For more information, visit AppLixir's Privacy Policy.

Rewarded ads are always optional. You may skip rewarded ad features and use the platform without interacting with AppLixir.

How ad data is used and shared

Ad data collected by Google AdMob and AppLixir is governed by their respective privacy policies, not ours. DECODED does not sell your personal data. We share only the data technically required to deliver and measure ads — such as page context and anonymized identifiers — with these ad network partners.

Managing your ad preferences

Cookie consent: advertising cookies are loaded only after you accept our cookie consent banner. If you decline, no advertising cookies are set.
Google Ad Settings: google.com/settings/ads
NAI Opt-Out: optout.networkadvertising.org
DAA Opt-Out: optout.aboutads.info
Device settings: use your mobile device's "Opt out of Ads Personalization" (Android) or "Limit Ad Tracking" (iOS) setting.

5. Third-Party Services

We share data with the following third parties where necessary to provide our service:

Google AdMob & Google Analytics — advertising, ad measurement, and usage analytics. See Google Privacy Policy.
AppLixir — rewarded video advertising. See AppLixir Privacy Policy.
Stripe — payment processing and subscription billing. Governed by Stripe's Privacy Policy. We share only what is required to process your payment (email, billing name, and address).
OpenAI — AI analysis for Contract Decoder and other AI-powered features. Document content is transmitted to OpenAI for processing and is not retained by OpenAI for model training (subject to OpenAI's API data usage policy).
Cloudflare R2 — encrypted file storage for DECODED Vault and i-Copyright seal storage. Data is stored in Cloudflare's infrastructure under Cloudflare's data processing terms.
Postmark — transactional email delivery (receipts, password resets, account notifications).
Meta (Facebook Pixel) — conversion tracking for marketing campaigns.
Render / Neon — cloud hosting (Render) and database infrastructure (Neon PostgreSQL).

We do not sell your personal data to third parties.

6. Data Retention

We retain your data for as long as your account is active. Specific retention periods by data type:

Account & profile data: retained for the life of your account.
Subscription & billing records: retained for 7 years as required by financial regulations.
i-Copyright seal records (hashes & timestamps): retained indefinitely — these are proofs of ownership and deleting them would defeat their purpose. Hash records do not contain your file content.
Contract analysis results: retained only if you save them to your account history; otherwise purged after the session ends.
DECODED Vault files: retained until you delete them or your account is deleted. Permanently purged within 30 days of account deletion.
Server logs: retained for up to 90 days for security purposes.
Analytics data: anonymized and aggregated; retained indefinitely.

If you delete your account, all personal data is permanently purged within 30 days, except data we are legally required to retain (such as billing records).

7. Your Rights & Account Deletion

Depending on your location, you may have the following rights:

Access: request a copy of the personal data we hold about you.
Correction: update your name, email, or profile information in your account dashboard.
Deletion: permanently delete your account and all associated personal data.
Portability: request an export of your data in a machine-readable format.
Objection / Restriction: object to or restrict certain types of data processing, including personalized advertising.
Withdraw consent: where processing is based on consent (e.g., advertising cookies), you may withdraw consent at any time via our cookie consent settings.

To delete your account: log in to your Dashboard, go to Account Settings → Danger Zone, and click Delete My Account. This permanently deletes your account, all personal data, and Vault files within 30 days. You will receive a confirmation email. This action cannot be undone.

To exercise other rights, or if you need assistance, contact us at the address in Section 11.

8. Children's Privacy (COPPA)

DECODED is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. Users must be at least 13 years old to create an account.

If you are a parent or guardian and believe your child under 13 has created an account or provided us with personal information, please contact us immediately at support@decoded.fm and we will promptly delete the account and all associated data.

If you are between 13 and 18 years old, you should use DECODED only with the knowledge and consent of a parent or guardian.

9. Data Security

We take the security of your data seriously and implement the following protections:

Encryption in transit: all data transmitted between your browser/device and DECODED is encrypted using HTTPS/TLS.
Encryption at rest: files stored in DECODED Vault are encrypted using AES-256.
OAuth tokens: third-party OAuth access tokens are encrypted using AES-256-GCM before storage.
Password hashing: passwords are hashed with a strong one-way algorithm (bcrypt). We never store plaintext passwords.
Access controls: production database access is restricted to authorized infrastructure only. Agent and sandbox code cannot access your credentials.
Parameterized queries: all database queries use parameterized statements to prevent SQL injection.

No system is completely immune to security incidents. If we become aware of a breach affecting your personal data, we will notify you in accordance with applicable law.

10. Changes to This Policy

We may update this policy from time to time as DECODED evolves. We will notify you of significant changes by updating the "Last updated" date at the top of this page. For material changes, we will also send an email notification to registered users.

Continued use of DECODED after changes are posted constitutes your acceptance of the revised policy.

11. Contact Us

If you have questions about this Privacy Policy, want to exercise your data rights, or need to report a privacy concern:

Email: support@decoded.fm

Website: decoded.music

We aim to respond to all privacy inquiries within 30 days.