Privacy policy

tunedr attaches great importance to the protection of your personal data. This policy describes what data is collected, why and how it is used.

1. Data controller

Mathis Ferreira — tunedr
Email: stereo.webapp05@gmail.com

2. Data collected

During registration and use of the service, tunedr collects the following data:

Identity data

• First and last name
• Username (handle)
• Date of birth (to verify the minimum age of 16)

Contact details

• Email address (login identifier)
• Phone number

Profile data

• Profile picture (if uploaded)
• Biography / free text

Published content

• Uploaded audio files (music, up to 500 MB per file)
• Associated metadata: title, musical styles, instruments, tags
• Comments, replies, likes

Usage data

• Saved music and listening history
• Social relationships (subscriptions, follows)
• Connection logs (IP address, timestamp)
• Session remember token (if "Remember me" is enabled)

Payment data (coming soon)

• Payment data will be processed by a secure third-party provider
• tunedr never stores banking information in plain text

Sign in and account linking via Google (OAuth 2.0)

If you use Google sign-in, or if you link your Google account to an existing tunedr account, tunedr receives the following data from Google via the OAuth 2.0 API:

• Google email address — used to create or identify your tunedr account
• Google display name — pre-fills your username during registration
• Google profile picture — proposed as default avatar during registration
• Unique Google identifier (sub) — technical key used to link your account securely and durably

tunedr only requests the openid, email and profile scopes — the most restrictive permissions available in the Google OAuth 2.0 API. tunedr never accesses your Gmail messages, contacts, Google Calendar, Google Drive, files, or any other Google data.

This data is retained for as long as your tunedr account is active. Unlinking your Google account from your settings does not delete data already imported. Permanently deleting your tunedr account results in the complete erasure of this data.

Sign in and account linking via Discord (OAuth 2.0)

If you use Discord sign-in, or if you link your Discord account to an existing tunedr account, tunedr receives the following data from Discord via the OAuth 2.0 API:

• Discord email address — used to create or identify your tunedr account
• Discord username — pre-fills your username during registration
• Discord avatar — proposed as default avatar during registration
• Unique Discord identifier (Discord ID) — technical key used to link your account securely and durably

tunedr only requests the identify and email scopes. tunedr never accesses your private messages, servers, roles, activity, or any other Discord data.

This data is retained for as long as your tunedr account is active. Unlinking your Discord account from your settings does not delete data already imported. Permanently deleting your tunedr account results in the complete erasure of this data.

Technical security services

• Compromised password check (HaveIBeenPwned): at registration, an anonymised prefix (first 5 characters of the SHA-1 hash) of your password is compared against the HaveIBeenPwned database via their public API. Your password in plain text is never transmitted to a third-party service. This mechanism follows the k-anonymity protocol.
• Antivirus scan (ClamAV): every uploaded audio file is scanned in memory by the ClamAV antivirus engine deployed locally on tunedr servers. No data is transmitted to an external service.
• Copyright detection (ACRCloud): a digital acoustic fingerprint is extracted from each audio file and sent to ACRCloud to check for the presence of protected works. The raw audio file is never transmitted. Only the fingerprint, which cannot be reversed to audio, is sent.

3. Legal basis for processing

• Contract performance: data necessary for account operation
• Consent: optional profile data (photo, bio)
• Legitimate interest: security logs, abuse prevention

4. Retention period

• Account data: retained as long as the account is active
• Data deleted on request or upon account deletion
• Connection logs: 12 months maximum

5. Data sharing

tunedr does not sell or rent your personal data to third parties. Data may be transmitted only to technical service providers (hosting, emails) strictly within the scope of the service.

6. Your rights (GDPR)

In accordance with the General Data Protection Regulation (GDPR), you have the following rights:

• Right of access: obtain a copy of your data
• Right to rectification: correct inaccurate data
• Right to erasure: delete your account and data
• Right to portability: retrieve your data in a readable format
• Right to object: object to certain processing

To exercise these rights: stereo.webapp05@gmail.com
You may also lodge a complaint with the CNIL (French data protection authority): www.cnil.fr

7. Security

tunedr implements appropriate technical and organisational measures to protect your data against unauthorised access, loss or disclosure: bcrypt password hashing (adaptive cost factor), exclusively encrypted HTTPS/TLS connections, secure sessions with HttpOnly and SameSite cookies, and CSRF protection on all forms.

8. Contact

For any questions regarding your personal data: stereo.webapp05@gmail.com