Privacy Policy

This Privacy Policy describes how VNYL (“we,” “us,” or “our”) collects, uses, and shares your personal information when you use our podcast hosting platform and related services (the “Service”).

We are committed to protecting your privacy and being transparent about our data practices. As a solo founder project, we take a privacy-first approach while providing you with powerful podcast hosting capabilities.

1. Information We Collect

1.1 Information You Provide to Us

Account Information:

• Email address (required for account creation)
• Name or display name
• Password (encrypted and never stored in plain text)
• Payment information (processed by our payment provider, not stored by us)

Podcast Content:

• Audio files you upload
• Podcast cover art and images
• Episode titles, descriptions, and metadata
• Show notes and other text content
• RSS feed customization settings

Communications:

• Support requests and correspondence
• Feedback and survey responses
• Email preferences for service updates

1.2 Information Collected Automatically

Usage Data:

• Pages you visit on our platform
• Features you use and actions you take
• Time, frequency, and duration of your activities
• Browser type and version
• Operating system and device information

Technical Data:

• IP address (immediately hashed for analytics, see Section 3)
• User agent string
• Referring website URLs
• Access times and dates
• Cookie identifiers (with your consent)

Podcast Download Analytics: When listeners download your podcast episodes, we collect analytics data through OP3 (Open Podcast Prefix Project). See Section 3 for details.

2. How We Use Your Information

We use your personal information for the following purposes, based on these legal grounds:

2.1 To Provide the Service (Legal Basis: Contract Performance)

• Create and manage your account
• Host and deliver your podcast audio files
• Generate and maintain your RSS feed
• Distribute your content to podcast directories
• Process your subscription payments
• Provide customer support
• Send transactional emails (password resets, billing confirmations)

2.2 To Improve and Protect the Service (Legal Basis: Legitimate Interest)

• Monitor and analyze usage trends
• Detect and prevent fraud, abuse, and security threats
• Debug and fix technical issues
• Develop new features and improvements
• Ensure platform stability and performance

2.3 To Communicate With You (Legal Basis: Consent or Legitimate Interest)

• Send service announcements and updates (legitimate interest)
• Respond to your inquiries and support requests (contract performance)
• Send marketing emails about new features (consent - you can opt out anytime)
• Request feedback and conduct surveys (legitimate interest)

2.4 To Comply With Legal Obligations (Legal Basis: Legal Obligation)

• Respond to legal requests and prevent harm
• Comply with applicable laws and regulations
• Enforce our Terms of Service
• Protect our rights and property

3. Third-Party Services and Data Processing

We use carefully selected third-party services to operate our platform. When you use our Service, your data may be processed by these providers:

3.1 OP3 (Open Podcast Prefix Project) - Analytics

What OP3 Does: OP3 is a free, open-source podcast analytics service that measures downloads by prepending https://op3.dev/e/ to your episode URLs. It runs entirely on Cloudflare infrastructure.

Data Collected by OP3:

• Timestamps of downloads
• Episode URLs
• User agents (podcast app information)
• IP addresses (immediately hashed with monthly-rotating keys, never stored raw)
• Geographic data derived from IP addresses (country, region, timezone, metro area, ASN)

Critical Privacy Information:

• IP addresses are hashed immediately upon receipt using private keys that rotate monthly
• No raw IP addresses are ever stored
• No cookies are used by OP3
• Download statistics become publicly accessible through OP3’s API and public stats pages
• Data is processed in the United States on Cloudflare infrastructure
• OP3 does not join data with third-party IP databases or demographic services

Why We Use OP3: OP3 provides privacy-respecting analytics while making podcast measurement data transparent and verifiable. The public nature of OP3 data promotes accountability in the podcast ecosystem.

Your Rights: Because OP3 immediately hashes IP addresses and publishes anonymized data, individual download records cannot be linked back to you after hashing occurs. However, you can choose not to download episodes if you object to this measurement.

Learn More:

• OP3 Privacy Policy: https://op3.dev/privacy
• OP3 Technical Details: https://github.com/skymethod/op3

3.2 Polar.sh - Payment Processing

What Polar Does: Polar.sh acts as our merchant of record, meaning they are the legal seller and handle all payment processing, tax compliance, and billing operations.

Data Processed by Polar/Stripe:

• Payment card information (never seen or stored by us)
• Payment card type and last 4 digits
• Billing name and address
• Email address
• Phone number (if provided)
• Purchase history and subscription status
• Device and IP data for fraud prevention

Payment Data Controller: Polar.sh is the data controller for payment transaction data. Your payment information is processed by Stripe under PCI-DSS standards and is never stored on our servers.

International Transfers: Polar.sh is a Delaware corporation operating in the United States. Payment data is transferred to and processed in the United States.

Your Rights: For payment-related data subject requests (access, deletion, correction), contact Polar at [email protected] or visit their privacy policy.

Learn More:

• Polar.sh Privacy Policy: https://polar.sh/legal/privacy
• Polar.sh Terms: https://polar.sh/legal/terms
• Stripe Privacy Policy: https://stripe.com/privacy

3.3 Cloudflare - Hosting and Infrastructure

What Cloudflare Does: Cloudflare provides our core infrastructure including storage (R2), computing (Workers), databases (D1), caching (KV), and content delivery.

Data Processed Through Cloudflare:

• All podcast audio files and images you upload
• Your account information and podcast metadata
• RSS feeds and website content
• Download request logs
• Application performance and security data

Data Processor Relationship: Cloudflare acts as our data processor. We remain the data controller and Cloudflare processes data only according to our instructions. Cloudflare’s Data Processing Agreement (DPA) automatically applies to our account and includes EU Standard Contractual Clauses.

Data Location:

• Audio files are stored in Cloudflare R2 with global distribution
• Metadata is processed in Cloudflare’s US and EU data centers
• Content is cached globally across 300+ cities worldwide for fast delivery

Security and Certifications: Cloudflare maintains ISO 27001, ISO 27701, SOC 2 Type II, and PCI DSS Level 1 certifications. Data is encrypted at rest (minimum 128-bit AES) and in transit (TLS 1.2+).

International Transfers: Cloudflare is certified under the EU-U.S. Data Privacy Framework and uses Standard Contractual Clauses for GDPR compliance.

Learn More:

• Cloudflare Privacy Policy: https://www.cloudflare.com/privacypolicy/
• Cloudflare DPA: https://www.cloudflare.com/cloudflare-customer-dpa/
• Cloudflare Sub-processors: https://www.cloudflare.com/cloudflare-customer-scc/

3.4 Other Service Providers

We may use additional service providers for:

• Email delivery (transactional and marketing emails)
• Customer support tools
• Analytics and monitoring
• Security and fraud prevention

We will update this policy when adding new significant data processors.

4. Data Retention

We retain your personal information only as long as necessary to provide the Service and fulfill the purposes described in this policy.

Retention Periods:

Data Type	Retention Period
Account information	Duration of account + 30 days after deletion
Podcast content (audio, metadata)	Duration of account + 30 days after deletion
Payment records	7 years (legal requirement for tax/accounting)
Support communications	2 years after last contact
Server logs and IP data	90 days (then permanently deleted)
Analytics data (anonymized)	Indefinitely (cannot be linked to individuals)
Backup data	30 days (then permanently deleted)

Account Deletion: When you delete your account, we immediately remove your data from production systems. Data may remain in encrypted backups for up to 30 days for disaster recovery purposes, after which it is permanently deleted and cannot be recovered.

Legal Holds: We may retain data longer if required by law, regulation, legal process, or to establish, exercise, or defend legal claims.

5. How We Share Your Information

We do not sell your personal information. We share your information only in these limited circumstances:

5.1 With Service Providers (Data Processors)

We share data with third-party service providers who process it on our behalf (OP3, Polar.sh, Cloudflare, email providers). These providers are contractually required to protect your data and use it only for the purposes we specify.

5.2 Public RSS Feeds

Your podcast RSS feed is publicly accessible by design—this is how podcast directories and apps discover and deliver your content. RSS feeds contain:

• Podcast title, description, and artwork
• Episode titles, descriptions, and audio URLs
• Publication dates and metadata
• Any information you choose to include

You control what goes in your RSS feed. Do not include personal information you want to keep private.

5.3 Public Statistics via OP3

Download statistics collected through OP3 are made publicly accessible through OP3’s API. These statistics are anonymized (IP addresses are hashed) and cannot be linked back to individual listeners.

5.4 Legal Requirements

We may disclose your information if required by law, regulation, legal process, or government request, or when we believe disclosure is necessary to:

• Comply with legal obligations
• Protect our rights, property, or safety
• Prevent fraud or security threats
• Enforce our Terms of Service

5.5 Business Transfers

If we are involved in a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred to the acquiring entity. We will notify you via email and/or prominent notice on our Service before your information is transferred.

5.6 With Your Consent

We may share your information for other purposes with your explicit consent.

6. Your Privacy Rights

Depending on your location, you may have specific rights regarding your personal information.

6.1 Rights for All Users

Access: Request a copy of the personal information we hold about you

Correction: Request correction of inaccurate or incomplete information

Deletion: Request deletion of your account and personal information

Export: Download your podcast files, metadata, and account data

Opt-out of Marketing: Unsubscribe from promotional emails (transactional emails will continue)

6.2 Additional Rights for EU/EEA Users (GDPR)

Data Portability: Receive your data in machine-readable format (JSON/CSV)

Restriction: Request temporary restriction of processing

Objection: Object to processing based on legitimate interests

Withdraw Consent: Withdraw consent at any time (where consent is the legal basis)

Lodge a Complaint: File a complaint with your local data protection authority

Automated Decision-Making: We do not use automated decision-making or profiling

6.3 Additional Rights for California Users (CCPA/CPRA)

Right to Know: Request disclosure of personal information collected, used, and shared

Right to Delete: Request deletion of personal information we collected

Right to Correct: Request correction of inaccurate personal information

Right to Opt-Out: We do not “sell” or “share” personal information as defined by CCPA

Non-Discrimination: We will not discriminate against you for exercising your rights

6.4 How to Exercise Your Rights

Email: [email protected]

Subject Line: Include “Privacy Request - [Your Request Type]”

Information Needed:

• Your email address associated with your account
• Specific request (access, deletion, correction, export)
• Verification information (we may ask security questions to confirm identity)

Response Time:

• We will respond within 30 days (GDPR) or 45 days (CCPA)
• We may extend by additional 30 days if necessary (with explanation)
• Complex requests may take longer

No Fee: We do not charge fees for privacy requests unless they are manifestly unfounded, excessive, or repetitive.

7. Cookies and Tracking Technologies

We use cookies and similar technologies to provide and improve our Service.

7.1 Essential Cookies (No Consent Required)

These cookies are necessary for the Service to function:

• Authentication cookies: Keep you logged in
• Session cookies: Remember your settings during your visit
• Security cookies: Detect fraud and abuse
• Load balancing cookies: Distribute traffic efficiently

Duration: Session cookies (deleted when you close browser) or up to 30 days

7.2 Analytics Cookies (Consent Required)

These cookies help us understand how you use the Service:

• Usage analytics: Pages visited, features used, time spent
• Performance monitoring: Load times, errors, crashes

We will only set analytics cookies after you consent via our cookie banner.

7.3 Marketing Cookies (Consent Required)

These cookies track you across websites for advertising:

• Advertising networks: Show relevant ads on other sites
• Social media pixels: Measure ad campaign effectiveness

We will only set marketing cookies after you consent via our cookie banner.

7.4 Managing Your Cookie Preferences

Browser Settings: Most browsers allow you to refuse cookies or delete existing cookies

Our Cookie Banner: Click “Cookie Settings” in the footer to change your preferences

Do Not Track: We currently do not respond to Do Not Track signals

Learn More: See our detailed Cookie Policy at vnyl.fm/cookie-policy

8. Security Measures

We implement industry-standard security measures to protect your information:

Technical Safeguards:

• TLS/SSL encryption for all data in transit
• AES-256 encryption for data at rest
• Bcrypt/Argon2 password hashing (never store plain text passwords)
• Regular security patches and updates
• Automated backups with encryption

Administrative Safeguards:

• Limited employee access to personal data
• Security training and awareness
• Incident response procedures
• Regular security audits

Physical Safeguards:

• Data centers with 24/7 monitoring (via Cloudflare)
• Redundant power and cooling systems
• Access controls and video surveillance

No System is 100% Secure: Despite our efforts, no security measures are perfect. We cannot guarantee absolute security. If you believe your account has been compromised, contact us immediately at [email protected].

9. Data Breach Notification

In the event of a data breach affecting your personal information:

What We’ll Do:

• Investigate the incident immediately
• Contain and remediate the breach
• Notify affected users within 72 hours (GDPR requirement)
• Notify relevant data protection authorities if required
• Provide information about what data was affected
• Offer recommendations to protect yourself

What You’ll Receive:

• Email notification to your account email address
• Details about what information was compromised
• Steps we’re taking to address the breach
• Recommendations for protecting your account
• Contact information for questions

10. International Data Transfers

Our Location: We operate from [Your Location]. Our infrastructure is provided by Cloudflare (United States) and Polar.sh (United States).

EU to US Transfers: When we transfer personal data from the EU to the United States, we rely on:

• EU Standard Contractual Clauses (SCCs) with Cloudflare
• EU-U.S. Data Privacy Framework certification (Cloudflare)
• Adequate safeguards as required by GDPR Article 46

Your Rights: If you are in the EU, you have the right to request information about the safeguards we use for international transfers. Contact [email protected] for details.

11. Children’s Privacy

Our Service is not directed to children under 18 years of age.

Age Requirement: You must be at least 18 years old to create an account and use our Service.

No Knowing Collection: We do not knowingly collect personal information from children under 18. If you are under 18, do not use the Service or provide any information to us.

If We Learn of Underage Users: If we discover we have collected information from a child under 18, we will delete that information immediately. If you believe we have information from a child under 18, contact us at [email protected].

COPPA Compliance: We do not collect information from children under 13 and are not subject to the Children’s Online Privacy Protection Act (COPPA).

12. Changes to This Privacy Policy

Updates: We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

Notice of Material Changes:

• We will update the “Last Updated” date at the top of this policy
• For material changes, we will provide prominent notice via email or platform notification
• We will provide 30 days notice before material changes take effect
• Continued use after changes take effect constitutes acceptance

Your Rights: If you disagree with changes to this Privacy Policy, you may delete your account before the changes take effect.

Version History: Previous versions of this Privacy Policy are available upon request at [email protected].

13. Contact Information

Privacy Questions and Requests: Email: [email protected] Response time: Within 30 days

Data Protection Officer: Not currently required or appointed (solo founder project)

EU Representative: Not currently appointed (will appoint if we meet GDPR Article 27 thresholds)

Security Issues: Email: [email protected] For urgent security matters, please include “URGENT” in the subject line

14. Supervisory Authority Contact (EU Users)

If you are in the European Union and believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local data protection authority.

Find Your Authority: List of EU Data Protection Authorities: https://edpb.europa.eu/about-edpb/about-edpb/members_en

Your Local Authority: Contact the supervisory authority in the EU member state of your residence, place of work, or where you believe a violation occurred.

---

Summary of Key Points

What We Collect: Account info, podcast content, usage data, IP addresses (hashed), payment data (via Polar.sh)

Why: To provide podcast hosting, process payments, improve the service, and comply with law

Who We Share With: OP3 (analytics), Polar.sh (payments), Cloudflare (infrastructure) - we don’t sell your data

Your Rights: Access, delete, correct, export your data - contact [email protected]

Cookies: Essential cookies always on, analytics/marketing require your consent

Security: Industry-standard encryption, hashing, and security practices

Retention: Account data deleted 30 days after account closure

Children: Must be 18+ to use the Service

Contact: [email protected] for questions or requests

---

This policy is effective as of 01 Nov 2025.

By using our Service, you acknowledge that you have read and understood this Privacy Policy.