Privacy Policy
Open Music (openmusic.art)
Last updated: March 2026
This policy explains what data we collect, why we collect it, and how we handle it. We wrote it in plain language because you deserve to actually understand it.
Who we are
Open Music is an open music streaming platform operated by Open Music ("we," "us," "our"). Our platform is available at openmusic.art. For questions about this policy, contact us at roma@openmusic.art.
What we collect and why
Account information
When you create an account, we collect:
- Email address — used for authentication (OTP login codes sent via email), account recovery, and essential service communications
- Username and display name — chosen by you during onboarding, used as your public identity on the platform
- Avatar and banner images — optional, uploaded by you for your profile
- Bio, location, and profile links — optional, provided by you and displayed publicly on your profile
If you sign in with Google, we receive your name, email, and profile photo from Google's OAuth service. We do not receive or store your Google password.
Listening data
We track every stream you play. Each listen record includes: which track was played, how long you listened, whether you completed the track, and when the listen occurred. This data is essential to our user-centric payment model, where your subscription is distributed proportionally to the artists you actually listen to. Without accurate listening data, we cannot pay artists fairly.
Payment and subscription data
When you subscribe, payment processing is handled entirely by Stripe. We never see, store, or process your credit card number, bank account details, or other payment credentials. What we do store: your Stripe customer ID, subscription tier, subscription status, and billing cycle dates. This is the minimum we need to know who has an active subscription and how to distribute payments.
For artists receiving payouts, we store: wallet balance, transaction history, withdrawal requests, and (if you choose USDC payouts) your Solana wallet address. If required for tax compliance, artists may submit tax documentation, which is handled through our payment processor.
Audio and content data
When artists upload music, we store the original audio file plus encoded versions (Opus and AAC) on Cloudflare R2. We also generate and store: waveform data for visual playback, loudness measurements, and a 512-dimensional audio embedding vector ("Sonic DNA") using the CLAP AI model. This embedding is a mathematical representation of how your track sounds, used for similarity-based discovery. It cannot be reversed into audio.
We also store track metadata you provide: title, description, genre, tags, lyrics, cover art, ISRC codes, and contributor/collaborator information including royalty split percentages.
Social and interaction data
We store your follows, track likes, saved releases, saved playlists, playlists you create, and comments you post. This data powers your collection, feed, and social features.
AI chat data
If you use the Sonic DNA conversational search feature, we store your chat sessions to provide continuity within a conversation. These sessions are tied to your account.
Technical data
We use standard server logs that may include IP addresses, browser type, and request timestamps. These are used for security, debugging, and abuse prevention.
How we use your data
- Pay artists: Listening data directly determines how subscription revenue is distributed. This is the core function of the platform.
- Power discovery: Audio embeddings (Sonic DNA) and your listening profile vector are used to recommend music based on sonic similarity, not editorial curation or paid placement.
- Provide the service: Account data, social interactions, and content data are used to deliver the streaming experience you expect.
- Process payments: Subscription and wallet data are used to collect subscription fees and distribute earnings to artists.
- Communicate with you: Your email is used for login codes, critical account notifications, and (in the future) optional updates about the platform. We don't sell your email or send marketing spam.
- Maintain and improve the platform: Technical data is used for debugging, performance monitoring, and security.
What we don't do
- We don't sell your data. Not to advertisers, not to labels, not to anyone.
- We don't use your listening data for advertising. There are no ads on Open Music.
- We don't gatekeep discovery behind payments. Sonic DNA-based recommendations work the same for every artist regardless of label affiliation or marketing budget.
- We don't obscure where your money goes. Artists see exactly who paid them and how much. Listeners see exactly where their subscription went.
Data sharing
We share data with the following third parties, only as necessary to operate the platform:
- Stripe — payment processing, subscription management, artist payouts. Stripe's privacy policy governs data they collect during checkout and payment flows.
- Supabase — database hosting and authentication infrastructure. Data is stored in Supabase-managed PostgreSQL.
- Cloudflare — CDN, DNS, and R2 object storage for audio files and images.
- HuggingFace — audio data is sent to a CLAP model endpoint for Sonic DNA embedding generation. Only the audio content is sent; no user identity information is included.
- Vercel — application hosting and serverless function execution.
- Trigger.dev — background job processing for audio encoding and analysis.
- Resend — transactional email delivery (login codes).
We do not share your data with data brokers, advertising networks, or any other third parties beyond what's listed above.
Artist-listener transparency
Our payment model is built on transparency. This means:
- Artists can see which listeners' subscriptions contributed to their earnings, the amount earned per billing cycle, and their listening time breakdown.
- Listeners can see how their subscription was distributed across artists each billing cycle.
This mutual visibility is a feature, not a bug. It's how we replace the black box with trust. Both parties see anonymized user IDs and aggregate data, not personal contact information, unless you've made your profile public.
Data retention
- Account data: Retained as long as your account exists.
- Listening data: Retained indefinitely for payment audit trails and artist earnings transparency. Historical listening data is necessary to verify past payment distributions.
- Audio files and embeddings: Retained as long as the track exists on the platform. If an artist removes a track, the audio and derived data (embeddings, waveforms) are deleted.
- Payment records: Retained as required by financial regulations and tax compliance obligations, typically a minimum of 7 years.
- Technical logs: Retained for a limited period (typically 30-90 days) and then deleted.
Your rights and controls
- Delete your account: You can delete your account from Settings. This deletes your profile, social data, and personal information. Listening records tied to completed payment distributions may be retained in anonymized form for financial integrity.
- Update your information: You can edit your profile, username, avatar, bio, and links at any time from Settings.
- Remove your music: Artists can delete their tracks and releases. Audio files and derived data are removed from storage.
- Export your data: Contact us to request a copy of your data.
- Privacy controls: Playlists can be set to public or private.
If you are located in the EU, UK, or other jurisdictions with data protection laws (GDPR, etc.), you may have additional rights including the right to access, correct, port, or erase your personal data, and the right to object to or restrict certain processing. Contact us to exercise these rights.
Cookies and tracking
We use essential cookies for authentication (session management via Supabase Auth). We do not use advertising cookies or third-party tracking pixels. If we integrate analytics in the future (e.g., PostHog), we will update this policy and provide opt-out mechanisms.
Security
- Payment credentials are handled entirely by Stripe and never touch our servers.
- Authentication uses OTP (one-time password) codes and OAuth, with no stored passwords in our database.
- Database access is protected by Row Level Security (RLS) policies ensuring users can only access their own data through client-side queries.
- Financial operations use database transactions with idempotency guards to prevent double-processing.
- All data in transit is encrypted via HTTPS/TLS.
Children
Open Music is not intended for users under 13. We do not knowingly collect data from children under 13. If you believe a child under 13 has created an account, contact us and we will delete it.
Changes to this policy
We may update this policy as the platform evolves. Significant changes will be communicated via email or an in-app notice. The "last updated" date at the top reflects the most recent revision.
Contact
For privacy questions, data requests, or concerns:
- Email: roma@openmusic.art