Catalogus Musicus

Privacy Policy

Version 2026-06-07

1. Data Controller

Media Rosenqvist is the data controller for the processing of personal data on this service. Contact for data protection questions: dataskydd@mediarosenqvist.com.

2. Data We Process

  • Account: email, display name, password (hashed), role.
  • Artist profile: name, bio, links, images and uploaded content.
  • Listening data: plays and favorites.
  • Donations: amount, currency, date and payment identifier from Stripe. We never store card details.
  • Consents: your choices in the cookie banner, version and timestamp.
  • Technical: IP address (hashed), browser type and event logs for security.

3. Purpose and Legal Basis

  • Provide the service — contract.
  • Payments and accounting — legal obligation.
  • Security, intrusion detection, incident reporting (NIS2) — legitimate interest.
  • Analysis and marketing — consent (can be revoked at any time).

4. Retention Period

  • Account data: as long as the account is active + 90 days.
  • Accounting records (donations): 7 years under the Swedish Accounting Act.
  • Security logs: 12 months.
  • Consent logs: 3 years after revocation.

5. Recipients and Sub-processors

  • Supabase (EU region) — database, authentication, file handling.
  • Stripe — payments.
  • Spotify, Suno, AzuraCast — only metadata we have entered ourselves.
  • Lovable Cloud — hosting and operations.

6. Your Rights

You have the right to access, rectification, erasure, restriction, data portability and objection. Several of these rights can be exercised directly under Settings → Privacy:

  • Export your data as JSON.
  • Delete your account (irreversible).
  • Revoke consents via the cookie banner.

You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY).

7. Security (NIS2)

We apply appropriate technical and organizational measures: TLS in transit, encryption at rest with Supabase, principle of least privilege, audit logging of administrative actions and an incident handling process in accordance with the NIS2 directive. Serious incidents are reported to the competent authority within 24/72 hours.

8. Changes

When the policy is updated we raise the version number and, for material changes, ask for renewed consent.