Privacy Policy
Last updated: May 2026
1. Controller
Traffic netWorks
Speditionstraße 8
40221 Düsseldorf, Germany
Email: support@track-finder.com
Website: https://track-finder.com
2. Collection and Processing of Personal Data
2.1 Website Visit
When you visit our website, the web server automatically records the following data and temporarily stores it in server log files:
- IP address of the requesting computer
- Date and time of access
- Name and URL of the requested file
- Amount of data transferred
- Browser type and version
- Operating system
- Referrer URL
This data is used exclusively to ensure trouble-free operation and to improve our service (Art. 6(1)(f) GDPR).
2.2 Account Registration & Login
To use the slicer, mix recording, playlists, and public mix features you need to create an account. We process:
- Email address (as username, for verification and service emails)
- Password (stored as a bcrypt hash by our auth provider — never in plain text)
- Display name (optional, shown publicly on comments and shared mixes)
- Account creation timestamp
Legal basis: Art. 6(1)(b) GDPR (contract performance). Data is stored as long as your account exists; see section 9 on deletion.
2.3 Audio Uploads & Slicer Output
When you upload audio for slicing, we process:
- The source audio file you upload (MP3, FLAC, WAV, etc.) — stored under a path namespaced to your user id
- Metadata derived by our audio-analysis pipeline: detected BPM, Camelot key, beat grid, duration, bar count
- The resulting loop files (typically 8-bar FLAC slices) and optional stems (vocals / drums / bass / synth) generated by the Demucs model
- Per-loop user edits: chosen color, display name, mute / solo state, subdivision preference
Legal basis: Art. 6(1)(b) GDPR (contract performance — you ask the slicer to process the file). Your uploaded source audio and derived files are private to your account unless you publish a mix that uses them.
2.4 Playlists, Favorites & Listening History
For logged-in users we store: the list of tracks you marked as favorite, playlists you have created (name + ordered list of track references), and which tracks you have listened to (for the "Hide played tracks" filter). Legal basis: Art. 6(1)(b) GDPR.
2.5 Public Mixes & Comments
If you publish a mix or post a comment on a public mix, your display name and the content of your post become publicly visible to other users of the service. Legal basis: Art. 6(1)(a) GDPR (your explicit publication choice) combined with Art. 6(1)(b).
2.6 Comment Moderation
Comments submitted on public mixes are run through an automated moderation pipeline before being published:
- A rule-based check first (length, URLs, repeated characters, all-caps, email addresses).
- If the rule-based check passes and an AI key is configured, the comment text and the mix title are sent to Mistral AI (Mistral AI SAS, France) for a content-policy evaluation against hate speech, harassment, sexual content, doxxing and spam. No user identifier is sent — only the message text and the title of the mix it relates to.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in keeping the public mix space safe and free of abuse). Mistral acts as a processor under standard contractual clauses; the comment text is not retained by them for training purposes per their API terms.
2.7 AI-Assisted Search
If you use the "Smart search" button, your free-text query plus the list of available genres in the database is sent to Mistral AI to parse into a structured filter (BPM range, Camelot key, genre, artist hint, residual text). Legal basis: Art. 6(1)(a) GDPR — your explicit click on the smart-search affordance constitutes consent. The query is not stored beyond the request lifetime.
2.8 Contact Form
When you use our contact form, we process the data you provide (name, email address, message) to handle your inquiry. The legal basis is Art. 6(1)(b) GDPR. This data will be deleted after your inquiry has been fully processed, unless statutory retention obligations apply.
2.9 Local Data Storage (localStorage / PWA cache)
Several UI preferences are stored locally in your browser (localStorage) and never leave your device: "Hide played tracks" toggle, audio player volume, current playback queue, cookie-banner dismissal. The PWA service worker may also cache static assets for offline use. You can delete this data at any time via your browser settings.
3. Hosting & Infrastructure
3.1 Web Hosting — Vercel
This website is hosted by Vercel Inc. (340 Pine Street, Suite 701, San Francisco, CA 94104, USA). Vercel processes technical data (in particular IP addresses) as part of hosting. Processing is based on our legitimate interest in secure and efficient operation (Art. 6(1)(f) GDPR). Vercel is certified under the EU–US Data Privacy Framework.
3.2 Database & Authentication — Supabase
User accounts, playlists, mix metadata, comments, slice-job records and loop rows are stored in a Postgres database managed by Supabase Inc. (970 Toa Payoh North #07-04, Singapore; EU data region used where available). Supabase also handles authentication (email/password login and Google Sign-In). Legal basis: Art. 6(1)(b) GDPR.
3.3 Object Storage — Cloudflare R2
Audio files (your uploads, the loops and stems we generate from them, mix recordings, cover images) are stored in Cloudflare R2 buckets operated by Cloudflare, Inc. (101 Townsend St, San Francisco, CA 94107, USA). All objects are stored under user-id-namespaced paths and served via short-lived presigned URLs (typically 4 hours). Cloudflare is certified under the EU–US Data Privacy Framework.
3.4 Audio Analysis & Slicing — Own VPS (Netcup, Germany)
The slicer service (madmom for beat / downbeat detection, Demucs for stem extraction, ffmpeg for cutting) runs on a virtual server hosted by netcup GmbH (Daimlerstraße 25, 76185 Karlsruhe, Germany). The server is located in Germany. Audio is pulled from R2 on demand, processed, the result is uploaded back to R2, and the working copy on the VPS is deleted at the end of the job. Legal basis: Art. 6(1)(b) GDPR.
3.5 YouTube Download (admin-only) — Apify
An internal admin tool lets the operator pull audio from YouTube via the Apify platform (Apify Technologies s.r.o., Vodičkova 704/36, 110 00 Praha 1, Czech Republic). This feature is gated to specific email addresses and is not available to regular users. When used, only the YouTube URL is transmitted to Apify; no user identifier is associated with the request.
4. Cookies & Similar Technologies
We use the minimum necessary cookies to operate the service:
- Session cookies set by Supabase to keep you logged in. Strictly necessary, no consent banner shown.
- Preference cookies stored in localStorage (theme, player volume, cookie-banner dismissal). Strictly necessary for UI continuity.
- Analytics cookies — currently NOT in use. We do not run Google Analytics or any third-party tracker on track-finder.com.
See also our Cookie Policy.
5. Fonts (Google Fonts)
We use Google Fonts to display the Roboto and Montserrat typefaces consistently. Fonts are loaded via the Next.js font optimization pipeline, which self-hosts the font files from our Vercel server rather than fetching them directly from Google. Your IP address is therefore NOT transmitted to Google for font display.
6. Google Sign-In
We allow you to register or sign in to track-finder.com using your Google account ("Google Sign-In" / "Sign in with Google"), brokered through Supabase OAuth. The Google provider is Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland), and for users outside the EEA, Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA).
Data Processed
When you click "Sign in with Google," Google transmits an OpenID Connect ID token to Supabase, which verifies it and creates / matches your account. From this token we process and store the following data:
- Google account ID (unique identifier, "sub" claim) — to link login sessions to your track-finder.com account.
- Email address — as username and for account communication (verification, password reset, service emails).
- First and last name — for personal salutation in the app.
- Profile picture URL — display in your profile (optional, can be removed).
- Email verification status ("email_verified" claim) — to avoid duplicate email verification when Google has already confirmed your address.
We do not access your Gmail content, contacts, calendar, Google Drive files, YouTube data, photos, or any other Google services. No OAuth access tokens or refresh tokens are stored on our servers. After the Google ID token has been verified by Supabase, it is discarded and not retained further.
Purpose and Legal Basis
Processing is carried out to provide the login service and fulfill the contract (use of track-finder.com with an account, storage of your playlists, mixes, and slicer output). The legal basis is Art. 6(1)(b) GDPR (contract performance) and your explicit consent under Art. 6(1)(a) GDPR when selecting "Sign in with Google" and confirming the Google consent screen.
Data Transfer to the USA
When using Google Sign-In, data is transmitted to Google and may also be transferred to the USA. Google LLC is certified under the EU–US Data Privacy Framework. EU Standard Contractual Clauses additionally apply. For more information, see Google's Privacy Policy and safety.google/security.
Storage Duration
Data obtained via Google Sign-In is stored for as long as your track-finder.com account exists. When you delete your account, all associated data is fully deleted from our Supabase database and Cloudflare R2 storage within 30 days.
Disconnect / Delete Account
You can disconnect from your Google account at any time:
- Remove third-party access in your Google account at myaccount.google.com/permissions.
- Request full deletion of your track-finder.com account by emailing support@track-finder.com.
Limited Use Disclosure
track-finder.com's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We use the data exclusively for the purposes described in this Privacy Policy and do not share it with third parties except where necessary to provide the service.
7. AI Processors (Mistral)
For comment moderation and the optional "Smart search" feature, we send short text snippets (a comment body + its parent mix title; a search query + the list of available genres) to Mistral AI SAS (35 rue Greneta, 75002 Paris, France) over their public API. The data sent:
- Contains no user account identifier, IP, or other identifying metadata.
- Is processed under Mistral's API terms; per their policy, prompt content is not used for model training and is retained only for a short abuse-detection window.
- Goes to Mistral, an EU-based processor; no transfer to a third country is involved for this feature.
Legal basis: Art. 6(1)(f) GDPR (moderation) and Art. 6(1)(a) GDPR (smart-search opt-in click).
8. Storage Durations
- Server log files: 14 days, then automatically purged.
- Account data (email, profile, password hash): until you delete the account.
- Uploaded audio + derived loops / stems: until you delete the file, the slice job, or the account. Stale R2 objects with no DB reference may be reaped after 90 days.
- Public mixes + comments: until you delete them, or until your account is deleted (comments under a deleted account are anonymized but not removed, to preserve conversation context).
- Slice job + loop metadata in Supabase: until the parent job or account is deleted.
- Contact-form messages: deleted after the inquiry is closed, unless statutory retention applies.
9. Your Rights
You have the following rights regarding your personal data:
- Access (Art. 15 GDPR): right to information about stored data.
- Rectification (Art. 16 GDPR): right to correction of inaccurate data.
- Erasure (Art. 17 GDPR): right to deletion of your data.
- Restriction (Art. 18 GDPR): right to restrict processing.
- Data portability (Art. 20 GDPR): right to receive your data in a machine-readable format.
- Objection (Art. 21 GDPR): right to object to processing based on legitimate interest.
- Withdraw consent (Art. 7(3) GDPR): for processing based on consent (e.g. Google Sign-In, Smart search), with effect going forward.
To exercise these rights, contact us at support@track-finder.com.
You also have the right to lodge a complaint with a data-protection supervisory authority, in particular in the EU member state of your habitual residence, place of work or place of the alleged infringement.
10. Data Security
We employ technical and organizational security measures to protect your data against accidental or intentional manipulation, loss, or unauthorized access:
- All data transmission between your browser and our servers is encrypted via HTTPS.
- Passwords are stored exclusively as bcrypt hashes by Supabase; the plaintext is never stored or logged.
- Google ID tokens are verified by Supabase and discarded after verification — no OAuth tokens or refresh tokens are kept on our servers.
- R2 audio objects are served via time-limited presigned URLs and namespaced to the uploading user's id at the storage-key level. Cross-user reads are blocked at the API authorization layer.
- Server access to the slicer VPS is gated by SSH keys; the public web traffic is terminated at Caddy on the same machine and proxied to a container bound to localhost.
11. Changes to This Privacy Policy
We reserve the right to update this Privacy Policy as needed. Material changes will be announced via in-app notification or to the email address associated with your account. The current version is always available at track-finder.com/legal/privacy-policy.
