NotNoise
Open menu

Privacy Policy

How we collect, use, and protect your personal data

Effective date: March 2026 | Governing law: Spain (GDPR, LOPDGDD, CCPA/CPRA)

1. Who We Are

NotNoise (“NotNoise”, “we”, “us”, or “our”) is a music marketing software platform available at notnoise.co. The data controller responsible for your personal data is:

  • Legal entity: Ezequiel de la Parra
  • NIF: 60394121P
  • Address: C/ Fernando Poo 5, 3º Izq, 28045 Madrid, Spain
  • Contact: hello@notnoise.co

We have not appointed a formal Data Protection Officer (DPO), as we do not meet the mandatory thresholds under GDPR Article 37. For all data protection matters, contact us at hello@notnoise.co.

2. Data We Collect

2.1 Account Data

When you register for NotNoise, we collect: your name, email address, password (stored as a secure hash), profile information (artist name, genre, country), and account preferences. We also record your registration date and account status.

2.2 Usage Data

We automatically collect data about how you interact with the platform: pages visited, features used, click patterns, session duration, device type, operating system, browser type, IP address, and approximate geolocation derived from IP. This data is collected via PostHog analytics.

2.3 Music and Streaming Data

To power Music Stats, we collect and process data about your music releases and streaming performance across platforms, including your Spotify artist ID, artist name, track names, release dates, and streaming metrics. This data is sourced via Songstats and the streaming platforms' public APIs.

2.4 Smart Ads Campaign Data

NotNoise operates Smart Ads campaigns entirely through its own Meta Business Manager infrastructure on your behalf. You do not connect your own Meta account to NotNoise. When you create a Smart Ads campaign, we collect and process: the song or Smart Link you are promoting, the ad creative you upload (video or image), your campaign budget, duration, and target audience preferences, and campaign performance metrics returned by Meta's Marketing API. We do not collect or store your Meta account credentials.

2.5 Payment Data

Payment processing is handled by Stripe. We do not store your full card number, CVV, or bank account details. We receive from Stripe: transaction IDs, payment status, subscription plan and billing period, invoice amounts, and the last four digits of your payment method. All payment data is governed by Stripe's PCI-DSS compliant infrastructure.

2.6 Fan Email Capture via Smart Links

When fans submit their email address via your Smart Link landing page, that email address and associated metadata (timestamp, Smart Link ID, opt-in confirmation) is collected on your behalf as the artist. NotNoise acts as data processor for this fan data; you, the artist, are the data controller. See Section 5 for sub-processor details.

2.7 Sparks Balance and Transaction History

Sparks are NotNoise's in-app credits used for AI Music Video generation. We collect and process: your current Sparks balance, Spark purchase history (date, amount, price paid), Spark usage records (which video generation each Spark was used for), and any Spark refunds issued due to failed AI video generation. Legal basis: performance of contract (GDPR Article 6(1)(b)).

2.8 Distribution Data

If you activate Distribution Services, we collect and process the following additional data to deliver your releases to digital service providers (DSPs) and user-generated content platforms (UGC Platforms):

  • Release and catalogue data: your uploaded audio files, cover artwork, track metadata (titles, artist names, contributors, ISRC and UPC codes, genres, release date, language, explicit flags, lyrics), and any declarations you provide (AI-disclosure, rights warranties, cover-song declarations).
  • Distribution account provisioning data: the identifiers, credentials, and account metadata required to create and operate your child account with our distribution partner (see Section 5).
  • Tax documentation:Form W-9 (US persons) or Form W-8BEN / W-8BEN-E (non-US), including legal name, address, country of residence, tax identification number, and treaty claim information. Required by IRS §1441 before any US- source royalty payout.
  • Payout data: your PayPal account identifier (or other payout method we support), royalty balance, payout history, and any withholding applied.
  • Royalty and streaming data from partners: per-track, per-DSP, per-territory consumption and revenue data reported to us by our distribution partner.

We share release data, metadata, and artwork with our distribution partner and onward to the DSPs and UGC Platforms you select. See the Distribution Terms for the full scope of processing.

2.9 Communications

When you contact us by email or through the platform's support function, we collect the content of your communications, your contact details, and the history of our correspondence. We also send transactional emails (account confirmations, billing receipts, campaign status notifications) and, with your consent, marketing emails about NotNoise features and updates.

3. Legal Basis for Processing (GDPR Article 6)

  • Account creation and management — Performance of contract (Art. 6(1)(b))
  • Providing core services (Smart Links, Smart Ads, Playlist Pitching, Music Stats, AI Music Videos) — Performance of contract (Art. 6(1)(b))
  • Processing Sparks purchases and transaction history — Performance of contract (Art. 6(1)(b))
  • Processing subscription billing via Stripe — Performance of contract (Art. 6(1)(b))
  • Sending transactional emails — Performance of contract (Art. 6(1)(b))
  • Analytics and product improvement (PostHog) — Legitimate interests (Art. 6(1)(f)): improving platform performance and user experience
  • Admin access for support and debugging — Legitimate interests (Art. 6(1)(f)): providing customer support and maintaining service integrity
  • Rate limiting and security (Upstash / IP processing) — Legitimate interests (Art. 6(1)(f)): protecting the platform from abuse
  • Sending marketing emails — Consent (Art. 6(1)(a)); withdraw at any time
  • Analytics cookies (PostHog) and marketing cookies (Meta Pixel/CAPI) — Consent (Art. 6(1)(a))
  • Retaining financial records — Legal obligation (Art. 6(1)(c)): Spanish fiscal law, 7-year retention
  • Distributing your releases to DSPs and UGC Platforms, including provisioning and operating your distribution partner account — Performance of contract (Art. 6(1)(b))
  • Collecting and retaining tax documentation (W-8BEN, W-8BEN-E, W-9) and applying withholding on royalty payouts — Legal obligation (Art. 6(1)(c)): IRS §1441 and related Spanish fiscal obligations
  • Processing royalty payouts and maintaining payout records — Performance of contract (Art. 6(1)(b)) and Legal obligation (Art. 6(1)(c))
  • Anti-fraud monitoring of distribution activity (including stream-manipulation and rights-conflict detection) — Legitimate interests (Art. 6(1)(f)) and contractual obligations to our distribution partner

4. How We Use Your Data

  • To create and manage your account and authenticate your identity
  • To provide Smart Links, Smart Ads campaigns, Playlist Pitching, Music Stats, AI Music Videos, Pre-save campaigns, and Social Cards
  • To run Smart Ads campaigns on your behalf through our own Meta Business Manager infrastructure
  • To process payments and manage your subscription, including Sparks purchases
  • To track and display your Sparks balance, purchase history, and usage
  • To send transactional emails: account confirmations, billing receipts, campaign updates, support responses
  • To send marketing communications where you have consented
  • To analyse platform usage and improve our product through aggregated and pseudonymised analytics
  • To enforce our Terms of Use, detect fraud, and protect platform security
  • To comply with legal obligations under Spanish and EU law
  • To provide customer support, including account access by authorised support personnel

5. Sub-Processors and Third Parties

We share your data with the following sub-processors. We have entered into, or are in the process of entering into, Data Processing Agreements with each as required by GDPR Article 28.

  • Supabase (supabase.io): Database and authentication infrastructure. Stores all user account data, campaign data, Sparks records, and fan email capture data. Privacy: supabase.com/privacy
  • Vercel (vercel.com): Cloud hosting and content delivery for the NotNoise web application. Processes all data transmitted through the platform. Privacy: vercel.com/legal/privacy-policy
  • PostHog (posthog.com): Product analytics. Processes usage data, session recordings, heatmaps, feature flags, and A/B test results. Data stored in the EU. Privacy: posthog.com/privacy
  • Stripe (stripe.com): Payment processing for subscriptions and Sparks purchases. Processes payment card data, billing information, and transaction records. Privacy: stripe.com/privacy
  • Loops (loops.so): Transactional and marketing email delivery. Processes email addresses, names, and email content. Privacy: loops.so/privacy
  • Meta / Facebook (meta.com):NotNoise uses Meta's Marketing API as an authorised agent to create, submit, and manage Smart Ads campaigns through NotNoise's own Meta Business Manager. We share campaign creative assets and targeting parameters with Meta to fulfil this service. We do not share your personal Meta account credentials. Meta also receives data via Meta Pixel and Conversions API (CAPI) for NotNoise's own marketing measurement. Privacy: facebook.com/privacy/policy
  • Songstats (songstats.com): Music analytics data provider. We share your artist name and Spotify artist ID to retrieve multi-platform streaming performance data for Music Stats. Privacy: songstats.com/privacy
  • OpenAI (openai.com): AI model provider for AI Music Video generation and other AI-powered features. Processes AI generation parameters and creative inputs. OpenAI does not use API data to train models. Privacy: openai.com/policies/privacy-policy
  • Anthropic (anthropic.com): AI model provider for certain AI-powered features. Processes AI generation parameters. Anthropic does not use API data for model training. Privacy: anthropic.com/privacy
  • Trigger.dev (trigger.dev): Background job processing platform. Orchestrates ad campaign creation workflows, AI Music Video generation pipeline, analytics data sync, and email notification triggers. Processes campaign details, artist information, email addresses for reminders, Spotify data, and AI generation parameters. Privacy: trigger.dev/legal/privacy
  • Upstash (upstash.com): Redis cache for rate limiting, abuse-prevention, and Smart Links domain-mapping cache. Processes IP addresses, limited request metadata, and session tokens where needed to protect authentication flows and selected public utility endpoints from abuse. Privacy: upstash.com/trust/privacy.pdf
  • Revelator (revelator.com): Music distribution infrastructure partner used exclusively for Distribution Services. Processes your release data, metadata, artwork, audio files, distribution account identifiers, tax documentation, and per-track royalty and consumption reports, and delivers your content to the DSPs and UGC Platforms you select. Revelator operates as a processor under our instructions, with a separate sub-processor chain for delivery to individual DSPs. Data is processed in the United States. Privacy: revelator.com/privacy-policy
  • PayPal (paypal.com): Royalty payout processor. Receives payout amount and recipient PayPal identifier to deliver royalty payments. Privacy: paypal.com/legalhub/privacy-full

We do not sell your personal data to third parties. We do not use your content or data to train AI models.

6. International Data Transfers

Some sub-processors are based outside the EEA, primarily in the United States. We protect international transfers by:

  • Standard Contractual Clauses (SCCs):We rely on the European Commission's approved SCCs for transfers to processors in countries without an adequacy decision.
  • EU-US Data Privacy Framework: Where applicable, we rely on the EU-US Data Privacy Framework as an adequacy mechanism for transfers to certified US processors.

Distribution Services rely on our distribution partner (Revelator) and on PayPal for payout processing, both based in the United States. We rely on the EU-US Data Privacy Framework where the recipient is certified, and on Standard Contractual Clauses combined with a Transfer Impact Assessment otherwise. Where your releases are delivered to DSPs located in the US or other third countries, those onward transfers are governed by the relevant DSP's own transfer mechanisms and published in the DSP's privacy notice.

You may request a copy of the relevant transfer mechanisms by contacting hello@notnoise.co.

7. Your Rights Under GDPR

If you are located in the EEA or the UK, you have the following rights under GDPR:

  • Right of access (Art. 15): Request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17): Request deletion of your data, subject to legal retention obligations.
  • Right to restriction of processing (Art. 18): Request that we limit how we use your data in certain circumstances.
  • Right to data portability (Art. 20): Request your data in a structured, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interests. We comply unless we demonstrate compelling legitimate grounds.
  • Right to withdraw consent (Art. 7(3)): Withdraw consent at any time. Withdrawal does not affect the lawfulness of prior processing.
  • Right to lodge a complaint:Contact the Spanish Data Protection Authority (AEPD) — Agencia Española de Protección de Datos, C/ Jorge Juan 6, 28001 Madrid. Website: aepd.es.

To exercise any of these rights, contact hello@notnoise.co. We respond within 30 days. We may ask you to verify your identity before processing your request.

8. Your Rights Under California Law (CCPA / CPRA)

If you are a California resident, the CCPA as amended by the CPRA grants you additional rights. Approximately 85% of our registered users are US-based, and we are a covered business under CCPA.

Categories of Personal Information Collected

  • Identifiers: name, email address, IP address, account ID
  • Commercial information: subscription plan, billing records, Sparks purchase history, campaign spend
  • Internet/electronic network activity: usage data, session data, feature interactions
  • Inferences: product preferences derived from usage patterns
  • Audio/visual information: ad creative (video/image) uploaded for Smart Ads campaigns; audio files, cover artwork, and lyrics submitted for Distribution Services
  • Financial information (distribution only): royalty balance and payout history, PayPal payout identifier, tax identification numbers provided on W-9 or W-8 forms
  • Professional information (distribution only): credits, contributors, split sheet data, and rights declarations for your releases

Your California Rights

  • Right to Know: Request disclosure of categories and specific pieces of personal information collected, sources, purposes, and third parties we share with.
  • Right to Delete: Request deletion of your personal information, subject to certain exceptions.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Opt-Out of Sharing:We may “share” personal information with Meta via Meta Pixel and CAPI for cross-context behavioral advertising for our own marketing. Opt out via: (a) the “Manage Cookies” button on our website, or (b) contacting hello@notnoise.co.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights.

To exercise California rights, contact hello@notnoise.co. We respond within 45 days (extendable by 45 days where necessary). We do not sell personal information.

9. Data Retention

  • Account data: Active period plus 3 years following account deletion or closure.
  • Payment and billing records: 7 years from the transaction date, as required by Spanish fiscal law.
  • Analytics and usage data (PostHog): Maximum 14 months from collection.
  • Campaign data (Smart Ads, Playlist Pitching, Smart Links): 2 years following campaign completion.
  • Sparks transaction history: Life of account plus 3 years.
  • Support communications: 3 years from date of correspondence.
  • Release metadata and catalogue data: for as long as your releases are live through NotNoise plus 2 years after takedown, to support partner audit, royalty reconciliation, and clawback windows.
  • Royalty and payout records: 7 years from the payout date, as required by Spanish fiscal law and consistent with IRS Form 1042-S record-keeping obligations.
  • Tax documentation (W-8BEN, W-8BEN-E, W-9): throughout the period the documentation is valid (W-8 forms expire every 3 years) plus 7 years after the last payout to which the documentation applied.
  • Distribution partner account data: for the duration of your distribution service plus a partner-determined retention window. Our distribution partner retains revenue data for up to 2 years and aggregated trend data for up to 90 days after termination.

After retention periods expire, data is securely deleted or anonymised.

10. Children and Minimum Age

NotNoise is not directed at children under the age of 14. In accordance with Spain's LOPDGDD (Article 7), the minimum age to create an account is 14 years. We do not knowingly collect personal data from children under 14. If we become aware that a user is under 14, we will delete their account and associated data. If you believe a child under 14 has created an account, please contact hello@notnoise.co.

11. Admin Access to User Accounts

Authorised NotNoise support personnel may access user accounts for the purposes of providing customer support, investigating reported issues, and debugging platform errors. All such access is logged and auditable. Access is strictly limited to the minimum data necessary to resolve the issue. The legal basis is legitimate interests (GDPR Article 6(1)(f)) in providing effective customer support and maintaining service integrity. We will never access your account to review your content for commercial purposes.

12. Updates to This Policy

We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you by email and/or by a prominent notice on the platform at least 30 days before the changes take effect. Your continued use of NotNoise after the effective date constitutes acceptance of the updated policy.

13. Contact

For questions, requests, or concerns about this Privacy Policy:

  • Email: hello@notnoise.co
  • Postal address: Ezequiel de la Parra, C/ Fernando Poo 5, 3º Izq, 28045 Madrid, Spain

For data protection complaints, you may also contact the AEPD (aepd.es), C/ Jorge Juan 6, 28001 Madrid.