NotNoise

Privacy Policy

How we collect, use, and protect your personal data

Effective date: March 2026 | Governing law: Spain (GDPR, LOPDGDD, CCPA/CPRA)

1. Who We Are

NotNoise (“NotNoise”, “we”, “us”, or “our”) is a music marketing software platform available at notnoise.co. The data controller responsible for your personal data is:

  • Legal entity: Ezequiel de la Parra
  • NIF: 60394121P
  • Address: C/ Fernando Poo 5, 3º Izq, 28045 Madrid, Spain
  • Contact: hello@notnoise.co

We have not appointed a formal Data Protection Officer (DPO), as we do not meet the mandatory thresholds under GDPR Article 37. For all data protection matters, contact us at hello@notnoise.co.

2. Data We Collect

2.1 Account Data

When you register for NotNoise, we collect: your name, email address, password (stored as a secure hash), profile information (artist name, genre, country), and account preferences. We also record your registration date and account status.

2.2 Usage Data

We automatically collect data about how you interact with the platform: pages visited, features used, click patterns, session duration, device type, operating system, browser type, IP address, and approximate geolocation derived from IP. This data is collected via PostHog analytics.

2.3 Music and Streaming Data

To power Music Stats, we collect and process data about your music releases and streaming performance across platforms, including your Spotify artist ID, artist name, track names, release dates, and streaming metrics. This data is sourced via Songstats and the streaming platforms' public APIs.

2.4 Smart Ads Campaign Data

NotNoise operates Smart Ads campaigns entirely through its own Meta Business Manager infrastructure on your behalf. You do not connect your own Meta account to NotNoise. When you create a Smart Ads campaign, we collect and process: the song or Smart Link you are promoting, the ad creative you upload (video or image), your campaign budget, duration, and target audience preferences, and campaign performance metrics returned by Meta's Marketing API. We do not collect or store your Meta account credentials.

2.5 Payment Data

Payment processing is handled by Stripe. We do not store your full card number, CVV, or bank account details. We receive from Stripe: transaction IDs, payment status, subscription plan and billing period, invoice amounts, and the last four digits of your payment method. All payment data is governed by Stripe's PCI-DSS compliant infrastructure.

2.6 Fan Email Capture via Smart Links

When fans submit their email address via your Smart Link landing page, that email address and associated metadata (timestamp, Smart Link ID, opt-in confirmation) is collected on your behalf as the artist. NotNoise acts as data processor for this fan data; you, the artist, are the data controller. See Section 5 for sub-processor details.

2.7 Sparks Balance and Transaction History

Sparks are NotNoise's in-app credits used for AI Music Video generation. We collect and process: your current Sparks balance, Spark purchase history (date, amount, price paid), Spark usage records (which video generation each Spark was used for), and any Spark refunds issued due to failed AI video generation. Legal basis: performance of contract (GDPR Article 6(1)(b)).

2.8 Communications

When you contact us by email or through the platform's support function, we collect the content of your communications, your contact details, and the history of our correspondence. We also send transactional emails (account confirmations, billing receipts, campaign status notifications) and, with your consent, marketing emails about NotNoise features and updates.

3. Legal Basis for Processing (GDPR Article 6)

  • Account creation and management — Performance of contract (Art. 6(1)(b))
  • Providing core services (Smart Links, Smart Ads, Playlist Pitching, Music Stats, AI Music Videos) — Performance of contract (Art. 6(1)(b))
  • Processing Sparks purchases and transaction history — Performance of contract (Art. 6(1)(b))
  • Processing subscription billing via Stripe — Performance of contract (Art. 6(1)(b))
  • Sending transactional emails — Performance of contract (Art. 6(1)(b))
  • Analytics and product improvement (PostHog) — Legitimate interests (Art. 6(1)(f)): improving platform performance and user experience
  • Admin access for support and debugging — Legitimate interests (Art. 6(1)(f)): providing customer support and maintaining service integrity
  • Rate limiting and security (Upstash / IP processing) — Legitimate interests (Art. 6(1)(f)): protecting the platform from abuse
  • Sending marketing emails — Consent (Art. 6(1)(a)); withdraw at any time
  • Analytics cookies (PostHog) and marketing cookies (Meta Pixel/CAPI) — Consent (Art. 6(1)(a))
  • Retaining financial records — Legal obligation (Art. 6(1)(c)): Spanish fiscal law, 7-year retention

4. How We Use Your Data

  • To create and manage your account and authenticate your identity
  • To provide Smart Links, Smart Ads campaigns, Playlist Pitching, Music Stats, AI Music Videos, Pre-save campaigns, and Social Cards
  • To run Smart Ads campaigns on your behalf through our own Meta Business Manager infrastructure
  • To process payments and manage your subscription, including Sparks purchases
  • To track and display your Sparks balance, purchase history, and usage
  • To send transactional emails: account confirmations, billing receipts, campaign updates, support responses
  • To send marketing communications where you have consented
  • To analyse platform usage and improve our product through aggregated and pseudonymised analytics
  • To enforce our Terms of Use, detect fraud, and protect platform security
  • To comply with legal obligations under Spanish and EU law
  • To provide customer support, including account access by authorised support personnel

5. Sub-Processors and Third Parties

We share your data with the following sub-processors. We have entered into, or are in the process of entering into, Data Processing Agreements with each as required by GDPR Article 28.

  • Supabase (supabase.io): Database and authentication infrastructure. Stores all user account data, campaign data, Sparks records, and fan email capture data. Privacy: supabase.com/privacy
  • Vercel (vercel.com): Cloud hosting and content delivery for the NotNoise web application. Processes all data transmitted through the platform. Privacy: vercel.com/legal/privacy-policy
  • PostHog (posthog.com): Product analytics. Processes usage data, session recordings, heatmaps, feature flags, and A/B test results. Data stored in the EU. Privacy: posthog.com/privacy
  • Stripe (stripe.com): Payment processing for subscriptions and Sparks purchases. Processes payment card data, billing information, and transaction records. Privacy: stripe.com/privacy
  • Loops (loops.so): Transactional and marketing email delivery. Processes email addresses, names, and email content. Privacy: loops.so/privacy
  • Meta / Facebook (meta.com): NotNoise uses Meta's Marketing API as an authorised agent to create, submit, and manage Smart Ads campaigns through NotNoise's own Meta Business Manager. We share campaign creative assets and targeting parameters with Meta to fulfil this service. We do not share your personal Meta account credentials. Meta also receives data via Meta Pixel and Conversions API (CAPI) for NotNoise's own marketing measurement. Privacy: facebook.com/privacy/policy
  • Songstats (songstats.com): Music analytics data provider. We share your artist name and Spotify artist ID to retrieve multi-platform streaming performance data for Music Stats. Privacy: songstats.com/privacy
  • OpenAI (openai.com): AI model provider for AI Music Video generation and other AI-powered features. Processes AI generation parameters and creative inputs. OpenAI does not use API data to train models. Privacy: openai.com/policies/privacy-policy
  • Anthropic (anthropic.com): AI model provider for certain AI-powered features. Processes AI generation parameters. Anthropic does not use API data for model training. Privacy: anthropic.com/privacy
  • Trigger.dev (trigger.dev): Background job processing platform. Orchestrates ad campaign creation workflows, AI Music Video generation pipeline, analytics data sync, and email notification triggers. Processes campaign details, artist information, email addresses for reminders, Spotify data, and AI generation parameters. Privacy: trigger.dev/legal/privacy
  • Upstash (upstash.com): Redis cache for rate limiting (maximum 15 authentication attempts per 15 minutes per IP address) and domain-mapping cache for Smart Links. Processes IP addresses and session tokens. Privacy: upstash.com/trust/privacy

We do not sell your personal data to third parties. We do not use your content or data to train AI models.

6. International Data Transfers

Some sub-processors are based outside the EEA, primarily in the United States. We protect international transfers by:

  • Standard Contractual Clauses (SCCs): We rely on the European Commission's approved SCCs for transfers to processors in countries without an adequacy decision.
  • EU-US Data Privacy Framework: Where applicable, we rely on the EU-US Data Privacy Framework as an adequacy mechanism for transfers to certified US processors.

You may request a copy of the relevant transfer mechanisms by contacting hello@notnoise.co.

7. Your Rights Under GDPR

If you are located in the EEA or the UK, you have the following rights under GDPR:

  • Right of access (Art. 15): Request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17): Request deletion of your data, subject to legal retention obligations.
  • Right to restriction of processing (Art. 18): Request that we limit how we use your data in certain circumstances.
  • Right to data portability (Art. 20): Request your data in a structured, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interests. We comply unless we demonstrate compelling legitimate grounds.
  • Right to withdraw consent (Art. 7(3)): Withdraw consent at any time. Withdrawal does not affect the lawfulness of prior processing.
  • Right to lodge a complaint: Contact the Spanish Data Protection Authority (AEPD) — Agencia Española de Protección de Datos, C/ Jorge Juan 6, 28001 Madrid. Website: aepd.es.

To exercise any of these rights, contact hello@notnoise.co. We respond within 30 days. We may ask you to verify your identity before processing your request.

8. Your Rights Under California Law (CCPA / CPRA)

If you are a California resident, the CCPA as amended by the CPRA grants you additional rights. Approximately 85% of our registered users are US-based, and we are a covered business under CCPA.

Categories of Personal Information Collected

  • Identifiers: name, email address, IP address, account ID
  • Commercial information: subscription plan, billing records, Sparks purchase history, campaign spend
  • Internet/electronic network activity: usage data, session data, feature interactions
  • Inferences: product preferences derived from usage patterns
  • Audio/visual information: ad creative (video/image) uploaded for Smart Ads campaigns

Your California Rights

  • Right to Know: Request disclosure of categories and specific pieces of personal information collected, sources, purposes, and third parties we share with.
  • Right to Delete: Request deletion of your personal information, subject to certain exceptions.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Opt-Out of Sharing: We may “share” personal information with Meta via Meta Pixel and CAPI for cross-context behavioral advertising for our own marketing. Opt out via: (a) the “Manage Cookies” button on our website, or (b) contacting hello@notnoise.co.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights.

To exercise California rights, contact hello@notnoise.co. We respond within 45 days (extendable by 45 days where necessary). We do not sell personal information.

9. Data Retention

  • Account data: Active period plus 3 years following account deletion or closure.
  • Payment and billing records: 7 years from the transaction date, as required by Spanish fiscal law.
  • Analytics and usage data (PostHog): Maximum 14 months from collection.
  • Campaign data (Smart Ads, Playlist Pitching, Smart Links): 2 years following campaign completion.
  • Sparks transaction history: Life of account plus 3 years.
  • Support communications: 3 years from date of correspondence.

After retention periods expire, data is securely deleted or anonymised.

10. Children and Minimum Age

NotNoise is not directed at children under the age of 14. In accordance with Spain's LOPDGDD (Article 7), the minimum age to create an account is 14 years. We do not knowingly collect personal data from children under 14. If we become aware that a user is under 14, we will delete their account and associated data. If you believe a child under 14 has created an account, please contact hello@notnoise.co.

11. Admin Access to User Accounts

Authorised NotNoise support personnel may access user accounts for the purposes of providing customer support, investigating reported issues, and debugging platform errors. All such access is logged and auditable. Access is strictly limited to the minimum data necessary to resolve the issue. The legal basis is legitimate interests (GDPR Article 6(1)(f)) in providing effective customer support and maintaining service integrity. We will never access your account to review your content for commercial purposes.

12. Updates to This Policy

We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you by email and/or by a prominent notice on the platform at least 30 days before the changes take effect. Your continued use of NotNoise after the effective date constitutes acceptance of the updated policy.

13. Contact

For questions, requests, or concerns about this Privacy Policy:

  • Email: hello@notnoise.co
  • Postal address: Ezequiel de la Parra, C/ Fernando Poo 5, 3º Izq, 28045 Madrid, Spain

For data protection complaints, you may also contact the AEPD (aepd.es), C/ Jorge Juan 6, 28001 Madrid.