Privacy Policy

Last Updated: March 30, 2026 • App Version: 2.7.0

1. Introduction

McRock ("we", "our", "us") is owned and operated by Differson LLC. We are committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use the McRock app ("Service").

By using McRock, you consent to the data practices described in this policy.


2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address (required for Firebase Authentication)
  • Display name (username/artist name)
  • Profile image (optional, if uploaded)
  • Password (securely hashed, never stored in plain text)

2.2 User-Generated Content

We collect and store:

  • AI chat conversations (messages exchanged with the AI assistant)
  • Music generation prompts (descriptions and parameters for music creation)
  • Generated music tracks (audio files, metadata, artwork)
  • Custom lyrics (if provided by user)
  • Artist profile information (bio, release count, follower/play counts)
  • Vinyl track titles and descriptions (AI-generated based on conversations)

2.3 Payment Information

For royalty payments, we collect:

  • Stripe Connect Account ID (generated by Stripe)
  • Account verification status (pending or verified)
  • Connection timestamp

Note: We do NOT store bank account numbers, credit card details, or full payment credentials. All payment processing is handled securely by Stripe.

2.4 Usage Data & Analytics

We automatically collect:

  • Device information (iOS version, device model)
  • App usage patterns (features used, session duration)
  • Music streaming data (plays, skips, completion rates)
  • Error logs (crash reports, API failures)
  • IP address (for security and fraud prevention)

2.5 Firebase Services Data

We use Firebase services that collect:

  • Authentication tokens (managed by Firebase Auth)
  • Database operations (Firestore read/write logs)
  • Storage access (file upload/download metadata)
  • Analytics events (Firebase Analytics, if enabled)

2.6 Third-Party AI Services Data

Your interactions with AI services:

  • OpenAI (GPT-4): Chat messages sent to OpenAI for AI responses and music prompt generation
  • Music Generation API: Music prompts sent to our music generation service
  • Data processed by: OpenAI API, Music Generation API

These services have their own privacy policies (see Section 9).


3. How We Use Your Information

3.1 Service Functionality

  • Account Management: Authentication, profile management, account settings
  • AI Features: Generate music, chat assistance, vinyl track creation
  • Music Library: Store, organize, and distribute your music
  • Streaming: Play music from other users
  • Analytics: Track plays, followers, and engagement metrics
  • Royalties: Calculate and process royalty payments based on streaming counts

3.2 Communication

  • Service Updates: Important announcements, feature updates
  • Payment Notifications: Royalty payouts, withdrawal confirmations
  • Support: Respond to inquiries sent to contact@differson.net
  • Security Alerts: Unusual account activity, security issues

3.3 Service Improvement

  • Analytics: Understand feature usage and user behavior
  • Bug Fixes: Identify and resolve technical issues
  • Feature Development: Improve existing features and develop new ones
  • Performance Optimization: Enhance app speed and reliability

3.4 Legal & Security

  • Fraud Prevention: Detect fake accounts, streaming manipulation
  • Copyright Enforcement: Remove infringing content
  • Terms Enforcement: Ensure compliance with Terms of Service
  • Legal Compliance: Respond to valid legal requests

4. Data Storage & Security

4.1 Cloud Infrastructure

All data is stored using Google Firebase:

  • Firestore Database: "mcrock-database-real" (hosted by Google Cloud)
  • Firebase Storage: Audio files, album artwork, profile images
  • Firebase Authentication: User account credentials
  • Server Location: United States (Google Cloud US data centers)

4.2 Security Measures

We implement industry-standard security:

  • Encryption in Transit: HTTPS/TLS for all data transmission
  • Encryption at Rest: Firebase encrypts data on Google Cloud servers
  • Access Control: Firestore Security Rules restrict unauthorized access
  • Authentication: Firebase Auth with secure password hashing
  • API Keys: Stored securely, never exposed in client code

4.3 Access Restrictions

  • User Data: Users can only access their own data
  • Profile Images: Validated to prevent unauthorized uploads
  • Payment Accounts: Manual verification required before payouts
  • Admin Access: Limited to essential operations (verification, support)

4.4 Data Backups

  • Firestore: Automatic backups by Google Firebase
  • Storage Files: Redundant storage across multiple data centers
  • Disaster Recovery: Google Cloud handles infrastructure resilience

5. Data Sharing & Third Parties

5.1 Third-Party Services We Use

OpenAI (GPT-4)

  • Purpose: AI chat assistant, music prompt generation, vinyl track generation
  • Data Shared: Your chat messages and conversation history
  • Privacy Policy: https://openai.com/policies/privacy-policy
  • Data Retention: Subject to OpenAI's retention policy
  • Note: OpenAI may use data to improve their models (per their policy)

Music Generation API

  • Purpose: Music generation from text prompts
  • Data Shared: Music generation prompts (description, style, mood)
  • Data Retention: Subject to the music generation service's retention policy

Firebase (Google)

  • Purpose: Authentication, database, file storage, analytics
  • Data Shared: All user data (see Section 2)
  • Privacy Policy: https://firebase.google.com/support/privacy
  • Data Processing: Google processes data as per their terms
  • GDPR Compliance: Firebase is GDPR compliant

Stripe (Payment Processing)

  • Purpose: Royalty payouts via Stripe Connect
  • Data Shared: Stripe Connect Account ID only
  • Privacy Policy: https://stripe.com/privacy
  • Note: We do NOT store bank account details or payment tokens
  • Security: All banking information secured by Stripe's infrastructure

5.2 We Do NOT Sell Your Data

  • We do not sell, rent, or trade your personal information
  • We do not share data with advertisers or data brokers
  • Third-party services used only for functionality, not monetization

5.3 Legal Disclosures

We may disclose information if required by:

  • Law Enforcement: Valid legal requests (subpoenas, court orders)
  • Legal Obligations: Compliance with applicable laws
  • Safety: Prevent harm, fraud, or illegal activities
  • Rights Protection: Enforce our Terms of Service

6. Your Privacy Rights

6.1 Access & Portability

You have the right to:

  • Access your personal data stored in McRock
  • Download your data (email request to contact@differson.net)
  • Export your generated music files

6.2 Correction & Updates

You can:

  • Update your profile information via Settings
  • Correct inaccurate data by contacting us
  • Change your email address through account settings

6.3 Account Deletion & Data Retention

You can request account deactivation:

  • Deactivate Account: Via Settings → "Delete Account"
  • Request Deactivation: Email contact@differson.net

Important Notice Regarding Data Retention: When you deactivate your McRock account, your account is deactivated and access is immediately revoked, but your data is not permanently deleted from our systems. McRock retains your account information, content, and associated records for a minimum of 5 years following account deactivation, and financial/transaction records for a minimum of 7 years, in accordance with applicable law, financial compliance obligations, fraud prevention, and legal dispute resolution requirements.

What is deactivated immediately:

  • Your ability to log in and use the platform
  • Your subscription and music generation access
  • Your public artist profile visibility
  • Your chat and messaging access

What is retained in our systems:

  • Account information and profile data (retained for 5 years)
  • Released music and streaming records (retained indefinitely per license)
  • Transaction records and payment history (retained for 7 years — tax/legal compliance)
  • Activity logs and usage data (retained for 5 years — fraud prevention)
  • Private conversations (retained for 90 days post-deactivation, then anonymized)

This practice is consistent with industry standards followed by major platforms including Spotify, Apple, Meta, and Google, and is required under U.S. financial regulations (IRS record-keeping), the California Consumer Privacy Act (CCPA), and the EU General Data Protection Regulation (GDPR) legitimate interest and legal obligation bases.

6.4 Opt-Out Rights

You can:

  • Email Communications: Unsubscribe via email footer links
  • Analytics: Disable analytics in Settings (if implemented)
  • AI Services: Stop using AI features to prevent data sharing with OpenAI or our music generation service

6.5 GDPR Rights (EU Users)

If you are in the European Union, you have additional rights:

  • Right to Restrict Processing
  • Right to Data Portability
  • Right to Object to certain data processing
  • Right to Withdraw Consent at any time

To exercise GDPR rights: Email contact@differson.net with "GDPR Request" in the subject line

6.6 CCPA Rights (California Users)

If you are a California resident:

  • Right to Know: What data we collect and how we use it
  • Right to Delete: Request deletion of your data
  • Right to Opt-Out: Of data sales (we do not sell data)
  • Right to Non-Discrimination: We will not discriminate for exercising your rights

To exercise CCPA rights: Email contact@differson.net with "CCPA Request" in the subject line


7. Data Retention

7.1 Account Data

  • Active Accounts: Retained indefinitely while account is active
  • Inactive Accounts: Retained for 5 years of inactivity, then permanently anonymized
  • Deactivated Accounts: Account data retained for a minimum of 5 years after deactivation for compliance, legal, and fraud prevention purposes. The account is deactivated (no login access) but data is preserved in our systems.

7.2 Content Retention

  • Unreleased Music: Retained for 5 years after account deactivation, then deleted
  • Released Music: Retained indefinitely (per Terms of Service license)
  • Chat Conversations: Retained for 90 days post-deactivation, then anonymized
  • Cached Audio: Deleted after 24 hours

7.3 Financial Records

  • Payment Information: Retained for 7 years (IRS tax compliance / legal obligation)
  • Transaction History: Retained for 7 years (financial audits)
  • Royalty Calculations: Retained for 5 years (dispute resolution)
  • Subscription Records: Retained for 7 years (Stripe compliance)

7.4 Legal Holds

Data may be retained longer if:

  • Subject to legal investigation
  • Required by court order
  • Part of ongoing dispute
  • Necessary for legal compliance

8. Children's Privacy

8.1 Age Requirement

  • McRock requires users to be 13 years or older
  • We do not knowingly collect data from children under 13

8.2 Parental Consent

  • Users aged 13-17 should obtain parental permission before using the Service
  • Parents may request deletion of a minor's data by contacting us

8.3 COPPA Compliance

  • We comply with the Children's Online Privacy Protection Act (COPPA)
  • If we discover data from a child under 13, we will delete it immediately

To report underage users: Email contact@differson.net


9. Third-Party Links & Services

9.1 External Links

McRock may contain links to:

  • OpenAI website
  • Stripe payment portal
  • Social media platforms (if shared)

We are not responsible for the privacy practices of external websites.

9.2 Third-Party Privacy Policies

Review these policies separately:


10. International Data Transfers

10.1 Data Location

  • Primary Storage: United States (Google Cloud)
  • Firebase Services: May process data globally across Google data centers
  • AI Services: OpenAI (US), Music Generation API (US)

10.2 Transfer Mechanisms

  • EU-US Data Transfers: Firebase complies with GDPR via Standard Contractual Clauses (SCCs)
  • Privacy Shield: Google participates in EU-US Privacy Shield frameworks (where applicable)

10.3 Non-US Users

By using McRock, you consent to data transfer to the United States and other countries where our service providers operate.


11. Security Incidents & Breach Notification

11.1 Our Commitment

We take security seriously and monitor for:

  • Unauthorized access attempts
  • Data breaches
  • System vulnerabilities
  • Suspicious activity

11.2 Breach Notification

In the event of a data breach, we will:

  • Investigate the incident immediately
  • Notify Affected Users via email within 72 hours (GDPR requirement)
  • Report to Authorities as required by law
  • Provide Details: What data was affected, steps we're taking, how to protect yourself

11.3 What You Should Do

If you suspect unauthorized access:

  • Change Password immediately
  • Sign Out of all devices
  • Contact Us: contact@differson.net
  • Monitor Account: Check for unusual activity

12. Cookies & Tracking

12.1 Cookies

McRock is a native iOS app and does not use traditional web cookies.

12.2 Local Storage

We store data locally on your device:

  • Authentication Tokens: For session management
  • Cached Content: For offline access and performance
  • User Preferences: Settings and configurations

12.3 Analytics

We may use Firebase Analytics to collect:

  • App Usage: Features used, session duration
  • Device Info: iOS version, device model
  • Crash Reports: Error logs for debugging

You can opt out by disabling analytics in Settings (if implemented).


13. Changes to This Privacy Policy

13.1 Updates

We may update this Privacy Policy to reflect changes in:

  • Our practices
  • Legal requirements
  • New features or services
  • User feedback

13.2 Notification

Material Changes: We will notify you via:

  • Email to your registered address
  • In-app notification
  • Prominent notice in the app

Minor Changes: Updated on this page without notification

13.3 Effective Date

  • Changes effective immediately upon posting
  • Continued use after changes constitutes acceptance
  • Check this page regularly: "Last Updated" date at top

14. Contact Us

For privacy questions, concerns, or requests:

Company: Differson LLC

CEO: Jina Shim

Email: contact@differson.net

Website: www.mcrock.net

Subject Line Suggestions:

  • "Privacy Inquiry"
  • "Data Deletion Request"
  • "GDPR Request" (EU users)
  • "CCPA Request" (California users)
  • "Security Concern"

Response Time: We aim to respond within 7 business days


15. Summary of Key Points

What We Collect          | Why We Collect It      | Who We Share With
-------------------------|------------------------|------------------------------
Email, username, profile | Account management     | Firebase (Google)
Chat messages            | AI assistance          | OpenAI GPT-4
Music prompts            | Music generation       | Music Generation API
Payment email            | Royalty payouts        | Stripe (manual verification)
Streaming data           | Analytics, royalties   | Not shared externally
Device info              | Performance, debugging | Firebase Analytics

Your Rights:

  • Access your data
  • Correct inaccurate data
  • Delete your account
  • Export your data
  • Opt out of emails
  • GDPR/CCPA rights (if applicable)

We Do NOT:

  • Sell your data
  • Share data with advertisers
  • Store payment credentials
  • Collect data from children under 13

By using McRock, you acknowledge that you have read and understood this Privacy Policy and agree to our data practices.

Thank you for trusting McRock with your creative journey! 🎵