Privacy Policy

Last updated: May 7, 2026

This Privacy Policy explains how TrackID GmbH processes personal data when you use TrackID, including our website, iOS app, Electron desktop app, ID Studio companion app, upload and sharing features, profiles, notifications, and support channels.

1. Controller and Contact

The controller responsible for personal data processing under the EU General Data Protection Regulation (GDPR) is:

TrackID GmbH
Mehringdamm 103
10965 Berlin
Germany
Represented by Lorenz Aschoff and Eric Schaefer

Privacy requests: privacy@trackid.com

Legal, copyright, and abuse notices: legal@trackid.com

2. Data We Process

We process data needed to provide, secure, improve, and legally operate TrackID. The exact data depends on how you use the Service.

2.1 Account and Authentication Data

We process:

email address;
one-time password and magic-link authentication events;
session, refresh, and access-token metadata;
account status, onboarding state, account settings, and deletion requests;
support, legal, abuse, copyright, and privacy request history.

TrackID primarily uses email code authentication. We do not need a password for normal TrackID sign-in.

2.2 Profile and Network Data

We process:

username, display name, avatar, bio, social links, and public profile fields;
handle changes, reserved or reclaimed handles, and related moderation records;
network relationships, invitations, follows or connections where available;
likes, comments, notes, replies, timestamps, and notification preferences.

Some profile and content data may be visible to other users or public visitors depending on your settings and sharing choices.

2.3 Audio, Artwork, Metadata, and Collaboration Data

We process User Content and related metadata, including:

uploaded audio, original files, playback files, generated previews, artwork, waveform data, and technical file metadata;
track titles, artist names, credits, labels, descriptions, timestamps, visibility settings, and download settings;
DAW and project metadata supplied by desktop or ID Studio workflows;
comments, notes, collaborator information, access grants, and moderation state;
share links, invite tokens, access tokens, direct grants, and invite recipient email addresses.

We process this data to store, encode, transcode, play, download, cache, share, moderate, secure, and support the Service according to your access choices.

2.4 Usage, Device, and Log Data

We may process:

device type, browser, operating system, app version, locale, IP address, and approximate region;
crash reports, diagnostics, request logs, security logs, and error logs;
play, pause, download, upload, sharing, invitation, like, comment, and other product interaction events;
push notification tokens and delivery metadata;
local/offline cache state and sync metadata in supported apps.

We use this data to operate the Service, troubleshoot issues, prevent abuse, measure reliability, and understand feature usage.

2.5 Communications and Legal Reports

If you contact us or if someone reports content, we process:

names, email addresses, organizations, and contact details;
message content, attachments, notice details, counter-notice details, and supporting evidence;
internal review notes, enforcement actions, appeal outcomes, and related timestamps.

2.6 Payment and Platform Data

If paid features are offered through an app store or payment provider, we may receive limited purchase, subscription, entitlement, and refund metadata. We do not store full payment card details unless a payment provider requires us to process them directly.

3. Purposes and Legal Bases

We process personal data under the following GDPR legal bases:

Contract performance (Art. 6(1)(b) GDPR): account creation, authentication, uploads, streaming, sharing, downloads, profiles, comments, notifications, support, and account deletion.
Legitimate interests (Art. 6(1)(f) GDPR): service reliability, product improvement, security, abuse prevention, fraud prevention, analytics, rightsholder protection, and enforcement of our policies.
Legal obligations (Art. 6(1)(c) GDPR): tax, accounting, regulatory, consumer, copyright, platform, and legal-response obligations.
Consent (Art. 6(1)(a) GDPR): optional marketing, optional analytics, optional device permissions, or other optional features where consent is required.

Where we rely on legitimate interests, we balance our interests against your rights and expectations, especially because TrackID may process unreleased music and collaboration data.

4. Cookies, Local Storage, and Local Cache

We use cookies, local storage, IndexedDB, app storage, keychain or secure storage, and similar technologies to:

keep you signed in;
remember settings and onboarding state;
support playback, uploads, downloads, offline use, and local cache;
prevent abuse, secure sessions, and troubleshoot the Service.

If we introduce non-essential cookies or tracking that legally requires consent, we will request consent where required.

Local or offline copies may remain on your devices until you delete them, sign out, clear app data, remove downloads, or uninstall the app. Other users who had access to content may also retain copies they downloaded or cached.

5. Sharing and Recipients

We share personal data only as needed to operate and protect TrackID, comply with law, or follow your sharing choices.

Recipients may include:

hosting, database, storage, authentication, email, analytics, logging, monitoring, crash-reporting, support, and infrastructure providers;
app stores, payment providers, and platform services where relevant;
users, collaborators, invite recipients, public visitors, and profile viewers according to your visibility, invitation, and access settings;
rightsholders, complainants, uploaders, legal representatives, courts, regulators, law enforcement, or public authorities where required or appropriate under law;
professional advisors, auditors, insurers, acquirers, or successor entities in connection with corporate, legal, security, or accounting matters.

Service providers process data under contracts or equivalent safeguards where required.

6. International Transfers

Some providers may process data outside the EU/EEA. Where required, we rely on adequacy decisions, Standard Contractual Clauses, transfer impact assessments, or other safeguards recognized by applicable law.

7. Retention

We keep personal data only as long as reasonably needed for the purposes in this Policy, including:

account data while your account is active and for a reasonable period after deletion requests;
uploaded audio, artwork, metadata, shares, notes, comments, and profile data until you delete them, your account is deleted, or retention is otherwise no longer needed;
invite, sharing, access, and token records for as long as needed to operate access controls, troubleshoot, secure the Service, and resolve disputes;
logs, diagnostics, analytics, and security records for limited periods based on operational and legal needs;
copyright, abuse, legal, tax, accounting, and enforcement records for the periods required or reasonably necessary to protect rights and comply with obligations;
backups and disaster-recovery copies until they rotate out under our backup practices.

Account deletion generally removes or anonymizes ordinary account data within a reasonable period, but some residual data may remain in backups, logs, legal records, dispute records, support records, accounting records, security records, and copies already accessed or stored by other users.

8. Your Rights

Subject to legal requirements and limitations, you may have the right to:

access your personal data;
correct inaccurate data;
request deletion;
restrict processing;
receive data portability;
object to processing based on legitimate interests;
withdraw consent where processing is based on consent;
lodge a complaint with a data protection supervisory authority.

To exercise rights, contact privacy@trackid.com. We may need to verify your identity and may ask for additional information to process your request.

9. Account Deletion and Export

You can request account deletion or export by contacting privacy@trackid.com. In-app deletion or export tools may also be offered.

Deletion affects your account and content controlled by your account. It may not remove:

content already downloaded, cached, copied, screenshotted, forwarded, or saved by recipients;
comments, notes, or moderation context needed to preserve conversation, safety, legal, or dispute records;
records we must keep for legal, security, accounting, copyright, abuse, or enforcement reasons.

10. Security

We use reasonable technical and organizational measures designed to protect personal data, such as access controls, transport encryption, provider safeguards, monitoring, backups, and internal restrictions. No system is perfectly secure or confidential, and TrackID cannot guarantee that recipients will not copy, record, forward, download, or misuse content they can access.

Report suspicious activity, leaked content, or security concerns to legal@trackid.com.

11. AI and Model Training

TrackID does not use User Content to train AI models, build AI training datasets, or authorize third parties to do so unless the relevant rightsholder has the rights to permit that use and has explicitly opted in through a TrackID-approved process.

We may use automated processing for ordinary service operations, such as encoding, waveform generation, metadata extraction, spam prevention, security, abuse detection, search, diagnostics, and moderation support.

12. Children

TrackID is not directed to children. If you believe a child has provided personal data without required permission, contact privacy@trackid.com.

13. Changes to This Policy

We may update this Policy from time to time. If changes are material, we will use reasonable means to notify users, such as in-product notice, email, or a prominent website notice.

14. Contact

Privacy requests: privacy@trackid.com