Privacy Policy

1. Introduction

PlayThis ("we", "us", or "our") operates www.playthis.pw (the "Service"). This Privacy Policy informs you of our policies regarding the collection, use, and disclosure of personal data when you use our Service and the choices you have associated with that data.

We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) (EU) 2016/679 and other applicable data protection laws.

2. Data Controller

For the purposes of GDPR, the data controller is:

PlayThis
Email: support@playthis.pw

3. Legal Basis for Processing

We process your personal data under the following legal bases:

• Consent: You have given clear consent for us to process your personal data for specific purposes (e.g., creating an account, receiving tips).
• Contract: Processing is necessary for the performance of a contract with you (e.g., providing DJ session services, processing payments).
• Legal Obligation: Processing is necessary to comply with the law (e.g., tax reporting, payment processing regulations).
• Legitimate Interests: Processing is necessary for our legitimate interests (e.g., fraud prevention, service improvement) where not overridden by your rights.

4. Data We Collect

4.1 Information You Provide

• Account Information: Name, email address, profile picture (via Google OAuth)
• Profile Information: Display name, bio, location, social media handles, DJ genre preferences
• Payment Information: Processed securely by Stripe (we do not store card details)
• Communication Data: Chat messages, song requests, tip messages

4.2 Automatically Collected Data

• Usage Data: IP address, browser type, device information, pages visited, time spent
• Session Data: QR code scans, session attendance, interaction timestamps
• Technical Data: Cookies, authentication tokens, session identifiers

4.3 Financial Data

• Transaction Records: Tip amounts, transaction dates, sender/recipient information
• Payout Information: Bank account details for DJ payouts (processed by Stripe Connect)
• Tax Information: As required by Irish and EU tax regulations

5. How We Use Your Data

We use your personal data for the following purposes:

• Service Provision: To provide and maintain our Service, including session management, chat, and song requests
• Payment Processing: To process tips and payouts securely via Stripe
• Account Management: To manage your account, authenticate users, and provide customer support
• Communication: To send service-related notifications, updates, and security alerts
• Improvement: To analyze usage patterns and improve our Service
• Legal Compliance: To comply with legal obligations, prevent fraud, and enforce our terms
• Security: To detect, prevent, and address technical issues and security incidents

6. Data Sharing and Disclosure

We may share your data with:

6.1 Third-Party Service Providers

• Google (Authentication): For secure login via Google OAuth 2.0
• Stripe (Payments): For payment processing, Apple Pay, Google Pay integration, and payouts (GDPR-compliant, PCI DSS Level 1)
• Supabase (Database): For secure data storage and real-time features (EU-hosted servers available)
• Vercel (Hosting): For application hosting and content delivery

6.2 Legal Requirements

We may disclose your data if required by law, court order, or to protect our rights, safety, or property, or that of our users or the public.

6.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity, subject to the same privacy protections.

7. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA). We ensure such transfers comply with GDPR through:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions by the European Commission
• Certifications such as the EU-U.S. Data Privacy Framework (where applicable)

All third-party processors (Google, Stripe, Supabase) are GDPR-compliant and provide appropriate safeguards.

8. Your GDPR Rights

Under GDPR, you have the following rights:

• Right to Access: Request a copy of your personal data we hold
• Right to Rectification: Request correction of inaccurate or incomplete data
• Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data
• Right to Restrict Processing: Request limitation of how we process your data
• Right to Data Portability: Receive your data in a structured, machine-readable format
• Right to Object: Object to processing based on legitimate interests or direct marketing
• Right to Withdraw Consent: Withdraw consent at any time (where processing is based on consent)
• Right to Lodge a Complaint: File a complaint with your national data protection authority

To exercise any of these rights, contact us at: support@playthis.pw

We will respond to your request within one month (extendable by two additional months for complex requests).

9. Data Retention

We retain your personal data for as long as necessary to:

• Provide our services to you
• Comply with legal obligations (e.g., tax records: 6 years)
• Resolve disputes and enforce agreements

Specific retention periods:

• Account data: Until account deletion + 30 days
• Transaction records: 6 years (Irish tax law requirement)
• Chat and song request history: Until session deletion or 1 year of inactivity
• Usage logs: 90 days

After these periods, data is securely deleted or anonymized.

10. Data Security

We implement appropriate technical and organizational measures to protect your data:

• Encryption in transit (TLS/SSL) and at rest
• Secure authentication (OAuth 2.0, row-level security)
• Regular security audits and updates
• Access controls and logging
• PCI DSS Level 1 compliance for payment data (via Stripe)
• Data breach notification procedures (within 72 hours to authorities)

While we strive to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

11. Cookies and Tracking

We use essential cookies for authentication and session management. We do not use third-party advertising or tracking cookies.

Cookies we use:

• Authentication cookies: To keep you logged in (essential, no consent required under GDPR)
• Session cookies: To maintain your session state (essential)

You can control cookies through your browser settings, but disabling essential cookies may affect functionality.

12. Children's Privacy

Our Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us, and we will delete it promptly.

13. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority within 72 hours
• Notify affected users without undue delay if the breach poses a high risk
• Provide information about the nature of the breach and mitigation steps

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by:

• Posting the new Privacy Policy on this page
• Updating the "Last Updated" date
• Sending an email notification (for material changes)

Your continued use of the Service after changes constitutes acceptance of the updated policy.

15. Supervisory Authority

If you have concerns about how we handle your data, you have the right to lodge a complaint with the Data Protection Commission (Ireland):

Data Protection Commission
21 Fitzwilliam Square South
Dublin 2, D02 RD28
Ireland
Phone: +353 (0)761 104 800
Email: info@dataprotection.ie
Website: www.dataprotection.ie

16. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

Email: support@playthis.pw
Subject Line: Privacy Inquiry - GDPR