KAI.Productions / Legal

Privacy Policy

Last updated: 5 May 2026

1. Who We Are

KAI.Productions is operated by K.
Address: 123 Music Lane Audio City AC 12345
Email: [email protected]

K is the data controller for personal data processed through this website. This Privacy Policy explains what data we collect, why, and how we protect it, in compliance with the UK GDPR and the Data Protection Act 2018.

2. Data We Collect

2a. If you have an account (registered users)

  • Account data: email address, username, hashed password (bcrypt), account creation date.
  • Usage data: tracks you played, your library contents, playlists you created and their contents.
  • Session data: a session token stored in an HTTP-only cookie named user_session. This is strictly necessary to keep you signed in. Tokens expire after 30 days.
  • Play events: when you play a track, we record the track ID, event type (play, pause, complete, seek), playback position, and duration. This is linked to your account.

2b. Anonymous visitors (no account required)

  • Daily visitor ID (anonId): We compute a privacy-preserving, daily-rotating visitor identifier using a one-way SHA-256 hash of your IP address, country code, browser user-agent, and the current UTC date. This identifier changes every day at midnight UTC — the same person visiting on different days produces different identifiers, so no persistent cross-session profile is built.
    The raw IP address and user-agent are used only to compute this hash and are never stored.
  • Country: We record the two-letter country code (e.g. DE, US) from the country-level IP geolocation provided by our CDN (Cloudflare). Country-level data is not personal data — it is too coarse to identify any individual.
  • Play events: track ID, event type, playback position, and duration. When linked only to a daily-rotating identifier, this data does not constitute personal data.

2c. What we do NOT collect

  • We do not store your raw IP address.
  • We do not store your browser user-agent string in our database.
  • We do not use advertising cookies, tracking pixels, or third-party analytics scripts.
  • We do not build persistent cross-session profiles of anonymous visitors.
  • We do not sell data or share it with third parties for commercial purposes.

3. Legal Basis for Processing

We process data under the following legal bases (UK GDPR Article 6):

  • Contract performance (Art. 6(1)(b)): Account data, session management, library, and playlists — necessary to provide the service you signed up for.
  • Legitimate interests (Art. 6(1)(f)): Play event analytics for registered users (to understand how music is experienced and improve the service); daily-rotating anonymous visitor analytics (audience measurement — we have a genuine interest in understanding which tracks and regions attract listeners, and this interest is not overridden by your rights given the strict privacy-by-design measures described above).
  • Legal obligation (Art. 6(1)(c)): Where required by applicable law.

No analytics consent banner is presented because our default analytics configuration does not require consent: anonymous play events are recorded without persistent personal identifiers, and the daily-rotating fingerprint is designed in accordance with ICO guidance and the Plausible Analytics model reviewed by EU data protection authorities. If you integrate third-party analytics or enable extended tracking, you must add appropriate consent mechanisms.

4. How We Use Your Data

  • To authenticate you and maintain your session.
  • To store and display your library and playlists.
  • To measure music engagement and improve the service (aggregate analytics).
  • To respond to support requests sent to [email protected].

5. Data Retention

  • Account data — retained while your account is active; deleted within 30 days of account deletion.
  • Session tokens — expire after 30 days; purged on sign-out.
  • Play events (registered users) — retained for up to 24 months from the date of recording.
  • Anonymous play events — retained for up to 24 months. The daily-rotating anonId in each record cannot be linked to any individual after midnight UTC of the day it was created.

6. Cookies

We use a single, strictly necessary HTTP-only cookie named user_session, used solely to authenticate signed-in users. We do not use advertising cookies, analytics cookies, or any third-party cookies. No cookie consent banner is required or displayed.

7. Your Rights (UK GDPR)

You have the right to:

  • Access: download all data we hold about you via Account Settings → Download My Data.
  • Rectification: update your username in Account Settings at any time.
  • Erasure: permanently delete your account and all associated data via Account Settings → Delete Account.
  • Portability & restriction: contact [email protected] to request data in a machine-readable format or to restrict processing.
  • Objection: object to processing based on legitimate interests by contacting us.
  • Complaint: lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

We will respond to all valid requests within 30 days.

8. Data Security

We use TLS encryption in transit, bcrypt-hashed passwords, HTTP-only signed session cookies, and server-side session invalidation. No raw IP addresses are stored. Visitor identifiers are one-way SHA-256 hashes that cannot be reversed to recover personal data.

9. International Transfers

Our servers are hosted in the European Economic Area (EEA). Our CDN (Cloudflare) operates globally; only the two-letter country code derived from your IP is retained by us — the IP itself is not stored. No personal data is transferred outside the UK/EEA unless required by law.

10. Children

KAI.Productions is not directed at children under 13. We do not knowingly collect personal data from children. If you believe a child has provided data, contact us at [email protected].

11. Changes to This Policy

We may update this policy to reflect changes in law or our practices. The "last updated" date at the top of this page reflects the most recent revision. Material changes will be communicated to registered users by email.

12. Contact

For any privacy-related questions, contact:
K[email protected]
123 Music Lane, Audio City, AC 12345