Privacy Policy
Effective Date: March 29, 2026
This Privacy Policy describes how XCLSV Inc. (“XCLSV,” “Company,” “we,” “us,” or “our”) collects, uses, discloses, retains, and protects personal information in connection with the XCLSV platform, website, applications, and related services (collectively, the “Service”). By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy and consent to the collection and use of your information as described herein.
1. Scope and Applicability
This Privacy Policy applies to all Users of the Service, including Buyers (Collectors), Artists, and visitors. It covers personal information collected through the XCLSV website, web application, mobile applications, APIs, email communications, and any other interactions with the Service. This Policy does not apply to third-party websites, applications, or services that may be linked to or integrated with the Service, each of which is governed by its own privacy policy.
For the purposes of applicable data protection laws, XCLSV Inc. is the data controller responsible for the processing of your personal information. Our registered address and contact information are provided in Section 18.
2. Categories of Personal Information Collected
2.1 Information You Provide Directly
- Account Registration Data: Full name, email address, and password (stored exclusively in irreversibly hashed form using bcrypt with per-user salt). Artists additionally provide stage name, genre classification, biographical information, commission pricing, and profile imagery.
- Commission Data: Creative briefs submitted in connection with Commission requests, including vision statements, occasion descriptions, musical preferences, and any other information provided in the brief.
- Financial and Transaction Data: Payment card numbers, billing addresses, and related financial information are collected and processed exclusively by our PCI DSS-compliant third-party payment processor(s). XCLSV does not receive, access, transmit, or store full payment card numbers, CVV/CVC codes, or complete bank account numbers on its servers at any time.
- Artist Inquiry Data: If you submit an artist interest registration form, we collect your name, email address, genre, social media handles (e.g., Instagram), streaming platform links (e.g., Spotify), and any message you choose to provide.
- Communications: Messages, feedback, support requests, and any other correspondence you direct to us through the Platform or via email.
- Identity Verification: Where required for high-value transactions, anti-fraud, or regulatory compliance purposes, we may request additional identity documentation.
2.2 Information Collected Automatically
- Usage and Interaction Data: Pages and features accessed, Commission history, listening activity and duration, clickstream data, timestamps of access, referring and exit URLs, and interaction patterns.
- Device and Technical Data: Browser type and version, operating system, device type and model, unique device identifiers, screen resolution, language and locale preferences, and time zone settings.
- Network and Geolocation Data: Internet Protocol (IP) address, approximate geographic location derived from IP address (city and region level only — we do not collect precise GPS coordinates), internet service provider, and network connection type.
- Cookies and Similar Technologies: We deploy cookies, local storage objects, pixel tags, web beacons, and similar technologies as described in Section 10.
- Log Data: Server logs that automatically record information about each request made to the Service, including request timestamps, HTTP methods, response codes, and data transfer volumes.
2.3 Information from Third Parties
- Payment Processors: Transaction confirmation, payment status, and dispute information from our payment processor(s).
- Analytics Providers: Aggregated and de-identified usage data from analytics services that help us understand Platform performance and User behavior.
- Fraud Prevention Services: Risk scores, device fingerprints, and fraud indicators from third-party fraud detection services used to protect the integrity of Platform transactions.
3. Legal Bases for Processing (EEA/UK Users)
If you are located in the European Economic Area (“EEA”) or the United Kingdom (“UK”), our processing of your personal data is based on the following legal grounds under the General Data Protection Regulation (“GDPR”) and UK GDPR:
- Performance of Contract (Art. 6(1)(b)): Processing necessary for the performance of our contract with you, including account management, Commission facilitation, payment processing, and delivery of the Service.
- Legitimate Interests (Art. 6(1)(f)): Processing necessary for our legitimate business interests, including fraud detection and prevention, Platform security, service improvement and optimization, enforcement of our Terms, and direct marketing to existing customers (subject to your right to opt out). We have conducted balancing assessments to ensure these interests do not override your fundamental rights.
- Consent (Art. 6(1)(a)): Where we rely on your consent, including for certain cookie deployments and marketing communications to non-customers. You may withdraw consent at any time without affecting the lawfulness of processing conducted prior to withdrawal.
- Legal Obligation (Art. 6(1)(c)): Processing necessary to comply with applicable laws, including tax reporting, anti-money laundering regulations, and responses to lawful government requests.
4. Purposes of Processing
We process personal information for the following purposes:
- Service Delivery: Account creation and authentication, Commission processing and facilitation, payment transactions, audio delivery and streaming, and collection management.
- Transaction Processing: Processing Deposits and final payments, disbursing Artist payments, and generating transaction records, invoices, and tax documentation.
- Communications: Commission status notifications, delivery alerts, payment confirmations, account security notices, and material service announcements. These transactional communications are necessary for the provision of the Service and are not subject to marketing opt-out preferences.
- Platform Improvement: Analyzing usage patterns, conducting A/B testing, debugging technical issues, developing new features, and improving the overall User experience.
- Safety and Security: Detecting, investigating, and preventing fraud, unauthorized access, illegal activity, and violations of our Terms. This includes monitoring for unauthorized distribution of Commission audio and enforcing digital rights protections.
- Legal and Regulatory Compliance: Complying with applicable tax, financial reporting, anti-money laundering, and other regulatory requirements. Responding to lawful subpoenas, court orders, and government requests.
- Dispute Resolution: Managing and resolving disputes between Buyers and Artists, processing refund requests, and administering arbitration proceedings.
5. Disclosure of Personal Information
WE DO NOT SELL YOUR PERSONAL INFORMATION. We do not rent, trade, or otherwise make personal information available to third parties for their direct marketing purposes. We may disclose your personal information in the following limited circumstances:
5.1 Commission Counterparties
When a Commission is initiated, the Artist receives the Buyer’s name, creative brief, and occasion information as necessary to fulfill the Commission. Artists do not receive Buyer email addresses, payment details, mailing addresses, or other personal information unless specifically authorized by the Buyer or required for Commission fulfillment.
5.2 Service Providers and Processors
We engage third-party service providers who process personal information on our behalf to support the Service, including:
- Payment processors (e.g., Stripe, Inc.) for transaction processing;
- Cloud infrastructure and hosting providers for data storage and Platform operation;
- Email delivery services for transactional and marketing communications;
- Analytics providers for usage analysis and Platform optimization;
- Fraud prevention and identity verification services; and
- Customer support tools and services.
All service providers are bound by data processing agreements that restrict their use of personal information to the services performed on our behalf and require them to implement appropriate security measures.
5.3 Legal Requirements and Protection of Rights
We may disclose personal information if we believe in good faith that such disclosure is necessary to: (a) comply with applicable law, regulation, legal process, or governmental request; (b) enforce our Terms of Service or other agreements; (c) protect the rights, property, or safety of the Company, our Users, or the public; (d) detect, prevent, or address fraud, security, or technical issues; or (e) respond to an emergency involving danger of death or serious physical injury.
5.4 Business Transfers
In connection with, or during negotiations of, any merger, acquisition, sale of assets, financing, reorganization, bankruptcy, receivership, dissolution, or similar transaction, your personal information may be disclosed, transferred, or assigned as part of the Company’s business assets. We will use reasonable efforts to notify you of any such transfer and of any choices you may have regarding your information.
5.5 With Your Consent
We may disclose your personal information for other purposes with your express consent.
6. Data Retention
We retain personal information only for as long as reasonably necessary to fulfill the purposes for which it was collected and to comply with our legal obligations. Our specific retention periods are as follows:
- Account Data: Retained for the duration of your active account and for a period of thirty (30) days following account deletion to allow for account recovery, after which it is permanently deleted or irreversibly anonymized.
- Commission and Transaction Records: Retained for a minimum of seven (7) years following the completion of the transaction to comply with applicable tax, financial reporting, anti-money laundering, and legal record-keeping requirements.
- Audio Files: Commission audio files are retained on our servers for the duration of the Buyer’s Listening License. Upon account deletion, audio files are not automatically deleted, as the Artist retains intellectual property rights in the work. Disposition of audio files upon account termination is governed by our Terms of Service.
- Payment Records: Retained for a minimum of seven (7) years in accordance with IRS record-keeping requirements (26 C.F.R. § 1.6001-1) and applicable state regulations.
- Server and Access Logs: Automatically purged after ninety (90) days.
- Artist Inquiry Submissions: Retained for twelve (12) months, after which they are deleted unless the inquiry results in an active Artist relationship.
- Support Communications: Retained for three (3) years following resolution of the inquiry.
7. Data Security
We implement administrative, technical, and physical security measures designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to:
- Encryption of data in transit using Transport Layer Security (TLS 1.2 or higher) and encryption of sensitive data at rest using AES-256 or equivalent encryption standards;
- Password hashing using bcrypt with unique per-user cryptographic salts, rendering stored passwords computationally infeasible to reverse;
- Strict role-based access controls (RBAC) limiting access to personal information to authorized personnel on a need-to-know basis;
- Regular security assessments, penetration testing, and vulnerability scanning;
- Secure, access-controlled cloud infrastructure with SOC 2 Type II certified hosting providers;
- Automated intrusion detection and monitoring systems; and
- Incident response procedures for the timely identification, containment, and notification of security breaches.
Notwithstanding the foregoing, no method of electronic transmission or storage is completely secure. While we strive to use commercially reasonable means to protect your personal information, we cannot guarantee absolute security. In the event of a data breach affecting your personal information, we will notify you and the relevant supervisory authorities in accordance with applicable law.
8. Your Rights and Choices
Subject to applicable law and certain exceptions, you may have the following rights with respect to your personal information:
- Right of Access: Request confirmation of whether we process your personal information and obtain a copy of such information.
- Right to Rectification: Request correction of inaccurate or incomplete personal information.
- Right to Erasure (“Right to be Forgotten”): Request deletion of your personal information, subject to legal and contractual retention obligations and the rights of third parties (including Artists who retain intellectual property rights in Commissions).
- Right to Data Portability: Request a copy of your personal information in a structured, commonly used, and machine-readable format.
- Right to Restrict Processing: Request that we limit the processing of your personal information in certain circumstances, such as when you contest the accuracy of the data.
- Right to Object: Object to processing of your personal information based on our legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
- Right to Withdraw Consent: Where processing is based on consent, withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing conducted prior to withdrawal.
- Right to Opt Out of Marketing: Opt out of marketing communications at any time by clicking the “unsubscribe” link or contacting us. This does not affect transactional communications necessary for the Service.
To exercise any of these rights, submit a verifiable request to privacy@xclsv.com. We will respond within thirty (30) days (or such shorter period as required by applicable law). We may request additional information to verify your identity before processing your request. We will not discriminate against you for exercising any of these rights.
9. Audio Streaming, Digital Rights Management, and Content Protection
Commission audio files are delivered to Buyers exclusively through the XCLSV Platform using encrypted, access-controlled streaming. We implement the following technical and administrative protections to safeguard the intellectual property rights of Artists and the exclusivity of the Buyer’s experience:
- Audio files are streamed using authenticated, time-limited signed URLs and are not directly downloadable;
- Each streaming session is cryptographically tied to the Buyer’s authenticated session;
- We deploy audio fingerprinting and watermarking technologies to enable detection and attribution of unauthorized copies appearing on external platforms or services;
- We monitor for and take action against unauthorized distribution, reproduction, or sharing of Commission audio, including issuing takedown notices under applicable copyright laws; and
- We may implement additional digital rights management (DRM) technologies as reasonably necessary to protect content.
By using the Service, you acknowledge and agree that these content protection measures are necessary to maintain the exclusivity and value of Commissions and to protect the rights of Artists and Buyers.
10. Cookies, Tracking Technologies, and Do Not Track
10.1 Types of Cookies and Technologies
- Strictly Necessary Cookies: Essential for authentication, session management, security (including CSRF protection), and core Platform functionality. These cookies cannot be disabled without impairing the Service.
- Functional Cookies: Remember your preferences and settings, such as language, theme, and playback volume, to enhance your experience.
- Analytics Cookies: Collect de-identified, aggregated data about how Users interact with the Platform, including page views, feature usage, and error rates. We use privacy-respecting analytics tools and do not use analytics data for advertising purposes.
10.2 What We Do Not Do
We do not deploy advertising or retargeting cookies. We do not sell cookie data or share it with ad networks. We do not engage in cross-site behavioral tracking. We do not build advertising profiles based on your browsing activity.
10.3 Do Not Track Signals
Certain web browsers transmit “Do Not Track” (“DNT”) signals. As there is no universally accepted standard for interpreting DNT signals, the Service does not currently respond to DNT signals. However, our practices already minimize tracking as described in this Section.
10.4 Managing Cookies
You may control and manage cookies through your browser settings. Please note that disabling certain cookies may impair the functionality of the Service.
11. Children’s Privacy
The Service is not directed to, and we do not knowingly collect personal information from, individuals under the age of eighteen (18). We do not knowingly solicit data from or market to children. If we become aware that we have collected personal information from an individual under 18, we will take prompt steps to delete such information. If you believe that a minor has provided us with personal information, please contact us at privacy@xclsv.com, and we will investigate and take appropriate action.
12. International Data Transfers
Your personal information may be transferred to, stored in, and processed in the United States and other countries that may have data protection laws different from those in your country of residence. By using the Service, you acknowledge and consent to such transfers. Where required by applicable law, we implement appropriate safeguards for cross-border transfers, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission for transfers of personal data from the EEA;
- The UK International Data Transfer Agreement or UK Addendum to the EU SCCs for transfers from the UK; and
- Such other transfer mechanisms as may be approved by the relevant data protection authority.
13. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, “CCPA”):
- Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected, the sources of collection, the business or commercial purposes for collection, and the categories of third parties with whom we share personal information.
- Right to Delete: You may request the deletion of personal information we have collected, subject to certain exceptions permitted by the CCPA.
- Right to Correct: You may request the correction of inaccurate personal information.
- Right to Opt Out of Sale or Sharing: XCLSV does not sell personal information as defined by the CCPA, and does not share personal information for cross-context behavioral advertising purposes.
- Right to Limit Use of Sensitive Personal Information: To the extent we process sensitive personal information (as defined by the CCPA), we do so only for purposes permitted under the CCPA without the need for an opt-out.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
To submit a verifiable consumer request, contact us at privacy@xclsv.com. You may designate an authorized agent to make a request on your behalf, subject to identity verification requirements. We will respond to verifiable consumer requests within forty-five (45) days as required by the CCPA.
In the preceding twelve (12) months, we have collected the following categories of personal information as enumerated in Cal. Civ. Code § 1798.140(v): identifiers, commercial information, internet or other electronic network activity information, and inferences drawn from the foregoing.
14. European Privacy Rights (GDPR / UK GDPR)
If you are located in the EEA or UK, you have the rights set forth in Section 8 above, plus the following additional protections:
- Data Protection Officer: You may contact our data protection team at privacy@xclsv.com for any inquiries regarding the processing of your personal data.
- Supervisory Authority: You have the right to lodge a complaint with your local supervisory authority if you believe that the processing of your personal data violates applicable data protection law. A list of EEA supervisory authorities is available at https://edpb.europa.eu.
- Automated Decision-Making: We do not engage in solely automated decision-making (including profiling) that produces legal or similarly significant effects on individuals, except as necessary for the performance of our contract with you or with your explicit consent.
- Data Protection Impact Assessments: We conduct data protection impact assessments for processing activities that are likely to result in a high risk to the rights and freedoms of natural persons, in accordance with Article 35 of the GDPR.
15. Other U.S. State Privacy Laws
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and other states with comprehensive privacy legislation may have additional rights, including the right to access, correct, delete, and obtain a portable copy of their personal data, as well as the right to opt out of targeted advertising, sale of personal data, and profiling in furtherance of decisions producing legal or similarly significant effects. XCLSV does not engage in the sale of personal data or targeted advertising as defined by these statutes. To exercise your rights, contact us at privacy@xclsv.com. If your request is denied, you may appeal by contacting us at legal@xclsv.com.
16. Third-Party Links and Integrations
The Service may contain links to third-party websites, services, or applications that are not operated or controlled by the Company, including payment processors, social media platforms, and streaming services. This Privacy Policy does not apply to any third-party services. We are not responsible for the privacy practices, content, or security of any third party. We encourage you to review the privacy policies of any third-party services before providing personal information.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. We will provide notice of material changes by posting the revised Policy on the Platform with an updated “Effective Date” and, where required by applicable law, by sending notice to the email address associated with your account at least thirty (30) days before the changes take effect. Your continued use of the Service after the revised Policy becomes effective constitutes your acceptance of the updated terms. If you do not agree to the revised Policy, you must cease use of the Service and close your account.
18. Contact Information
For questions, concerns, data subject requests, or complaints regarding this Privacy Policy or our data practices, contact:
XCLSV Inc.
Privacy and Data Protection
Email: privacy@xclsv.com
Legal Inquiries: legal@xclsv.com
We will acknowledge receipt of your inquiry within two (2) business days and provide a substantive response within thirty (30) days (or such shorter period as required by applicable law).