Privacy policy.
DSP Watch processes catalog metadata, evidence packages, billing details and audit logs so we can deliver duplicate detection and §512(c)(3)-compliant takedowns. This page tells you exactly what we collect, why, who we share it with, how long we keep it, and the rights you have under GDPR and CCPA.
- Effective date: June 6, 2026
- Last updated: June 6, 2026
1. Who we are
DSP Watch is the rights-ops inbox for music duplicate detection and court-ready DMCA takedowns. The data controller for personal data processed in connection with this site and the DSP Watch product is DSP Watch (the "Company", "we", "us"), operating from Australia.
For privacy questions, GDPR or CCPA requests, or data protection inquiries, write to privacy@dspwatch.com. We respond within 30 days.
2. What we collect and why
We collect only the data we need to deliver the service. Each category below lists what we collect, the lawful basis under Article 6 of the GDPR, and what we use it for.
Account and identity data
- Name, work email, workspace role, and password hash for the people you invite to your DSP Watch workspace.
- Multi-factor authentication factors (TOTP secrets and recovery codes) used to gate evidence signing under §512(c)(3) attestation.
- Session metadata — IP address, user-agent, login timestamps — retained for security and audit purposes.
Lawful basis
Contract (Art. 6(1)(b) GDPR) — required to provide the service.
Catalog metadata
- ISRC, UPC, release title, artist name, label, distributor, territory, rights chain and any ownership proofs you upload (master licence, split sheets, distributor receipts).
- Tier rules, scan cadence overrides and workspace-level configuration that determines what we scan and how often.
- Reconciled catalog snapshots from your distributor feed (where you connect one) so we can detect drift between your stated catalog and what DSPs see.
Lawful basis
Contract (Art. 6(1)(b)) — your catalog is the input to the detection service.
Evidence packages and audit logs
- Generated §512(c)(3)-compliant takedown PDFs, attached ownership proofs, signer attestations, and the hash-chained audit log that proves who did what, when, and under which MFA freshness window.
- Adapter responses from each DSP (case IDs, claim IDs, counter-notice payloads, reinstatement confirmations) so the action timeline is complete end to end.
- Counter-notice content received under §512(g), including counter-notifier name, address, and statement, retained for the duration of the dispute and the legally required defensibility window.
Lawful basis
Legal obligation (Art. 6(1)(c)) for §512(c)(3) record-keeping; legitimate interest (Art. 6(1)(f)) for defending takedowns against bad-faith counter-notices.
Billing information
- Stripe customer ID, subscription ID, plan tier, invoices, and tax IDs. Card details and bank account information are collected and stored by Stripe — DSP Watch never sees raw payment instruments.
- Billing email and company name, used for invoicing and dunning.
Lawful basis
Contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) for tax and accounting record-keeping.
Product telemetry
- Page views, feature usage events, error reports and performance metrics scoped to the authenticated workspace. We do not run third-party tracking pixels on this marketing site.
- Aggregated, non-identifying metrics about scan throughput, detection rates and adapter outcomes used to improve the service.
Lawful basis
Legitimate interest (Art. 6(1)(f)) — operating, securing and improving the service.
Support communications
- Emails, attachments and ticket history you send to hello@dspwatch.com, support@dspwatch.com or legal@dspwatch.com.
Lawful basis
Contract (Art. 6(1)(b)) and legitimate interest (Art. 6(1)(f)) — responding to and improving customer support.
3. How we use your data
Every use of personal data at DSP Watch maps to one purpose: providing the service. Specifically, we use the data above to:
- Run nightly tier-weighted scans across Spotify, Apple Music, YouTube, Tidal, Deezer and Amazon Music against the catalog you import.
- Generate and file §512(c)(3)-verbatim takedown notices through the 5 live adapters (dmca_generic, spotify_form, apple_form, youtube_cid, distributor_forward).
- Track the §512(g) counter-notice clock and warn signers at T-3 business days before the reinstatement window closes.
- Authenticate users, gate evidence signing under MFA freshness, and prevent unauthorized access to workspace data.
- Process subscription payments, calculate tax, issue invoices and operate the Stripe billing relationship.
- Respond to support requests and improve the service through aggregated, non-identifying telemetry.
- Comply with legal obligations, including §512(c)(3) record-keeping and tax record retention.
We do not use personal data for advertising, do not sell it, and do not engage in automated decision-making with legal or similarly significant effects.
4. Sub-processors
We use a small set of carefully chosen sub-processors to operate the service. Each is bound by a data processing agreement and processes only the personal data necessary for its function. The current list is below; a canonical, versioned list lives on the sub-processors page.
| Sub-processor | Purpose | Location | Policy |
|---|---|---|---|
| Supabase | Postgres database, authentication, file storage for catalog and evidence | United States (AWS us-east-1) and EU (AWS eu-west-1) regions, per workspace residency choice | Privacy policy |
| Cloudflare | CDN, DNS, WAF, Pages hosting, Workers API edge runtime, DDoS protection | Global edge network; primary region selected per workspace | Privacy policy |
| Fly.io | Scan worker fleet and adapter runners (Spotify, Apple Music, YouTube, Tidal, Deezer, Amazon Music) | United States (iad, sjc) and EU (fra, ams) regions | Privacy policy |
| Stripe | Subscription billing, payment processing, tax compliance, invoicing | United States and Ireland | Privacy policy |
| Google (Gemini API) | Optional AI-assisted metadata normalization and evidence drafting; never trained on customer data | United States and EU multi-region | Privacy policy |
We notify customers at least 30 days before adding or replacing a sub-processor that processes personal data, giving you time to object before the change takes effect.
5. Retention windows
We keep personal data only as long as we need it. The retention window for each data category, and the reason behind it, is below.
| Data category | Retention window | Reason |
|---|---|---|
| Evidence packages, audit logs and takedown PDFs | 7 years from filing | DMCA defensibility — §512(c)(3) takedowns can be challenged years later via counter-notice litigation, and a hash-chained audit trail is the standard defense. |
| Catalog metadata and ownership proofs | For the life of your subscription plus 90 days after termination | Allows reactivation without re-import and gives you time to export before deletion. |
| Billing and tax records | 7 years | Australian and US tax-law record-keeping obligations. |
| Account and session data | Life of the account plus 30 days after closure | Security investigations and account-recovery support requests. |
| Support communications | 3 years from last interaction | Quality assurance and recurring-issue analysis. |
| Product telemetry | 13 months | Year-over-year comparison for capacity planning; anonymized aggregates may be retained longer. |
6. International transfers
DSP Watch supports EU and US data residency for primary storage. When personal data is transferred from the European Economic Area, the United Kingdom or Switzerland to a country without an adequacy decision (typically the United States), we rely on the European Commission's Standard Contractual Clauses (Module 2 controller-to-processor) and equivalent UK and Swiss safeguards.
We have evaluated supplementary measures consistent with the European Data Protection Board's post-Schrems II recommendations, including encryption in transit (TLS 1.3) and at rest (AES-256), and contractual rights to challenge government access requests.
7. GDPR rights
If you are in the European Economic Area, the United Kingdom or Switzerland, you have the following rights under the GDPR (and equivalent UK/Swiss law). To exercise any of them, email privacy@dspwatch.com. We verify identity and respond within 30 days.
Right to access
Request a copy of the personal data we hold about you. We respond within 30 days and ship a portable export.
Right to rectification
Correct inaccurate personal data. Most fields are directly editable in your workspace settings; email privacy@dspwatch.com for anything you can't reach.
Right to erasure (right to be forgotten)
Request deletion of personal data, subject to our retention obligations for §512(c)(3) evidence and tax records. We confirm in writing within 30 days.
Right to restrict processing
Pause processing of your personal data while a dispute is resolved.
Right to data portability
Receive your catalog, evidence packages and audit logs in a structured, machine-readable format (JSON + PDF bundle).
Right to object
Object to processing based on legitimate interest, including any direct marketing (we send none without opt-in).
Right to withdraw consent
Where processing is based on consent (e.g. optional AI features), withdraw it at any time without affecting prior lawful processing.
Right to lodge a complaint
EU users may complain to their local supervisory authority. UK users may complain to the ICO. We hope you'll write to us first at privacy@dspwatch.com.
8. California rights (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, gives you the following rights. To exercise any of them, email privacy@dspwatch.com with the subject line "CCPA request".
- Right to know what categories of personal information we collect, the sources, the business purpose, and the categories of third parties with whom we share it.
- Right to delete personal information, subject to statutory exceptions (security, fraud prevention, legal obligations such as §512(c)(3) record-keeping).
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing of personal information. DSP Watch does not sell personal information and does not share it for cross-context behavioral advertising.
- Right to limit use of sensitive personal information. We do not use sensitive personal information for any purpose other than providing the service.
- Right to non-discrimination for exercising any CCPA right.
You may designate an authorized agent to make a request on your behalf. We require written proof of authorization and verify your identity before fulfilling the request.
9. Children's data
DSP Watch is a business-to-business service and is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact privacy@dspwatch.com and we will delete it.
10. Security
We encrypt data in transit with TLS 1.3 and at rest with AES-256. Workspace isolation is enforced via Postgres row-level security. Evidence signing requires fresh MFA. Audit logs are hash-chained and tamper-evident.
See the security overview for our full controls catalog, vulnerability disclosure policy and SOC 2 roadmap.
11. Changes to this policy
We may update this policy from time to time. Material changes are notified by email to workspace owners at least 30 days before they take effect. The "Last updated" date at the top of this page always reflects the most recent revision. Prior versions are available on request.
12. Contact
For privacy questions, GDPR or CCPA requests, or to exercise any right described above, email privacy@dspwatch.com.
For legal correspondence and sub-processor objections, use legal@dspwatch.com.
EU users have the right to lodge a complaint with their local supervisory authority; UK users may complain to the ICO. We hope you'll write to us first.
13. Frequently asked questions
Do you sell personal information?
No. DSP Watch does not sell personal information, does not share it for cross-context behavioral advertising, and does not run third-party tracking pixels on this marketing site.
Where is my data stored?
Catalog metadata and evidence are stored in Supabase (Postgres) in the region you select at workspace creation — currently US (AWS us-east-1) or EU (AWS eu-west-1). Stripe stores billing data in the US and Ireland. Cloudflare caches static assets at the edge globally.
Do you train AI models on my catalog?
No. When you opt in to AI-assisted features, prompts and responses are routed through the Google Gemini API under a no-training agreement. Your catalog is never used to train any third-party model.
How long do you keep evidence after I delete a finding?
7 years from the filing date. This is the DMCA defensibility window — §512(c)(3) takedowns can be litigated years later, and the hash-chained audit log is the standard defense. We can delete earlier only when no enforcement action was filed.
How do I exercise my GDPR or CCPA rights?
Email privacy@dspwatch.com with the request. We verify your identity (matching the email on the workspace) and respond within 30 days. EU users may also complain to their local supervisory authority.
Do you transfer data outside the EU?
Where you select EU residency, primary processing stays in EU regions. Where US-based sub-processors are involved (Stripe, Cloudflare global edge), we rely on Standard Contractual Clauses and supplementary measures consistent with Schrems II guidance.