Privacy Policy

Last updated: April 2026

Introduction

vocumi (“we”, “us”, “our”) is committed to protecting your personal data. This Privacy Policy explains what information we collect, how we use it, and your rights.

1. Who We Are (Controller)

The data controller for all personal data processed in connection with the vocumi platform (“Service”) is:

vocumi UG (haftungsbeschränkt) i.G.

Schönhausenstr. 41, 28355 Bremen, Germany

E-mail: contact@vocumi.com

“i.G.” (in Gründung) indicates that the company is in the process of being formally registered. All legal obligations apply from the moment of commercial activity.

2. Scope of This Policy

This Privacy Policy applies to all personal data processed when you visit our public website (vocumi.com), register for an account, or use the vocumi web application. It applies to individual users and to members of team workspaces.

We process personal data in accordance with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and other applicable data protection laws.

3. Data We Collect and Legal Basis

3.1 Account & Profile Data

When you register, we collect and store the following:

  • Email address — required for login and transactional communications
  • Full name — displayed within your workspace
  • Avatar / profile image URL — optional, synced from Google if you use Sign in with Google
  • Password — stored as a secure hash; we never store your plaintext password
  • Plan tier & account preferences — including weekly digest opt-out preference

Legal basis: Art. 6(1)(b) GDPR — performance of a contract (the subscription agreement you entered into with us).

3.2 Workspace & Collaboration Data

When you use the platform, we store:

  • Artists you add to your roster, including notes and status labels you assign
  • Tags and custom labels applied to artists
  • Artists you mark as personal favourites
  • In-app notifications (e.g., team invitations accepted, access changes)
  • Your workspace membership role (owner, admin, member, viewer) and the date you joined

Legal basis: Art. 6(1)(b) GDPR — necessary to deliver the core functionality of the Service.

3.3 Search Query Data

When you use the AI-powered Vibe Search feature, the text of your search query and a timestamp are stored in our database. This data is used solely to enforce your plan's monthly search quota and to display your remaining usage. Search queries are linked to your user account.

Legal basis: Art. 6(1)(b) GDPR — necessary to enforce plan limits and deliver the Service as contracted.

3.4 Billing & Subscription Data

We store your subscription status, plan type, renewal date, and a reference ID linking your account to your Lemon Squeezy customer record. We do not store your payment card details — all payment processing is handled by Lemon Squeezy, which acts as the merchant of record.

Legal basis: Art. 6(1)(b) GDPR — performance of the subscription contract; Art. 6(1)(c) GDPR — compliance with tax and accounting obligations.

3.5 Weekly Digest Emails

We send a weekly summary of your workspace activity (roster updates, metric changes, team activity) to your registered email address. This feature is enabled by default, but you can opt out at any time in your account settings. We use your email address and workspace data to generate these digests.

Legal basis: Art. 6(1)(f) GDPR — legitimate interests (keeping you informed about activity in your workspace). You have the right to object to this processing at any time under Art. 21 GDPR by disabling the digest in your account settings.

3.6 Email Communications Log

For operational reliability, we log the type and send status of transactional emails sent to your address (e.g., welcome, password reset, workspace invitation). Email content is not stored in our database.

Legal basis: Art. 6(1)(f) GDPR — legitimate interest in ensuring reliable delivery of account-critical communications.

3.7 AI Feature Usage (Organisation Level)

We track the number of AI operations (Vibe Search, Pulse reports) and associated token consumption at the organisation (workspace) level, not at the individual user level. This data is used solely for billing, quota enforcement, and internal cost management. No personal behavioural profile of any individual user is constructed.

Legal basis: Art. 6(1)(b) GDPR — necessary to manage plan limits and billing; Art. 6(1)(f) GDPR — legitimate interest in cost management.

3.8 Public Website Visits

Our public marketing pages (vocumi.com) do not use any analytics tracking, advertising pixels, or behavioural tracking cookies. We do not collect IP addresses, browser fingerprints, or session recordings on our public website.

4. Cookies and Local Storage

We use only strictly necessary cookies. No tracking or advertising cookies are used.

Authentication Cookies (Supabase SSR)

  • sb-[project]-auth-token — Encrypted session token, HttpOnly, required for login
  • sb-[project]-auth-token-code-verifier — PKCE verification token for secure OAuth flows, HttpOnly

Application Cookie

  • active_org — Stores your currently active workspace ID to maintain context between page navigations

These cookies are session-bound or expire after a short period. They are not shared with third-party advertising networks. Because these cookies are strictly necessary for the Service to function, we do not require your consent to set them (§ 25(2) No. 2 TTDSG).

5. Third-Party Processors

We share personal data only with the following trusted sub-processors, each bound by data processing agreements and applicable data protection law. We do not sell your personal data.

5.1 Supabase (Authentication & Database)

Supabase Inc. provides our authentication service and hosts our primary database. vocumi uses the West EU (Ireland) region, meaning your personal data — including your email address, hashed password, and all application data (profile, workspace, artists) — is stored within the European Union. No international transfer to a third country occurs for Supabase-hosted data. Supabase is GDPR-compliant and provides a Data Processing Agreement (DPA).

Supabase Privacy Policy →

5.2 Vercel (Hosting & Edge Network)

Vercel Inc. (USA) serves the vocumi web application and marketing pages. Vercel processes server request logs (including IP addresses) as part of normal infrastructure operation. These logs are retained for a limited period by Vercel for security and debugging purposes. vocumi does not access or store these logs. Vercel is GDPR-compliant via SCCs.

Vercel Privacy Policy →

5.3 Lemon Squeezy (Payment Processing & Merchant of Record)

Lemon Squeezy (a Stripe company, USA) processes all payments and acts as the merchant of record for your subscription. When you purchase a subscription, you enter into a payment relationship directly with Lemon Squeezy. They collect and process your billing name, email address, payment card details, and billing address. We receive only non-sensitive subscription metadata (status, plan type, renewal date, customer reference ID).

Lemon Squeezy Privacy Policy →

5.4 Resend (Transactional Email)

Resend Inc. (USA) delivers transactional emails on our behalf — including welcome emails, password reset links, workspace invitations, access change notifications, and weekly digest emails. To deliver these emails, we transmit your email address and, where applicable, your first name to Resend. Resend processes this data solely to deliver the email and may retain delivery logs for a limited period. Resend is GDPR-compliant via SCCs and acts as a data processor under our instruction.

Resend Privacy Policy →

5.5 Google (Sign In with Google & AI Services)

Sign in with Google (OAuth): If you register or log in using your Google account, Google will share your email address, name, and profile picture with us via the OAuth flow. We use this information to create or update your vocumi profile. We do not receive your Google password.

Google Gemini AI: Our AI-powered features (Vibe Search, Pulse reports) use Google's Gemini API. Artist-related queries are sent to Google's Gemini service for processing. Your personal data is not included in Gemini API requests. AI queries contain only publicly available artist information (names, platform handles). You should review Google's API data policies for information on how Gemini processes inputs.

Google Privacy Policy →

5.6 OpenAI (Vector Embeddings)

vocumi uses OpenAI's text-embedding-3-small model to generate vector embeddings for artist profiles. These embeddings power the similarity matching behind Vibe Search and similar-artist recommendations. Only publicly available artist data (names, genres, tags, platform descriptions) is sent to OpenAI's API — your personal data is never included in embedding requests.

OpenAI Inc. is based in the United States. Data is transferred under Standard Contractual Clauses (SCCs) (Art. 46(2)(c) GDPR). OpenAI's API data usage policy states that API inputs are not used to train models by default.

OpenAI Privacy Policy →

5.7 Brave Search (Web Intelligence)

vocumi uses the Brave Search API to enrich artist profiles with publicly available web information (news, interviews, descriptions). Only artist names and publicly known identifiers are sent as search queries — your personal data is not transmitted.

Brave Software Inc. is based in the United States. Data is transferred under Standard Contractual Clauses (SCCs) (Art. 46(2)(c) GDPR).

Brave Privacy Policy →

5.8 Apify (Social Media Data Collection)

vocumi uses Apify to collect publicly available social media metrics for artists (e.g., Instagram follower counts, engagement data). Only publicly visible artist profile data is collected via Apify — your personal data as a vocumi user is never sent to Apify.

Apify Technologies s.r.o. is incorporated in the Czech Republic (European Union) and is subject to EU data protection law. No international transfer applies for Apify-processed data.

Apify Privacy Policy →

6. Artist Data & Third-Party Music Platforms

The artist intelligence data displayed in vocumi is aggregated from publicly available sources, including Spotify, Instagram, TikTok, YouTube, SoundCloud, Last.fm, and other music platforms. This data relates to artists as public figures, not to our users as private individuals.

vocumi uses automated tools (including Google Gemini grounding, OpenAI embeddings, Brave Search, and Apify social data collection) to collect and update public artist metrics on a regular schedule. We do not use this data to build profiles of individual private persons.

7. International Data Transfers

Our primary database and authentication (Supabase) are hosted in the EU (West EU — Ireland) and do not involve any international transfer. Some other sub-processors — Vercel, Lemon Squeezy, Resend, Google, and OpenAI — are based in the United States. Apify is incorporated in the Czech Republic (EU) and does not require a transfer mechanism. Where personal data is transferred outside the European Economic Area (EEA), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission (Art. 46(2)(c) GDPR) or other appropriate safeguards to ensure an adequate level of data protection.

8. Data Retention

  • Account & profile data: Retained for the duration of your account plus up to 30 days after deletion request, unless legal retention obligations apply.
  • Search queries: Retained for the current billing month to enforce plan quotas; subject to periodic automated cleanup.
  • Billing data: Retained for 10 years in accordance with German commercial and tax law (§ 147 AO, § 257 HGB).
  • Email logs: Retained for up to 2 years; automatically deleted by a scheduled database job thereafter (Art. 5(1)(e) GDPR storage limitation).
  • AI usage records (feature_usage): Retained for the current billing month plus 3 months for quota verification; deleted automatically on a monthly schedule.
  • Workspace & artist data: Retained until you delete the workspace or close your account. Upon account closure, we will delete or anonymise your personal data within 30 days.

9. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights (Articles 15–22 GDPR):

  • Right of access (Art. 15): Request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
  • Right to erasure / “right to be forgotten” (Art. 17): Request deletion of your personal data where there is no overriding legal basis for continued processing.
  • Right to restriction of processing (Art. 18): Request that we restrict processing of your data in certain circumstances.
  • Right to data portability (Art. 20): Receive your personal data in a structured, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interests (Art. 6(1)(f) GDPR).
  • Right to withdraw consent (Art. 7(3)): Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint (Art. 77): Lodge a complaint with a supervisory authority — in Germany, this is the relevant Landesbeauftragte für Datenschutz. For Bremen: datenschutz.bremen.de.

To exercise any of these rights, contact us at contact@vocumi.com. We will respond within one month as required by GDPR.

Weekly digest opt-out (Art. 21 right to object): The weekly activity digest is sent on the basis of legitimate interests (Art. 6(1)(f) GDPR). You can exercise your right to object at any time by disabling the digest in your account settings — no justification required.

10. Security

We implement industry-standard technical and organisational measures to protect your personal data against unauthorised access, loss, misuse, or disclosure — including encryption in transit and at rest, access controls, and secure credential handling.

For a full overview of our security practices and how to report a vulnerability, see our Security page.

No method of transmission over the internet is 100% secure. If you suspect a security incident affecting your data, please contact us immediately at contact@vocumi.com.

11. Children's Privacy

The Service is intended for professional use by adults. We do not knowingly collect personal data from individuals under the age of 16. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify registered users of material changes via email at least 14 days before the changes take effect. The “Last updated” date at the top of this page reflects the current version. Continued use of the Service after changes constitutes acceptance of the updated Policy.

13. Contact & Data Protection Enquiries

For any privacy-related questions, requests, or complaints, contact us:

vocumi UG (haftungsbeschränkt) i.G.

Schönhausenstr. 41, 28355 Bremen, Germany

E-mail: contact@vocumi.com

We do not currently have a formally appointed Data Protection Officer (DPO), as we do not fall within the mandatory DPO categories under Art. 37 GDPR. Privacy enquiries are handled directly by the company management.