1. Introduction
MixVibeConnect ("we," "our," or "us") is committed to protecting your personal data in compliance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws. This policy explains what data we collect, why, how long we keep it, and your rights.
2. Data Controller
MixVibeConnect is the data controller responsible for your personal data. For any privacy-related queries, contact our Data Protection Officer:
Email: privacy@mixvibeconnect.com
3. Lawful Basis for Processing (GDPR Article 6)
We process personal data under the following legal bases:
- Contract performance: Processing necessary to provide the service you signed up for (account management, event participation, music playback).
- Legitimate interest: Analytics to improve our service, fraud prevention, and security monitoring.
- Consent: Optional analytics cookies, marketing communications (you can withdraw consent at any time).
- Legal obligation: Financial record-keeping for tax and regulatory compliance.
4. Information We Collect
Account Information
- Email address
- Display name and optional profile picture
- Account type (Host, DJ, or Guest)
- Hashed password (if using email/password login)
Music Service Data
- Spotify or Apple Music OAuth tokens (encrypted at rest, used only for playback control)
- Music preferences and listening history, collected only while you are actively using our service
Usage Data
- Events created or joined
- Song suggestions and votes
- Chat messages within events
- IP address and user-agent string (for security and rate limiting)
Payment Information
Payment processing is handled exclusively by Stripe. We never store credit card numbers, CVVs, or full card details. We store only: transaction amounts, Stripe payment intent IDs, and Stripe Connect account IDs for payouts. See Stripe's Privacy Policy.
5. How We Use Your Data
- To provide and maintain the MixVibeConnect service
- To authenticate your identity and secure your account
- To process tip/contribution transactions via Stripe
- To send transactional emails (password resets, account notifications)
- To enforce our terms of service and prevent abuse
- To analyze usage patterns and improve our service (with consent)
6. Third-Party Data Sharing
We do not sell your personal data. We share data only with:
- Stripe: Payment processing and DJ payouts (PCI DSS Level 1 certified)
- Spotify / Apple Music: OAuth tokens for music playback (subject to their privacy policies)
- Vercel: Frontend hosting and serverless functions
- MongoDB Atlas: Database hosting (data encrypted at rest)
- Sentry: Error monitoring (anonymized crash reports, only with consent)
- Law enforcement: When required by valid legal process
7. Data Retention
- Account data: Retained while your account is active, deleted 30 days after account deletion request.
- Chat messages: Retained for the duration of the event plus 90 days.
- Financial records: Retained for 7 years as required by tax law.
- Security logs: Retained for 90 days for fraud prevention.
- Analytics data: Aggregated and anonymized after 12 months.
8. Your Rights (GDPR Articles 15-22)
You have the right to:
- Access (Art. 15): Request a copy of all data we hold about you via Settings > Download My Data.
- Rectification (Art. 16): Correct inaccurate data via your profile settings.
- Erasure (Art. 17): Request deletion of your account and personal data via Settings > Delete Account. A 30-day grace period applies.
- Data Portability (Art. 20): Export your data in machine-readable JSON format.
- Restrict Processing (Art. 18): Request that we limit how we use your data.
- Object (Art. 21): Object to processing based on legitimate interest.
- Withdraw Consent: Withdraw consent for optional processing at any time without affecting prior processing.
To exercise any of these rights, use the in-app controls or email privacy@mixvibeconnect.com. We will respond within 30 days.
9. Data Security
- All data is transmitted over HTTPS (TLS 1.2+)
- Passwords hashed with bcrypt (cost factor 12)
- JWT-based authentication with short-lived access tokens (15 minutes)
- End-to-end encryption for direct messages (X25519 + XSalsa20-Poly1305)
- MongoDB encryption at rest (AES-256)
- Rate limiting and account lockout to prevent brute-force attacks
10. Cookies
We use the following cookies:
- Essential (always active): access_token and refresh_token, required for authentication and session management.
- Optional (with consent): Analytics cookies from Vercel Analytics for usage statistics.
You can manage your cookie preferences via the cookie consent banner or your browser settings.
11. International Data Transfers
Your data may be processed in the United States where our servers are hosted. We ensure adequate protection through standard contractual clauses and the data processing agreements of our service providers (Vercel, MongoDB Atlas, Stripe).
12. Children's Privacy
Our service is not intended for users under 13 years of age (or 16 in the EU/EEA). We do not knowingly collect personal data from children. If we learn that we have collected data from a child, we will delete it promptly.
13. Changes to This Policy
We may update this policy periodically. Material changes will be communicated via email or an in-app notification. The "Last updated" date at the top indicates the most recent revision.
14. Contact & Complaints
For privacy inquiries or to exercise your data rights:
Data Protection Officer: privacy@mixvibeconnect.com
If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority (supervisory authority).