Privacy Policy

This Privacy Policy explains how oiid AS collects, uses, stores, shares, and otherwise processes personal data when you use the oiid platform, including our marketing website, web dashboards, iOS and Android apps, and fan apps or branded experiences we operate or provide under the "oiid" or "by oiid" branding (together, the "Services").

This policy is intended to describe how the platform works today. If a specific branded app, merchant, event partner, or embedded third-party service presents its own privacy notice, that notice may apply in addition to this one for that specific interaction.

1. Who We Are

oiid AS, company registration number 981 980 182, registered office Bergenhus 13, 5003 Bergen, Norway, is the controller for the processing described in this policy unless a different controller is identified for a specific feature or branded experience.

You can contact us about privacy matters at contact@oiid.com.

2. Scope

This policy applies when you:

• visit our public website or web dashboard
• create or use an oiid account
• use iOS or Android apps powered by oiid
• buy subscriptions, digital content, or merchandise through the Services
• post, upload, record, stream, comment, message, or otherwise contribute content
• receive notifications or service communications from us
• contact support, send feedback, or exercise privacy rights

The Services are not directed to children under 13. If local law requires a higher minimum age to use an online service without parental consent, that higher age applies.

3. Personal Data We Collect

3.1 Data you provide directly

• account details such as email address, display name, and sign-in details
• profile details such as name, bio, profile image, header image, and affiliations
• content you upload or create, including images, video, audio, text, comments, forum posts, feeds, and custom stems or recordings you choose to submit
• purchase and subscription details, such as selected product, region, currency, and entitlement history
• notification preferences and other in-app settings
• communications with us, including support requests and feedback

3.2 Data we collect automatically

• log, session, and authentication data used to operate and secure accounts
• device and app data such as app version, bundle or package identifier, operating system, locale, and environment
• diagnostic, crash, troubleshooting, and performance data
• usage data such as feature interactions, purchase confirmations, content access, and notification events
• device token and related endpoint information used to deliver push notifications
• request metadata such as IP address, timestamps, and service logs needed for reliability and security

3.3 Data we receive from third parties

• identity and sign-in data from providers such as Apple, Google, or Facebook where those sign-in options are offered
• payment and commerce status data from Stripe, Apple, Google, Shopify, and other merchant or store operators
• app store receipt or purchase token validation results used to confirm purchases and entitlements
• content administration data from artist, label, management, or team users operating branded apps or dashboards

4. How We Use Personal Data

We use personal data for the following purposes:

• to create and manage accounts, authenticate users, and provide the Services
• to host profiles, community features, user-generated content, media uploads, and recordings you choose to submit
• to process subscriptions, purchases, entitlements, refunds, chargebacks, and financial reporting
• to send transactional emails, account notices, and push notifications
• to operate the artist dashboard and related moderation, publishing, and communications tools
• to maintain security, prevent fraud or abuse, enforce our Terms, and investigate incidents
• to diagnose bugs, improve stability and performance, and support users
• to comply with legal obligations, accounting obligations, tax rules, and lawful requests
• to send marketing or product updates where you have consented or where otherwise permitted by law

5. Legal Bases

Depending on the feature and jurisdiction, we rely on one or more of the following legal bases:

• performance of a contract with you, including providing accounts, subscriptions, purchases, uploads, and support
• our legitimate interests in securing, operating, improving, monetizing, and administering the Services and related business relationships
• your consent, for example where you opt in to marketing or enable certain optional device permissions or notifications
• compliance with legal obligations, including accounting, tax, security, and regulatory requirements

6. Important Service-Specific Disclosures

6.1 Accounts and authentication

We use Amazon Web Services ("AWS"), including Amazon Cognito, to create and manage user accounts and sessions. Depending on the app, sign-in options may also involve Apple, Google, or Facebook.

6.2 Purchases, subscriptions, and entitlements

Web subscriptions may be processed through Stripe. Mobile in-app purchases and subscriptions may be processed through Apple App Store or Google Play. Merchandise or external commerce flows may be processed through Shopify or the relevant merchant storefront operator.

We generally do not receive full payment card numbers when payments are processed by Stripe-hosted flows, Apple, Google, Shopify, or another merchant platform. We do, however, receive purchase status information, product identifiers, region or country information, customer or subscription identifiers, entitlement status, and validation data needed to confirm or administer the purchase.

6.3 Receipts, verification, and reporting

When you make certain purchases, we may process store receipts, purchase tokens, or equivalent validation data to confirm that the transaction is legitimate and to grant access to purchased content. We also maintain reporting and accounting records relating to those transactions.

6.4 Uploads, recordings, and media

If you upload profile images, feed images, videos, audio, custom stems, recordings, or other files, those materials may be stored on AWS infrastructure and made available to you, relevant artist or admin users, and other users depending on the feature and visibility settings. If you use device microphone permissions to record content, the recording may remain on your device until you choose to upload, publish, or otherwise submit it through the Services.

6.5 Push notifications

If you enable notifications, we process device tokens, endpoint identifiers, app or artist identifiers, and notification preferences so we can deliver notifications through AWS SNS and platform push services as applicable to your device.

6.6 Diagnostics and analytics

We use operational logs, server monitoring, and diagnostic tools to keep the Services reliable and secure. Certain app builds may also use Firebase services, including Crashlytics and app analytics, for crash reporting, diagnostics, and product measurement.

Clients may also send troubleshooting logs to our backend. Where that logging flow is enabled, those logs are stored in AWS CloudWatch for up to 60 days.

7. Sharing Personal Data

We may share personal data with the following categories of recipients:

• AWS services we use to run the platform, including Cognito, API Gateway, Lambda, S3, DynamoDB, SNS, SES, CloudWatch, and Secrets Manager
• payment, billing, commerce, and app store providers such as Stripe, Apple, Google, Shopify, and merchant storefront operators
• hosting, infrastructure, analytics, crash reporting, customer support, and security providers
• artist, label, management, promoter, moderator, or team users who operate branded apps, dashboards, or community spaces
• other users where your content, profile, or activity is intended to be visible to them
• professional advisers, auditors, insurers, and corporate counterparties
• regulators, law enforcement, courts, or other third parties where required by law or needed to protect rights and safety

We do not sell personal data for money. We also do not use the marketing website for cross-context behavioral advertising based on the codebase reviewed for this policy.

8. International Transfers

Our core backend infrastructure is primarily hosted in AWS regions in the EEA, including Frankfurt and Ireland. Some of our providers, however, may process data outside the EEA, including in the United States or other countries where they or their sub-processors operate.

Where required, we rely on appropriate safeguards such as adequacy decisions, standard contractual clauses, or another lawful transfer mechanism.

9. Data Retention

We retain personal data for as long as reasonably necessary for the purposes described in this policy, including to provide the Services, maintain entitlements, resolve disputes, comply with law, and protect the platform.

Examples of how we currently handle retention include:

• account, profile, and entitlement data are generally kept while your account is active and for a reasonable period afterward unless we must keep them longer for legal, security, fraud-prevention, or audit reasons
• content you submit may remain available until you delete it, an administrator removes it, or your account is deleted, subject to backup and legal retention limits
• purchase, subscription, and accounting records may be retained for the period required by tax, bookkeeping, anti-fraud, and dispute-resolution obligations
• push tokens and notification preferences are kept until they are replaced, expire, are revoked, or are deleted with the associated account
• client troubleshooting logs sent to CloudWatch are retained for up to 60 days where that logging flow is enabled

10. Cookies and Similar Technologies

Based on the current website code reviewed for this policy, the public marketing website does not currently set non-essential analytics or advertising cookies.

We may still use essential technologies needed for site delivery, security, or session management, and our apps and dashboard may use local device storage, tokens, and similar technical mechanisms required to keep you signed in and protect accounts.

If you enter a third-party checkout, merchant storefront, or embedded commerce experience, that provider may use its own cookies or similar technologies under its own privacy and cookie notices.

If we add optional analytics, advertising, or similar non-essential tracking on the website in the future, we will update this policy and request consent where required.

11. Your Rights and Choices

Subject to applicable law, you may have the right to access, correct, delete, restrict, object to, or port your personal data, and to withdraw consent where consent is the legal basis.

You can also:

• manage notification preferences in app settings where those controls are available
• manage marketing preferences through unsubscribe links or by contacting us
• delete your account in app settings where that feature is available, or request deletion by contacting us

To exercise privacy rights, contact contact@oiid.com. We may need to verify your identity before completing your request.

You also have the right to lodge a complaint with the Norwegian Data Protection Authority, Datatilsynet, or your local supervisory authority.

12. Security

We use administrative, technical, and organizational measures designed to protect personal data. No system is perfectly secure, so we cannot guarantee absolute security, but we work to reduce risk through access controls, logging, encryption, service hardening, and incident response procedures.

13. Changes to This Policy

We may update this policy from time to time to reflect changes to the Services, legal requirements, or our processing practices. When we make material changes, we will update the effective date on this page and may provide additional notice in the Services where appropriate.

14. Contact

If you have questions about this Privacy Policy or our data practices, please email contact@oiid.com.