Privacy policy

1. Introduction

This website and related services (“Services”) are operated under the name Muted Symphony.

We respect your privacy and are committed to processing personal data lawfully, fairly, and transparently, in accordance with Regulation (EU) 2016/679 (“GDPR”) and other applicable data protection laws.

This Privacy Policy explains what personal data we may collect, how we use it, the legal bases for processing, and the rights available to users of the Services.

2. Data controller

Controller: [Your full legal name]

Project / trading name: Muted Symphony

Contact (privacy & GDPR requests): [your-privacy@email.com]

Location: [City, Country] — optional: add a postal address if you choose to publish it.

Website: [https://your-domain.com]

There is no Data Protection Officer (DPO) appointed unless required by law. For any privacy request or question, contact us at the email above.

If a legal entity is formed in the future, this section may be updated to reflect the new controller details.

3. How we process data (technical overview)

The Services are provided using:

  • A Next.js website and server-side APIs;
  • A Payload CMS application that manages content and operational data;
  • A PostgreSQL database used by the CMS;
  • Hosting on virtual servers (VPS) supplied by IONOS SE (or its applicable affiliate), in the configuration used for our production environment [optional: e.g. EU region — specify if known].

This description is provided for transparency about the main technical environment where personal data is processed.

4. Categories of personal data we may process

Depending on how you use the Services, we may process:

  • Identity and account data: Patreon user identifier, email address, name/display name, profile image URL, membership tier information.
  • Authentication and security data: session information stored in cookies (including HTTP-only session cookies), OAuth-related cookies during login, and related security data.
  • Preference data: UI and experience settings stored in cookies or local storage where allowed by your consent choices.
  • Consent records: cookie consent choices and category selections (e.g. in browser storage).
  • Community and interaction data: comments, votes, and other content you submit.
  • Support and contact data: name, email, subject, message content, ticket references, and related correspondence.
  • Newsletter data: email address and subscription/consent status.
  • Licensing data: data needed to issue and manage digital licenses (see Section 7).
  • Public license verification (minimal technical data): when a public certificate check succeeds, we may record a timestamp, a one-way salted hash of the requesting IP address (not the raw IP in verification audit logs), and a short, truncated user-agent string, as described in Section 7.
  • Technical and anti-abuse data: IP address and/or user agent for rate limiting, abuse prevention, and service integrity (including on public verification routes).
  • Optional analytics/telemetry (consent-based): limited usage events sent to our own API (e.g. session entry/exit and related metadata), only if you enable analytics consent.

We do not intentionally collect special categories of personal data through the Services.

5. Purposes and legal bases (GDPR Article 6)

The table below summarises typical purposes and GDPR Article 6 legal bases. Public license certificate verification (including minimal technical data recorded on successful checks) is described in more detail in Section 7 and reflected in the dedicated row below.

Purpose | Legal basis
Providing the website, authentication, account features, and membership-linked entitlements | Performance of a contract / steps prior to contract (Art. 6(1)(b) GDPR)
Operating community features (e.g. comments, votes) | Performance of a contract and, where applicable, legitimate interests in operating a safe community (Art. 6(1)(b) and (f) GDPR)
Customer support and ticketing | Performance of a contract and legitimate interests in handling requests (Art. 6(1)(b) and (f) GDPR)
Newsletter, where you opt in | Consent (Art. 6(1)(a) GDPR)
Security, abuse prevention, rate limiting, maintaining service integrity | Legitimate interests (Art. 6(1)(f) GDPR)
Public digital certificate verification (QR / web lookup): confirming a certificate exists; minimal technical signals per successful check (salted hash of IP, truncated user agent); aggregated counts and optional audit history for the licensee in the account area; related anti-abuse measures | Legitimate interests in operating a trustworthy licensing programme and preventing misuse (Art. 6(1)(f) GDPR); where you are the licensee, processing also supports the licensing relationship (Art. 6(1)(b) GDPR)
Non-essential cookies/storage, optional analytics/telemetry | Consent (Art. 6(1)(a) GDPR)

Where we rely on legitimate interests, we balance our interests against your rights. You may object as described in Section 11.

6. Cookies and similar technologies

We use essential technologies required for core functionality and security. Non-essential categories (preferences, analytics, and marketing where applicable) are used in line with your choices in our cookie preference panel.

You can change or withdraw non-essential choices at any time via Cookie settings in the website footer.

Further detail is in our Cookie policy.

7. Digital licenses (Patreon-linked licensing)

If you request or receive a digital license linked to Patreon membership, we process personal data as reasonably necessary to:

  • verify eligibility and membership entitlements;
  • create, deliver, and evidence the license (including PDF delivery by email where applicable);
  • associate the license with the correct account;
  • enforce tier-based limits and reduce misuse;
  • provide support and keep records for compliance, auditing, and dispute resolution.

This may include Patreon identifiers, the email address associated with your authenticated session, track/project identifiers, and descriptive project information you provide, as well as license status and delivery metadata.

Public certificate verification (QR and website). Anyone with the public verification link (for example from a QR code on a PDF certificate) can open our website to confirm that a matching certificate exists in our records. The public page shows only a limited, non-identifying set of fields (such as status, license type label, issuance date, track title, and issuer). We do not display licensee personal data on that page (for example we do not show the licensee’s full name or email there).

To run this feature responsibly and to protect the licensing programme, we process minimal technical data about each successful public verification response: a timestamp, a one-way cryptographic hash of the requesting IP address using a server-side secret salt (so we do not store the raw IP address in the verification audit log rows used for this purpose), and a short, truncated user-agent snippet. We use this information for abuse prevention and rate limiting, detecting automated misuse, supporting the integrity of issued certificates, and—for the licensee (the account holder linked to the license)—to show how often the public check succeeded and when it was last used, including an optional per-event history in the private account area. We do not use this information for marketing profiles, and we do not perform geolocation on visitors solely from this feature.

Administrators may export or delete verification event rows within a chosen date range for operational reasons. When deletion is performed through the administrator purge tool, aggregate counters and the “last verification” timestamp on affected licenses are recalculated from the remaining event rows.

The Article 6 summary table in Section 5 includes the legal bases that apply to this processing.

8. Recipients, processors, and third-party services

We may share personal data with providers who process data on our instructions, including:

  • IONOS — VPS hosting and infrastructure for the website and CMS.
  • Resend — email delivery for transactional messages (when enabled), such as support notifications and license-related emails.
  • Patreon — if you use Patreon sign-in, Patreon processes personal data under its own policies for the Patreon platform and OAuth flow.

We do not sell personal data.

9. International transfers

If any provider processes data outside the UK/EEA, we use appropriate safeguards under GDPR Chapter V (such as Standard Contractual Clauses and supplementary measures where required), consistent with applicable guidance.

10. Retention

We keep personal data only as long as needed for the purposes above, including account operation, licensing, support, security, and legal obligations, then delete or anonymise it where feasible. Retention periods may differ by data type. You may ask for more detail regarding your data by contacting us.

Public verification audit logs: rows that support the public certificate lookup feature (timestamps and the minimal technical fields described in Section 7) are kept according to operational, security, and dispute-resolution needs. They may be removed earlier where permitted by law and our internal policies (including manual deletion by administrators). If you are the licensee and have questions about your verification history, contact us at the privacy email in Section 2.

11. Your rights

Subject to applicable law, you may have the right to access, rectify, erase, restrict, object (including to legitimate-interest processing), portability, and to withdraw consent where processing is consent-based.

To exercise these rights, email: [your-privacy@email.com]

We may need to verify your identity before responding. You may also complain to your local supervisory authority.

12. Automated decision-making

We do not use solely automated decision-making that produces legal or similarly significant effects.

13. Children’s privacy

The Services are not directed at children for independent submission of personal data. If you believe a minor’s data was provided inappropriately, contact us and we will take reasonable steps to review and, where appropriate, delete it.

14. Security

We apply appropriate technical and organisational measures intended to protect personal data. No online service is perfectly secure; we work to maintain reasonable safeguards for our context.

15. Changes to this policy

We may update this Privacy Policy. The “Last updated” date will change accordingly. Material updates may be highlighted where appropriate.

Replace bracketed placeholders with your details before publication. Consider legal review for your jurisdiction (including any national implementation of GDPR).

Last updated: 11 May 2026
