Privacy policy
Summary
- We run Haystack to help people discover music and to receive track submissions. We do not sell your personal data.
- Optional analytics (Google Analytics) runs only if you accept cookies. You can change that anytime via Cookie settings.
- Submitting a track uses your device’s email app to send information to us; we explain exactly which fields below.
- Playing tracks may load content from SoundCloud and YouTube; those services have their own privacy notices.
- You have rights under UK law (access, correction, deletion, and more). You can complain to the ICO.
Who we are
Haystack (“Haystack”, “we”, “us”, “our”) operates this website. We are the data controller for personal data processed in connection with the site, except where a third party (for example Google as analytics provider) determines how they process certain data. In those cases they are an independent controller or processor as described in their terms.
This policy explains how we collect, use, store, and share personal data when you visit haystack.fm (or the domain where this site is hosted), use the audio player, interact with the cookie banner, or use the track submission flow.
Scope
This policy applies only to this website and the processing we describe here. It does not cover third-party websites, apps, or social networks you reach by following links, including SoundCloud, YouTube, or other platforms where music is hosted.
Definitions
- Personal data means information that relates to an identified or identifiable individual.
- Processing means anything we do with personal data (including collecting, storing, using, and deleting it).
- Consent must be freely given, specific, informed, and unambiguous (for example accepting optional analytics via our banner).
Personal data we process
When you browse the site
- Technical & usage data. Your browser sends standard technical data (for example IP address, user agent, language, and referrer). Our hosting provider may log requests for security and reliability. If you do not accept analytics cookies, we do not load Google Analytics on that visit (after you reject or before you accept).
- Approximate location. If you accept Google Analytics, Google may derive a broad geographic area from your IP. It is not precise GPS.
When you use the music player
Playback uses embedded or linked services (for example SoundCloud’s player and YouTube for video or thumbnails). Those providers may process data according to their own policies when their content loads. We do not receive your SoundCloud or Google account passwords through normal playback.
When you submit a track for consideration
The submit form is designed to open your email app with a pre-filled message to submissions@haystack.fm. That means you send the email from your device; we do not host a separate upload server for that flow in the current implementation.
The email typically includes:
- SoundCloud track URL (required)
- Optional YouTube URL
- Genre and region/location you selected
- Your contact email address
- Confirmation that you agreed to the rights statement
We use this information to assess submissions, respond to you, and operate Haystack. Do not include sensitive special-category data in your submission unless strictly necessary and lawful.
When you contact us
If you email us (including privacy requests), we process your address, message content, and any attachments as needed to reply and keep a proportionate record.
Purposes and lawful bases
Under UK GDPR we must have a lawful basis for each purpose. The table below is a summary.
| Purpose | Typical lawful basis |
|---|---|
| Operate the website, deliver pages and audio features, ensure security and prevent abuse | Legitimate interests (balanced against your rights) |
| Optional measurement with Google Analytics | Consent (via cookie banner) |
| Remember your cookie choice (local storage) | Consent / strictly necessary for the consent mechanism (depending on implementation) |
| Review and respond to track submissions | Legitimate interests and/or steps at your request prior to entering an agreement |
| Comply with law, regulation, or legal process | Legal obligation |
Where we rely on legitimate interests, you may have a right to object in certain circumstances (see Your rights).
Cookies and similar technologies
Cookies are small text files. We also use browser local storage to remember your cookie choice. We do not use optional analytics cookies unless you click Accept on our banner. If you choose Reject, we do not load the Google Analytics script for that choice.
You can reopen your choices anytime via Cookie settings on this page, or clear storage in your browser.
| Name / key | Purpose | Provider | Duration |
|---|---|---|---|
| haystack_cookie_consent | Stores whether you accepted or rejected optional analytics (browser local storage). | Haystack | Until you clear site data or change your choice in Cookie settings |
| Google Analytics (_ga, _ga_*, and related) | Aggregated usage statistics (pages, sessions, approximate geography), only after consent. | Google LLC · ID G-7N7CRHQKPB | Set by Google; see Google’s Privacy Policy and Google Analytics data practices |
You can use Google’s opt-out tools and browser controls as described in Google’s documentation. We do not control Google’s systems.
Third-party services and embedded content
Parts of the site rely on services we do not control. They may set their own cookies or process data when their content loads. You should read their policies.
| Service | Role | More information |
|---|---|---|
| Google Analytics | Optional analytics if you consent | Google Privacy Policy |
| Google Fonts (fonts.googleapis.com / gstatic) | Delivery of font files when you load pages | Google Fonts FAQ |
| SoundCloud | Audio playback and related widgets/APIs | SoundCloud Privacy |
| YouTube (Google) | Optional video/thumbnail content when linked to tracks | Google Privacy Policy |
| Web hosting / infrastructure | Serving the site and logs | Depends on your hosting provider’s terms |
Sharing and processors
We do not sell your personal data. We share data only as needed:
- Service providers (processors) who help us host, secure, or analyse the site under our instructions (for example hosting; Google for analytics if you consent).
- Legal & safety if we believe disclosure is required by law, court order, or to protect rights, safety, or integrity of users or the public.
- Business transfers if we ever reorganise or transfer assets, subject to appropriate safeguards and notice where required.
International transfers
Some providers (including Google) may process data in the United States and other countries. Where personal data is transferred outside the UK, we ensure a valid transfer mechanism under UK law (for example the UK extension to the EU-US Data Privacy Framework where applicable, UK adequacy regulations, or standard contractual clauses), and we assess risks as appropriate.
How long we keep personal data
- Cookie consent record — kept until you change your choice or clear browser storage.
- Analytics — retention in Google Analytics is configured in our Google account; aggregated reports may be retained as allowed by Google’s product terms.
- Submission emails — kept only as long as needed to review and correspond with you, manage our catalogue, and meet legal, tax, or accounting obligations, then deleted or anonymised unless a longer period is required by law.
- Correspondence — kept for a reasonable period to resolve queries and defend legal claims if necessary.
Security
We implement technical and organisational measures appropriate to the risk (for example secure connections where provided by our host, access controls on accounts we control, and careful handling of submission inboxes). No website can guarantee absolute security; please use strong, unique passwords for your own email and accounts.
Your rights
Depending on your situation, you may have the following rights under UK data protection law:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure — ask us to delete data in certain circumstances.
- Restriction — ask us to limit processing in certain circumstances.
- Objection — object to processing based on legitimate interests or for direct marketing.
- Data portability — receive certain data in a structured, machine-readable format where processing is based on consent or contract and is automated.
- Withdraw consent — where we rely on consent (for example analytics), you can withdraw it at any time; this does not affect lawfulness of processing before withdrawal.
- Complaint — lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority.
To exercise rights, contact us at privacy@haystack.fm. We may need to verify your identity. You will not usually have to pay a fee.
Automated decision-making and profiling
We do not use automated decision-making that produces legal or similarly significant effects solely by automated means in relation to the activities described in this policy. Analytics may produce aggregate statistics only.
Children
The site is not directed at children under 13. We do not knowingly collect personal data from children. If you believe we have, contact us and we will take steps to delete it.
Marketing
We do not send promotional emails or newsletters unless we introduce that service in the future and give you a separate choice to opt in. Submission-related emails are operational, not marketing, unless clearly described otherwise.
Changes to this policy
We may update this policy from time to time (for example when we add features or regulators change guidance). We will post the new version on this page and change the “Last updated” date. For material changes, we may also show a notice on the site or seek consent where required.
Contact and supervisory authority
Privacy & data rights: privacy@haystack.fm
Track submissions: submissions@haystack.fm (as used by the submit form)