Privacy Policy

Effective Date: July 30, 2025
(Last amended: 30 July 2025)

1. Who We Are

The Neptone project, currently operated by its founder in a personal capacity, is the data controller responsible for processing your personal data under Regulation (EU) 2016/679 (GDPR). A dedicated company, NEPTONE SAS, is being incorporated.

2. Scope of This Policy

This Policy applies to all personal data collected through our web application, website and related services (together, the “Service”). It does not apply to third‑party services that we do not own or control.

3. Data We Collect

Category	Examples	Sources
Account Data	name, surname, email, hashed password, Spotify ID	User provided
Contact Data	messages, support tickets	User provided
Technical & Usage Data	IP address, device info, browser type, usage logs	Automatically collected via Firebase & Cookies
Playlist Metadata	track IDs, playlist names, metadata enrichments	Spotify API, Soundcharts API

4. How We Collect Data

When you create an account or authenticate via Spotify (OAuth)
When you interact with the Service
Via cookies, SDKs and similar technologies

5. Purposes & Legal Bases

Purpose	Legal Basis (Art. 6 GDPR)
Account creation & contract performance	Contract (6 (1)(b))
Providing & improving the Service	Legitimate interest (6 (1)(f))
Analytics & crash reporting	Consent (6 (1)(a))
Marketing emails (non‑transactional)	Consent (6 (1)(a))
Fraud prevention & security	Legitimate interest (6 (1)(f))

6. Data Retention

Data Category	Retention Period
Account Data	Until account deletion + 30 days backup
Inactive accounts	Deleted after 24 months of inactivity
Contact/support tickets	12 months after latest interaction
Analytics (pseudonymised)	13 months

7. Sharing & International Transfers

We share data only with service providers acting on our instructions:

Processor	Purpose	Location	Safeguards
Google Firebase	hosting, auth, analytics	EU/US	SCCs + EU Data‑Privacy Framework
Google Analytics 4	web analytics	US	Consent mode + SCCs

Transfers outside the EEA rely on Standard Contractual Clauses and additional safeguards (encryption in transit and at rest).

8. Cookies & Tracking Technologies

We use essential cookies (session, authentication) and non‑essential cookies (analytics, A/B testing). Non‑essential cookies are deployed only after you provide explicit consent via the cookie banner. You can withdraw consent at any time in “Cookie Settings”.

9. Your Rights

You have the right to:

Access your personal data;
Rectify inaccurate data;
Erase data (“right to be forgotten”);
Restrict processing;
Object to processing based on legitimate interests;
Data Portability for data you provided;
Withdraw consent at any time;
Lodge a complaint with the CNIL (https://www.cnil.fr).

Requests may be sent to lisehelene@neptone.io. We will respond within 30 days.

10. Automated Decision‑Making

Neptone does not use your personal data to make decisions producing legal or similarly significant effects.

11. Security Measures

TLS 1.3 encryption in transit
Argon2 password hashing with pepper
Principle of least privilege & MFA for staff
Regular penetration tests and vulnerability scanning
Incident response plan aligned with ISO 27001

12. Data Breach Notification

In the event of a personal‑data breach, we will notify the competent supervisory authority within 72 hours and affected users without undue delay when required by Articles 33–34 GDPR.

13. Children’s Privacy

The Service is not directed to children under 16. If we learn that we have collected personal data from a child, we will delete it promptly.

14. Changes to this policy

We may update this Policy to reflect legal or operational changes. If the changes are material, we will give at least 15 days' notice by email or in‑app message. The revised Policy will be effective on the date indicated at the top.

15. Contact

For privacy questions or to exercise your rights:
Lise-Hélène BITTON
Email: lisehelene@neptone.io
Address: 99A Boulevard Constantin Descat, 59200 Tourcoing, France