Who we are
Sovereign Sign Protocol ("SSP") is the data controller for personal data processed in the application. Contact: privacy@ssp.invalid. EU representative: rep@ssp.invalid.
Data we process
- Account: email, display name, hashed password (managed by our auth provider).
- Masters: audio files you upload to a private bucket, plus SHA-256 hash, ISRC, ISWC, title, artist, duration.
- Splits: contributor names, roles, Polygon wallet addresses, basis-point shares.
- Wallet attestations: the signed EIP-191 message and signature proving you control a wallet.
- Sanctions screening: cached boolean result from the Chainalysis OFAC oracle for each wallet you use.
- Consent ledger: which cookie / policy versions you accepted, when, with a salted hash of your IP and your user agent.
Legal bases (GDPR Art. 6)
Contract (running the service you asked for), legal obligation (sanctions screening, tax/audit), and consent (analytics cookies, optional marketing). You can withdraw consent at any time.
On-chain data
Anything written to Polygon (track hashes, splits, payments) is public and permanent. We cannot delete it. Don't include personal data in fields that get written on-chain.
Your rights
Under GDPR / UK GDPR / CCPA you can request access, rectification, portability, restriction, objection, and erasure. Use the self-service tools at /account/data or email privacy@ssp.invalid. We respond within 30 days.
Retention
Account data: until you delete the account. Consent records: 6 years (audit). Storage: deleted with the account. On-chain records: permanent.
International transfers
Data is hosted in the EU. Sub-processors outside the EEA are bound by Standard Contractual Clauses.
Sub-processors
Auth/database hosting; Polygon RPC providers; Chainalysis sanctions oracle. Full list: subprocessors@ssp.invalid.
Complaints
You may lodge a complaint with your local supervisory authority (e.g. CNIL in France, ICO in the UK).