Privacy Policy

Version 1.0 · Last updated: 2026-04-21

1. Who We Are

The Mixing Blueprint (operated by The Mixing Blueprint, based in Spain) is the data controller for the personal data collected through this Service. Contact us at support@mixingblueprint.com.

2. Data We Collect

When you use the Service we collect:

  • Account data: email address, username, hashed password, email verification status, registration date.
  • Discogs OAuth tokens (only if you connect Discogs): access tokens stored encrypted. We never see your Discogs password.
  • Collection metadata (only if you connect Discogs): artist, title, year, label, genre, thumbnails — cached from your Discogs account.
  • Analysis results: BPM, key, structure, and visualizations of tracks you analyze. These are tied to your account.
  • Usage data: timestamps of scans and other actions for quota enforcement.
  • Audio files: temporarily stored in RAM (tmpfs) during analysis. Automatically deleted after 30 minutes. Not retained.
  • Technical data: IP address (used for rate limiting, not stored beyond 24 hours), browser user-agent.

3. How We Use Your Data

  • To provide the Service (analyze tracks, sync collection, generate recommendations).
  • To authenticate you and secure your account.
  • To send transactional emails (verification, password reset, security alerts).
  • To enforce usage limits and prevent abuse.
  • To comply with legal obligations.

We do NOT sell your data, show advertising, or use your data to train AI models.

4. Legal Basis (GDPR)

  • Contract: processing needed to deliver the Service you requested.
  • Consent: for optional integrations like Discogs.
  • Legitimate interest: security, fraud prevention, quota enforcement.
  • Legal obligation: compliance with applicable laws.

5. Your Rights

Under GDPR and similar laws, you have the right to:

  • Access the data we hold about you — export available at Profile → Export My Data.
  • Rectify inaccurate data — update from Profile.
  • Delete your account and all associated data — Profile → Delete Account.
  • Port your data (receive it in JSON format).
  • Object to processing or restrict it.
  • Lodge a complaint with your local data protection authority.

6. Data Retention

  • Account data: kept while your account is active.
  • Uploaded audio: deleted automatically after 30 minutes.
  • Analysis results: kept while your account is active; deleted when you delete the scan or account.
  • IP logs for rate limiting: 24 hours.
  • Backups: encrypted, retained for 30 days after deletion.

7. Third Parties

  • Discogs — when you connect: your Discogs username and collection are accessed via OAuth. See Discogs Privacy.
  • hCaptcha — bot protection on registration. See hCaptcha Privacy.
  • Email provider — used only to send you transactional emails (verification, reset).
  • Hosting — your data is stored on servers located in the EU.

8. Cookies

We use strictly necessary cookies for authentication (session cookie) and CSRF protection. No tracking cookies, no analytics cookies, no advertising cookies.

9. Security

Passwords are hashed (bcrypt/pbkdf2). OAuth tokens are stored encrypted. Connections are HTTPS-only. We apply rate limiting and CSRF protection. We will notify you within 72 hours of any security incident affecting your data.

10. Children

The Service is not directed to children under 16. If we learn we collected data from a child under 16, we will delete it.

11. Changes

We may update this policy. Material changes will be communicated via email. The "Last updated" date above reflects the current version.

12. Contact

For privacy requests or questions: support@mixingblueprint.com. We respond within 30 days.