Privacy
Last updated 2026-05-02. Plain English version of our data practices. The legal version sits below in the same shape.
What we collect, why, and where it goes
| Data | Why | Stored where |
|---|---|---|
| Email + display name + password (hashed) | Signing in, contacting you about your account | SQL Server in our European data centre |
| Set history — track titles, artists, BPM, key, time you played them | Building your tracklist, analytics, recommendations | Same DB |
| 15-second audio samples captured by the desktop client | Sent to ACRCloud for identification only | Held in server memory for the API round-trip, then deleted. Never written to disk on our side |
| Mastered MP3s + merged YouTube videos | Letting you download and publish a finished mix | On our app server, deleted 48 hours after creation |
| OAuth tokens for Mixcloud / YouTube | Posting on your behalf when you press Publish | Encrypted at rest with ASP.NET Core DataProtection. We never see your platform passwords |
| Stripe payment records | Subscription billing | Stripe handles all card data — we never receive it. We only store Stripe's customer + subscription IDs |
Third parties
- ACRCloud — receives 15s audio samples for identification. They have their own privacy policy at acrcloud.com.
- Stripe — receives all card and tax data; we receive only confirmation of payment.
- Mixcloud / Hearthis / YouTube — only when you choose to publish; the upload uses your account's OAuth token (or your Hearthis API key).
Your rights under UK GDPR
You have the right to access, correct, delete, restrict, port or object to the processing of your personal data. You can:
- Export everything we hold about you - email us and we'll send a structured JSON dump within 30 days.
- Delete your account from Account Settings - we wipe it within 30 days (audit + billing records may be retained longer where required by law).
- Correct anything in your Account page directly, or email us if it's something you can't change yourself.
- Withdraw consent for the OAuth platform connections (Mixcloud / YouTube) by clicking Disconnect on the relevant integration - we'll delete the stored tokens immediately.
Email support@makingwaves.live for any of the above. If you're unhappy with how we've handled your data, you can complain to the UK Information Commissioner's Office (ico.org.uk/make-a-complaint).
Cross-DJ analytics
"Trending on platform" charts and the recommendation engine use track-level data aggregated across all DJs whose sets are marked Network or Public. Sets marked Private are completely excluded - they don't surface anywhere except in your own dashboard. The lawful basis for aggregated analytics is legitimate interest (running and improving the service).
Lawful bases
We rely on the following lawful bases under UK GDPR Article 6:
- Contract - account creation, sign-in, billing, set monitoring, mix mastering, publishing on your instruction.
- Legitimate interests - service security, aggregated trend analytics on Network / Public sets, product improvement.
- Consent - connecting third-party platforms via OAuth (Mixcloud / YouTube).
- Legal obligation - retention of billing records for tax purposes (HMRC: 6 years).
International transfers
All MakingWaves servers are in the UK / EEA. Third-party subprocessors who may receive personal data outside the UK include:
- Stripe Payments Europe Ltd (Ireland, with global processing) - payments. Stripe is GDPR-compliant under their Data Processing Addendum.
- ACRCloud (Singapore + USA) - audio fingerprinting. Transfers covered by Standard Contractual Clauses.
- Google LLC (USA) - only when you publish to YouTube. Transfer happens between you and Google directly via OAuth; we relay only the OAuth token and the upload content.
- Mixcloud Ltd (UK) - publishing.
Data controller
MakingWaves is operated by Evolvin Ltd, registered in England and Wales. For data-protection matters: dpo@makingwaves.live.