Privacy Policy

This Privacy Policy explains what personal data VinylCrate collects, how we use it, and your rights over it. We process data in compliance with applicable privacy laws worldwide, including the GDPR (EU/EEA), UK GDPR, Australian Privacy Act 1988, CCPA/CPRA (California), PIPEDA (Canada), and equivalent legislation in other jurisdictions.

Read this alongside our Terms & Conditions.

1. Who Is Responsible for Your Data

VinylCrate is the data controller — we decide how and why your data is processed. Contact us through the application for any privacy enquiries or to exercise your rights.

2. What We Collect

We collect only what is necessary to provide the Service:

• Account data — name, email, username, and hashed password when you register.
• Profile data — optional details such as a profile photo or bio.
• Collection data — vinyl records, wantlists, play logs, and other content you add.
• Technical data — IP address, browser type, device information, and server logs (retained up to 90 days for security and debugging).
• Discogs data — if you connect your Discogs account, we import your collection, wantlist, and ratings via the Discogs API.
• Push notification tokens — only if you explicitly opt in. Withdraw consent at any time in your browser or device settings.

3. Why We Use Your Data

We use your data to:

• Provide and maintain the Service — your account, collection, play history, wantlist, and social features (contract performance).
• Keep your account secure and prevent fraud (legitimate interests).
• Personalise your experience, such as collection matching (legitimate interests).
• Send push notifications — only with your consent, which you may withdraw at any time.
• Monitor and improve Service performance (legitimate interests).
• Comply with legal obligations.

We do not sell your data. We do not use it for advertising or profiling.

4. Public Information

Your username, profile, collection, wantlist, and play activity may be visible to other users or publicly via your profile URL. Manage visibility in your account settings. We are not responsible for how others use information you choose to make public.

5. Who We Share Data With

We do not share your data with third parties except:

• Service providers — vendors who help us run the Service (hosting, email, error monitoring), bound by data processing agreements and permitted to process data only on our instructions.
• Legal requirements — when required by law, court order, or a competent authority.
• Business transfers — if we are acquired or merge with another company. We will notify you before your data is transferred to a different controller.

Where data is transferred outside your country of residence, we use appropriate safeguards (such as standard contractual clauses or adequacy decisions) to ensure it remains protected to an equivalent standard.

6. How Long We Keep Your Data

• Account, profile, and collection data — kept while your account is active, then deleted or anonymised within 30 days of account deletion.
• Server logs — up to 90 days.
• Encrypted backups — purged within 90 days of deletion.
• Push notification tokens — deleted immediately when you revoke permission or delete your account.

Anonymised, aggregated data may be kept indefinitely for analytics. We retain certain data longer where required by law.

7. Security

We use encrypted storage, hashed passwords, HTTPS-only connections, and access controls to protect your data. If a breach occurs that poses a risk to you, we will notify the relevant authority within 72 hours and inform you directly where required by law.

8. Your Rights

Depending on where you live, you have some or all of the following rights over your personal data. We will respond within 30 days and will not charge a fee for reasonable requests.

• Access — request a copy of the data we hold about you.
• Correction — ask us to fix inaccurate or incomplete data (you can update most data directly in settings).
• Deletion — ask us to delete your data where we no longer have a lawful basis to keep it.
• Portability — receive your data in a structured, machine-readable format.
• Restriction or objection — ask us to stop or limit certain processing.
• Withdraw consent — for any processing based on consent (e.g. push notifications), withdraw at any time without affecting prior processing.
• Opt out of sale — we do not sell your data, so this right is not applicable, but you may contact us to confirm.
• Lodge a complaint — you may contact your local data protection authority at any time. We encourage you to reach out to us first so we can resolve it directly.

Exercise any of these rights by contacting us through the application. We may need to verify your identity before acting on your request.

9. Cookies

We use only strictly necessary cookies and local storage to keep you logged in and remember your preferences. We do not use advertising cookies or cross-site trackers. Blocking cookies will prevent you from staying logged in.

10. Children

The Service is not directed at children under 16. Those aged 13–15 may use it only with verifiable parental consent. We do not knowingly collect data from anyone under 13. Contact us if you believe a child has registered without appropriate consent and we will delete that data promptly.

11. Changes to This Policy

For material changes that affect your rights or how we use your data, we will notify you at least 30 days in advance by email or in-app notice. The "Last updated" date above always reflects the current version.