Privacy Policy.
Last updated · 2026-05-23
This Privacy Policy explains how Repeat (“Repeat,” “we,” “our,” “us”) collects, uses, shares, and protects personal information when you use repeat.fan, any artist site hosted on a *.repeat.fan subdomain, or any product or service we provide (together, the “Service”). By using the Service, you agree to the practices described here.
[01] Who we are
Repeat is an identity and engagement layer for music artists and labels. Artists sign up to host their fan-facing site on Repeat; fans interact with artists through those sites and may create a persistent Repeat account.
For the purposes of GDPR and similar laws, Repeat is the data controller for the Repeat account layer (your identity across artists, your subscriptions, your platform preferences). Each artist or label is the data controller for the content they publish and the communications they send. We act as a data processor on their behalf for those communications.
[02] Information we collect
Information you provide
- Phone number or email, plus any name or other details you give when you subscribe to an artist or sign in.
- Verification codes you receive via SMS or email link (we process the verification result, not your full inbox).
- Subscription preferences (which artists you connect to, which channels you allow, when you unsubscribe).
Information collected automatically
- Device and connection data: a hashed representation of your IP address (we never store your raw IP), your user agent, browser language, device type (mobile / tablet / desktop), operating system and browser family, and approximate location (country, region, and city) inferred from your IP address. We do not collect your precise location.
- Behavioral events: page views, marker taps, modal opens, capture submits, drop interactions, referrer URL, and UTM parameters when present. These power the artist's analytics and our service improvement.
- Cookies and similar technologies — see our Cookie Policy.
Information from third parties
- Identity verification and bot-mitigation services (including reCAPTCHA, where indicated on the form): these verify your phone or email and screen for abuse.
- Artist-authorized integrations: when an artist connects a third-party tool to their Repeat workspace (for example, an SMS/email marketing provider or an e-commerce platform), your contact info and capture events may be passed to that tool under the artist's configuration.
[03] How we use information
- Provide the Service: create and maintain your Repeat account; deliver communications you opted into; render artist sites.
- Communications on behalf of artists: when you give consent to an artist, we (or the artist's authorized integration) send you SMS or email about that artist's releases, events, merch, and drops.
- Analytics and product improvement: understand how artists' sites perform, prevent abuse, debug issues.
- Compliance and safety: comply with legal obligations, enforce our Terms, protect Repeat, artists, and fans.
[04] Legal bases (EEA / UK)
- Consent — for marketing communications (SMS, email) you can withdraw at any time at repeat.fan/me or via the channel-specific opt-out (Reply STOP / unsubscribe link).
- Contract — to provide the Repeat account services you signed up for.
- Legitimate interests — to keep the Service secure and improve it, balanced against your interests.
- Legal obligation — to comply with law or court orders.
[05] How we share information
We share information only with:
- Artists and labels you connect with — they receive the contact details you give them and analytics about your engagement with their site. They are the controller for those communications.
- Service providers (sub-processors) that process data on our behalf, in the following categories:
  - Cloud infrastructure, hosting, and authentication
  - Database, file storage, and backup
  - Bot-mitigation and abuse-prevention services
  - SMS and email delivery providers
  - Error reporting and operational monitoring
- Artist-authorized integrations — third-party tools an artist or label has connected to their Repeat workspace (for example, marketing-automation, SMS broadcast, or e-commerce platforms). These run under the artist's configuration and only for the purposes the artist enabled.
- Legal recipients — when required by law, court order, or to defend our rights and the safety of users.
We do not sell personal information as defined by CCPA/CPRA or comparable laws. We do not run a third-party ad network.
[06] How long we keep information
We keep your Repeat account data as long as the account is active. You can soft-delete your account at any time at repeat.fan/me; we will mark the account deleted and stop including you in artist broadcasts. We retain a minimal record (your account ID, deletion timestamp, consent history) for audit and to honor opt-out requests. Hard deletion of all personal data on request typically completes within 30 days, subject to legal retention obligations.
[07] Your rights
Depending on where you live, you have some or all of the following rights:
- Access — see what data we hold about you (use repeat.fan/me; email us for an export).
- Correction — update inaccurate data via your account or by emailing us.
- Deletion — request deletion via repeat.fan/me or email hello@repeat.fan.
- Opt-out of marketing — reply STOP to any SMS, click the unsubscribe link in any email, or toggle per-artist controls at repeat.fan/me.
- Portability — receive your data in a machine-readable format (email us).
- Restrict / object — limit or object to processing in certain cases.
- Lodge a complaint with your local data protection authority (EU / UK residents).
To exercise these rights, use the controls on repeat.fan/me or contact us at hello@repeat.fan.
[08] Security
We use industry-standard measures to protect your data: HTTPS everywhere, authenticated access, Firestore Security Rules that enforce per-tenant isolation, encrypted at-rest storage, and principle-of-least-privilege server credentials. No system is perfectly secure; if you believe your account has been compromised, contact us immediately.
[09] International data transfers
Repeat's infrastructure providers may process data in the United States or other countries. Where data crosses borders into or out of the EEA / UK, we rely on appropriate safeguards (such as Standard Contractual Clauses).
[10] Children
The Service is not directed to children under 13 (or under 16 in the EEA / UK). We do not knowingly collect personal information from children. If you believe a child has provided data to us, contact us and we will delete it.
[11] Changes to this policy
We may update this Privacy Policy. Material changes will be announced on the Service or by email when we have an email address for you. The “Last updated” date at the top reflects the current version.
[12] Contact
For privacy questions or to exercise your rights, email hello@repeat.fan.