Privacy policy

Effective date: 1 August 2026. Data controller: Tahti ry, Finland.

Who we are

Tahti ry (business ID to be registered) is a Finnish nonprofit association (yhdistys) and the data controller for personal data processed through the tahti.live platform. Contact: tietosuoja@tahti.live.

What we collect and why

Account data
Email address, username, display name, optional avatar and bio. Collected when you register. Used to operate your account, authenticate you, and let listeners find you.
Payment data
Stripe processes all card payments. We receive a Stripe customer ID and subscription status. We do not store card numbers or bank details.
Content you upload
Audio files, release metadata, tracklists, images, and newsletter text. Stored to provide the platform service. You retain full copyright.
Usage data
Play counts, download counts, and fan subscription activity. Used to calculate your engagement units for the annual grant distribution. Aggregated totals are published on the transparency page (with your consent for attribution).
Newsletter data
If listeners subscribe to your newsletter, their email addresses are stored on your behalf. You are the data controller for your subscriber list; we are the processor.
Technical logs
Server access logs (IP address, user agent, timestamp) retained for 30 days for security and debugging. Not used for profiling or advertising.

Cookies

We use one session cookie (tahti_session) to keep you logged in. It is strictly necessary for authentication and cannot be opted out while using the platform. We do not use advertising cookies, tracking pixels, or third-party analytics scripts.

Who we share data with

  • Stripe — payment processing. Their privacy policy applies to payment data.
  • Hetzner / UpCloud — infrastructure hosting within the EU/EEA.
  • Revelator — music distribution to DSPs, if you opt in to distribution. Only release metadata (title, ISRC, credits) is shared, not personal account data.

We do not sell data, share data with advertisers, or transfer data outside the EU/EEA without Standard Contractual Clauses.

How long we keep data

  • Account data: kept while your account is active, plus 1 year after deletion.
  • Upload content: deleted within 30 days of account deletion (or immediately on request).
  • Payment records: 7 years (Finnish accounting law).
  • Engagement unit data: 7 years (required for grant audit trail).
  • Server logs: 30 days.

Your rights under GDPR

You have the right to:

  • Access — request a copy of all personal data we hold about you.
  • Rectification — correct inaccurate data.
  • Erasure — delete your account and personal data.
  • Portability — export your data (releases, archive, analytics) in machine-readable format from the dashboard settings.
  • Objection — object to processing for legitimate interests.
  • Restriction — restrict processing while a dispute is resolved.

To exercise any right, email tietosuoja@tahti.live. We respond within 30 days. If you are not satisfied, you may lodge a complaint with the Finnish Data Protection Ombudsman (tietosuoja.fi).

Changes to this policy

We will notify registered artists by email of any material changes at least 30 days before they take effect. The current version is always at this URL.