Last Updated: May 2026
myPalco ("we", "us", "our") processes your personal data in accordance with Regulation (EU) 2016/679 (GDPR) and applicable Portuguese law. This Privacy Policy explains what data we collect, how we use it, and your rights. By using the Service, you acknowledge this Policy. For questions: legal@mypalco.com.
You retain ownership of the content you upload (audio, video, images, and other User Content). myPalco does not claim ownership of your content; ownership and the limited operational licence you grant us to run the Service are governed by the Terms of Service.
The "myPalco" service is operated by an individual entrepreneur (empresário em nome individual) established under Portuguese law, trading as "myPalco", who is the data controller responsible for your personal data within the meaning of Article 4(7) GDPR.
Contact details of the data controller:
myPalco
[SERVICE ADDRESS], Portugal
Email: legal@mypalco.com
The full legal identity of the data controller is available on request to data subjects and to competent supervisory or judicial authorities, by contacting legal@mypalco.com.
As of the effective date of this Policy, myPalco does not meet the thresholds requiring the mandatory appointment of a Data Protection Officer under Article 37 GDPR. myPalco will appoint a DPO if and when the scale of its data processing activities requires one. In the interim, all data protection inquiries may be directed to: legal@mypalco.com.
myPalco will update this section to reflect the appointment of a DPO, if applicable, and will publish the DPO's contact details on the platform.
Username, email address, password (hashed), profile information (name, bio, profile picture, banner image or video), and account settings provided at registration or subsequently.
Audio files (stored server-side and delivered via HLS Delivery as encrypted segments), video files, attribution metadata, project titles, session records, collaboration history, track privacy settings, team sharing status, and all other content you upload or create on the Service.
If you register or log in using a third-party authentication provider (currently Google Sign-In and Sign in with Apple), we receive certain personal data from that provider as part of the authentication process. We do not receive your password from these providers.
Google Sign-In: we receive your name, email address, profile photo URL (if available), email verification status, and a unique Google account identifier.
Sign in with Apple: we receive your name (provided at first login only), email address (which may be your real email or an Apple private relay address, depending on your Apple privacy settings), and a unique Apple account identifier.
Source of data: Google LLC (policies.google.com/privacy) and Apple Inc. (apple.com/legal/privacy), as applicable.
Legal basis: Article 6(1)(b) GDPR — processing is necessary for the performance of the contract between you and myPalco, specifically to create and manage your user account. We do not access any other data from your Google or Apple account (such as contacts, calendar, files, or payment information) beyond what is listed above.
You may revoke myPalco's access to your third-party account at any time through your Google or Apple account settings. Revoking access does not delete your myPalco account or the data already received; to delete your account and associated data, use the account deletion feature or contact legal@mypalco.com.
Session tokens, HLS manifest access logs, key delivery request logs. This data is processed for security, authentication, and anti-piracy TPM compliance purposes. Key delivery logs may be used to detect and investigate attempts to circumvent HLS Delivery encryption.
s social and collaboration features.
Content recognition match results; valid rights-holder notices received; counter-notifications submitted; account strike records; attribution metadata submissions; geo-restriction decisions; same-composition Session Post licensing status. This data is processed for legal compliance purposes and may be shared with rights holders and competent authorities as described in Section 4.6.
If you enable push notifications, the myPalco mobile application registers your device with the operating system's push notification infrastructure and receives a device push token. On iOS this token is issued by Apple Push Notification service (APNs), operated by Apple Inc.; on both iOS and Android the token is managed and routed through Firebase Cloud Messaging (FCM), operated by Google. The push token is a pseudonymous device identifier that allows us to deliver notifications to your device. We store the token in secure device storage and on our servers in association with your account. We do not use the token to track you across other apps or services.
Push notifications are sent only after you grant the operating-system permission. You may disable push notifications at any time in your device settings or in the app, which revokes our ability to send them. Legal basis: Article 6(1)(a) GDPR (your consent, given through the operating-system permission prompt) and, for transactional notifications strictly necessary to operate features you have activated, Article 6(1)(b) GDPR.
To detect, diagnose, and fix crashes, errors, and stability problems, the myPalco mobile application uses Firebase Crashlytics, a crash-reporting service operated by Google. When the app crashes or encounters a handled error, we collect: a crash or error stack trace; the type and model of your device; the operating-system version; the app version and build; the state of the app at the time of the event (for example, the screen in use and a limited log of non-personal diagnostic events leading up to the crash); device language and region; the amount of available memory and storage; and a pseudonymous installation identifier (Crashlytics Installation UUID) used to group reports from the same installation and to compute crash-free user metrics. Crash reports are not used to identify you personally and are not combined with your profile for advertising. We do not intentionally collect the content of your audio, video, messages, or files in crash reports.
Legal basis: Article 6(1)(a) GDPR — your consent, requested in the app before diagnostic collection begins. You may withdraw consent at any time in the app's privacy settings, after which diagnostic collection is disabled. See Section 1.13a.
To understand how the Service is used in aggregate and to improve it, the myPalco mobile application uses Firebase Analytics (Google Analytics for Firebase), operated by Google. Where you have consented, we collect events describing your interaction with the app, such as: app opens, screen views, feature usage, session start and duration, and similar interaction events; together with associated technical attributes such as device model, operating-system version, app version, device language and region, and a coarse, IP-derived approximate geographic location (country/region level). Firebase Analytics assigns a pseudonymous app-instance identifier to your installation. We use this data only in aggregated or pseudonymous form to measure usage patterns and product performance. We do not use Firebase Analytics for advertising, do not enable Google Analytics advertising features or Google Signals, and do not collect the Android Advertising ID or iOS IDFA for advertising purposes.
Legal basis: Article 6(1)(a) GDPR — your consent, requested in the app before any analytics collection begins. Analytics is disabled by default and is activated only if you opt in. You may withdraw consent at any time in the app's privacy settings, after which analytics collection is disabled. See Section 1.13a.
The myPalco mobile application uses Firebase Remote Config, operated by Google, to deliver feature flags, maintenance-mode status, and minimum-version (force-update) settings to the app. When the app fetches its configuration, Firebase Remote Config processes a pseudonymous app-instance identifier and basic technical attributes (such as app version, operating-system version, device language, and country) so that the correct configuration can be returned. This processing does not identify you personally. Legal basis: Article 6(1)(f) GDPR — our legitimate interest in operating, configuring, and safely maintaining the Service (including the ability to disable a feature or require an update for security reasons).
We do not sell personal data.
Trusted third-party providers (hosting, CDN, HLS delivery infrastructure, ACR technology, authentication services, analytics, security monitoring, customer support) under data processing agreements requiring appropriate security and confidentiality measures.
The myPalco mobile application relies on the following third-party providers, which act as processors or independent controllers for the purposes described:
These providers receive only the categories of data described in Section 1.3 for the limited purposes stated. They are not authorized to use that data for their own independent advertising or profiling in connection with the Service.
A full list of myPalco's current data sub-processors, including their names, locations, and the processing activities they perform on myPalco's behalf, is available upon request by contacting legal@mypalco.com. myPalco will notify users of material changes to its sub-processor list.
In connection with our DMCA, DSA, and CDSM Directive obligations, we may share: information contained in or related to valid infringement notices; attribution metadata identifying rights holders in Cover Stem uploads; content identifiers and URLs of removed or blocked content; HLS key delivery logs relevant to circumvention investigations; and account information required to comply with court orders or lawful enforcement requests. Processing in this context is based on legal obligation (Article 6(1)(c) GDPR). Attribution metadata collected at upload time may be shared with rights holders in the context of our Article 17 licensing outreach and Transparency Reports.
We may disclose information to the CNPD, IGAC, ANACOM, Portuguese courts, law enforcement, or other competent authorities where required by law, pursuant to a court order, or to protect the rights or safety of users or the public.
If myPalco is involved in a merger, acquisition, or asset sale, user information may be transferred. We will notify you of any such transfer and material changes to data processing.
To exercise these rights, contact legal@mypalco.com:\n
You have the right to lodge a complaint with the CNPD (www.cnpd.pt) if you believe your data has been processed in violation of the GDPR.
We implement appropriate technical, administrative, and organizational security measures including: encryption of all audio content as an anti-piracy measure, with segments delivered via authenticated HLS; authenticated key delivery with server-side token validation; encrypted storage of credentials; access controls; and regular security reviews. No system is impenetrable. You are responsible for maintaining your account credential security.
In the event of a personal data breach within the meaning of Article 4(12) GDPR, myPalco will:
(a) Notify the Comissão Nacional de Proteção de Dados (CNPD) within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of affected individuals. Where notification is delayed beyond 72 hours, myPalco will document the reasons for the delay in accordance with Article 33(1) GDPR.
(b) Notify affected users without undue delay where the breach is likely to result in a high risk to the rights and freedoms of the affected individuals, in accordance with Article 34 GDPR. Notification will be made by email to the address associated with the user
s account, and where appropriate, by in-app notification. The notification will include: the nature of the breach; the likely consequences; the measures taken or proposed by myPalco to address and mitigate the breach; and the contact details of myPalco's data protection contact point.
(c) Notification to affected users is not required where: (i) myPalco has implemented appropriate technical protection measures (such as encryption) that render the affected data unintelligible to unauthorized persons; (ii) myPalco has taken subsequent measures that ensure the high risk is no longer likely to materialize; or (iii) notification would involve disproportionate effort, in which case myPalco will make a public communication or equivalent measure ensuring that affected individuals are informed effectively.
(d) myPalco maintains an internal register of all personal data breaches, including their effects and the remedial actions taken, regardless of whether notification to the CNPD or affected users is required.
Supervisory authority contact:
Comissão Nacional de Proteção de Dados (CNPD)
Av. D. Carlos I, 134 - 1.º
1200-651 Lisboa, Portugal
www.cnpd.pt | geral@cnpd.pt | +351 213 928 400
Where personal data is transferred outside the EEA, we implement appropriate safeguards in accordance with GDPR Chapter V, including standard contractual clauses approved by the European Commission or other recognized transfer mechanisms.
In particular, our use of Firebase services (Cloud Messaging, Crashlytics, Analytics, and Remote Config) and of Apple Push Notification service may involve the transfer of certain data to the United States. Google LLC and Apple Inc. are certified under the EU–U.S. Data Privacy Framework, and transfers are additionally covered by European Commission–approved standard contractual clauses incorporated into the Firebase Data Processing and Security Terms and Apple's data processing terms, as applicable. Copies of the relevant transfer mechanisms are available on request at legal@mypalco.com.
The Service is not directed to children under 13 years of age. In accordance with Article 8 GDPR as transposed into Portuguese law, the minimum age for consent to information society services is 13.
During account registration, all new users are required to confirm whether they are 13 years of age or older. Users who indicate that they are under 13 are not permitted to create an account independently. In such cases, the registration process requires the involvement of a parent or legal guardian, who must complete the registration on the minor's behalf and provide verifiable parental consent in accordance with Article 8 GDPR.
myPalco does not knowingly collect personal data from children under 13 without verifiable parental consent. If we become aware that personal data has been collected from a child under 13 without appropriate parental consent, we will take prompt steps to delete the data and, where appropriate, terminate the associated account.\n
Parents or legal guardians who believe their child has provided personal data to myPalco without consent may contact: legal@mypalco.com.
Non-essential cookies and similar technologies require consent where required by applicable law. You may manage cookies through your browser settings. Disabling certain cookies may affect Service functionality including audio playback and session management. myPalco does not use third-party advertising cookies and does not sell personal data.
The myPalco mobile application does not use browser cookies but does use software development kits (SDKs) that rely on device and installation identifiers. These include: a push notification token (APNs / Firebase Cloud Messaging); a pseudonymous Crashlytics installation identifier; and a pseudonymous Firebase Analytics app-instance identifier. These identifiers are described in Section 1.3 and, except for the strictly necessary push token used to deliver notifications you have enabled, are activated only after you opt in through the in-app consent controls described in Section 1.13a. The application does not access the Android Advertising ID or the iOS Identifier for Advertisers (IDFA) and does not perform cross-app or cross-site tracking for advertising.
For non-essential processing in the mobile application — specifically analytics (Firebase Analytics) and crash/diagnostic reporting (Firebase Crashlytics) — myPalco operates a consent-based model:
Withdrawal of consent does not affect the lawfulness of any processing carried out before withdrawal.
We may update this Privacy Policy from time to time. Material changes will be notified through the Service or by email before taking effect. Continued use after the effective date constitutes acceptance of the updated policy.
Data protection inquiries: legal@mypalco.com
Supervisory authority
Comissão Nacional de Proteção de Dados (CNPD)
www.cnpd.pt
Av. D. Carlos I, 134 - 1.º, 1200-651 Lisboa, Portugal
You have the right to lodge a complaint with the CNPD at any time if you believe your personal data has been processed in violation of the GDPR.