PRIVACY POLICY

Last Updated: March 2026

1.1 Introduction

myPalco ("we", "us", "our") processes your personal data in accordance with Regulation (EU) 2016/679 (GDPR) and applicable Portuguese law. This Privacy Policy explains what data we collect, how we use it, and your rights. By using the Service, you acknowledge this Policy. For questions: legal@mypalco.com.

1.2 Data Controller

The data controller responsible for your personal data is myPalco, operated by myPalco, operating under Portuguese law.

As of the effective date of this Policy, myPalco does not meet the thresholds requiring the mandatory appointment of a Data Protection Officer under Article 37 GDPR. myPalco will appoint a DPO if and when the scale of its data processing activities requires one. In the interim, all data protection inquiries may be directed to: legal@mypalco.com.

myPalco will update this section to reflect the appointment of a DPO, if applicable, and will publish the DPO

s contact details on the platform.

1.3 Information We Collect

Account and profile data

Username, email address, password (hashed), profile information (name, bio, profile picture, banner image or video), and account settings provided at registration or subsequently.

User Content and metadata

Audio files (stored server-side and delivered via HLS Delivery as encrypted segments), video files, attribution metadata, project titles, session records, collaboration history, track privacy settings, team sharing status, and all other content you upload or create on the Service.

Third-party authentication data

If you register or log in using a third-party authentication provider (currently Google Sign-In and Sign in with Apple), we receive certain personal data from that provider as part of the authentication process. We do not receive your password from these providers.

Google Sign-In: we receive your name, email address, profile photo URL (if available), email verification status, and a unique Google account identifier.

Sign in with Apple: we receive your name (provided at first login only), email address (which may be your real email or an Apple private relay address, depending on your Apple privacy settings), and a unique Apple account identifier.

Source of data: Google LLC (policies.google.com/privacy) and Apple Inc. (apple.com/legal/privacy), as applicable.

Legal basis: Article 6(1)(b) GDPR — processing is necessary for the performance of the contract between you and myPalco, specifically to create and manage your user account. We do not access any other data from your Google or Apple account (such as contacts, calendar, files, or payment information) beyond what is listed above.

You may revoke myPalco's access to your third-party account at any time through your Google or Apple account settings. Revoking access does not delete your myPalco account or the data already received; to delete your account and associated data, use the account deletion feature or contact legal@mypalco.com.

Session and authentication data

Session tokens, HLS manifest access logs, key delivery request logs. This data is processed for security, authentication, and anti-piracy TPM compliance purposes. Key delivery logs may be used to detect and investigate attempts to circumvent HLS Delivery encryption.

Usage data

IP address, device type, browser, pages visited, actions taken, session duration, geographic location (for content geo-restriction compliance), and similar technical and behavioral data.

Social interaction data

Follow and follower relationships, track ratings, comments, messages between users, team member lists, and sharing activity. This data is processed to provide the Service

s social and collaboration features.

Video and media processing data

When you upload video content, myPalco's automated systems process the video to generate thumbnail images at multiple sizes (small, medium, and large) for display within the Service. This processing involves extracting a representative frame from the video at an algorithmically selected timestamp. No human reviews video content as part of this automated thumbnail generation process. Audio uploads are similarly processed by automated systems to extract waveform visualization data for display within the Service. Legal basis: Article 6(1)(b) GDPR — processing is necessary for the performance of the contract, specifically to display your uploaded content within the Service as intended.

Private content and team sharing data

When you designate a track as private or share it with team members, myPalco processes the following additional data: the privacy status of each track (public or private), your designated team member list (stored as user IDs, maximum 30 members), and the sharing status of each private track (whether shared with team). This data is used solely to enforce access controls and deliver private content to authorized users. Legal basis: Article 6(1)(b) GDPR — processing is necessary for the performance of the contract, specifically to provide the privacy and team sharing features you have activated.

Rights enforcement data

Content recognition match results; valid rights-holder notices received; counter-notifications submitted; account strike records; attribution metadata submissions; geo-restriction decisions; same-composition Session Post licensing status. This data is processed for legal compliance purposes and may be shared with rights holders and competent authorities as described in Section 4.6.

1.4 How We Use Your Information

to provide, operate, and maintain the Service and its workshop and collaboration features;
to create and manage user accounts;
to enable uploading, discovery, sharing, and creative collaboration;
to operate HLS Delivery, including authentication, key delivery, and encrypted segment serving as anti-piracy measures;
to operate content recognition systems and enforce the Intellectual Property Policy, including pre-publication blocking, stay-down, and repeat-infringer policies;
to compile attribution metadata for Article 17 licensing best-efforts documentation and Transparency Reports;
to enforce territorial licensing restrictions including geo-restriction of Cover Stem content to licensed territories;
to enforce same-composition Session Post public distribution restrictions pending composition-level licensing;
to enforce access controls for private content and team sharing features;
to process video and audio uploads for thumbnail generation and waveform visualization;
to communicate with you regarding your account, the Service, rights enforcement decisions, and legal matters;
to improve and develop the Service;
to ensure security and prevent abuse, fraud, and illegal activity, including circumvention of HLS Delivery TPM;
to comply with DMCA, DSA, CDSM Directive, GDPR, EU AI Act, and all other applicable legal obligations;
to enforce the Terms of Service and Intellectual Property Policy.

1.5 Legal Bases for Processing (GDPR)

Article 6(1)(b) — Performance of contract: processing necessary to provide the Service, including account management, content hosting and delivery, social features, privacy and team sharing controls, and automated media processing;\n
Article 6(1)(c) — Legal obligation: processing necessary to comply with DMCA, DSA, CDSM Directive, GDPR, EU AI Act, and applicable law, including IP enforcement obligations, rights-holder data sharing, and territorial licensing compliance;\n
Article 6(1)(f) — Legitimate interests: processing for platform security, fraud prevention, anti-piracy TPM enforcement, service improvement, and IP policy enforcement, where not overridden by your rights;\n
Article 6(1)(a) — Consent: for non-essential cookies and marketing communications where required. Consent may be withdrawn at any time.

1.6 Sharing of Information

We do not sell personal data.

Service providers

Trusted third-party providers (hosting, CDN, HLS delivery infrastructure, ACR technology, authentication services, analytics, security monitoring, customer support) under data processing agreements requiring appropriate security and confidentiality measures.

Sub-processor list

A list of myPalco's current data sub-processors, including their names, locations, and the processing activities they perform on myPalco's behalf, is available upon request by contacting legal@mypalco.com. myPalco will notify users of material changes to its sub-processor list.

Rights holders, CROs, and IP enforcement

In connection with our DMCA, DSA, and CDSM Directive obligations, we may share: information contained in or related to valid infringement notices; attribution metadata identifying rights holders in Cover Stem uploads; content identifiers and URLs of removed or blocked content; HLS key delivery logs relevant to circumvention investigations; and account information required to comply with court orders or lawful enforcement requests. Processing in this context is based on legal obligation (Article 6(1)(c) GDPR). Attribution metadata collected at upload time may be shared with rights holders in the context of our Article 17 licensing outreach and Transparency Reports.

Regulatory authorities

We may disclose information to the CNPD, IGAC, ANACOM, Portuguese courts, law enforcement, or other competent authorities where required by law, pursuant to a court order, or to protect the rights or safety of users or the public.

Business transfers

If myPalco is involved in a merger, acquisition, or asset sale, user information may be transferred. We will notify you of any such transfer and material changes to data processing.

1.7 Data Retention

Account data: retained for the duration of account activity and a reasonable period thereafter;
Attribution metadata and IP enforcement records: retained for the duration required by applicable IP law, including minimum retention periods under the CDSM Directive and DSA;
Removed User Content: deleted within 24 hours of removal, except where court order, law-enforcement request, or legal proceedings require longer retention;
Technical and usage data: retained in aggregated or anonymized form for analytics;
Third-party authentication data: retained for the duration of your account. Upon account deletion, erased within 30 days.

1.8 Your Rights (GDPR)

To exercise these rights, contact legal@mypalco.com:\n

access: obtain a copy of your personal data;
rectification: correct inaccurate data;
erasure: request deletion, subject to legal retention obligations;
restriction: restrict processing in certain circumstances;
portability: receive data in a structured, machine-readable format;
objection: object to processing based on legitimate interests;
consent withdrawal: withdraw consent where processing is consent-based.\n

You have the right to lodge a complaint with the CNPD (www.cnpd.pt) if you believe your data has been processed in violation of the GDPR.

1.9 Security

We implement appropriate technical, administrative, and organizational security measures including: encryption of all audio content as an anti-piracy measure, with segments delivered via authenticated HLS; authenticated key delivery with server-side token validation; encrypted storage of credentials; access controls; and regular security reviews. No system is impenetrable. You are responsible for maintaining your account credential security.

1.10 Data Breach Notification

In the event of a personal data breach within the meaning of Article 4(12) GDPR, myPalco will:

(a) Notify the Comissão Nacional de Proteção de Dados (CNPD) within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of affected individuals. Where notification is delayed beyond 72 hours, myPalco will document the reasons for the delay in accordance with Article 33(1) GDPR.

(b) Notify affected users without undue delay where the breach is likely to result in a high risk to the rights and freedoms of the affected individuals, in accordance with Article 34 GDPR. Notification will be made by email to the address associated with the user

s account, and where appropriate, by in-app notification. The notification will include: the nature of the breach; the likely consequences; the measures taken or proposed by myPalco to address and mitigate the breach; and the contact details of myPalco's data protection contact point.

(c) Notification to affected users is not required where: (i) myPalco has implemented appropriate technical protection measures (such as encryption) that render the affected data unintelligible to unauthorized persons; (ii) myPalco has taken subsequent measures that ensure the high risk is no longer likely to materialize; or (iii) notification would involve disproportionate effort, in which case myPalco will make a public communication or equivalent measure ensuring that affected individuals are informed effectively.

(d) myPalco maintains an internal register of all personal data breaches, including their effects and the remedial actions taken, regardless of whether notification to the CNPD or affected users is required.

Supervisory authority contact:

Comissão Nacional de Proteção de Dados (CNPD)

Av. D. Carlos I, 134 - 1.º

1200-651 Lisboa, Portugal

www.cnpd.pt | geral@cnpd.pt | +351 213 928 400

1.11 International Data Transfers

Where personal data is transferred outside the EEA, we implement appropriate safeguards in accordance with GDPR Chapter V, including standard contractual clauses approved by the European Commission or other recognized transfer mechanisms.

1.12 Children's Privacy

The Service is not directed to children under 13 years of age. In accordance with Article 8 GDPR as transposed into Portuguese law, the minimum age for consent to information society services is 13.

AGE VERIFICATION

During account registration, all new users are required to confirm whether they are 13 years of age or older. Users who indicate that they are under 13 are not permitted to create an account independently. In such cases, the registration process requires the involvement of a parent or legal guardian, who must complete the registration on the minor's behalf and provide verifiable parental consent in accordance with Article 8 GDPR.

myPalco does not knowingly collect personal data from children under 13 without verifiable parental consent. If we become aware that personal data has been collected from a child under 13 without appropriate parental consent, we will take prompt steps to delete the data and, where appropriate, terminate the associated account.\n

Parents or legal guardians who believe their child has provided personal data to myPalco without consent may contact: legal@mypalco.com.

1.13 Cookies and Tracking Technologies

Strictly necessary: authentication, security, session management, token handling. No consent required.
Preference: user settings and language preferences.
Analytics: platform usage on an aggregated, anonymized basis where possible.
Territorial compliance: IP-based geo-detection to enforce content territorial licensing restrictions and Cover Stem geo-restriction decisions.

Non-essential cookies require consent where required by applicable law. You may manage cookies through your browser settings. Disabling certain cookies may affect Service functionality including audio playback and session management. myPalco does not currently use non-essential tracking cookies or third-party advertising cookies.

1.14 Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be notified through the Service or by email before taking effect. Continued use after the effective date constitutes acceptance of the updated policy.

1.15 Contact

Data protection inquiries: legal@mypalco.com

Supervisory authority

Comissão Nacional de Proteção de Dados (CNPD)

www.cnpd.pt

Av. D. Carlos I, 134 - 1.º, 1200-651 Lisboa, Portugal

You have the right to lodge a complaint with the CNPD at any time if you believe your personal data has been processed in violation of the GDPR.