Plain-language summary (not legally binding). CrateCodex is a DJ library manager. We store the metadata about your music (filenames, tags, BPM, key, cues, waveforms, Box structure) — we do not store the audio files themselves on our servers. If you connect Google Drive, Dropbox or similar, we access those accounts on your behalf only to read file information, never to redistribute your music. We use Supabase to run our infrastructure and Stripe to take payments. We do not sell your personal data, we do not use your music or metadata to train AI models, and we do not show you advertising. You can export or delete your data at any time.
CrateCodex ("CrateCodex", "we", "us") is the data controller for the personal data described in this Privacy Policy.
Contracting entity: [CrateCodex Ltd, New Zealand company number [NZBN], registered office [address]].
For EU / UK users, our representative and data protection contact is reachable at privacy@cratecodex.com. Where we are required to appoint a formal Article 27 GDPR representative, their name and contact details will be listed on this page before the obligation applies.
General privacy contact: privacy@cratecodex.com.
This Policy explains how we collect, use, share and protect personal data when you use the CrateCodex web application, desktop player, and related services (together, the "Service"). It applies globally and is designed to comply with the New Zealand Privacy Act 2020, the EU and UK General Data Protection Regulation (GDPR / UK GDPR), the California Consumer Privacy Act as amended by the CPRA (CCPA), the Australian Privacy Act 1988, the Canadian PIPEDA, Brazil's LGPD and other applicable data protection laws. Where those laws give you additional rights, those rights apply.
This Policy does not cover:
We collect the minimum personal data we need to run the Service.
When you register we collect your email address, a hashed password (or SSO identifier), display name (optional), profile image (optional), language preference, and the date you accepted these terms. Authentication is handled by Supabase Auth on our behalf.
When you subscribe we collect and/or receive from Stripe: your name, billing address (or country and postcode, depending on tax rules), subscription plan, payment status, invoice history, and a Stripe customer identifier. We do not receive or store your full payment card number, expiry date or CVC. Stripe processes these directly.
When you use the library we store metadata describing your music, including: filename, file path or cloud-storage object reference, duration, file size, ID3 / Vorbis / MP4 tags (title, artist, album, year, genre, BPM, key, comments, artwork thumbnails embedded in the file), our computed values (tempo, musical key in Camelot notation, loudness, waveform peak data), your Boxes, smart-crate rules, cue points, memory cues, notes and play history inside the Service.
We do not store the audio files themselves on our servers. Your music stays on your device or in your own connected third-party storage. The metadata above is what we keep server-side so you can sync and work with it across devices.
If you connect a third-party service (Google Drive, Dropbox, iCloud, etc.) we store: an OAuth access token and refresh token (encrypted at rest), the provider identifier, the scopes you granted, and the identifiers of the files and folders you exposed to the Service. We only use these tokens to perform the actions you request.
To compute BPM, key, waveform and similar technical attributes, we may stream short segments of audio from your device or cloud account to an audio analysis subprocessor (see section 6). These segments are processed in memory only for the time needed to produce the analysis result and are not retained by the analysis subprocessor or by us beyond the duration of the job, except for the resulting metadata.
When you use the Service we automatically collect: IP address, approximate location derived from IP (country / region only), user-agent string, device model, operating system, browser, referrer URL, timestamps, diagnostic error logs, crash traces and performance traces. These are used for security, abuse detection, incident response and service reliability.
When you contact us (email, support ticket, feedback form) we keep the content of your message, your contact details and any attachments you send.
We use a small number of first-party cookies and local storage entries that are strictly necessary for sign-in, session state, CSRF protection and remembering your preferences. We do not use advertising cookies or cross-site tracking pixels. Where analytics or error-reporting cookies are used they are described in our Cookie Notice linked from the Service; you can refuse non-essential cookies via the in-product cookie banner.
We do not collect special categories of data (racial or ethnic origin, political opinions, religious beliefs, union membership, genetic or biometric data, health data, sexual orientation) and we ask that you do not store such data in custom fields. The Service is not designed for and should not be used to process any such data.
We process personal data for the purposes listed below. Where GDPR / UK GDPR applies, the legal basis is shown in brackets.
We do not use your music, your metadata, your cue points or your library data to train machine-learning models, and we do not sell or rent personal data.
Because this is the part most users care about, here is the concrete flow:
At no point do we make your music available to anyone else, and we do not create a public library or catalogue of your files.
We share personal data only with:
Companies we engage to help operate the Service, under written data-processing agreements that bind them to confidentiality and security:
| Subprocessor | Role | Data processed | Location |
|---|---|---|---|
| Supabase, Inc. | Authentication, PostgreSQL database, file object storage, realtime sync, hosted infrastructure | Account data, library metadata, device logs, OAuth tokens (encrypted) | USA / EU region (configurable) |
| Stripe, Inc. | Payment processing, subscription billing, tax calculation, invoicing | Name, billing address, email, subscription data, card data (processed directly by Stripe) | USA / EU / global |
| Cloud hosting & CDN provider(s) | Compute, object storage, network delivery | All of the above, in transit and at rest | Per deployment region |
| Audio analysis provider(s) | Ephemeral BPM / key / waveform computation where run outside our own infrastructure | Short audio segments for the duration of the analysis job only | Per deployment region |
| Error and performance monitoring provider | Crash reports, stack traces, performance traces | Device and log data | USA / EU |
| Transactional email provider | Sending account, billing, security and product notification emails | Email address, name, message content | USA / EU |
| Support tooling provider | Handling support tickets and conversations | Contact details, message content, attachments | USA / EU |
An up-to-date list of current subprocessors, including their specific legal names and addresses, is maintained at cratecodex.com/legal/subprocessors. Where required by law we will give advance notice of new subprocessors and give you the opportunity to object.
If you connect Google Drive, Dropbox, iCloud, Spotify, a DJ software export target or similar, those services receive the minimum data needed to perform the connection you request (for example: "list these folders", "read this file's metadata"). They are independent controllers under their own privacy policies.
We may share personal data when reasonably necessary to:
We may share aggregated or anonymised statistics that do not identify any individual. This is not personal data.
CrateCodex is a global service. Your personal data may be transferred to, stored in and processed in countries other than the one in which you live, including jurisdictions that may not provide the same level of data protection as your own.
Where we transfer personal data out of the European Economic Area, the United Kingdom or Switzerland, we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses (2021 version) and the UK Addendum, combined with supplementary technical and organisational measures. Copies of the relevant safeguards are available on request at privacy@cratecodex.com.
Where we transfer personal data out of New Zealand, we rely on either the recipient being subject to comparable privacy protections as required under IPP 12 of the New Zealand Privacy Act 2020, or on your informed consent, or on contractual protections equivalent in effect.
We keep personal data only as long as we need it for the purposes described in section 4, and then delete or anonymise it.
| Category | Retention |
|---|---|
| Account data | For the life of your account, then deleted within 30 days of account closure |
| Library metadata (Boxes, cues, tags, waveforms, play history) | For the life of your account, then deleted within 30 days of account closure |
| Billing and invoice records | Up to 7 years after the transaction, to meet tax and accounting obligations |
| Security / audit logs | Up to 12 months, or longer if required for an active investigation |
| Support correspondence | Up to 3 years after last contact |
| Marketing preferences and unsubscribe records | For as long as needed to honour your choice |
| OAuth tokens for connected accounts | Until you disconnect the integration or close your account |
Backups containing personal data may persist for a short period after deletion, after which they are overwritten on our standard rotation (no more than 35 days).
We protect personal data using administrative, technical and physical safeguards, including:
No system is perfectly secure. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant regulator where required by law (including within 72 hours under GDPR / UK GDPR, and as required under the New Zealand Privacy Act 2020 notifiable-privacy-breach rules).
Depending on where you live you have some or all of the following rights. You can exercise them by emailing privacy@cratecodex.com or using the in-product privacy controls. We will respond within the statutory time limit (typically 30 days under GDPR, 20 working days under the NZ Privacy Act 2020, 45 days under CCPA).
California residents additionally have the right to know the categories and specific pieces of personal information we collect, the sources, the purposes, and the categories of third parties with whom we share it; the right to delete; the right to correct; the right to opt out of the "sale" or "sharing" of personal information; and the right to limit the use of sensitive personal information. We do not sell or share personal information as those terms are defined by the CCPA, and we do not process sensitive personal information for purposes requiring a right to limit. California residents will not be discriminated against for exercising any of their rights.
You have the right to lodge a complaint with your local supervisory authority — for example, the UK Information Commissioner's Office (ICO) at ico.org.uk, or the data protection authority of the EU member state where you live, work or where the alleged infringement occurred. We would appreciate the chance to resolve any concerns directly first.
You have the right to complain to the Office of the Privacy Commissioner at privacy.org.nz.
You have the right to complain to the Office of the Australian Information Commissioner at oaic.gov.au.
To protect your data, we may ask for additional information to verify your identity before acting on a request, and we may decline or charge a reasonable fee for requests that are manifestly unfounded or excessive, to the extent allowed by law.
The Service is not directed at and not intended for children under the age of 16 (or the higher age of digital consent in your country). We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, contact privacy@cratecodex.com and we will delete it.
We do not use your personal data, your library metadata, your uploaded waveforms or your music to train, fine-tune or evaluate any generative or predictive artificial-intelligence model, whether ours or a third party's. We do not make decisions producing legal or similarly significant effects about you through solely automated means.
If we ever introduce features that involve automated decision-making or AI training on user data, we will update this Policy in advance, explain the change, provide a meaningful opt-out where required by law, and will not apply the change retroactively to data collected under this version of the Policy without a further lawful basis.
The Service may link to third-party websites or services. We are not responsible for the privacy practices of those third parties. You should read their privacy policies before giving them personal data.
We may update this Policy to reflect changes in our practices or legal obligations. When we do, we will change the "Last updated" date at the top of the Policy and, if the changes are material, notify you by email and/or through the Service before the change takes effect. Continued use of the Service after the effective date is acceptance of the updated Policy. A version history is available on request.
If you have any questions about this Privacy Policy or how we handle your personal data, contact:
CrateCodex — Privacy Team
Email: privacy@cratecodex.com
Post: [Registered office address, New Zealand]
For security-related disclosures: security@cratecodex.com.
For copyright notices: copyright@cratecodex.com.
© CrateCodex. All rights reserved.