MixReflect

Privacy Policy

Last updated: 3/28/2026

This policy describes how MixReflect ("we", "us", "our") collects, uses, stores, and shares information when you use our music feedback marketplace. By creating an account or using MixReflect, you agree to the practices described here.

MixReflect is operated by MixReflect, based in Melbourne, Victoria, Australia. For privacy enquiries, contact us at privacy@mixreflect.com.

1. Data we collect

Account information

When you sign up we collect your name, email address, and a hashed password (or OAuth credentials if you sign in via a third-party provider). If you create an artist profile we also store your artist name, genre preferences, and optional bio.

Track submissions

When you submit a track we store the track title, artist note, genre tags, source URL or link (e.g. SoundCloud, Spotify, YouTube), and any uploaded audio file. If you upload an MP3 or WAV file directly, the file is stored in cloud object storage (Amazon S3 or Cloudflare R2). We also store artwork images, either uploaded by you or fetched automatically from the linked platform via oEmbed.

Public vs. private tracks

When submitting a track you choose whether it is public or private. Public tracks may appear in the Weekly Discover section on our landing page and within the 3D Discover experience, visible to all visitors — including your track title, artist name, artwork, genre tags, and an embedded player or link to the audio source. Private tracks are only visible to you and the reviewers assigned to your track. You can change a track's visibility at any time from your track settings.

Reviews and feedback

We store the full content of every review, including structured ratings (production, originality, vocal quality, first impression, playlist action, quality assessment, release readiness verdict), free-text feedback (best moment, main feedback, artist note), timestamp annotations, and technical issue flags.

Listening behaviour data

While a reviewer listens to a track, we passively capture behavioural signals from the audio player to improve feedback quality. This includes play, pause, and seek events; volume changes; replay and skip zones; tab focus/blur events; and the overall engagement curve. This data is used to compute metrics such as completion rate, attention score, and behavioural-explicit alignment (how well the reviewer's listening patterns match their written feedback). Listening behaviour data is associated with the review, not the reviewer's broader account, and is presented to artists only in aggregate across all reviewers for a given track.

Payment and payout information

We store transaction metadata (package selected, amount, currency, Stripe session and payment IDs) to track order status. For reviewer payouts we store your Stripe Connect account ID and payout history. We do not store full credit card numbers or bank account details — those are held by Stripe.

Subscription data

If you subscribe to MixReflect Pro we store your Stripe customer ID, subscription ID, and subscription status to manage your plan, slot limits, and billing.

Usage and analytics

We use PostHog for product analytics and may optionally use Microsoft Clarity for session replays. These tools collect anonymised interaction data such as page views, clicks, scroll depth, and device information. We also use TikTok Pixel and Reddit Pixel to measure the performance of our advertising campaigns. These tools are only activated with your consent — see section 5 below. Public play counts on tracks are also recorded.

Support tickets

If you contact support, we store the subject, message body, and any follow-up messages to resolve your request.

Cookies and session data

We use cookies to authenticate your session (via NextAuth) and to remember your preferences. Authentication cookies are essential for the service to function. Analytics and advertising tools may set their own cookies only after you give consent — see section 5 below.

2. How we use your data

  • Authenticate you and manage your account and artist/reviewer profiles.
  • Match reviewers to tracks and manage the review queue (including priority placement for Pro subscribers).
  • Process payments for track submissions and reviewer payouts via Stripe and Stripe Connect.
  • Display public tracks, artwork, and artist names in the Weekly Discover section and on the landing page.
  • Compute feedback quality scores (text specificity, actionability, technical depth) to surface higher-quality reviews.
  • Analyse listening behaviour to provide artists with aggregate engagement insights (replay hotspots, drop-off points, attention curves).
  • Generate automated feedback synthesis reports that combine multiple reviews into actionable summaries.
  • Send transactional emails (review completion notifications, payment receipts, account verification) via Resend.
  • Send optional announcement or marketing emails (you can unsubscribe at any time).
  • Detect and prevent abuse, fraud, and low-quality reviews.
  • Improve product quality through analytics and aggregated usage patterns.
  • Enforce slot limits (Free: 1 active slot, Pro: 3 active slots) and subscription status.
  • Measure the effectiveness of advertising campaigns on TikTok and Reddit (only with your consent).

3. What we share publicly

If you mark a track as public, the following information may be visible to any visitor on MixReflect, including the Weekly Discover page, the 3D Discover experience, and the landing page:

  • Track title and artwork image
  • Artist name (from your artist profile)
  • Genre tags
  • An embedded audio player or link to the external source (SoundCloud, Spotify, YouTube, etc.)
  • Public play count

Reviews and detailed feedback are never shown publicly. They are only visible to the track owner and the reviewer who wrote them. Listening behaviour data is only shown to the track owner in aggregate form.

4. Third-party services

We share data with the following third parties only as needed to operate the service:

  • Stripe — payment processing for track submissions, Pro subscriptions, and reviewer payouts via Stripe Connect. Stripe receives your email, payment details, and payout account information.
  • Resend — transactional and announcement emails. Resend receives your email address and name.
  • Amazon S3 / Cloudflare R2 — cloud storage for uploaded audio files and artwork. Files are stored securely and served via signed or public URLs.
  • Vercel — hosting and deployment. Vercel processes web requests and may log IP addresses and request metadata.
  • Neon — managed PostgreSQL database hosting. All account, track, review, and behavioural data is stored in Neon's infrastructure.
  • PostHog — product analytics. PostHog receives anonymised event data about how you interact with the product. Activated only with your consent.
  • Microsoft Clarity (optional) — session replay and heatmaps. If enabled, Clarity captures anonymised interaction recordings. Activated only with your consent.
  • TikTok Pixel — advertising measurement. If you consent to analytics cookies, the TikTok Pixel fires on page load and sends anonymised event data (page views, conversions) to TikTok to measure the performance of our ads. TikTok may use this data in accordance with their own privacy policy. No personal data you enter on MixReflect is sent to TikTok.
  • Reddit Pixel — advertising measurement. If you consent to analytics cookies, the Reddit Pixel fires on page load and sends anonymised event data (page views, conversions) to Reddit to measure the performance of our ads. Reddit may use this data in accordance with their own privacy policy. No personal data you enter on MixReflect is sent to Reddit.

We do not sell your personal data to any third party.

5. Cookies and consent

We use the following types of cookies:

  • Essential cookies — authentication session tokens (NextAuth). Required for the service to function. Set immediately on login and cannot be disabled without logging out.
  • Analytics cookies — set by PostHog and optionally Microsoft Clarity to understand product usage. These are only set after you accept cookies via the consent banner.
  • Advertising cookies — set by TikTok Pixel and Reddit Pixel to measure advertising campaign performance. These are only set after you accept cookies via the consent banner. If you decline, these scripts are never loaded.

When you first visit MixReflect, a banner will ask for your consent to set non-essential cookies. You can decline and the service will still work fully — only the authentication cookie will be set. You can change your preference at any time by clearing your browser's local storage for mixreflect.com.

6. Lawful basis for processing

Where the General Data Protection Regulation (GDPR) applies (including for users in the European Economic Area and United Kingdom), we process your personal data on the following legal bases:

  • Performance of a contract — account data, track submissions, review data, payment and subscription data, and transactional emails are processed to fulfil our agreement with you when you use MixReflect.
  • Legal obligation — payment records and related data may be retained to comply with financial and tax regulations.
  • Legitimate interests — listening behaviour analytics (presented only in aggregate to track owners), fraud detection, abuse prevention, and product improvement through anonymised usage data. We have assessed that these interests are not overridden by your data protection rights.
  • Consent — advertising pixels (TikTok, Reddit), session replay (Microsoft Clarity), product analytics (PostHog), and marketing emails. You can withdraw consent at any time — for cookies by clearing your consent preference in browser local storage, and for marketing emails by unsubscribing via the link in any email.

MixReflect is also subject to the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs). Users in Australia have the right to access, correct, and complain about the handling of their personal information.

7. Data retention

We retain your account data, track submissions, reviews, and listening behaviour data for as long as your account is active. If you delete your account, we will remove your personal data within 30 days, except where we are required to retain it for legal, financial, or fraud-prevention purposes (e.g. payment records required by tax law). Uploaded audio files and artwork are deleted when the associated track is removed. Anonymised and aggregated analytics data may be retained indefinitely.

8. Data security

We use industry-standard measures to protect your data, including HTTPS encryption in transit, hashed passwords, secure session tokens, and access-controlled cloud storage with signed URLs for audio uploads. However, no system is perfectly secure and we cannot guarantee absolute security.

9. Your rights

  • Access — you can request a copy of the personal data we hold about you.
  • Correction — you can update your account information, artist profile, and track details at any time.
  • Deletion — you can request deletion of your account and associated data. Some data may be retained as described in section 7.
  • Visibility control — you can change any track between public and private at any time from your track settings, immediately removing it from or adding it to the Discover section.
  • Opt out of marketing — you can unsubscribe from announcement emails at any time. Transactional emails (e.g. review completion, payment receipts) cannot be opted out of while your account is active.
  • Data portability — you can request an export of your reviews and track data in a machine-readable format.
  • Withdraw consent — where we process data based on your consent, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal.
  • Object to processing — you can object to processing based on legitimate interests. We will stop unless we have compelling legitimate grounds.

To exercise any of these rights, contact us using the details in the Contact section below. If you are in the EEA or UK and are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority. If you are in Australia, you may contact the Office of the Australian Information Commissioner (OAIC).

10. Children

MixReflect is not intended for use by anyone under the age of 13. We do not knowingly collect personal data from children. If we learn that we have collected data from a child under 13, we will delete it promptly.

11. Governing law

This Privacy Policy is governed by the laws of Victoria, Australia. Any disputes relating to this policy that cannot be resolved informally will be subject to the exclusive jurisdiction of the courts of Victoria, Australia.

Where you access MixReflect from the European Economic Area or the United Kingdom, the General Data Protection Regulation (GDPR) or UK GDPR also applies to the processing of your personal data, in addition to Australian law.

12. Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you by email or by posting a notice on the site. Your continued use of MixReflect after any changes constitutes acceptance of the updated policy.

Contact

For privacy questions or to exercise your data rights, contact us at privacy@mixreflect.com.