Privacy Policy

StreamSpindle is operated by Menos Labs LLC, an Illinois limited liability company. This Privacy Policy explains how we collect, use, disclose, and protect information when you use the StreamSpindle platform, including our website at streamspindle.com and our label dashboard at portal.streamspindle.com.

By using StreamSpindle you agree to the practices described in this policy. If you don't agree, please don't use the service.

Account information — when you sign up, we collect your name, label name, email address, phone number, and password (hashed, never stored in plain text). We also collect the plan you select and your distribution territory preferences.

Payment information — billing is handled by Stripe. We store your Stripe customer ID and subscription status. We do not store credit card numbers, CVV codes, or full card details on our servers.

Content and catalog data — audio files, video files, cover artwork, episode thumbnails, track metadata (title, artist, ISRC, genre, album, release date), and any DDEX ERN feed data you provide.

Usage and analytics data — stream counts, watch time, viewer geography, playlist performance, and channel analytics sourced from Roku's reporting API. This data is aggregated at the channel level and does not include personally identifiable viewer data.

Communications — if you contact us via email or support, we retain that correspondence.

Technical data — IP address, browser type, device type, and pages visited, collected via Google Tag Manager and Cloudflare infrastructure logs. This data is used for security, performance monitoring, and aggregate analytics.

Waitlist data — if you submit your email on our coming soon page, we store that email in our Resend audience for pre-launch communications.

We use the information we collect to:

• Create and manage your label account and subscription
• Distribute your content to your Roku channel
• Process payments and manage billing through Stripe
• Send SMS verification codes via Twilio during account setup
• Send transactional emails via Resend — welcome, trial ending, payment failed, payout processed
• Calculate and report royalty earnings
• Provide stream analytics and channel performance data
• Respond to support requests
• Detect and prevent fraud, abuse, and unauthorized access
• Comply with legal obligations
• Improve the platform based on aggregate usage patterns

We do not use your data for advertising, behavioural profiling, or sale to third parties.

StreamSpindle shares data with the following vendors solely to operate the platform:

• Stripe — payment processing and subscription management. Stripe processes card data under their own PCI-compliant privacy policy. streamspindle.com/privacy links to stripe.com/privacy.
• Twilio — SMS delivery for account verification. Your phone number is transmitted to Twilio to send verification codes.
• Resend — transactional email delivery. Your email address is stored in Resend audiences for pre-launch and transactional communications.
• Cloudflare — infrastructure, CDN, DNS, and Workers runtime. Cloudflare processes request data through their network. Your content is stored in Cloudflare R2 object storage and D1 database.
• Roku — content distribution platform. Your catalog, channel settings, and branding assets are transmitted to Roku's platform for distribution. Roku operates under their own privacy policy.
• Google Tag Manager / Google Analytics — aggregate website analytics. No personally identifiable information is shared with Google through these tools.

We do not sell, rent, or trade your personal information with any third party for their own marketing purposes.

Your account data is stored in Cloudflare D1 (SQLite-based database) hosted on Cloudflare's global infrastructure. Your content files (audio, video, artwork) are stored in Cloudflare R2 object storage.

Passwords are hashed using PBKDF2-SHA256 before storage. Authentication uses JWT tokens with expiry. API access requires a valid bearer token on all authenticated endpoints.

We use HTTPS for all data transmission. Cloudflare provides DDoS protection and TLS termination at the edge.

While we implement industry-standard security measures, no system is completely secure. We encourage you to use a strong unique password and to contact us immediately at [email protected] if you believe your account has been compromised.

We retain your account data for as long as your account is active. If you cancel your subscription and request account deletion, we will delete your account data within 30 days, except where we are required to retain it for legal or financial compliance purposes (e.g. payment records, tax records).

Content files uploaded to Cloudflare R2 are deleted within 30 days of account deletion or upon your request through the dashboard.

Waitlist email addresses are retained until you unsubscribe or request deletion.

Aggregate anonymized analytics data (stream counts, viewer geography) may be retained indefinitely as it contains no personally identifiable information.

You have the right to:

• Access — request a copy of the personal data we hold about you
• Correction — request correction of inaccurate data
• Deletion — request deletion of your account and associated data
• Portability — request your data in a machine-readable format
• Objection — object to certain processing of your data
• Withdrawal — withdraw consent for marketing communications at any time

To exercise any of these rights, email [email protected] with the subject line "Data Request." We will respond within 30 days.

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights regarding your personal information.

We do not sell personal information. We do not sell, rent, or share your personal information with third parties for their commercial purposes.

Under CCPA you have the right to know what personal information we collect and how it is used, the right to delete personal information, the right to opt out of the sale of personal information (not applicable — we do not sell data), and the right to non-discrimination for exercising your privacy rights.

To submit a CCPA request, email [email protected] with the subject line "CCPA Request." We will verify your identity before processing the request.

StreamSpindle operates in the United Kingdom and the European Union through its Roku distribution territories (GB). If you are located in the UK or EU, the General Data Protection Regulation (GDPR) or UK GDPR applies to our processing of your personal data.

Legal basis for processing: We process your personal data on the following bases — contractual necessity (account management, content distribution, payment processing), legitimate interests (security, fraud prevention, platform improvement), and consent (marketing communications, which you may withdraw at any time).

Data transfers: Your data is processed on Cloudflare's global infrastructure, which may involve transfer outside the UK/EEA. Cloudflare maintains Standard Contractual Clauses and other transfer mechanisms as required.

To exercise your GDPR rights or to lodge a complaint, contact [email protected]. You also have the right to lodge a complaint with your local data protection authority.

StreamSpindle uses browser localStorage (not cookies) to maintain your login session in the label dashboard. This data stays on your device and is cleared when you sign out. We do not use tracking cookies for advertising.

Google Tag Manager and Google Analytics place analytics cookies on our public-facing pages (streamspindle.com). These cookies collect aggregate, anonymized data about page visits and are governed by Google's privacy policy. You can opt out of Google Analytics at tools.google.com/dlpage/gaoptout.

Cloudflare may set technical cookies necessary for security and performance on our infrastructure. These are essential and cannot be opted out of.

StreamSpindle is a business-to-business platform intended for use by music label owners and operators. We do not knowingly collect personal information from anyone under the age of 18. If you believe we have inadvertently collected information from a minor, please contact us at [email protected] and we will delete it promptly.

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and via an in-dashboard notice at least 14 days before the changes take effect. The updated policy will always be accessible at streamspindle.com/spindle-privacy.html.

Your continued use of StreamSpindle after the effective date of an updated policy constitutes acceptance of the changes.

For privacy-related questions, data requests, or to exercise your rights under CCPA or GDPR, contact us at:

Email: [email protected]
Entity: Menos Labs LLC
State: Illinois, United States

We respond to all privacy requests within 30 days.