Audio Atlas

Privacy Policy

Last updated: May 2026 ยท Effective: March 2026

The short version: We collect the minimum data needed to run Audio Atlas. We don't sell your data. You can delete your account and data at any time. We're based in Denmark and comply with GDPR.

1. Who We Are

Audio Atlas is an open-source platform for discovering and documenting music genres worldwide. It is developed and operated as a student project at the IT University of Copenhagen (ITU).

Data controller: Audio Atlas Project Team, IT University of Copenhagen, Rued Langgaards Vej 7, 2300 Copenhagen S, Denmark.

For data protection queries, contact: [email protected]

2. What Data We Collect

We only collect data that is necessary for the platform to function. We do not collect any data beyond what is listed below.

DataSourcePurposeStored Until
UsernameYou choose it at signupDisplay name on contributionsAccount deletion
Email addressOAuth provider (GitHub/Google)Account identification and contactAccount deletion
OAuth provider IDGitHub or GoogleAuthentication (logging you in)Account deletion
GDPR consent timestampGenerated at signupRecording your informed consent (legal requirement)Account deletion
Contributed contentYou submit itPlatform content (genre descriptions, sources, etc.)Anonymised on account deletion

What We Do NOT Collect

We do not collect or store: browsing behaviour, location data, IP addresses for tracking purposes, analytics or telemetry data, cookies beyond session authentication, or any data not listed in the table above. Profile picture URLs received from OAuth providers during login are not persisted to our database.

3. Lawful Basis for Processing

Under GDPR Article 6, we process your personal data based on:

  • Consent (Article 6(1)(a)): You explicitly agree to this policy and our contribution guidelines before your account is created. Your consent is recorded with a timestamp.
  • Legitimate interest (Article 6(1)(f)): We maintain platform security and prevent abuse.

4. How We Use Your Data

Your data is used solely to:

  • Authenticate your account via OAuth
  • Attribute your contributions to your chosen username
  • Enable curators to manage submissions and communicate review outcomes
  • Comply with legal obligations under GDPR

We do not use your data for advertising, profiling, analytics, automated decision-making, or any purpose beyond operating the platform.

5. Your Rights Under GDPR

As a user of an EU-based platform, you have the following rights regardless of your location:

  • Right of access (Article 15): Request a complete copy of all data we hold about you.
  • Right to rectification (Article 16): Correct any inaccurate personal data.
  • Right to erasure (Article 17): Delete your account and personal data at any time via your profile settings.
  • Right to data portability (Article 20): Receive your personal data in a structured, machine-readable format.
  • Right to restrict processing (Article 18): Request that we limit how your data is used.
  • Right to object (Article 21): Object to processing of your data based on legitimate interest.

To exercise any of these rights, use the account settings page or email [email protected]. We will respond within 30 days.

6. Account Deletion

You can delete your account at any time from your profile settings. When you delete your account:

  • Your personal data (username, email, OAuth provider ID, consent record) is permanently and irreversibly removed from our database.
  • Your contributed genre content remains on the platform, attributed to "Deleted User" rather than your username.
  • Contributed content is retained because it is licensed under CC BY-SA 4.0 and serves the public knowledge base. By submitting content, you grant this licence, which survives account deletion.
  • Deletion is processed immediately. There is no recovery period or soft-delete.

7. Data Storage and Security

  • Database: Azure SQL Database hosted in EU data centres (West Europe region).
  • Hosting: Azure App Service (EU region).
  • Encryption in transit: All connections use HTTPS/TLS. HTTP requests are redirected to HTTPS.
  • Encryption at rest: Azure-managed encryption for database and backups (AES-256).
  • Access control: Production database access is restricted to platform administrators.
  • Source code: The platform codebase is open source (MIT licence) and does not contain personal data.

8. Cookies

Audio Atlas uses only strictly necessary session cookies for authentication. These cookies:

  • Identify your login session after OAuth authentication
  • Are deleted when you log out or close your browser
  • Cannot be used to track you across other websites

We do not use tracking cookies, analytics cookies, advertising cookies, or any third-party cookies. Because we only use strictly necessary cookies, no cookie consent banner is required under the ePrivacy Directive.

9. Third-Party Services

We share data only with the following third parties, solely for the purposes described:

ServicePurposeData SharedPrivacy Policy
GitHubOAuth authenticationEmail address, display name (received during login only; not retained beyond what is listed in Section 2) github.com/privacy
GoogleOAuth authenticationEmail address, display name, profile picture URL (received during login only; profile picture URL is not stored) policies.google.com/privacy
Microsoft AzureHosting and databaseAll platform data (stored in EU) privacy.microsoft.com

We do not sell, trade, rent, or otherwise share your personal data with any other third party.

10. Google API Services

This section specifically describes how Audio Atlas accesses, uses, stores, and protects data received from Google when you choose to sign in with your Google account. It is provided in accordance with the Google API Services User Data Policy .

Data We Access from Google

When you sign in with Google, we request access only to the following data from your Google account:

  • Your Google account email address
  • Your display name
  • Your Google profile picture URL

We do not request access to Google Drive, Gmail, Google Contacts, Google Calendar, or any other Google service. Our use of Google account data is limited strictly to the scopes listed above.

How We Use Google Account Data

We use your Google account data solely to:

  • Create and uniquely identify your Audio Atlas account
  • Pre-fill your display name during account setup
  • Display your name within the platform (for example, on your contributor profile)

We do not use your Google account data to build advertising profiles, conduct behavioural tracking, or for any purpose beyond authenticating your identity and operating your Audio Atlas account. Google account data is never used for automated decision-making.

Data We Do Not Retain from Google

Your Google profile picture URL is received transiently during the OAuth login flow and is not stored in our database. We store only your email address and OAuth provider ID (see Section 2).

Data Sharing

We do not sell, rent, or share your Google account data with third parties. Your data is not disclosed to any external parties except where required by law, or where strictly necessary to operate the platform. Microsoft Azure, our hosting and database provider, processes data on our behalf under a data processing agreement and is bound by appropriate data protection obligations.

Data Retention and Deletion

Your Google account data is retained for as long as your Audio Atlas account remains active. You may delete your Audio Atlas account at any time from your account settings page. Upon account deletion:

  • Your email address and OAuth provider ID are permanently and irreversibly removed from our database.
  • Any content you contributed is anonymised and dissociated from your identity, in order to preserve the integrity of the platform's collaborative dataset.
  • Deletion is processed immediately upon confirmation.

To request deletion of your data, you may also contact us directly at [email protected].

Compliance Statement

Audio Atlas's use of information received from Google APIs adheres to the Google API Services User Data Policy , including the Limited Use requirements. We do not transfer, use, or sell Google user data for serving advertisements; we do not allow humans to read Google user data unless we have your affirmative consent, it is necessary for security purposes, or it is required by law.

11. Data Breach Notification

In the event of a personal data breach, we will:

  • Notify the Danish Data Protection Agency (Datatilsynet) within 72 hours of discovery, where required under GDPR Article 33.
  • Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms, as required under GDPR Article 34.

12. Children's Privacy

Audio Atlas is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16 without parental consent, we will delete that data promptly.

13. International Data Transfers

All data is stored and processed within the European Economic Area (EEA). We do not transfer personal data outside the EEA. OAuth authentication with GitHub and Google involves communication with servers that may be located outside the EEA; these providers operate under Standard Contractual Clauses approved by the European Commission.

14. Changes to This Policy

We may update this privacy policy to reflect changes in our data practices or legal requirements. When we make changes:

  • The "Last updated" date at the top of this page will be revised.
  • Significant changes will be communicated to registered users via a notice on the platform.
  • Continued use of the platform after changes constitutes acceptance of the revised policy.

15. Complaints

If you believe your data protection rights have been violated, you can contact us at [email protected]. You also have the right to lodge a complaint with the Danish Data Protection Agency:

Datatilsynet
Carl Jacobsens Vej 35, 2500 Valby, Denmark
Website: datatilsynet.dk
Email: [email protected]

16. Contact

For any questions about this privacy policy or your personal data:

Email: [email protected]

Project team: Audio Atlas, IT University of Copenhagen

GitHub: Audio-Atlas