Privacy Policy

What we collect

Information you provide:

• Email address (via waitlist signup or account creation)
• Artist profile information (name, bio, links, cover image)
• Payment information (processed by Stripe — we never store card details)

Information collected automatically:

• Page views and link clicks on published artist pages
• Referring URL and approximate country (from Vercel’s infrastructure)
• Browser type and device (standard server logs)

We do not collect sensitive personal information. We do not use tracking pixels from third-party advertisers.

Page analytics

When someone visits a published artist page, we record the page view, any link clicks, the referring URL, and approximate country. To deduplicate views without identifying individuals, we generate a short-lived session identifier by hashing the visitor’s IP address and browser type with a server-side secret. The hash rotates daily and cannot be reversed to recover the original IP address.

We process this data under the “legitimate interest” legal basis (GDPR Art. 6(1)(f)). Our legitimate interest is providing artists with accurate, anonymous traffic analytics. We have assessed that this processing is proportionate: the data is pseudonymised via HMAC hashing, rotated daily, and never shared with third parties or used for profiling.

Raw page event records are retained for 12 months. After that period, records are aggregated into anonymous counts and the raw data is deleted.

How we use it

• To operate and improve the Grain.fm service
• To send product updates, launch notifications, and onboarding emails
• To process payments via Stripe
• To show artists anonymous analytics about their own pages

We do not sell your data. We do not share it with third parties except the services necessary to run the product.

Third-party services

The following services process data on our behalf:

• Vercel — hosting and infrastructure
• Neon / PostgreSQL — database
• Stripe — payment processing
• WorkOS — authentication
• Kit — email delivery for waitlist and subscriber notifications
• Google Fonts — web font delivery for artist pages (visitor IP is sent to Google when loading fonts)

Each of these services has its own privacy policy. We maintain data processing agreements (DPAs) with each processor as required by GDPR.

Cookies

We use only strictly necessary cookies: a session cookie for authentication (set by WorkOS) and functional cookies set by Vercel to serve the application. We do not use analytics cookies, advertising cookies, or tracking pixels. Our page analytics are cookieless — they use server-side session hashing described above.

Data retention

We retain your data for as long as your account is active. You can delete your account at any time from Settings → Account in the dashboard. This permanently removes your account, all artist profiles, pages, campaigns, subscribers, and analytics data. You can also email info@quietshelf.com and we’ll remove your data within 30 days.

Your rights

You may request access to, correction of, or deletion of your personal data at any time by contacting info@quietshelf.com. If you are located in the EU or UK, you have additional rights under GDPR and UK GDPR.