Privacy Policy

1.1 Information you provide

• Account data: email, phone number, name, stage name (if you are an artist).
• Profile: avatar photo, background image, bio, musical genres, social media links.
• Artist content: audio files, cover art, metadata (title, genre, mood, tags).
• Social interactions: comments, likes, playlists you create, tracks added to playlists.

1.2 Information collected automatically

• Usage data: tracks played, listening duration, completion rate, searches, action sequences (play, pause, seek, skip).
• Device data: device type, operating system (iOS/Android), app version, push notification identifier (FCM token).
• Contextual data: time of day (for recommendations).

1.3 Information we do NOT collect

• Precise GPS location.
• Device contacts.
• Content of other messages or apps.
• Direct payment information (processed by certified third parties).

• App functionality: authentication, music playback, playlist management, artist profiles.
• Personalization: recommendation algorithm (HomeFeedEngine) based on your likes, listening history, and preferences.
• Communication: push notifications about track approvals, comments received, new releases.
• Service improvement: aggregated telemetry to understand feature usage and identify issues.
• Security: detect fraud, abuse, or violations of our terms.

We do not sell your personal information. We share data only with the following providers necessary to operate the service:

• Supabase (authentication & database) — Policy
• Cloudflare R2 (audio & image storage) — Policy
• Google Cloud Run (backend API) — Policy
• Expo Push Notifications (notifications) — Policy
• Vercel (website hosting) — Policy

• All communications use HTTPS/TLS (encryption in transit).
• Passwords stored with secure hashing via Supabase Auth.
• Audio and covers stored in private buckets with temporary signed URLs (30 minutes to 4 hours depending on context).
• Role-based access control (RBAC) with Row Level Security in the database.
• Per-user rate limiting to prevent abuse.
• Periodic access token rotation.

You have the following rights over your data:

• Access: request a copy of all information we hold about you.
• Rectification: correct inaccurate or outdated information.
• Deletion: request we delete your account and all associated data.
• Portability: receive your data in a structured format (JSON).
• Objection: object to the processing of your data for certain purposes.
• Withdraw consent: withdraw your consent at any time.

To exercise these rights, email us at contacto.musmart@gmail.com. We will respond within 15 business days.

You can request deletion of your account and all data by emailing contacto.musmart@gmail.com. Full details about the process, timing, and what data is deleted or retained on our dedicated account deletion page.

Deletion is irreversible and removes:

• Your profile and personal data.
• Your playlists and likes.
• Your comments.
• Your listening history.
• Your uploaded tracks as an artist (if applicable).

• Active accounts: we retain your data while your account is active.
• Inactive accounts: after 24 months of inactivity, we notify you and proceed with deletion.
• Telemetry: aggregated and anonymized data may be retained indefinitely for analytics.
• Legal obligations: some data may be retained longer if required by law.

MÜSMART is designed for users 13 years and older. We do not knowingly collect information from children under 13. If you believe a minor has created an account without parental consent, contact us to have it deleted.

Your data may be processed on servers located in the United States (Supabase, Google Cloud Run) and on Cloudflare's global network. We ensure these providers comply with standards equivalent to Colombian and European (GDPR) legislation.

The mobile app does NOT use cookies. The musmart.co website uses essential cookies for administrative authentication and aggregated analytics (Vercel Analytics, no individual tracking).

This section details which system permissions MÜSMART requests on Android, what they are used for, and why they are necessary. You can revoke these permissions at any time from Settings → Apps → MÜSMART → Permissions. Some features will stop working if you revoke them.

• Internet (android.permission.INTERNET) — communication with our servers and audio streaming. Indispensable for all app functionality.
• Foreground service (android.permission.FOREGROUND_SERVICE and FOREGROUND_SERVICE_DATA_SYNC) — allows music to keep playing when you lock the screen or use another app, and maintains data sync in the background (notification queue, aggregated telemetry).
• Wake lock (android.permission.WAKE_LOCK) — prevents the device from entering deep sleep during music playback.
• Microphone (android.permission.RECORD_AUDIO) — only when you activate the voice assistant to search songs by speech. Voice assistant audio is processed locally on your device (Gemma engine with LiteRT-LM, on-device): it is not uploaded to our servers, not stored, and not shared with third parties. If you never activate the assistant, the permission stays inactive. You can deny it and the app continues to work without voice search.
• Notifications (android.permission.POST_NOTIFICATIONS, Android 13+) — delivery of push notifications (new releases, comments received, track approvals). You can disable them individually in Settings.
• Read media (READ_MEDIA_IMAGES or READ_EXTERNAL_STORAGE on older Android versions) — only so you can pick an image from your gallery when changing your profile photo or artist banner. The app does not scan or index your gallery contents; it only accesses the specific image you select at that moment.
• Vibrate (android.permission.VIBRATE) — haptic feedback in some UI interactions and notifications.
• Receive boot completed (android.permission.RECEIVE_BOOT_COMPLETED) — re-register the push notification token after the device reboots, so you keep receiving notifications without opening the app manually.

Permissions we do NOT use and that are explicitly excluded from the application manifest: camera (CAMERA), precise or approximate location, contacts, calendar, call history, SMS, body sensors, and access to other installed applications.

MÜSMART includes an optional voice assistant (powered by the Gemma engine with LiteRT-LM) that runs entirely on your device. This means:

• The audio you capture with the microphone never leaves your phone.
• Voice recognition, transcription, and interpretation of your request happen locally, without sending data to a cloud service.
• Once your request is processed (for example, "play me something relaxing for studying"), the app sends to our backend only the derived search parameters (mood, tags, genre), never the original audio.
• The AI model and its tensors are loaded into RAM only while you use them; after five minutes of inactivity they are unloaded automatically to free memory.

If the model cannot run on your device due to memory constraints, the app gracefully degrades to standard manual search mode without contacting any external AI service.

We may update this policy occasionally. We will notify material changes via push notification in the app and by updating the "Last updated" date at the top of this document. Continued use of the service after changes constitutes acceptance of the new policy.

If you have questions about this policy or the handling of your data, contact us:

• Company: OC Music S.A.S.
• Email: contacto.musmart@gmail.com
• Website: https://musmart.co