Privacy Policy

We collect information you give us, information generated by your use of the Service, and information from third-party integrations you connect.

• Account information. Name, email, password hash, role, optional company and phone, billing address.
• Customer Data. Artists you add, songs and releases, contacts, deals, tasks, documents you upload, notes, and similar workspace content.
• Email content (optional). If you connect Gmail, we read and store the messages you authorize so the Service can triage and summarize them. You can disconnect at any time.
• OAuth tokens. When you connect Google or Spotify, we store the access and refresh tokens needed to make API calls on your behalf, encrypted at rest.
• Usage data. Pages visited, actions taken, feature usage, IP address, device, browser, and approximate location derived from IP. Used for security, debugging, and product improvement.
• Payment information. Handled directly by Stripe. We never store your card number; we receive a Stripe customer ID, the last four digits of your card, and billing metadata.

• To operate, maintain, and improve the Service.
• To process transactions, send invoices and receipts, and prevent fraud or abuse.
• To provide AI features — processing the relevant subset of your data through our AI provider (Anthropic) to generate summaries, drafts, and analytics. We do not allow the AI provider to train on your data.
• To communicate with you about your account, security, product updates, and (if you opt in) tips and announcements.
• To comply with legal obligations and enforce our agreements.

We do not sell your personal information. We share it only with service providers acting on our behalf and under contractual obligations to protect your data:

• Stripe— payments and subscription billing.
• Anthropic— AI inference for Manager Brain, briefings, and email triage. Anthropic is contractually prohibited from training on your data.
• Soundcharts— receives the artist identifiers needed to fetch streaming and chart data on your behalf.
• Google and Spotify— only when you explicitly connect those accounts; we send each provider only the requests needed to power the integrations you enabled.
• Cloudflare R2— document and file storage.
• Railway and Vercel— hosting infrastructure.
• Sentry— error tracking. We disable PII capture by default.
• Resend / SMTP provider— transactional email delivery.

We may also disclose information when required by law, in response to valid legal process, or to protect the rights, property, or safety of Ondek, our users, or others. If we are ever involved in a merger, acquisition, or asset sale, your information may transfer to the successor entity, subject to this policy or one materially similar to it.

• Access and update. You can review and edit your account profile and most workspace data directly in the Service.
• Export. Email us to request an export of your Customer Data in a common machine-readable format.
• Deletion.Email us to request deletion of your account. We'll confirm by reply and complete the deletion within 30 days, subject to legal retention requirements.
• Marketing opt-out. Every marketing email includes an unsubscribe link. Transactional emails (security, billing, account) cannot be opted out of while your account is active.
• Disconnect integrations.Settings → Integrations lets you disconnect Google or Spotify at any time; we revoke and delete the related tokens.