Privacy Policy

Rytmx collects account, profile, and activity data you provide (including attendance logs, ratings, reviews, and moderation submissions), plus limited technical usage data needed to secure and improve the Service.

We use personal information to operate the product, authenticate users, moderate abuse, and maintain reliability. Optional analytics cookies are controlled through Cookie Preferences and currently power PostHog product analytics only after consent.

Setlist.fm-powered concert lookup is handled with a fetch-on-demand model: Rytmx may temporarily cache artist search results and event payloads for performance and rate-limit protection, but it does not treat those cached responses as permanent canonical data.

Depending on your location, you may have privacy rights such as access, correction, deletion, restriction, objection, portability, or consent withdrawal. Requests can be sent to support@rytmx.com.

Information you provide directly: display name, email, account identifiers, optional profile fields, and user-generated content (attendance, ratings, reviews, and edits).

Authentication data: when you sign in with OAuth, we receive account/profile metadata from your provider needed to create and maintain your Rytmx account.

Automatically collected data: IP address, browser/device details, operating system, timestamps, request diagnostics, and aggregate usage interactions.

When you trigger a Setlist.fm lookup, Rytmx may temporarily cache raw provider responses for short-term operational use only: artist search results up to 24 hours, artist event results up to 24 hours, and event setlist payloads up to 7 days.

For concerts created from that workflow, the fields permanently stored are limited to `setlistfm_id`, `date`, `setlistfm_url`, and `data_source`, with optional artist/venue/city name snapshots used only as lightweight display context rather than canonical provider copies.

We do not intentionally collect special-category sensitive personal data for core platform operation.

To provide and operate core features: authentication, account management, profile display, concert activity, and review publication.

To secure the Service: fraud detection, abuse prevention, moderation, incident investigation, and system integrity controls.

To improve product quality: PostHog-backed product analytics, bug diagnostics, and reliability/performance monitoring (subject to cookie settings where applicable).

To comply with law, enforce our Terms, and protect users, Rytmx, and third parties from harm.

Depending on jurisdiction, we process personal information under one or more legal bases: consent, contract performance, legitimate interests, legal obligation, and vital interests.

Where consent is required (for example, certain optional cookies), you may withdraw consent at any time via Cookie Preferences or by contacting support@rytmx.com.

Service providers and vendors that support hosting, infrastructure, authentication, storage, analytics, moderation tooling, and operations under contractual safeguards. This currently includes PostHog for optional client-side product analytics and Sentry for application error and performance monitoring.

Transactional email is sent through Resend for sign-in, account, product, and moderation-related notifications.

Third-party data sources and integrations (including Setlist.fm and authentication providers) operate under their own terms and privacy policies.

For Setlist.fm specifically, Rytmx uses a fetch-on-demand workflow with short-lived caching and displays source attribution on Setlist.fm-backed records, including records served from cache.

Legal and business transfer contexts: where required by law, to protect rights/safety, or as part of merger/acquisition/reorganization transactions.

Rytmx uses two cookie categories today: necessary cookies for security, sign-in, and core product functionality, plus optional analytics cookies that stay off unless you enable them.

When analytics is enabled, Rytmx loads PostHog in the browser for product analytics, autocapture, and web-vitals measurement. Session replay is not enabled in this rollout.

Marketing or advertising cookies are not active on Rytmx today. If that changes, this Privacy Policy and the Cookie Preferences control will be updated before those tools are enabled.

Your consent selections are stored with version and timestamp and can be changed any time from the Cookie Preferences control in the footer.

Browser controls may also block cookies, but doing so can affect feature availability and account sessions.

If you use OAuth sign-in, we receive account metadata from the provider necessary for login and account linking.

We do not control how OAuth providers independently process your data. Please review each provider’s privacy notice directly.

Personal information may be processed in jurisdictions outside your home region. We apply reasonable transfer safeguards appropriate to provider and legal context.

By using Rytmx, you understand data may be transferred, stored, and processed in multiple regions used by our infrastructure providers.

We retain personal information for as long as needed to operate the Service, satisfy legal obligations, resolve disputes, and enforce agreements.

Setlist.fm cache retention is intentionally short: artist search responses expire within 24 hours, artist event responses expire within 24 hours, and event setlist payloads expire within 7 days. These caches are operational copies only and are not treated as permanent source records.

For Setlist.fm-sourced concerts that a user explicitly logs or saves, Rytmx permanently retains only `setlistfm_id`, `date`, `setlistfm_url`, and `data_source`, plus optional artist/venue/city name snapshots where needed for basic display continuity.

These provider-handling limits are also documented in our internal compliance notes so product, engineering, and support workflows stay aligned with the public policy described here.

When information is no longer necessary, we delete or anonymize it where feasible, or isolate/archive it securely when immediate deletion is not possible.

We use technical and organizational safeguards designed to protect personal information against unauthorized access, alteration, disclosure, or destruction.

No internet or storage system is perfectly secure; users should also protect account credentials and access Rytmx from trusted environments.

Rytmx is not intended for children below the minimum age required by applicable law in your jurisdiction.

If we become aware of ineligible minor data collection, we will take reasonable steps to remove the data and disable affected accounts as appropriate.

Depending on your location, rights may include access, correction, deletion, portability, objection, restriction, and appeal rights where required by law.

You may submit privacy requests to support@rytmx.com. We may verify identity before processing requests and may decline requests where legally permitted.

You may request account updates or deletion through account settings or support channels. Certain records may be retained where required for legal/security purposes.

Because a universal Do Not Track (DNT) standard is not currently adopted across ecosystems, Rytmx does not currently respond to DNT browser signals.

Residents of certain US states may have additional rights related to access, correction, deletion, and opt-out preferences for targeted advertising or certain profiling.

Where required, users may submit requests and appeals through support@rytmx.com. We respond according to applicable state law and permitted exemptions.

Rytmx does not sell personal information for monetary consideration. If this changes, this policy and in-product controls will be updated accordingly.

We may update this Privacy Policy from time to time to reflect legal, operational, or product changes.

Material updates will be reflected by a revised effective date and, where appropriate, additional notice within the Service.

For privacy questions, rights requests, or complaints, contact: support@rytmx.com.

Rytmx will review requests in line with applicable law and respond within legally required timeframes where those obligations apply.