RTST, LLC, an IndieLab company (“RTST,” “we,” “us,” or “our”) operates the RTST platform at rtst.app and the RTST mobile apps for iOS and Android. This Privacy Policy explains what information we collect, how we use it, and the choices you have.
Account and Profile Information
- Email address (required to sign in via magic link or Google OAuth).
- Display name (optional).
- Google OAuth profile data — your Google ID, profile name, and avatar — if you sign in with Google.
- Passkey public keys, if you use passkey/WebAuthn authentication (private keys stay on your device).
- Artist profile fields: avatar, bio, website, and links to social and streaming platforms.
Artist Payout and Tax Information (Artists Only)
- Stripe Connect onboarding data — legal name, date of birth, address, government ID, and bank account details — is collected and stored by Stripe under Stripe's privacy policy. RTST only receives confirmation of onboarding status and payout results.
- Tax forms (W-9 for U.S. artists, W-8BEN for international artists).
- Payout history, transfer IDs, and earnings records.
Content You Upload
- Audio, video, and image files.
- Metadata such as titles, descriptions, release dates, and pricing.
Usage and Streaming Data
- Play events: content ID, timestamp, listen duration, and completion flag.
- Device information parsed from your browser's User-Agent string: device type (mobile, tablet, desktop, TV), operating system family, and browser family.
- IP address and approximate geolocation (country, region, city) derived from a local IP2Location database — your IP address is not sent to any third-party geolocation service.
- Referrer source (how you arrived at a piece of content).
Technical and Security Data
- API access logs for security and abuse prevention.
- Error reports and performance metrics.
We use your information to:
- Provide and operate the platform, including streaming, uploads, and payouts.
- Authenticate you and secure your account.
- Calculate artist earnings and process payouts via Stripe Connect.
- Issue tax forms (IRS 1099-K and W-8BEN reporting).
- Detect and prevent fraud, abuse, bot plays, and Terms of Service violations.
- Screen uploaded content for copyright infringement and prohibited material.
- Provide analytics to artists about their audience (aggregated listener demographics derived from geolocation).
- Send transactional emails (magic links, payout confirmations, subscription receipts, DMCA notices, account alerts).
- Improve the platform.
We use automated systems to screen uploaded content before it goes live.
- OpenAI Moderation API.Titles, descriptions, bios, cover art, and other text and image data are sent to OpenAI for content moderation. OpenAI's terms and privacy practices apply to that processing. See openai.com/policies for details.
- Copyright detection. Uploaded audio files are processed by automated copyright-detection systems that generate fingerprints and match them against a database of known works.
These systems make decisions that may result in content rejection or account action. If you believe a decision was made in error, you can request human review by contacting info@indielab.io.
We use browser storage only for authentication and basic security. We do not use tracking cookies, advertising cookies, or third-party analytics.
- Browser localStoragestores your JWT access and refresh tokens (rtst_access_token, rtst_refresh_token) on your device so you don't have to sign in on every page load.
- A single cookie (rtst_magic_link_ts, SameSite=Lax) rate-limits magic link requests to prevent abuse.
- Mobile apps store equivalent authentication tokens in secure device storage (AsyncStorage on iOS and Android).
We share data with the following service providers so they can perform work on our behalf. Each provider is bound by contractual privacy commitments.
- Stripe — name, email, payout details, KYC information, and card details — for payments, subscriptions, Connect payouts, and tax reporting.
- Google (OAuth) — your Google profile if you sign in with Google — for authentication.
- OpenAI — uploaded text, metadata, and images — for content moderation.
- Copyright detection service — audio fingerprints — for copyright matching.
- Google Cloud Platform — all platform data (database, storage, queues, secrets) — for hosting infrastructure.
- Cloudflare R2 — media files and streaming segments — for storage and delivery.
- Email provider (SMTP) — email address and transactional email contents — for delivery of transactional emails.
- We do not sell your personal information.
- We do not share your data with advertisers.
- We do not use your data for ad targeting or behavioral profiling.
- We do not send unsolicited marketing emails. Emails we send are transactional — magic links, receipts, payout confirmations, DMCA notices, and account alerts.
- We do not use tracking cookies or third-party analytics platforms.
- Account data is retained while your account is active. If you delete your account, we remove your personal information within 30 days.
- Play events tied to your user ID are retained for 13 months; aggregated, non-identifying analytics may be retained longer.
- Financial records are retained for 7 years to comply with tax and accounting requirements.
- DMCA notices and counter-notices are retained as long as required under the DMCA safe harbor.
- Moderation logs are retained as an audit trail for abuse investigation.
- Authentication logs are retained for 90 days for security.
Everyone
You can access and update your account information at any time by signing in. To request deletion, correction, export, or other actions on your data, contact privacy@indielab.io. We aim to respond within 30 days.
California Residents (CCPA / CPRA)
You have the right to:
- Know what personal information we collect and how we use it.
- Request deletion of your personal information.
- Request correction of inaccurate personal information.
- Opt out of the sale or sharing of personal information (not applicable — we do not sell or share personal information for cross-context advertising).
- Limit the use of sensitive personal information.
- Non-discrimination for exercising your rights.
EU and UK Residents (GDPR / UK GDPR)
If applicable, you have rights of access, rectification, erasure, restriction, data portability, objection, and withdrawal of consent. You also have the right to lodge a complaint with your local supervisory authority. Our legal bases are contract performance (providing the service), legitimate interest (analytics, fraud prevention, and security), legal obligation (tax and DMCA compliance), and consent where applicable.
RTST processes data in the United States using Google Cloud, Stripe, and Cloudflare. If you are in the EU or UK, we rely on Standard Contractual Clauses (or the UK International Data Transfer Addendum) with our processors as the legal mechanism for transfer.
RTST is not intended for children under 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected data from a child under 13, we will delete it. Parents or guardians who believe we have collected their child's data should contact privacy@indielab.io.
Artist accounts are limited to users 18 and older; we do not onboard minors as artists.
We use industry-standard security measures to protect your data, including HTTPS for all connections, signed JWT tokens for authentication, signed URLs for streaming segments, access controls, and encryption of data at rest in Google Cloud Platform. While no system is 100% secure, we take reasonable steps to protect your information and will provide breach notifications as required by applicable law.
The platform may contain links to third-party websites and services. Their privacy practices are their own. We encourage you to review their privacy policies.
We may update this Privacy Policy from time to time. For material changes, we will give you at least 30 days' advance notice via email and in-platform notification. Your continued use of RTST after changes take effect constitutes acceptance of the updated policy.