Privacy Policy

Effective date: March 25, 2026 | Version: 2026-03 | Last updated: March 25, 2026

This Privacy Policy explains how Walter de Minicis ("we", "us", "our") collects, uses, stores, shares, and protects personal data across Telia's public website, members hub, admin operations, and mobile API services (together, the "Service"). It is written to reflect the systems we actually operate today, including public commerce, subscriptions, account tools, the fan feed, playlists, music playback, uploads, and gated media access.

1. Controller and scope

The controller for the processing described in this policy is:

Walter de Minicis
Via Mura degli Angeli 25, 16127 Genova, Italy
Email: privacy@teliamusic.com

This policy applies to:

Public: teliamusic.com for marketing pages, releases, help, legal pages, one-off commerce, profile, addresses, orders, and downloads.
Hub: app.teliamusic.com for account access, pricing, subscriptions, billing portal, feed, playlists, and music features.
Admin: admin.teliamusic.com where authorised staff review and operate customer, commerce, entitlement, moderation, and support workflows.
Mobile APIs: the native app endpoints served from the hub surface.

We have not appointed a separate DPO. Privacy requests can be sent to the contact above.

2. Personal data we collect

Account and identity data

When you register, sign in, maintain an account, or interact with support, we may collect your email address, username, display name, hashed password, role claims, user/account identifiers, and the profile details you choose to provide such as name, birthday, phone number, and avatar.

Consent and preference data

We store cookie choices in the telia_consent cookie and record account-level consent or withdrawal events in our database, including purpose, status, timestamp, source, and limited compliance evidence such as a hashed IP when appropriate.

Commerce, subscription, and entitlement data

If you purchase products, subscribe, manage billing, or claim guest orders, we process billing and shipping details, order history, download entitlements, Stripe customer and subscription references, and the entitlement records used to decide access to paid content.

Community, playlist, and media data

When you use the feed, comments, polls, playlists, reactions, or upload media, we process the content you submit, moderation and visibility settings, playlist artwork, avatars, feed comments and likes, playback/listen events, and the metadata needed to deliver locked or unlocked media. For locked content we may generate separate preview derivatives, such as blurred preview images or poster frames, and store them independently from the full asset.

Technical, session, and security data

We process IP-derived request metadata, browser/device information, authentication session records, cookie values such as ti_jwt and ti_claims, media access decisions, signed URL issuance, abuse-prevention telemetry, and internal observability data such as request correlation IDs.

Communications and marketing data

We process newsletter signups, unsubscribe tokens, support or legal emails, transactional email delivery events, and your marketing preference status. Marketing email preferences are mirrored to our email delivery and CRM providers so we can honor unsubscribe requests and maintain suppression state.

Mobile session data

Our mobile app uses bearer-token sessions backed by D1. We may also process optional mobile device/session metadata and app version information so we can secure the session, rotate tokens, and enforce minimum supported versions.

3. Sources of data

We collect data:

directly from you when you create an account, place an order, subscribe, upload content, edit your profile, or contact us;
automatically from your browser, device, or app when you use the Service;
from Stripe and related billing events when you purchase or manage a subscription;
from Cloudflare and our infrastructure providers for delivery, security, and logging;
from Google services when you use address autocomplete or consent to embedded external media;
from internal admin and moderation workflows when staff review support, commerce, entitlement, or abuse issues.

4. Why we use your data and our legal bases

Purpose	Main data used	Legal basis
Create accounts, authenticate users, maintain sessions, and let you use member features	Identity data, session data, profile data	Contract performance; legitimate interests in account security
Process one-off purchases, subscriptions, billing portal access, entitlements, orders, and downloads	Commerce data, payment metadata, entitlement records, addresses	Contract performance; legal obligation for accounting/tax records
Operate the feed, playlists, uploads, comments, reactions, polls, and community moderation	Community content, uploads, playlist data, moderation metadata	Contract performance; legitimate interests in operating and securing the community
Gate locked media, issue short-lived signed URLs, and protect private assets	Entitlements, media access logs, signed URL metadata, preview derivatives	Contract performance; legitimate interests in access control, anti-abuse, and service integrity
Send transactional emails and manage support/legal communications	Email address, order data, account data, support messages	Contract performance; legitimate interests in customer support; legal obligation where required
Manage marketing preferences, newsletters, and unsubscribe/suppression lists	Email address, consent status, unsubscribe token, audience sync metadata	Consent for marketing communications; legal obligation to honor withdrawals
Run analytics, tag management, marketing tools, and external media only when allowed by your cookie choices	Consent state, browser identifiers, cookie data, event data	Consent
Detect fraud, investigate incidents, defend legal claims, and comply with law enforcement or regulatory duties	Security logs, consent audit events, request metadata, order/billing records	Legitimate interests; legal obligation

5. Cookies, analytics, marketing, and external media

We use a consent model with separate categories for necessary, preferences, statistics, marketing, and external media. Your browser-side choice is stored in telia_consent, and a new consent prompt is shown when the policy version changes materially.

Necessary: includes essential session and security cookies such as ti_jwt and ti_claims after login.
Statistics: governs tag-managed analytics such as Microsoft Clarity.
Marketing: governs marketing tooling such as the Meta script path when configured.
External media: governs third-party embeds such as YouTube and similar services.
Functional third-party requests: Google Maps Places is used on address forms to improve address accuracy; this is a service request path, not a general advertising feature.

See our Cookie Policy for the current inventory and management options.

6. How we share personal data

We do not sell your personal data. We share it only with service providers, business partners, and authorised internal personnel when necessary to operate the Service, comply with law, or protect our rights and users.

Recipient	Role	Examples of data involved
Cloudflare	Hosting, delivery, D1, R2, caching, WAF, logging, media infrastructure	IP-derived request data, hosted application data, stored media objects
Stripe	Checkout, subscriptions, invoices, billing portal	Billing details, payment metadata, subscription state, customer IDs
Resend	Transactional email delivery and audience sync	Email address, name, order/account email content, unsubscribe state
Groundhogg	Secondary CRM mirror	Email, name, subscription/marketing status, segmentation tags
Sanity	Editorial CMS and metadata delivery	Content metadata and references; not our source of truth for entitlements
Mux	Video upload, playback, and thumbnail infrastructure for supported video content	Playback IDs, upload metadata, thumbnail/tokenized playback requests
Google	GTM, YouTube embeds, Maps Places autocomplete, and other consented Google services	Consent state, browser/request data, address lookup input, embed requests
Microsoft	Clarity analytics when statistics consent is granted	Usage and browser interaction data captured via Clarity
Meta	Marketing tooling path when marketing consent is granted and the environment is configured for it	Browser/request data and consented marketing events

We may also disclose data if required to comply with law, respond to valid legal process, defend our rights, investigate abuse, or protect the safety of users and the Service.

7. International transfers

Some of our service providers operate outside the EEA, the UK, or Switzerland. Where personal data is transferred internationally, we rely on the provider's applicable transfer mechanism, which may include adequacy decisions such as the EU-US Data Privacy Framework where available, or contractual safeguards such as the European Commission's Standard Contractual Clauses and the UK addendum/IDTA, together with supplementary measures where needed.

8. Retention

We keep data for as long as we need it to provide the Service, comply with law, resolve disputes, and protect the platform. The most important practical rules in our current system are:

Account and profile data: kept while the account remains active. If you delete your account, we delete or anonymise account-linked data where our workflow supports it, including credentials, avatars, and certain community records.
Web sessions and claims: web session cookies are issued with a rolling lifetime of up to 7 days; ti_claims lasts 15 minutes; mobile bearer sessions are issued for up to 30 days unless rotated or revoked sooner.
Cookie consent: telia_consent is stored for 365 days unless replaced earlier by a new decision or policy-version bump.
Orders, invoices, subscription and fulfillment records: retained for legal, tax, accounting, fraud-prevention, and customer-support reasons, typically up to 10 years where required.
Consent audit and unsubscribe records: retained for as long as necessary to prove compliance, honor opt-outs, and defend legal claims.
Support, abuse, and media-access logs: kept as needed for support, moderation, security, and incident investigation, then reviewed, rotated, deleted, or anonymised in the ordinary course of operations.
Uploaded media and preview derivatives: kept while the related content, playlist, avatar, or entitlement-controlled asset remains in use, or until deleted/replaced.

9. Your rights and choices

Depending on where you live, you may have rights to access, correct, delete, export, restrict, or object to certain processing, and to withdraw consent where consent is the basis for processing.

We already provide the following self-service flows in the product:

account preference updates, including marketing consent management;
one-click unsubscribe links in email communications;
account data export;
account deletion;
guest-order claim and account-area access to orders, addresses, and downloads.

If you are in the EEA, UK, or Switzerland, you can also lodge a complaint with your local supervisory authority. If you are in California or another US state with comparable privacy rights, you may request access, correction, or deletion subject to applicable exceptions. We do not sell personal data, but some consent-based advertising or analytics disclosures may be treated as "sharing" under certain US state laws.

To exercise rights or ask a question, email privacy@teliamusic.com.

10. Security and minors

We use layered technical and organisational measures designed to protect personal data, including authenticated access controls, short-lived session/claims tokens, consent logging, and server-side checks before private media is released. No system is perfectly secure, and you are responsible for safeguarding your credentials and devices.

The Service is not directed to children under 13. If you believe a child has provided personal data without the required permission, contact us so we can review and act.

11. Changes to this policy

We may update this Privacy Policy from time to time to reflect legal, technical, or operational changes. When we make a material change, we will update the version/date shown above and, where required, trigger a new consent prompt so you can review the change.

12. Contact

For privacy requests or questions, contact:

Walter de Minicis
Via Mura degli Angeli 25, 16127 Genova, Italy
Email: privacy@teliamusic.com

You can also review and update your settings anytime at Manage Preferences.

Walter de Minicis - Privacy Policy - Version 2026-03 - March 25, 2026