Privacy policy

Last updated: April 2026 · UK GDPR & Data Protection Act 2018

Summary

  • We run Haystack to help people discover music and to receive track submissions. We do not sell your personal data.
  • We only use essential storage needed to operate core site features.
  • Submitting a track uses your device’s email app to send information to us; we explain exactly which fields below.
  • Playing tracks may load content from SoundCloud and YouTube; those services have their own privacy notices.
  • You have rights under UK law (access, correction, deletion, and more). You can complain to the ICO.

Who we are

Haystack (“Haystack”, “we”, “us”, “our”) operates this website. We are the data controller for personal data processed in connection with the site.

This policy explains how we collect, use, store, and share personal data when you visit haystack.fm (or the domain where this site is hosted), use the audio player, or use the track submission flow.

Scope

This policy applies only to this website and the processing we describe here. It does not cover third-party websites, apps, or social networks you reach by following links, including SoundCloud, YouTube, or other platforms where music is hosted.

Definitions

  • Personal data means information that relates to an identified or identifiable individual.
  • Processing means anything we do with personal data (including collecting, storing, using, and deleting it).
  • Consent must be freely given, specific, informed, and unambiguous where we rely on it.

Personal data we process

When you browse the site

  • Technical & usage data. Your browser sends standard technical data (for example IP address, user agent, language, and referrer). Our hosting provider may log requests for security and reliability.

When you use the music player

Playback uses embedded or linked services (for example SoundCloud’s player and YouTube for video or thumbnails). Those providers may process data according to their own policies when their content loads. We do not receive your SoundCloud or Google account passwords through normal playback.

When you submit a track for consideration

The submit form is designed to open your email app with a pre-filled message to submissions@haystack.fm. That means you send the email from your device; we do not host a separate upload server for that flow in the current implementation.

The email typically includes:

  • SoundCloud track URL (required)
  • Optional YouTube URL
  • Genre and region/location you selected
  • Your contact email address
  • Confirmation that you agreed to the rights statement

We use this information to assess submissions, respond to you, and operate Haystack. Do not include sensitive special-category data in your submission unless strictly necessary and lawful.

When you contact us

If you email us (including privacy requests), we process your address, message content, and any attachments as needed to reply and keep a proportionate record.

Purposes and lawful bases

Under UK GDPR we must have a lawful basis for each purpose. The table below is a summary.

Purposes and typical lawful bases
Purpose Typical lawful basis
Operate the website, deliver pages and audio features, ensure security and prevent abuse Legitimate interests (balanced against your rights)
Review and respond to track submissions Legitimate interests and/or steps at your request prior to entering an agreement
Comply with law, regulation, or legal process Legal obligation

Where we rely on legitimate interests, you may have a right to object in certain circumstances (see Your rights).

Third-party services and embedded content

Parts of the site rely on services we do not control. They may process data when their content loads. You should read their policies.

Examples of third-party services
Service Role More information
Google Fonts (fonts.googleapis.com / gstatic) Delivery of font files when you load pages Google Fonts FAQ
SoundCloud Audio playback and related widgets/APIs SoundCloud Privacy
YouTube (Google) Optional video/thumbnail content when linked to tracks Google Privacy Policy
Web hosting / infrastructure Serving the site and logs Depends on your hosting provider’s terms

Sharing and processors

We do not sell your personal data. We share data only as needed:

  • Service providers (processors) who help us host and secure the site under our instructions.
  • Legal & safety if we believe disclosure is required by law, court order, or to protect rights, safety, or integrity of users or the public.
  • Business transfers if we ever reorganise or transfer assets, subject to appropriate safeguards and notice where required.

International transfers

Some providers may process data in the United States and other countries. Where personal data is transferred outside the UK, we ensure a valid transfer mechanism under UK law (for example UK adequacy regulations or standard contractual clauses), and we assess risks as appropriate.

How long we keep personal data

  • Submission emails — kept only as long as needed to review and correspond with you, manage our catalogue, and meet legal, tax, or accounting obligations, then deleted or anonymised unless a longer period is required by law.
  • Correspondence — kept for a reasonable period to resolve queries and defend legal claims if necessary.

Security

We implement appropriate technical and organisational measures appropriate to the risk (for example secure connections where provided by our host, access controls on accounts we control, and careful handling of submission inboxes). No website can guarantee absolute security; please use strong, unique passwords for your own email and accounts.

Your rights

Depending on your situation, you may have the following rights under UK data protection law:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — ask us to delete data in certain circumstances.
  • Restriction — ask us to limit processing in certain circumstances.
  • Objection — object to processing based on legitimate interests or for direct marketing.
  • Data portability — receive certain data in a structured, machine-readable format where processing is based on consent or contract and is automated.
  • Withdraw consent — where we rely on consent, you can withdraw it at any time; this does not affect lawfulness of processing before withdrawal.
  • Complaint — lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority.

To exercise rights, contact us at privacy@haystack.fm. We may need to verify your identity. You will not usually have to pay a fee.

Automated decision-making and profiling

We do not use automated decision-making that produces legal or similarly significant effects solely by automated means in relation to the activities described in this policy.

Children

The site is not directed at children under 13. We do not knowingly collect personal data from children. If you believe we have, contact us and we will take steps to delete it.

Marketing

We do not send promotional emails or newsletters unless we introduce that service in the future and give you a separate choice to opt in. Submission-related emails are operational, not marketing, unless clearly described otherwise.

Changes to this policy

We may update this policy from time to time (for example when we add features or regulators change guidance). We will post the new version on this page and change the “Last updated” date. For material changes, we may also show a notice on the site or seek consent where required.

Contact and supervisory authority

Privacy & data rights: privacy@haystack.fm

Track submissions: submissions@haystack.fm (as used by the submit form)