Privacy Policy

1. Introduction

This Privacy Policy explains how SuperDarkCode Labs (Private) Limited, a company registered in Zimbabwe (D-U-N-S® Number 631177843), trading as Music Localhost("Platform", "we", "us", "our"), collects, uses, shares, stores, and protects your personal information when you use the Music Localhost website, mobile applications, Telegram or WhatsApp bots, APIs, and any related service (the "Service").

It applies to all users of the Service — listeners, artists, producers, studio managers, label operators, and administrators. By creating an account or using the Service, you consent to the collection and processing of your information as described here. If you do not agree, do not use the Service. This Privacy Policy is read together with our Terms of Service.

2. Information We Collect

2.1 Account information

Mobile phone number (primary identifier and login credential), verified by one-time SMS code; email address (if provided); display name; date of birth; profile photo, biography, location, and social media links. Phone numbers are verified to prevent fraudulent registrations.

2.2 Artist / Producer KYC information

If you register as an Artist, Producer, or Studio Manager, we additionally collect: legal full name, national identification or passport number, a photograph of your government-issued ID, a selfie photograph for biometric matching, proof of address (where requested), beneficial-owner information for company accounts, and banking or EcoCash mobile-money details for payouts. KYC documents are encrypted at rest and access is restricted to authorised compliance personnel on a need-to-know basis.

2.3 Content & distribution metadata

Audio masters (tracks, beats, albums), cover artwork and promotional images, lyrics, and distribution metadata: track and album titles, artist and stage names, songwriter and producer credits, genre, release dates, language, and industry identifiers including ISRC, UPC, EAN, and ISWC codes.

2.4 Listening & usage data

Tracks, albums, and playlists you play; listening duration and frequency; tracks and artists you like, follow, or save to your library; playlists you create or follow; search queries; pages and features you access; date and time of activity. This data drives recommendations, trending charts, and aggregated reporting to artists.

2.5 Device & technical data

IP address, browser type and version, device type and identifiers, operating system, screen resolution, language and locale, referring URL, and network connection type. Used to optimise streaming, diagnose technical issues, and maintain security.

2.6 Payment & royalty data

Transaction records (amounts, dates, descriptions, status), subscription and membership history, payout history, royalty statements from DSPs (per-platform per-territory revenue), and invoices. Full payment-card numbers are processed by Pesepay and are not stored on our servers; we retain only truncated card details (e.g. last four digits) for reference.

2.7 Tax & regulatory data

Where applicable, we collect tax forms required to settle royalties (e.g. ZIMRA tax identifiers, US Form W-8BEN/W-8BEN-E for US-source royalties, or treaty-equivalent forms), and any disclosures required to satisfy anti-money-laundering or sanctions-screening obligations.

3. Legal Basis & Purposes

We process personal information on the following legal bases: contract (delivering the Service you signed up for, paying you royalties), legal obligation (KYC, tax, sanctions, court orders), legitimate interest (fraud prevention, anti-streaming-manipulation, security, product improvement, debt recovery), and consent (opt-in marketing communications). The specific purposes are:

• Service provision: account creation, OTP authentication, hosting, streaming, upload, playback, and core features;
• Music distribution: transmitting your masters and metadata through our aggregator partner onward to DSPs (Spotify, Apple Music, Boomplay, Audiomack, YouTube Music, Deezer, Tidal, Amazon Music, and others);
• Royalty & payment processing: calculating splits, issuing payouts via Pesepay, processing chargebacks, computing taxes;
• Analytics & insights: generating aggregated, anonymised analytics on plays, demographics, and trends, and presenting them to artists and the platform;
• Fraud prevention & security: detecting, investigating, and preventing artificial streaming, bot activity, account takeover, payment fraud, and other Terms violations — including via automated detection, machine-learning models, and third-party fraud-screening services;
• KYC, AML & sanctions screening: verifying identity, screening against UN, OFAC, EU, and UK sanctions and PEP lists, and complying with anti-money-laundering obligations;
• Communications: transactional notifications (OTPs, payment confirmations, payout notices, security alerts) and, where you have opted in, marketing communications;
• Legal compliance: responding to lawful requests from authorities, enforcing our Terms of Service, defending claims.

4. How We Share Your Information

We do not sell your personal information. We share it only in the following circumstances:

• Distribution & DSPs. When you submit content for distribution, your stage name, track and album metadata, cover artwork, audio files, and identifiers (ISRC, UPC) are transmitted through our distribution network and on to the DSPs you select (Spotify, Apple Music, Boomplay, Audiomack, YouTube Music, Deezer, Tidal, Amazon Music, and others). Each DSP processes the data under its own privacy policy.
• Payment processor — Pesepay. For EcoCash mobile money, bank transfers, and card payments. We share your name, phone number, EcoCash number, bank details, and transaction amounts. Pesepay processes data per its own privacy policy.
• Cloud storage & CDN — Cloudflare R2. Audio masters, transcoded HLS segments, artwork, and assets are stored in Cloudflare R2 with server-side encryption and signed, time-limited delivery URLs.
• SMS provider — SMS Localhost. We share your phone number solely to deliver OTP verification codes; the provider retains the number only as long as required to complete delivery.
• Fraud & sanctions screening providers. We may share registration and transaction data with third-party fraud-detection and sanctions-screening services to identify high-risk activity. These providers are contractually limited to using the data for those purposes.
• Aggregated analytics to artists. Artists receive aggregated, anonymised analytics about their content's performance — total plays, geographic distribution (by country/region), demographic trends, playlist inclusions. Artists cannot see which specific listeners played their tracks or any personally identifiable listener information.
• Law enforcement & legal obligations. We may disclose information to law-enforcement authorities, regulators, or other third parties where compelled by valid legal process (court order, subpoena, warrant), or where we believe in good faith that disclosure is necessary to prevent fraud, protect safety, defend rights, or comply with applicable law.
• Business transfers. In a merger, acquisition, reorganisation, bankruptcy, or sale of all or part of our assets, your information may be transferred as part of that transaction. We will notify you via the Service or email of any such change in ownership.
• With your consent. We may share your information where you give us specific consent to do so.

5. Current Sub-processors

The following third-party processors handle personal information on our behalf, under data-processing agreements that bind them to use the data only for the purposes we direct and to apply industry-standard security measures:

We will update this list as our sub-processors change. Material changes that affect categories of data will be notified through the Service.

6. Cookies & Local Storage

We do not use third-party advertising cookies, tracking pixels, or retargeting technologies. We do not serve targeted advertisements. The following data is stored locally on your device:

• Authentication tokens (JWTs): to maintain your authenticated session. Tokens expire after a set duration and are refreshed periodically.
• Theme preference: light or dark mode.
• Player state: currently playing track, queue position, and volume, to allow seamless resumption.
• First-party analytics: aggregated usage data to understand how the Service is used. Not shared with advertising networks.

You can clear local storage at any time through your browser settings. Doing so will log you out and reset preferences.

7. Your Rights

Subject to applicable law, you have the following rights regarding your personal information:

• Access: request a copy of the information we hold about you, in a commonly-used machine-readable format;
• Correction: request that inaccurate or incomplete information be corrected; most fields can be edited directly in your profile settings;
• Deletion (right to be forgotten): request that we delete your personal information. Note that we may retain certain data where we have a legal obligation (financial records for tax/AML, KYC under regulatory rules, litigation holds) or a legitimate business interest (fraud prevention, dispute resolution, enforcement of Terms). Content already distributed to DSPs is subject to the Tail Period in our Terms of Service: takedown requests will be submitted at the end of the Tail Period or earlier on payment of the Early Release Fee, and residual copies may persist on those platforms;
• Data portability: request a copy of your data in a structured, machine-readable format;
• Object / restrict processing: object to processing based on legitimate interests, including anti-fraud profiling (subject to our overriding legal obligations);
• Withdraw consent: withdraw consent for any processing based on consent (e.g. marketing communications); this will not affect the lawfulness of prior processing;
• Lodge a complaint: with the relevant data-protection authority in your jurisdiction.

To exercise any right, contact privacy@localhost.co.zw. We will respond within thirty (30) days of receipt and may ask you to verify your identity.

8. Children's Privacy

The Service is not directed at children under sixteen (16). We do not knowingly collect personal information from anyone under 16. Users between sixteen (16) and eighteen (18) may use the listener Service only with verifiable parental or guardian consent. Artist and Producer accounts are restricted to users aged eighteen (18) or over.

If you are a parent or guardian and believe your child has provided personal information to the Service without consent, please contact privacy@localhost.co.zw. On verification we will delete the account and associated personal information.

9. Data Security

We apply technical and organisational measures appropriate to the risk:

• Encryption in transit via TLS / HTTPS;
• Encryption at rest for KYC documents, banking details, and audio masters in cloud storage;
• Signed, time-limited HLS streaming URLs to prevent unauthorised content access;
• Strong, industry-standard hashing for any password material; authentication tokens are signed and time-limited;
• Role-based access controls; access to KYC and financial data is restricted to authorised personnel on a need-to-know basis;
• Continuous monitoring for security incidents, suspicious activity, and vulnerabilities.

No method of transmission or storage is completely secure. While we strive to protect your information, we cannot guarantee absolute security.

10. Breach Notification

In the event of a personal-data breach that is likely to result in a risk to the rights and freedoms of affected users, we will notify affected users without undue delay, and the relevant data-protection authority within seventy-two (72) hours of becoming aware, where required by applicable law. Our notification will describe the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures we have taken or propose to take to address it.

11. Anti-Fraud & Streaming Manipulation Monitoring

We monitor activity on the Service to detect bots, click farms, incentivised streaming, account-takeover attempts, payment fraud, and coordinated chart-gaming. This is performed using a combination of statistical models, machine-learning detectors, and third-party fraud-screening services. Where we identify suspicious activity, we may freeze affected accounts, withhold royalty payouts pending investigation, and — for confirmed violations — terminate the account and forfeit accrued royalties as set out in our Terms of Service.

12. Data Retention

We retain personal information only as long as necessary for the purposes for which it was collected, to comply with our legal obligations, to resolve disputes, and to enforce our agreements:

• Account data: for the duration of your active account plus two (2) years following deletion or termination, to address post-termination queries, disputes, or claims;
• KYC documents: for the duration of your account plus five (5) years following deletion, in line with anti-money-laundering and regulatory obligations;
• Financial & royalty records: seven (7) years from the date of the transaction, in line with applicable tax, accounting, and financial-regulatory requirements;
• Distributed content: audio masters and metadata are retained on our infrastructure for the duration of distribution plus the applicable Tail Period set out in the Terms of Service. Cached or backup copies may persist for up to ninety (90) days after deletion;
• Listening & usage data: individual listening data retained for two (2) years; aggregated and anonymised analytics retained indefinitely as they do not identify individuals;
• Technical & security logs: twelve (12) months;
• Fraud / sanctions records: kept for as long as required by anti-fraud and AML obligations, typically five (5) years from the relevant event.

When personal information is no longer required for any purpose, we securely delete or anonymise it.

13. International Data Transfers

Music Localhost is based in Zimbabwe, but the Service relies on global cloud infrastructure (Cloudflare R2 + CDN) and on internationally-operated DSPs to deliver content. Your personal information and uploaded content may be processed, stored, or transmitted on servers outside Zimbabwe in jurisdictions whose data protection laws may differ.

Where we transfer personal information internationally, we apply appropriate safeguards: data-processing agreements with sub-processors that bind them to an equivalent standard of protection (including, where applicable, the European Standard Contractual Clauses), and encryption in transit and at rest. By using the Service you acknowledge and consent to these transfers.

14. Marketing Communications

We send marketing communications (new features, promotions, content highlights) only where you have opted in. You may opt out at any time by adjusting your notification settings or following the unsubscribe instructions in the relevant message. Opting out of marketing does not affect transactional or service-related communications, which we are obliged to send (OTPs, payment confirmations, payout notices, security alerts, important changes to these documents).

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be notified at least fourteen (14) days in advance via a banner or in-app alert, and where appropriate by SMS or email to the contact details on your account. The version and effective date at the top of this page indicate the most recent revision. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

16. Contact

For privacy enquiries, data-subject requests, or breach reports:

If you are not satisfied with our response, you may have the right to lodge a complaint with the relevant data-protection authority in your jurisdiction.