Kollekt — Privacy Notice

1. Who We Are

This Privacy Notice describes how Kollekt Group Oy (business ID: 3336449-2), a company incorporated under the laws of Finland, with its registered address at c/o WA Yhtiöt Oy, Äyritie 12 C, 01510 Vantaa, Finland (“Kollekt”, “we”, “our”, or “us”), processes personal data in connection with the Kollekt platform (the “Platform”).

Kollekt is the controller of your personal data as defined in the General Data Protection Regulation (Regulation (EU) 2016/679, the “GDPR”), except where this Privacy Notice expressly states otherwise (see Section 6.1 in respect of Artists who export Member data).

For privacy-related questions, please contact us at privacy@kollekt.io or by post at the address above.

2. About This Notice

This Privacy Notice forms part of our Terms of Service. Where a term is capitalised but not defined here, it has the meaning given to it in our Terms of Service. In this Privacy Notice:

  • “Personal Data” means any information relating to an identified or identifiable natural person.
  • “Processor” means a third party that processes Personal Data on Kollekt’s behalf.
  • “Sub-processor” means a third party engaged by a Processor to process Personal Data.

This Privacy Notice applies to Personal Data we process when you use the Platform — whether as a Fan, an Artist, a Member, a Subscriber, or in any other capacity — and when you communicate with us about the Platform.

3. Categories of Personal Data We Process

We process the following categories of Personal Data:

3.1 Account data. Email address, country, language, and the role you use the Platform in (Fan, Artist, or both).

3.2 Authentication data. Authentication tokens used to keep you signed in and identifiers from any third-party login service you choose to use.

3.3 Profile data. Display name and avatar that you choose to add.

3.4 Content data. Messages you send in Direct Line and Chat, voice notes, uploaded photos, videos, and audio files, and reactions you give to others’ messages.

3.5 Subscription and payment data. Transaction identifiers, the subscription tier you hold, the type of payment method used (we do not store full card numbers — these are held by the relevant payment processor or app store), records of the purchases you make, and refund history.

3.6 Notification preferences and tokens. Device tokens used to deliver notifications, and your notification preferences (including opt-in status) with each Artist you have joined.

3.7 Technical data. IP address, user agent, device type, operating system, app version, and language preference.

3.8 Usage data. Information about your interactions with the Platform — such as pages visited, features used, and session duration — collected in anonymised form.

3.9 Error and diagnostic data. Error logs, crash reports, and, on errors only, diagnostic session replays where input fields and personal identifiers are masked.

3.10 Artist-specific data. Where you are an Artist, we additionally process: identity-verification documentation (KYC), payout recipient details, tax residency information and any tax forms required by law, and information about the Artist page (cover photo, name, social links, link groups, etc.).

3.11 Communications. Emails or messages you send to us through support@kollekt.io, privacy@kollekt.io, or in-app feedback.

4. Where We Get Your Personal Data

We obtain Personal Data:

4.1 Directly from you — when you create an Account, complete your profile, post Content, make a payment, contact us, or otherwise interact with the Platform.

4.2 From public artist data sources — to pre-build display-only Artist pages before an Artist has claimed their page on Kollekt, we ingest publicly available artist data (currently from Spotify), including artist name, cover photo, and links to public profiles. This data is associated with the Artist’s own page and is not used to build profiles of any other person.

4.3 Through verification channels — when an Artist verifies their Account through one of Kollekt’s verification channels (which may include third-party platforms such as Instagram), we receive the verification information necessary to confirm the Artist’s identity.

4.4 From app stores — when you make a purchase through one of the Kollekt mobile apps that uses an app store’s in-app billing system, the relevant store shares with us a purchase token and transaction identifier (but not your card details). This currently applies to purchases through the Kollekt iOS app via Apple’s App Store.

4.5 From payment and payout providers — payment metadata, transaction status, and the results of any KYC checks performed on Artists.

5. Why We Process Your Personal Data and on What Legal Basis

We process Personal Data for the following purposes, on the legal bases indicated. References are to Article 6(1) of the GDPR.

5.1 Providing the Platform to Fans. Creating and operating your Account, allowing you to join Artist spaces, delivering Direct Line messages and other notifications from joined Artists, allowing you to take part in Chat, processing your Subscription and Drop payments, and handling refund requests. Legal basis: performance of our contract with you (Art. 6(1)(b)).

5.2 Providing the Platform to Artists. Operating the Artist’s page and space, processing payouts, performing KYC, making the Member-data export described in Section 6.1 available, complying with reporting obligations, and supporting the Artist in running their community. Legal basis: performance of our contract with the Artist (Art. 6(1)(b)) and compliance with legal obligations (Art. 6(1)(c)) for KYC, AML, and tax matters.

5.3 Pre-built Artist pages. Ingesting publicly available artist data to pre-build display-only Artist pages, so that Artists can recognise and claim their own page easily. Legal basis: our legitimate interest in providing seamless onboarding (Art. 6(1)(f)). The data is publicly available through the relevant source.

5.4 Payment processing. Charging your card or App Store / Play Store account, calculating and remitting VAT and equivalent taxes, paying out Artists, and complying with anti-fraud, anti-money-laundering, and tax-reporting obligations. Legal basis: performance of our contract with you (Art. 6(1)(b)) and compliance with legal obligations (Art. 6(1)(c)).

5.5 Notifications and communications from joined Artists. Delivering Direct Line messages and other notifications from Artists whose space you have joined, which may be sent as push notifications, in-app messages, or email. Joining an Artist’s space is itself the request for these communications. Legal basis: performance of our contract with you (Art. 6(1)(b)). You can stop receiving these by leaving the relevant Artist’s space, by adjusting notification settings in the app, or via your device or email settings.

5.6 Service operation, security, and fraud prevention. Detecting and preventing abuse of the Platform, protecting the security of accounts and data, and ensuring the Platform functions correctly. Legal basis: our legitimate interest in operating the Platform safely (Art. 6(1)(f)) and, where applicable, compliance with legal obligations (Art. 6(1)(c)).

5.7 Anonymised product analytics. Understanding how Users interact with the Platform in aggregate so we can improve and develop the Service. Legal basis: our legitimate interest in improving the Platform (Art. 6(1)(f)). Analytics data is processed in anonymised form.

5.8 Compliance with legal obligations. Responding to lawful requests from authorities, complying with tax, accounting, AML, KYC, and reporting laws (including the DAC7 Directive), and exercising or defending legal claims. Legal basis: compliance with legal obligations (Art. 6(1)(c)) and, where applicable, our legitimate interest (Art. 6(1)(f)).

5.9 Operational communications. Sending you operational messages about your Account, your purchases, security alerts, changes to these documents, and other matters necessary to operate the Service. Legal basis: performance of our contract with you (Art. 6(1)(b)).

5.10 Marketing communications. Kollekt does not send marketing emails to Fans. Marketing-style communications you receive on the Platform come from the Artists you have joined, not from Kollekt.

6. Who We Share Your Personal Data With

6.1 With Artists You Have Joined

When you join an Artist’s space, we make the following information about you available to that Artist for the purpose of community management:

  • your email address;
  • your country;
  • your subscription tier (free Member or Subscriber);
  • the date you joined the Artist’s space;
  • the date you were last active in the Artist’s space;
  • the total amount you have spent on that Artist on the Platform; and
  • your notification preferences with that Artist.

These are the only fields included in the data export to the Artist. We do not share other personal data about you (such as your real name, postal address, or phone number) with the Artist unless you separately choose to share that information with the Artist.

The Artist becomes an independent data controller of the information we make available under this Section 6.1. The Artist is contractually bound by the Kollekt Terms of Service to use the information only for their own communications with their Members and Subscribers, not to sell it, to honour your opt-out and deletion requests within thirty (30) days, and to notify us of any security incident affecting the information within seventy-two (72) hours.

You retain your GDPR rights both directly against the Artist and through us at privacy@kollekt.io.

6.2 With Service Providers

We share Personal Data with service providers (Processors) that help us operate the Platform. Each is bound by a written data processing agreement compliant with the GDPR and may process Personal Data only on our documented instructions. The current categories of service providers are:

  • Cloud infrastructure (compute, storage, database, content delivery, authentication) — Amazon Web Services (AWS)
  • Payment processing (web and mobile browser) — Stripe
  • App store in-app purchases (currently iOS only) — Apple
  • Artist payouts — Wise
  • Anonymised first-party product analytics — a third-party analytics provider
  • Error monitoring and diagnostic session replay (with input fields and personal identifiers masked) — a third-party error-monitoring provider
  • Media delivery and video encoding — a third-party content delivery provider
  • Push notification delivery — push notification services operated by Apple and Google
  • Public Artist data for pre-built Artist pages — Spotify (data flows to us only)

Where a service provider processes Personal Data outside the European Economic Area, we rely on the safeguards described in Section 7. We may change service providers from time to time. Material changes will be reflected in this Privacy Notice.

6.3 With Authorities

We may share Personal Data with public authorities, regulators, courts, or law enforcement where required to do so by applicable law (for example, in response to a valid court order, a subpoena, or a tax-reporting obligation).

6.4 In Connection With a Business Transfer

If we are involved in a merger, acquisition, sale of assets, financing, restructuring, bankruptcy, or similar transaction, we may transfer Personal Data to the relevant counterparty or successor entity. We will inform you of any such transfer and continue to be bound by the commitments in this Privacy Notice or an equivalent successor notice.

6.5 What We Do Not Do

  • We do not sell Personal Data.
  • We do not share Personal Data between Artists for cross-promotion. Each Artist receives only the information described in Section 6.1 about Members of their own space.
  • We do not target advertising to Fans.

7. International Transfers

The primary infrastructure that holds your Personal Data is located in the European Union. Limited transfers of Personal Data to third countries — including the United States and the United Kingdom — take place where necessary to use the service providers listed in Section 6.2.

Where Personal Data is transferred outside the European Economic Area, we rely on appropriate safeguards under the GDPR, including:

  • EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914);
  • the EU–US Data Privacy Framework for transfers to recipients in the United States that are certified under it; and
  • adequacy decisions adopted by the European Commission, where they apply.

You may request more information about the safeguards in place by contacting privacy@kollekt.io.

8. Cookies and Similar Technologies

We use the following types of cookies and similar technologies:

8.1 Strictly necessary. Cookies and tokens used for authentication, session management, and security. The Platform cannot function without these and they are not subject to consent.

8.2 Service stability. Technologies used for error monitoring, with input fields and personal identifiers masked by default.

8.3 Anonymised first-party analytics. A first-party analytics tool, hosted in the EU, used to understand how Users interact with the Platform in aggregate.

You can manage cookies through your browser or device settings. Blocking strictly necessary cookies will prevent the Platform from working correctly.

9. How Long We Keep Your Personal Data

We retain Personal Data only for as long as we need it for the purposes set out in this Privacy Notice, taking into account our legal and contractual obligations.

  • Account data — for as long as your Account is active, plus up to twelve (12) months after deletion to handle disputes, refunds, and legal claims.
  • Payment and transaction data — seven (7) years (in line with Finnish accounting legislation).
  • KYC documentation — five (5) years from the end of the relationship (in line with anti-money-laundering requirements).
  • Tax-reporting data — for the period required by tax authorities (typically up to ten (10) years).
  • Content (Direct Line, Chat, uploaded media) — for as long as your Account is active and the Content remains published, after which it is removed in line with our deletion process.
  • Anonymised analytics data — indefinitely in aggregate form (no personal identifiers retained).
  • Error logs and diagnostic data — ninety (90) days.
  • Backups — Personal Data deleted from primary systems is removed from backups within thirty (30) days.
  • Notification tokens — while your notification preferences are active and your device is registered; removed on opt-out or when the device is no longer recognised.

Where law requires longer retention than the periods above, we retain the Personal Data for the longer period.

10. Your Rights

Subject to the conditions in the GDPR, you have the following rights in respect of your Personal Data:

  • Right of access (Art. 15) — to obtain confirmation that we process your Personal Data and a copy of it.
  • Right to rectification (Art. 16) — to have inaccurate Personal Data corrected.
  • Right to erasure (Art. 17) — to have your Personal Data deleted in defined circumstances.
  • Right to restriction of processing (Art. 18).
  • Right to data portability (Art. 20) — to receive your Personal Data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21) — to processing based on legitimate interests, including profiling on that basis.
  • Right not to be subject to automated decision-making (Art. 22) — we do not carry out automated decision-making that produces legal effects concerning you or similarly significantly affects you.
  • Right to withdraw consent — where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

To exercise any of these rights, please contact us at privacy@kollekt.io. We aim to respond within thirty (30) days, in line with the GDPR.

You also have the right to lodge a complaint with a data protection authority. In Finland, this is the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto), https://tietosuoja.fi. You may also complain to the data protection authority of the EU member state where you live, work, or where the alleged breach occurred.

11. Children

The Platform is open to Users from age thirteen (13), or the higher minimum age for digital consent in your country (for example, sixteen (16) years in Germany). Users between thirteen (13) and seventeen (17) need consent from a parent or legal guardian to use the Platform. Users must be at least eighteen (18) years old to receive payouts as an Artist.

We do not collect your date of birth at signup. By signing up, you confirm that you meet the age requirements set out in our Terms of Service.

If we learn that an Account belongs to a person below the applicable minimum age, we will close the Account.

12. Security

We use reasonable technical and organisational measures to protect Personal Data, including:

  • encryption of Personal Data in transit (using TLS) and at rest using industry-standard managed encryption;
  • access controls and audit logging across our infrastructure;
  • security training for personnel with access to Personal Data;
  • a defined incident response process.

If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the Finnish Data Protection Ombudsman within seventy-two (72) hours of becoming aware of it, in line with Article 33 of the GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you, in line with Article 34.

No online platform can guarantee absolute security. You are responsible for keeping your login credentials confidential and for the security of the devices you use to access the Platform.

13. Changes to This Privacy Notice

We may update this Privacy Notice from time to time. If we make material changes, we will notify you through the Platform or by email at least thirty (30) days before the changes take effect. The latest version is always available on the Platform, with the effective and last-updated dates shown at the top.

14. Contact

For any questions, requests, or complaints about this Privacy Notice or about how we process your Personal Data, please contact us:

  • Email: privacy@kollekt.io
  • Post: Kollekt Group Oy, c/o WA Yhtiöt Oy, Äyritie 12 C, 01510 Vantaa, Finland

You also have the right to lodge a complaint with the Finnish Data Protection Ombudsman at https://tietosuoja.fi or with the data protection authority in your country.