SOUNDSCAPE™ Privacy Policy
2026.06.10
Soundscape (soundscape.club, the 'Service') publishes this privacy policy under Article 30 of the Personal Information Protection Act of Korea (PIPA) to protect users' personal data and handle related concerns promptly. This policy takes effect on June 10, 2026 (version 2026-06-10). This English version is provided for convenience; if it conflicts with the Korean version, the Korean version prevails.
1. What we collect and how
We collect and process the following personal data. Items marked 'optional' are not required to use the core Service.
[Account — email sign-up] Email address, name, password (stored only as a non-reversible one-way hash), language preference.
[Account — social login (GitHub/Google)] The email address, name, and profile (avatar) image the provider passes to us.
[Security · optional] Passkeys (WebAuthn public-key credentials) and two-factor authentication data (TOTP secret, backup codes).
[Profile · optional] @handle, bio, preferred genres/tastes, avatar image.
[Billing] Payment-method details (card numbers, etc.) are collected and processed directly by our payment processor, Polar; the Service does not store them. We keep only your subscription status and period, the token grant/spend ledger, and order-processing records.
[Push · optional] A device push token and platform info for mobile app notifications.
[Usage] Workspace (works/rooms) data, uploaded audio and separation results, token usage history, last-active time, notification state and email preferences.
[Communication] Room chat messages, comments, and reactions — processed in order to display them in the Service.
[Automatic] Access and security logs (IP address, access time, device/browser info) and session cookies.
How we collect: entered directly by you during sign-up and use, received from social login providers, or generated automatically while you use the Service.
2. Why we process it
Member identification, authentication, and account management: sign-up confirmation, email verification, login, password reset, security features (passkeys, two-factor authentication).
Core features: audio (stem) separation, spatial-audio processing, saving/playing/sharing works.
Community features: displaying @handles and profiles, follows, running and joining rooms, showing chat/comments/reactions, the gallery.
Paid services: subscription and token management, payment and refund processing (via our payment processor, Polar), keeping transaction records.
Notices and notifications: service notifications, required transactional email (verification, billing), opt-in news email (e.g., the weekly digest), push notifications (when registered).
Safe operation: preventing fraud and abuse, enforcement actions, security incident response, dispute records, and compliance with legal obligations.
We process personal data only within the stated purposes and obtain separate consent in advance if a purpose changes.
3. Retention and deletion
In principle, we destroy your personal data without delay when you delete your account. You can delete your account yourself from My Page.
Exceptions required by law are stored separately for the stated period and then destroyed: records of contracts and withdrawal of offers, 5 years; records of payment and supply of goods, 5 years; records of consumer complaints and dispute handling, 3 years (Korean E-Commerce Act); access records, 3 months (Protection of Communications Secrets Act).
Accounts whose email has not been verified within 7 days of sign-up may be destroyed.
Uploaded audio and separation results are kept within the scope of processing and provision; result URLs at the external processor expire after a period of time. Items you delete from your library are removed from the Service.
Destruction procedure and method: electronic files are permanently deleted in a non-recoverable way. Data retained under law is stored separately and destroyed the same way without delay once its retention period ends.
4. Disclosure to third parties
We do not provide personal data to third parties except with your consent or where the law requires it, and we do not sell personal data.
5. Outsourcing and cross-border transfers
To provide the Service reliably, we outsource processing to the overseas providers below. Under Article 28-8 of PIPA, we disclose the cross-border transfers as follows.
Our processors are Cloudflare, Neon, Resend, Polar, and Replicate; the table below details each transfer.
| Recipient (contact) | Country | When / how | Data transferred | Purpose | Retention |
|---|---|---|---|---|---|
| Cloudflare, Inc. (cloudflare.com) | USA | Transferred continuously over the network as you use the Service | Data in transit during Service use, access logs, stored files (avatar images, work data) | Infrastructure: hosting, CDN, security | Until the outsourcing contract ends (access logs kept short-term) |
| Neon, Inc. (neon.tech) | USA | Transferred continuously over the network as you use the Service | Database records: account, profile, usage data | Database storage and operation | Until account deletion or the contract ends |
| Resend, Inc. (resend.com) | USA | Transferred when an email is sent | Email address, information included in the message body (e.g., name) | Sending verification, transactional, and news email | Short-term retention per the provider's policy after delivery |
| Polar Software, Inc. (polar.sh) | USA / EU | Transferred when payments or subscriptions are processed | Email address, name, payment-method and transaction data (collected directly by Polar) | Payment processing, subscription/order/tax handling | Statutory retention period or until the contract ends |
| Replicate, Inc. (replicate.com) | USA | Transferred when an audio separation is requested | The uploaded audio file | GPU audio (stem) separation | Short-term after processing (result URLs expire after a time) |
You may refuse the cross-border transfer of your personal data by contacting the privacy officer (support@patrache.com).
However, these transfers are essential infrastructure for the Service, so refusing them may make sign-up or use of the Service impossible or limited.
6. Your rights and how to exercise them
You may at any time request access to, correction or deletion of, or suspension of processing of your personal data.
You can change your profile and email preferences and delete your account directly from My Page. For other requests, email the privacy officer (support@patrache.com); we will act without delay within the statutory period and inform you of the result.
Rights may also be exercised through a legal representative or an authorized agent; we may ask for documents confirming the authorization.
Where another law designates the data for collection, deletion may not be possible, and suspension requests may be limited by law.
7. Children under 14
The Service does not accept sign-ups from children under 14. If we learn we have collected a child's personal data, we destroy it without delay.
8. Cookies and similar technologies
We use a session cookie to keep you signed in. Feature settings such as theme and language are stored in your browser.
We do not use advertising or behavioral-tracking cookies.
You can refuse cookies in your browser settings; refusing the session cookie will prevent sign-in and related features.
9. Security measures
Encryption in transit (TLS) and one-way password hashing.
Data minimization, least-privilege access for processing, and access controls including two-step verification on the admin console.
Audit logs of processing are retained and reviewed for misuse.
10. Privacy officer and remedies
Privacy officer: the Service operator · email: support@patrache.com
The same contact receives and handles access requests and other rights requests. General inquiries: support@patrache.com
For reports or counseling about privacy infringement, you may contact: Personal Information Infringement Report Center (KISA) — 118 (in Korea) · privacy.kisa.or.kr / Personal Information Dispute Mediation Committee — 1833-6972 · kopico.go.kr
11. Changes to this policy
Changes to this policy are announced via the notices page at least 7 days before they take effect; changes material to your rights (collected items, purposes, cross-border transfers, etc.) are announced at least 30 days in advance.
Announced and effective: 2026-06-10 (version 2026-06-10). The previous privacy policy (effective June 1, 2026) is superseded by this one.
Questions about this policy: support@patrache.com.