Legal · Privacy Policy · v1.0 Beta

Privacy Policy

Controller: disruptive gmbh, Vienna · Domains: aiscend.fm, aiscend.wtf · As of: 23 May 2026 · Legal basis: GDPR (EU) 2016/679 and Austrian Data Protection Act (DSG).

1. Controller

Controller within the meaning of Art. 4(7) GDPR:
disruptive gmbh, Lehargasse 7, A-1060 Vienna, Austria.
Data protection email: hello@aiscend.fm
Managing director: Markus Petzl · Company register number: FN 371341 s.

We have not appointed a Data Protection Officer, as we are not required to (no large-scale processing of special categories of data, no public task). For data protection matters, please contact the email address above.

2. Data We Collect and Why

2.1 Waitlist

Data: Email address, optionally organisation.
Purpose: Launch notification and beta invitation.
Legal basis: Art. 6(1)(a) GDPR — consent (active checkbox).
Retention: Until consent is withdrawn, or max. 12 months after official launch.

2.2 Artist Submission Form

Data: Artist name, email, track link, optionally genre, platform, description.
Purpose: Evaluating tracks for the AISCEND chart; communicating submission status.
Legal basis: Art. 6(1)(b) GDPR (pre-contractual steps) and/or Art. 6(1)(a) GDPR (consent).
Retention: Up to 12 months beta duration, then deletion or anonymisation.

2.3 Contact Enquiries

Data: Name, email, message content.
Purpose: Responding to enquiries.
Legal basis: Art. 6(1)(f) GDPR (legitimate interests).
Retention: 6 months after resolution.

2.4 Server Logs

Data: IP address (anonymised after 24 hours), browser type, OS, referrer URL, timestamp.
Purpose: IT security, debugging, infrastructure operation.
Legal basis: Art. 6(1)(f) GDPR.
Retention: 7 days raw, then anonymised or deleted.

2.5 Payment Data (Beta — currently inactive)

No payments are processed during beta. When activated, all payment data is handled exclusively by Stripe, Inc.; disruptive gmbh only receives transaction outcome data. Card data is never stored by disruptive gmbh.

3. Recipients and Data Processors

A data processing agreement (DPA) under Art. 28 GDPR is or has been concluded with each processor before any transfer.

ProcessorPurposeLocationTransfer mechanism
Vercel, Inc.Hosting, CDN, infrastructureUSAEU-US DPF + SCCs
Supabase, Inc.Database (EU region)EU / USAEU server location, DPA
Stripe, Inc.Payment processing (inactive)USASCCs 2021 + DPF
ResendTransactional emailUSASCCs 2021 + DPF

4. International Transfers

For data transfers to the USA we rely on (1) the EU-US Data Privacy Framework adequacy decision under Art. 45 GDPR for Vercel and Resend, (2) the 2021 EU Standard Contractual Clauses (Module 2) for Stripe, and (3) the EU server location of Supabase for the database tier.

5. Your Rights

You have the following rights under Chapter III of the GDPR:

  • Access (Art. 15 GDPR)
  • Rectification (Art. 16 GDPR)
  • Erasure (Art. 17 GDPR)
  • Restriction (Art. 18 GDPR)
  • Portability (Art. 20 GDPR)
  • Objection (Art. 21 GDPR)
  • Withdrawal of consent (Art. 7(3) GDPR)
  • Complaint to a supervisory authority (Art. 77 GDPR): Austrian Data Protection Authority, Barichgasse 40–42, 1030 Vienna, dsb.gv.at

Contact: hello@aiscend.fm. We respond within 30 days (Art. 12(3) GDPR); complex requests may extend by up to 60 days.

6. Data Security

We take appropriate technical and organisational measures under Art. 32 GDPR: HTTPS encryption for all transmissions, access restrictions on a least-privilege basis, regular security reviews, and the security controls of our processors (SOC 2, ISO 27001 at Vercel).

7. Cookies and Tracking

No advertising or tracking cookies are used during beta. Only strictly necessary session cookies may be used.

8. Changes to this Policy

This policy is updated when our data processing changes materially. The current version is always available at aiscend.fm/en/privacy. Where changes affect consent, data subjects are informed separately.