Controller: disruptive gmbh, Vienna · Domains: aiscend.fm, aiscend.wtf · As of: 23 May 2026 · Legal basis: GDPR (EU) 2016/679 and Austrian Data Protection Act (DSG).
1. Controller
Controller within the meaning of Art. 4(7) GDPR:
disruptive gmbh, Lehargasse 7, A-1060 Vienna, Austria.
Data protection email: hello@aiscend.fm
Managing director: Markus Petzl · Company register number: FN 371341 s.
We have not appointed a Data Protection Officer, as we are not required to (no large-scale processing of special categories of data, no public task). For data protection matters, please contact the email address above.
2. Data We Collect and Why
2.1 Waitlist
Data: Email address, optionally organisation.
Purpose: Launch notification and beta invitation.
Legal basis: Art. 6(1)(a) GDPR — consent (active checkbox).
Retention: Until consent is withdrawn, or max. 12 months after official launch.
2.2 Artist Submission Form
Data: Artist name, email, track link, optionally genre, platform, description.
Purpose: Evaluating tracks for the AISCEND chart; communicating submission status.
Legal basis: Art. 6(1)(b) GDPR (pre-contractual steps) and/or Art. 6(1)(a) GDPR (consent).
Retention: Up to 12 months beta duration, then deletion or anonymisation.
2.3 Contact Enquiries
Data: Name, email, message content.
Purpose: Responding to enquiries.
Legal basis: Art. 6(1)(f) GDPR (legitimate interests).
Retention: 6 months after resolution.
2.4 Server Logs
Data: IP address (anonymised after 24 hours), browser type, OS, referrer URL, timestamp.
Purpose: IT security, debugging, infrastructure operation.
Legal basis: Art. 6(1)(f) GDPR.
Retention: 7 days raw, then anonymised or deleted.
2.5 Payment Data (Beta — currently inactive)
No payments are processed during beta. When activated, all payment data is handled exclusively by Stripe, Inc.; disruptive gmbh only receives transaction outcome data. Card data is never stored by disruptive gmbh.
3. Recipients and Data Processors
A data processing agreement (DPA) under Art. 28 GDPR is or has been concluded with each processor before any transfer.
| Processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Vercel, Inc. | Hosting, CDN, infrastructure | USA | EU-US DPF + SCCs |
| Supabase, Inc. | Database (EU region) | EU / USA | EU server location, DPA |
| Stripe, Inc. | Payment processing (inactive) | USA | SCCs 2021 + DPF |
| Resend | Transactional email | USA | SCCs 2021 + DPF |
4. International Transfers
For data transfers to the USA we rely on (1) the EU-US Data Privacy Framework adequacy decision under Art. 45 GDPR for Vercel and Resend, (2) the 2021 EU Standard Contractual Clauses (Module 2) for Stripe, and (3) the EU server location of Supabase for the database tier.
5. Your Rights
You have the following rights under Chapter III of the GDPR:
- Access (Art. 15 GDPR)
- Rectification (Art. 16 GDPR)
- Erasure (Art. 17 GDPR)
- Restriction (Art. 18 GDPR)
- Portability (Art. 20 GDPR)
- Objection (Art. 21 GDPR)
- Withdrawal of consent (Art. 7(3) GDPR)
- Complaint to a supervisory authority (Art. 77 GDPR): Austrian Data Protection Authority, Barichgasse 40–42, 1030 Vienna, dsb.gv.at
Contact: hello@aiscend.fm. We respond within 30 days (Art. 12(3) GDPR); complex requests may extend by up to 60 days.
6. Data Security
We take appropriate technical and organisational measures under Art. 32 GDPR: HTTPS encryption for all transmissions, access restrictions on a least-privilege basis, regular security reviews, and the security controls of our processors (SOC 2, ISO 27001 at Vercel).
7. Cookies and Tracking
No advertising or tracking cookies are used during beta. Only strictly necessary session cookies may be used.
8. Changes to this Policy
This policy is updated when our data processing changes materially. The current version is always available at aiscend.fm/en/privacy. Where changes affect consent, data subjects are informed separately.