Privacy Policy ▓▓ vaporwave.me

In short (TL;DR)
Data controller
What data we collect
Purposes & legal basis
Service providers (data processors)
Audio files you upload
Cookies & local storage
Analytics
Marketing emails
How long we store data
International data transfers
Your rights
Is data provision required?
Automated decision-making
Changes to this policy

1. In short

This is a small one-person side project. We try hard to collect as little personal data as possible.

Audio you upload stays in your browser. We never see it. We never store it on a server.
If you sign up we store your email address and the count of exports you've used this month.
We do not use Google Analytics, Facebook Pixel, or any tracking that profiles you.
We do not sell or share your data with advertisers.
You can delete your account any time by emailing hi@vaporwave.me.

2. Data controller

The party responsible for processing your personal data is:

Name: Tobias Scheid
Address: Im Drosselschlag 5, 66636 Tholey, Germany
Email: hi@vaporwave.me

No data protection officer is appointed since the threshold under § 38 BDSG is not met (less than 20 persons regularly involved in automated processing of personal data).

3. What data we collect

3.1 Data automatically collected when visiting the site

When you visit vaporwave.me, our hosting provider Cloudflare automatically processes the following data in server access logs (technically necessary for security and performance):

IP address (truncated/anonymized after a short period)
Date and time of the request
Browser type and version, operating system
Referring URL
Requested files

3.2 Data when you sign up

If you create an account to export tracks, we store:

Email address (for login + transactional emails)
A hashed password (or, with Google login, your verified Google email address only — no password)
The count of exports you've used in the current calendar month
The tier of your account (Free, Starter, Creator, Producer, or Lifetime)
Account creation timestamp
If you actively opted in: marketing-consent flag, timestamp, and the version of the consent text shown

3.3 Data we do not collect

The audio files you upload (never leave your browser)
Your name (unless you choose to share it with us)
Phone number, address, age, gender
Cross-site tracking cookies
Browsing behaviour outside vaporwave.me

4. Purposes and legal basis

Providing the website and editor: Legal basis: Art. 6 (1) lit. b GDPR (necessary for the performance of a contract / pre-contractual steps).
Account management and export-counter enforcement: Legal basis: Art. 6 (1) lit. b GDPR.
Sending transactional emails (verification, export confirmations): Legal basis: Art. 6 (1) lit. b GDPR.
Sending marketing emails (only if you opt in): Legal basis: Art. 6 (1) lit. a GDPR (consent). You can withdraw consent at any time via the unsubscribe link in any marketing email or by emailing us.
Hosting infrastructure logs and abuse prevention: Legal basis: Art. 6 (1) lit. f GDPR (legitimate interest in operating a stable, secure service).
Aggregate usage analytics (page views, conversion funnel): Legal basis: Art. 6 (1) lit. f GDPR. We use Cloudflare Web Analytics, which is cookie-free and does not profile individuals.

5. Service providers (data processors)

We rely on the following providers, each of which has signed a Data Processing Agreement (DPA / Auftragsverarbeitungsvertrag) with us under Art. 28 GDPR:

Supabase (Supabase Inc., USA — EU servers used)

Provides authentication, database storage, and serverless functions. Our Supabase project is hosted in the EU region (Frankfurt). Personal data: email, hashed password, account state. Standard Contractual Clauses apply for the controller relationship with Supabase Inc.

Cloudflare (Cloudflare Inc., USA — EU edge nodes used)

Provides website hosting (Cloudflare Pages), DNS, DDoS protection, and Cloudflare Web Analytics. Personal data: IP address (in access logs only, anonymized after a short period). Cloudflare is a participant in the EU-US Data Privacy Framework.

Google (Google Ireland Limited, EU — when "Continue with Google" is used)

Used optionally for Sign-in with Google (OAuth). If you use this option, Google processes your email address and Google account ID under its own privacy policy. We only receive your email address from Google. If you sign up with email + password, we never contact Google.

Email delivery (provided by Supabase)

Verification emails and account-related transactional emails are sent through Supabase's built-in email service. If we later switch to a dedicated transactional email provider (e.g. Resend or Postmark), this section will be updated.

6. Your audio files

Audio files you drag into the editor or load via "Demo tracks" are processed entirely in your browser using the Web Audio API and a WebAssembly MP3 encoder. No audio data is ever sent to our servers. The exported MP3 file is generated on your device and downloaded directly to your device.

This is a deliberate architectural choice: by never receiving the audio, we cannot listen to it, store it, copy it, or be compelled to hand it over.

7. Cookies & local storage

vaporwave.me uses only strictly-necessary, technical browser storage:

Authentication cookies set by Supabase to keep you logged in. These are first-party, HTTP-only cookies. Without them, you would have to log in on every request.
localStorage for remembering UI preferences and to cache your account state for a few seconds between page navigations.

Pursuant to § 25 (2) TTDSG, no consent is required for these strictly-necessary cookies. We do not use cookies for tracking, advertising, or analytics.

8. Analytics

We use Cloudflare Web Analytics to count page views and basic conversion events (e.g. "track exported"). Cloudflare Web Analytics is privacy-first: it does not use cookies, does not track individuals across sites, and does not build user profiles. The data collected is aggregated and anonymous.

Legal basis: Art. 6 (1) lit. f GDPR (legitimate interest in understanding traffic and improving the service). Because no personal data is processed in a way that would require consent, no cookie banner is shown.

9. Marketing emails

We send transactional emails (email verification, password reset, export confirmations, end-of-month resets) based on Art. 6 (1) lit. b GDPR. You cannot opt out of these as long as you have an active account, since they are necessary for the service.

We send marketing emails (product news, offers) only if you actively check the "Send me product updates" box during signup. We log your consent (timestamp, consent-text version) so we can demonstrate it later. You can withdraw consent at any time:

via the "Unsubscribe" link at the bottom of every marketing email (one click), or
by emailing hi@vaporwave.me

10. How long we store data

Account data: until you delete your account or 24 months after your last login, whichever comes first.
Marketing-consent log: as long as the account exists, plus 3 years (to defend against potential claims).
Server access logs: 30 days at Cloudflare, then anonymized.
Analytics events in our database: 12 months, then aggregated/deleted.
Purchase records (relevant for tax law): retained for 10 years pursuant to § 147 AO. Personal identifiers can be anonymized after account deletion; tax-relevant amounts and dates are kept.

11. International data transfers

Some of our service providers (Supabase, Cloudflare) are headquartered in the United States, although our chosen infrastructure runs on EU servers. For any incidental transfers, the following safeguards under Chapter V GDPR apply:

EU-US Data Privacy Framework certification (Cloudflare)
Standard Contractual Clauses (Art. 46 GDPR) with Supabase

12. Your rights

Under the GDPR you have the following rights:

Right of access (Art. 15) — request a copy of your data
Right to rectification (Art. 16) — have inaccurate data corrected
Right to erasure (Art. 17) — have your data deleted ("right to be forgotten")
Right to restriction of processing (Art. 18)
Right to data portability (Art. 20) — receive your data in a machine-readable format
Right to object (Art. 21) — object to processing based on legitimate interest
Right to withdraw consent (Art. 7 (3)) — at any time, without affecting the lawfulness of past processing

To exercise any of these rights, email hi@vaporwave.me. We will respond within 30 days (Art. 12 (3) GDPR).

You also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). For the controller's location, the competent authority is:

Unabhängiges Datenschutzzentrum Saarland (UDS)
Fritz-Dobisch-Straße 12, 66111 Saarbrücken, Germany
Email: poststelle@datenschutz.saarland.de
Web: datenschutz.saarland.de

12a. Is data provision required?

Provision of your email address and password (or Google account) is contractually required to use the export functionality of the Service. Without this data we cannot create an account for you, cannot enforce monthly export limits, and cannot deliver export receipts. You may continue to use the editor preview without providing any data — only the export step requires an account.

The marketing-consent checkbox during signup is entirely optional. Declining it has no effect on your ability to use the Service.

12b. Automated decision-making

We do not engage in automated decision-making or profiling within the meaning of Art. 22 GDPR. The export-counter logic is rule-based and does not produce decisions with legal or similarly significant effects on you.

13. Changes to this policy

We may update this policy as the service evolves. Material changes affecting your rights or our processing practices will be communicated by email to active users at least 14 days in advance. The current version is always the one published on this page.

Last updated: 2026-05-02

Privacy Policy

Contents