Legal
Privacy Policy.
1. Scope
This Privacy Policy describes how Hitskope Music Group Inc. (“Hitskope,” “we,” “us,” or “our”) collects, uses, shares, and protects personal information in connection with the website at hitskope.com and any related pages, subdomains, content, and features operated by Hitskope (collectively, the “Site”). This Policy does not apply to app.hitskope.com, the Hitskope artist dashboard, which is governed by a separate Terms of Use and privacy notice; any account, content, or data interactions on that subdomain are outside the scope of this Policy. This Policy also does not apply to third-party sites or services linked from the Site.
2. Information We Collect
2.1 Information Collected Automatically
When you visit the Site, we and our service providers may automatically collect: (a) IP address and approximate geolocation derived from IP; (b) device and browser information (device type, operating system, browser type and version, screen resolution, language); (c) referring URL and exit URL; (d) pages visited, links clicked, search terms entered, and time spent on pages; (e) date and time of access; (f) cookies, pixels, tags, local storage, session identifiers, and similar tracking technologies as described in Section 6; and (g) aggregated analytics data.
2.2 Information You Provide
We collect information that you submit, including: (a) name, email address, telephone number, and links to Spotify artist or profile pages, social-media accounts, and prior distributor information you provide through the Apply for Distribution Form or other contact or inquiry forms; (b) free-form “about you” or similar narrative information you provide through any such form; (c) name and email address submitted to the newsletter signup; (d) information you provide in email correspondence or press and business inquiries; (e) any audio files, links, images, videos, musical compositions, sound recordings, metadata, biographies, press materials, or other content submitted through forms; and (f) information you choose to provide when responding to surveys, promotions, or events.
2.3 Information Collected from Third Parties
We may receive information about you from: (a) analytics providers (for example, Google Analytics 4); (b) advertising platforms (for example, Meta and TikTok, in connection with pixel-based measurement and audience-building); (c) social-media platforms when you interact with our social channels or when you use a social login feature if offered; (d) service providers that assist with CRM, email delivery, spam prevention, fraud prevention, and security (including HubSpot and Resend as described in Section 7); and (e) partners such as Hitskope Publishing, Royalty Solutions Corp, or other Hitskope affiliates, to the extent they share information with us for legitimate business purposes consistent with this Policy.
3. Categories of Personal Information Under the CCPA/CPRA
Consistent with the California Consumer Privacy Act as amended by the California Privacy Rights Act (Cal. Civ. Code §§ 1798.100 et seq.), the table below identifies which statutory categories of personal information we collect and, within the prior twelve months, have collected.
| Category | Examples | Collected? |
|---|---|---|
| A. Identifiers | Name, email, phone, IP address, cookie ID, Spotify/social profile links | Yes |
| B. Customer Records | Name, contact information | Yes |
| C. Protected Classifications | Age, gender, nationality | No (unless voluntarily provided) |
| D. Commercial Information | Services inquired about, current distributor disclosed | Yes |
| E. Biometric Information | Fingerprints, voiceprints | No |
| F. Internet / Network Activity | Browsing history, interaction data, cross-site behavior captured by Meta Pixel, TikTok Pixel, Google Analytics 4, and HubSpot tracking | Yes |
| G. Geolocation | Approximate location from IP | Yes (approximate only) |
| H. Sensory Data | Audio, video submissions | Yes (through inquiry form) |
| I. Professional / Employment Information | Roles, affiliations | Yes (if voluntarily provided) |
| J. Non-Public Education Information | FERPA-covered records | No |
| K. Inferences | Preferences, characteristics derived from analytics and advertising pixels | Yes (limited) |
| L. Sensitive Personal Information | Precise geolocation, account credentials, racial/ethnic origin, religious beliefs, genetic data, health, sexual orientation, immigration status, etc. | No (except inadvertent Submissions) |
Sale and Sharing Disclosure
We do not sell personal information for monetary consideration.
We share personal information for cross-context behavioral advertising, as that term is defined by the CCPA as amended, through our use of the Meta Pixel and the TikTok Pixelon the Site. These pixels transmit identifiers (including cookie identifiers, IP address, device information, and interaction data) to Meta Platforms, Inc. and TikTok, Inc. (or their affiliates), which use that information to measure advertising performance and to build audiences for targeted advertising across other properties. California residents have the right to opt out of this sharing, as described in Sections 11 and 21; the “Your Privacy Choices” footer link and the Global Privacy Control signal both operate as opt-out mechanisms.
Google Analytics 4 is also deployed on the Site. Depending on our configuration (including Google Signals status, data-sharing settings, and the terms on which we receive the service), Google Analytics 4 may function as a service provider under the CCPA as amended or as a third party that receives shared personal information for purposes that include cross-context behavioral advertising. Where GA4 is functioning as a third party, the opt-out mechanisms in Sections 11 and 21 apply to it as well.
4. How We Use Information
We use personal information to (a) operate, maintain, and improve the Site; (b) respond to inquiries and contact-form submissions; (c) evaluate Apply for Distribution submissions and communicate with prospective artists and labels; (d) send newsletters and marketing communications where you have opted in, and transactional or operational communications as permitted by law; (e) personalize content and features; (f) measure and analyze Site performance; (g) serve and measure advertising on third-party platforms (including Meta and TikTok), subject to the opt-out rights described in Sections 11 and 21; (h) prevent, detect, and respond to fraud, abuse, and security incidents; (i) comply with applicable law and legal process; (j) enforce our Terms of Service and other agreements; (k) protect the rights, property, or safety of Hitskope, our artists, our users, and the public; and (l) carry out corporate transactions consistent with Section 7.
5. Legal Bases for Processing (EEA, UK, and Other GDPR-Type Jurisdictions)
Where GDPR, UK GDPR, or equivalent law applies, we process personal information on the following legal bases: (a) consent (for non-essential cookies, pixels, newsletter signup, and other opt-in processing); (b) legitimate interests (for Site operation, security, fraud prevention, analytics, and inquiry follow-up, subject to a balancing test); (c) contract necessity (for steps taken at your request before entering a potential commercial relationship); and (d) legal obligation (for compliance with applicable law). For sensitive data, we rely on explicit consent where processing occurs.
6. Cookies and Tracking Technologies
Categories
We use cookies and similar technologies in four categories: (a) strictly necessary (session management, security, load balancing; set without consent as permitted by law); (b) functional (language preferences, display settings); (c) analytics (measuring aggregated Site usage); and (d) advertising (measurement, audience-building, and retargeting on third-party platforms).
Specific Tracking Technologies Currently Deployed
As of the Last Updated date, the following tracking technologies are deployed on the Site:
(i) Meta Pixel (advertising).A tracking pixel operated by Meta Platforms, Inc. that records page views, form submissions, and related events and associates them with Meta identifiers for the purposes of advertising measurement, audience-building, and retargeting across Meta properties (including Facebook and Instagram) and Meta-partner inventory. Treated as “sharing for cross-context behavioral advertising” under the CCPA as amended.
(ii) TikTok Pixel (advertising).A tracking pixel operated by TikTok, Inc. (or its affiliates) that records page views and related events for TikTok advertising measurement, audience-building, and retargeting. Treated as “sharing for cross-context behavioral advertising” under the CCPA as amended.
(iii) Google Analytics 4 (analytics; possible advertising).A measurement service operated by Google LLC that records aggregate and pseudonymous usage data. GA4’s characterization under the CCPA as amended depends on configuration, as described in Section 3.
(iv) HubSpot tracking (functional and CRM-linked). Tracking technologies deployed by HubSpot, Inc. in connection with our customer-relationship-management system. Tied to the service-provider relationship described in Section 7; we do not rely on HubSpot tracking for cross-context behavioral advertising.
Consent Architecture
As of the Last Updated date, the Site loads the tracking technologies identified above on page load and presents a cookie consent banner allowing users to decline non-essential tracking. Users may opt out of sale and sharing at any time using the cookie banner, by transmitting a Global Privacy Control signal, or by contacting us directly; we honor all as valid opt-out requests. You may also block or delete cookies through your browser settings and through platform-specific opt-out tools (including the Meta Ad Preferences controls at facebook.com/ads/preferences and TikTok’s advertising preferences at tiktok.com/legal/ads-and-data).
7. How We Share Information
We share personal information only as described here.
(a) Service providers and processors. Vendors that host the Site, provide analytics, deliver email, manage customer relationships, enable cookie management, detect fraud, and provide legal and professional services. Our principal service providers include:
(i) HubSpot, Inc.— customer-relationship-management platform. All Apply for Distribution Form and contact-form submissions are routed to HubSpot for intake, assignment, and follow-up. HubSpot processes personal information as our service provider/processor under a written agreement that restricts HubSpot’s use of the information to the services we have engaged it to provide.
(ii) Resend, Inc. — transactional email delivery. Resend delivers form-notification emails, inquiry acknowledgments, and similar operational messages on our behalf, and processes personal information as our service provider/processor under a written agreement.
Additional service providers may be engaged from time to time; each is bound by contractual restrictions consistent with applicable law.
(b) Hitskope affiliates. Including Hitskope Publishing and other Hitskope group entities, for legitimate business purposes consistent with this Policy.
(c) Advertising platforms. As described in Sections 3 and 6, we share personal information with Meta Platforms, Inc. (via the Meta Pixel) and TikTok, Inc. (via the TikTok Pixel) for cross-context behavioral advertising. Depending on configuration, Google Analytics 4 may also function in this capacity.
(d) Legal and compliance. In response to valid legal process, to comply with law, to enforce our Terms, or to protect rights, property, or safety.
(e) Business transfers.In connection with a merger, acquisition, financing, reorganization, or sale of assets, to the extent consistent with Hitskope’s permanent-independence posture and applicable law.
(f) With your consent. For any other disclosure described at the point of collection or authorized by you.
8. Data Retention
We retain personal information only as long as necessary for the purposes described in this Policy or as required by law. General retention periods: (a) inquiry submissions (including Apply for Distribution Form, stored in our HubSpot CRM) — 24 months following last activity, unless a commercial relationship develops in which case separate retention applies under the commercial agreement; (b) newsletter subscriptions — until unsubscribe plus 90 days for suppression-list purposes; (c) analytics data — 14 months; (d) security logs — 12 months; (e) data-subject rights request records — 24 months as required by CCPA and comparable laws; (f) records required by tax, accounting, or legal-hold obligations — as required. Specific retention may vary by category and legal obligation.
9. Data Security
We maintain reasonable administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. These safeguards include access controls, encryption in transit, vendor due diligence, and incident-response procedures. No security program is impenetrable; we cannot guarantee absolute security.
10. International Data Transfers
Hitskope is based in the United States, and personal information we collect is processed in the United States. For transfers from the European Economic Area, the United Kingdom, or Switzerland to the United States, we rely on the following transfer mechanisms as applicable: (a) the EU-U.S. Data Privacy Framework and, where applicable, its UK Extension and the Swiss-U.S. Data Privacy Framework, to the extent Hitskope or the relevant vendor is self-certified; (b) Standard Contractual Clauses adopted by the European Commission in 2021; (c) the UK International Data Transfer Agreement or the UK Addendum to the 2021 SCCs; and (d) supplementary measures and documented transfer-impact assessments where required. For transfers from Brazil, we rely on the Brazilian SCCs. For Quebec, we conduct a Privacy Impact Assessment before cross-border transfer and use contractual safeguards. For other jurisdictions, we apply the transfer mechanism required by local law.
11. Your Rights Under California Law (CCPA/CPRA)
California residents have the following rights, subject to verification and statutory exceptions:
(a) Right to know — to request disclosure of the categories and specific pieces of personal information we have collected, the categories of sources, the purposes of collection, the categories of third parties to whom it is disclosed, and the categories sold or shared (if any);
(b) Right to delete — to request deletion of personal information we have collected, subject to exceptions;
(c) Right to correct — to request correction of inaccurate personal information;
(d) Right to opt out of sale and sharing — to direct that we not sell or share personal information for cross-context behavioral advertising;
(e) Right to limit use of sensitive personal information — to direct that we limit use and disclosure of sensitive personal information to specified purposes;
(f) Right to data portability — to receive a copy in a readily usable format;
(g) Right to non-discrimination — to not receive discriminatory treatment for exercising these rights.
Exercise: submit requests to privacy@hitskope.com or by any verifiable method we publish. We will respond within 45 days (extendable once by 45 days). Authorized agents may submit requests with documentation.
12. Your Rights Under GDPR and UK GDPR
If you are in the European Economic Area, the United Kingdom, or Switzerland, you have rights to (a) access, (b) rectification, (c) erasure, (d) restriction of processing, (e) data portability, (f) object to processing based on legitimate interests or direct marketing, (g) withdraw consent (without affecting prior lawful processing), (h) not be subject to solely automated decision-making that produces legal or similarly significant effects, and (i) lodge a complaint with a supervisory authority. Contact privacy@hitskope.com.
13. Your Rights Under Other State Privacy Laws
Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Delaware, New Jersey, New Hampshire, Nebraska, Tennessee, Minnesota, Maryland, Indiana, Kentucky, and Rhode Island — and residents of any other state with a comprehensive privacy law in force as of the Effective Date — have rights substantially similar to those described above, which typically include rights to access, correct (where provided), delete, port, opt out of targeted advertising, opt out of sale, and opt out of profiling with legal or similarly significant effects (where provided). Specific rights and exceptions vary by state. To exercise rights, contact privacy@hitskope.com.
14. Children’s Privacy
The Site is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided personal information, contact privacy@hitskope.com and we will delete it. Where applicable, we follow COPPA (15 U.S.C. §§ 6501–6506; 16 C.F.R. Part 312).
15. California Shine the Light
Under Cal. Civ. Code § 1798.83, California residents who have an established business relationship with Hitskope may request, once per year, disclosure of the categories of personal information (if any) we shared with third parties for those third parties’ direct-marketing purposes in the preceding calendar year, and the names and addresses of those third parties. Requests may be sent to privacy@hitskope.com. We do not share personal information with third parties for their direct-marketing purposes except as described in this Policy.
16. Do Not Track
Some browsers transmit “Do Not Track” (“DNT”) signals. There is no industry-standard response to DNT signals. Hitskope does not currently respond to DNT signals, but Hitskope recognizes and honors the Global Privacy Control signal, as described in Section 17.
17. Global Privacy Control
Hitskope recognizes the Global Privacy Control browser signal as a valid opt-out of sale and sharing under the CCPA as amended and as an opt-out of targeted advertising under applicable state laws that recognize universal opt-out mechanisms. When we detect a GPC signal, we treat it as an opt-out request for the browser and device from which it is sent, and we disable the Meta Pixel and TikTok Pixel for that browser and device.
18. Email Marketing; CAN-SPAM
Newsletter subscription is opt-in. Every commercial email we send contains a functional opt-out link, the sender’s identity, and a valid physical postal address as required by the CAN-SPAM Act, 15 U.S.C. §§ 7701–7713. Opt-outs are honored within 10 business days. Transactional and operational communications (for example, responses to inquiries, delivered through our service provider Resend) are not subject to opt-out.
19. Changes to This Policy
We may update this Policy from time to time. The “Last Updated” date at the top reflects the most recent revision. Non-material updates take effect upon posting. Material updates — those affecting your rights or our disclosed uses of personal information — take effect no earlier than 30 days after we post notice and, where required, email notice to newsletter subscribers. We archive prior versions and will provide them on request.
20. Contact
Questions about this Policy, or to exercise rights, contact us at privacy@hitskope.com, or by mail at Hitskope Music Group Inc., 9171 Wilshire Blvd., Suite 500, Beverly Hills, California 90210.
21. California-Specific Notice
California residents may exercise the right to opt out of sale or sharing and the right to limit the use and disclosure of sensitive personal information by using our cookie consent banner, by transmitting a Global Privacy Control signal, or by emailing privacy@hitskope.com.
As disclosed in Sections 3, 6, and 11, we do not sell personal information for monetary consideration, but we share personal information for cross-context behavioral advertising through the Meta Pixel and the TikTok Pixel, and potentially through Google Analytics 4 depending on configuration. The opt-out right applies to all such sharing.
22. EU/UK-Specific Notice
Data controller. Hitskope Music Group Inc., 9171 Wilshire Blvd., Suite 500, Beverly Hills, California 90210, United States, is the controller of personal information processed through the Site.
Transfer mechanism. As described in Section 10 — DPF/UK Extension/Swiss-U.S. DPF where applicable, with 2021 SCCs and UK IDTA/Addendum as backstops.
Supervisory authorities.You may contact your local data-protection supervisory authority (for example, the UK Information Commissioner’s Office at ico.org.uk; in the Republic of Ireland, the Data Protection Commission at dataprotection.ie; in France, CNIL at cnil.fr) to lodge a complaint.