KAN Samples

Privacy Policy

What we store and why

No dark patterns, no selling your data. This page explains exactly what we collect, what it's used for, and how to get rid of it.

Last updated · May 2026

Heads up

This is the working draft of our privacy policy. It accurately describes what the platform does today. If you have a specific question that isn't answered below, reach out through the contact form.

The short version

  • We store the minimum needed to run challenges, award prizes, and contact you about both.
  • We never sell your data.
  • You can ask us to delete your account at any time.
  • We use cookies for login sessions and nothing else. No third-party trackers.

What we collect

Account data

  • Email address - used for login, account recovery, and per-stage challenge prompts.
  • Hashed password - stored as a one-way bcrypt hash. We never have access to your actual password.
  • Artist name, username, and optional social handles (Instagram, X, SoundCloud, Spotify, Facebook) - used to attribute submissions and provide profile links.
  • Profile image (if uploaded) - stored in our S3 bucket.

Music and submission data

  • Uploaded audio files - stored in our S3 bucket, served via short-lived signed URLs.
  • Track metadata - title, BPM, genre, length, the challenge stage it was submitted to.
  • Engagement records - plays, likes, who liked what, when.

Activity data

  • XP grants - every action that earned points (immutable audit log).
  • Notifications - what we've sent you in-app, read/unread state.
  • Submission timestamps + hardcore deadline tracking.

Prize fulfilment data (only if you're granted a physical prize)

  • Shipping address - stored until the prize is delivered, then retained for a reasonable period so we can resolve any delivery dispute.
  • Variant choices - size, colour, customisation text.

What we don't collect

  • We don't run any third-party analytics (no Google Analytics, no Mixpanel, no Segment, no Facebook Pixel).
  • We don't use advertising trackers or behavioural ad cookies.
  • We don't fingerprint your browser or device.
  • We don't track your IP address beyond what's necessary for security (rate limiting, abuse detection).

Third-party processors

We use a small set of services that handle subsets of your data on our behalf:

  • Mailchimp - your email address is synced when you enrol in a challenge so we can send you per-stage prompts. You can unsubscribe from any email; unsubscribing keeps your account active but pauses prompts.
  • Amazon S3 - stores your uploaded audio, generated share-card images and waveform videos, and any profile images.
  • Postmark / SendGrid (transactional email) - sends authentication emails like email confirmation and password reset.

All three are bound by their own privacy policies. We don't share your data with any other party.

Cookies

We use a single first-party cookie:

  • A session cookie that keeps you logged in. Strictly necessary - without it, you'd have to enter your password on every page load.

Optionally we set a theme cookie to remember your light/dark mode preference. No tracking cookies, no third-party cookies.

Public vs private data

The following are public on KAN Pro Audio (no login required to view):

  • Your artist name, username, social handles
  • Every track you've uploaded + its metadata + play / like counts
  • Your challenge finishes, certificates, and XP / level
  • Your profile image, if set

These are private - only you (and the KAN Samples team) can see them:

  • Your email address
  • Your shipping address
  • Your notifications and in-app reports
  • Admin notes attached to your account

Your rights

You can:

  • Edit your artist name, username, social handles, and email at any time on your profile.
  • Export your data - email us and we'll send everything we hold.
  • Delete your account - email us. Account deletion removes your profile, submissions, likes, notifications, and prize grants. We retain immutable audit records (XP grants, finish history) in anonymised form so the leaderboard math stays consistent for other users.
  • Withdraw consent for marketing emails by unsubscribing through the link in any Mailchimp email.

Security

Passwords are bcrypt-hashed. Audio files and images are served via short-lived signed URLs, not direct public links. The connection is HTTPS-only. Authentication tokens are rotated when you change your password.

Changes to this policy

If we materially change what we collect or how we use it, we'll send a notice to your account email and post an in-app notification before the change takes effect.

Get in touch

Privacy questions, data export requests, or deletion requests can be sent through the contact form - pick "Bug or problem" and tag it as a privacy request.