Privacy Policy
Last updated: May 14, 2026
This Privacy Policy explains how PausePlayRepeat, LLC ("PausePlayRepeat," "PPR," "we," "us," or "our") collects, uses, stores, shares, and protects information when you visit pauseplayrepeat.com, use any PPR product or service, or connect a third-party account to PPR (collectively, the "Service"). PPR is a multi-tenant platform that lets music producers and content creators ("Creators") sell digital products and lets buyers ("Learners") take courses, earn XP and certificates, and engage with creator communities.
By using the Service, you agree to this Privacy Policy. If you do not agree, do not use the Service.
1. Information We Collect
1.1 Account & Profile Data
When you create a PPR account, our authentication provider Clerk collects your email address, password (hashed by Clerk; PPR never sees plaintext passwords), name, profile image, and any social sign-in identifiers you choose to use. PPR receives a unique user identifier from Clerk and stores your name, email, profile image URL, store slug (for Creators), and account preferences in our Convex database.
1.2 Creator Storefront Data
If you are a Creator, we collect the content you upload to sell or distribute (courses, lessons, beats, sample packs, presets, Ableton racks, plugins, memberships, coaching offers, cheat sheets, and other digital products), associated metadata (titles, descriptions, pricing, thumbnails), and your storefront branding (logo, colors, domain).
1.3 Learning & Engagement Data
If you are a Learner, we collect course progress, lesson completion, quiz answers, XP earned, certificates issued, leaderboard standing, and engagement events (lesson views, video watch time, comments, reactions).
1.4 Payment Data
Payments are processed by Stripe, Inc. PPR does not store full credit card numbers, CVCs, or bank account numbers. We receive and store Stripe customer IDs, payment method last-four digits and brand, billing email, country, and transaction history. Creators who accept payouts via Stripe Connect provide identity verification information directly to Stripe; PPR receives only the resulting Connect account ID and payout status.
1.5 Email & Marketing Data
If you join a Creator's email list, we store your email address, name (if provided), tags, subscription status, opt-in source, and engagement events (opens, clicks, bounces, complaints, unsubscribes). PPR maintains a suppression list to honor unsubscribes and bounces across all Creator email sends.
1.6 Social Media & Third-Party Connections
When you connect a third-party account (YouTube, TikTok, Instagram, Facebook, LinkedIn, X/Twitter, Discord), we receive and store:
- OAuth access tokens and, where issued, refresh tokens, encrypted at rest using AES-256-GCM via our encryption module at lib/encryption.ts.
- The granted OAuth scopes and the platform-issued account or channel identifier (e.g., YouTube channel ID, TikTok open ID, Instagram user ID).
- Basic public profile fields exposed by the platform (e.g., username, display name, profile picture URL, channel handle, channel title).
- Platform-specific metadata required to operate the integration (e.g., your default YouTube privacy preference, your TikTok user info basic fields, your Facebook Page list).
1.7 AI Inputs & Generated Content
When you use PPR's AI features (Master AI mixing/mastering chat, AI course builder, AI thumbnail generation, AI voiceover, AI video merge, AI social post drafting), we collect the prompts, files, and context you submit and the AI-generated outputs returned to you.
1.8 Device, Log & Usage Data
Like most web services, we automatically log IP address, user agent, referrer, pages visited, timestamps, and basic device characteristics. We use PostHog for product analytics; PostHog may also collect screen size, session events, and feature usage. We do not use session replay on payment or sensitive form pages.
1.9 Cookies
We use the following cookie categories:
- Strictly necessary: Clerk authentication session cookies, OAuth CSRF state cookies (encrypted, HttpOnly, SameSite=Lax, 5-minute TTL), Stripe checkout cookies. These cannot be disabled.
- Analytics: PostHog product analytics. You may opt out via the cookie banner.
- Preferences: Cookie consent state, theme, locale.
2. How We Use Information
- To create and operate your account.
- To host, sell, and deliver Creator content to Learners; to track course progress, XP, certificates, and leaderboards.
- To process payments, payouts, refunds, and taxes via Stripe and Stripe Connect.
- To send transactional email (receipts, password resets, enrollment notifications) and, where you have opted in, Creator marketing email via AWS SES.
- To generate AI outputs you request and to display them back to you.
- To execute social media actions you explicitly initiate, such as uploading a video to your YouTube channel or your TikTok drafts.
- To detect, prevent, and respond to fraud, abuse, security incidents, and Terms of Service violations.
- To comply with legal obligations, enforce our Terms, and respond to lawful requests.
3. Google API Services & YouTube Data
PausePlayRepeat's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
When you connect a YouTube channel, we request the following Google OAuth scopes:
- youtube.upload — to upload videos you submit to your own YouTube channel.
- youtube.readonly — to read your channel ID, channel title, custom URL, handle, and uploaded video metadata.
- yt-analytics.readonly — to read per-video analytics (views, average view duration, click-through rate) for your own channel, used to power the PPR scoreboard and gamification features.
What we do with YouTube data: We use this data solely to provide and improve the user-facing features you have initiated within PPR (publishing the videos you submit, displaying your channel info, surfacing your analytics in the dashboard). We do not use YouTube data to train AI or machine learning models. We do not transfer YouTube data to third parties except as necessary to operate the Service (e.g., Convex for storage, Vercel for request handling), to comply with law, or as part of a merger or acquisition where the receiving party is bound by terms at least as protective as this Policy. We do not allow humans to read YouTube data unless we have your affirmative consent, it is necessary for security purposes, it is necessary to comply with applicable law, or the data is aggregated and used for internal operations in accordance with Google's Limited Use requirements.
You can revoke PPR's access to your Google account at any time from https://myaccount.google.com/permissions or by disconnecting the integration from your PPR dashboard. Revocation deletes the encrypted tokens from our database.
4. TikTok Data
When you connect a TikTok account via TikTok Login Kit and the Content Posting API, we request the following scopes:
- user.info.basic — your TikTok open ID, union ID, avatar URL, and display name.
- video.upload — to upload videos you submit to your TikTok drafts. Videos are saved as drafts in your TikTok inbox; you decide whether and when to publish them within the TikTok app.
- video.publish — requested only where direct publish is enabled for your account; otherwise videos remain as drafts. Direct publish is gated by a separate TikTok review and is disabled by default.
How we use TikTok data: We use the basic profile fields to display which TikTok account is connected in your PPR dashboard. We upload video files to TikTok only when you explicitly click "Publish to TikTok" (or the equivalent action) for that specific video. PPR never posts to TikTok in the background or on a schedule without your action initiating the upload. We do not use TikTok data to train AI or machine learning models. We do not sell TikTok data, share it with advertisers, or transfer it to third parties except as necessary to operate the Service.
Token retention: TikTok access tokens and refresh tokens are stored encrypted at rest (AES-256-GCM) and are retained until you disconnect the TikTok integration or delete your PPR account, at which point we delete the stored tokens. You can revoke PPR's access at any time from your TikTok account settings or by disconnecting the integration from your PPR dashboard.
5. Meta (Instagram & Facebook), LinkedIn, X/Twitter, Discord
For each of these platforms, we receive only what is needed to operate the integration you have connected. Tokens are encrypted at rest using AES-256-GCM. We never read or post on these accounts outside of actions you have initiated (publishing a post you authored, replying to a comment under a creator-configured rule, fetching engagement data to display in your dashboard). You can revoke access at any time from the corresponding platform's settings or by disconnecting the integration from your PPR dashboard.
6. How We Store & Secure Information
- All data in transit is protected by TLS 1.2 or higher.
- OAuth access tokens, refresh tokens, and other third-party credentials are encrypted at rest using AES-256-GCM with a versioned ciphertext format. The encryption module lives at lib/encryption.ts.
- Authentication is handled by Clerk, which stores hashed passwords and manages session security. PPR does not store plaintext passwords.
- Application data is stored in our Convex deployment (deployment identifier fastidious-snake-859), hosted on Convex's infrastructure in the United States.
- Video assets are stored and streamed via Mux.
- Access to production systems is restricted to authorized personnel and protected by multi-factor authentication.
No security measure is perfect. If we learn of a security incident affecting your information, we will notify you and applicable regulators as required by law.
7. Third-Party Service Providers (Sub-Processors)
We share personal information with the following service providers who process it on our behalf, under contract, only as needed to operate the Service:
- Clerk — authentication and identity management.
- Convex — primary database and serverless backend.
- Vercel — application hosting, CDN, and edge/serverless compute.
- Stripe and Stripe Connect — payment processing and Creator payouts.
- AWS Simple Email Service (SES) — transactional and marketing email delivery.
- Mux — video hosting, encoding, and adaptive streaming.
- OpenAI — text generation (GPT-4o-mini) and image generation (gpt-image-2) for thumbnails and AI-assisted content.
- Anthropic — large language model inference (Claude Sonnet 4.6), accessed via OpenRouter.
- OpenRouter — LLM routing layer.
- ElevenLabs — text-to-speech voice synthesis.
- Fal AI — AI image and video merge generation.
- PostHog — product analytics.
- Google / YouTube — when you connect a YouTube channel.
- TikTok — when you connect a TikTok account.
- Meta (Facebook & Instagram) — when you connect a Facebook Page or Instagram account.
- LinkedIn — when you connect a LinkedIn profile.
- X Corp. (Twitter) — when you connect an X account.
- Resend — legacy email provider, used only for specific in-transition flows; being phased out in favor of AWS SES. New email features do not use Resend.
Each AI provider has its own data retention and use policy. We send only the minimum prompt and payload necessary for each request. PPR does not use Creator or Learner content, uploads, or AI inputs to train PPR's own AI models, and we do not sell your data to any AI provider for training. Third-party AI providers' own training and retention practices are governed by their respective policies; we link to them where available:
- OpenAI: openai.com/policies/privacy-policy (API inputs and outputs are not used to train OpenAI models by default).
- Anthropic: anthropic.com/legal/privacy.
- OpenRouter: openrouter.ai/privacy.
- ElevenLabs: elevenlabs.io/privacy.
- Fal AI: fal.ai/privacy-policy.
8. Sale of Personal Information
PausePlayRepeat does not sell personal information as defined by the California Consumer Privacy Act (CCPA) or any other applicable privacy law. We do not share personal information for cross-context behavioral advertising.
9. Your Rights & Choices
9.1 All Users
- Access, update, or correct your profile from your account dashboard.
- Disconnect any social media or third-party integration from your dashboard, which deletes the associated tokens.
- Unsubscribe from any marketing email by clicking the unsubscribe link in the footer. Transactional emails (receipts, account security) are required and cannot be unsubscribed without closing your account.
- Adjust cookie preferences via the cookie banner.
- Request full account and data deletion by emailing andrew@pauseplayrepeat.com. We will process verified deletion requests within 30 days, subject to retention obligations described in Section 11.
9.2 European Economic Area, United Kingdom & Switzerland (GDPR / UK GDPR)
If you are in the EEA, UK, or Switzerland, you have the right to: access the personal data we hold about you; rectify inaccurate data; erase data (the "right to be forgotten"); restrict or object to processing; receive your data in a portable format; withdraw consent where processing is based on consent; and lodge a complaint with your local data protection authority. Our legal bases for processing are: performance of a contract (operating the Service), legitimate interests (security, fraud prevention, product improvement), consent (marketing email, optional cookies), and compliance with legal obligations.
9.3 California (CCPA / CPRA)
California residents have the right to: know the categories and specific pieces of personal information we have collected; request deletion; correct inaccurate information; opt out of the sale or sharing of personal information (PPR does not sell or share); and not receive discriminatory treatment for exercising these rights. Submit requests to andrew@pauseplayrepeat.com. We will verify your identity using account credentials before fulfilling requests.
10. Children's Privacy
PausePlayRepeat is not directed at children under 13, and we do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, contact andrew@pauseplayrepeat.com and we will delete it.
11. Data Retention
- Account data is retained for the life of your account. When you delete your account, we delete personal data within 30 days, subject to the exceptions below.
- Encrypted OAuth tokens are deleted immediately when you disconnect an integration or delete your account.
- Transaction records, tax records, and dispute/chargeback records are retained as required by applicable tax and financial laws (typically 7 years).
- Email suppression list entries (unsubscribes, bounces, complaints) are retained indefinitely to honor your unsubscribe/bounce status across future Creator sends.
- Aggregated and anonymized data, which cannot reasonably be used to re-identify you, may be retained for product analytics and service improvement.
12. International Data Transfers
PausePlayRepeat is based in the United States. Our primary data stores (Clerk, Convex, Vercel, Stripe, Mux, AWS SES) are operated in the United States and may process your data outside your home country. Where required, we rely on Standard Contractual Clauses and similar approved mechanisms for international transfers from the EEA, UK, and Switzerland to the United States and other countries.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will update the "Last updated" date at the top of this page and, for material changes, provide notice via email or an in-app notification. Your continued use of the Service after changes become effective constitutes acceptance of the revised Policy.
14. Contact Us
Questions, requests, or concerns about this Privacy Policy or your personal information should be directed to:
PausePlayRepeat, LLC
Email: andrew@pauseplayrepeat.com