Privacy Policy.

Introduction

Grootin Music Entertainment Pvt. Ltd. ("Grootin", "we", "us", or "our"), a company registered under the Companies Act 2013 and headquartered in Mumbai, Maharashtra, operates the website grootin.in and the Grootin music distribution platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our services.

By accessing or using our platform, you consent to the practices described in this policy. If you do not agree with these terms, please do not access or use the platform.

Information We Collect

Personal Information

When you register for an account, make a purchase, or interact with our platform, we may collect the following personal information:

• Full name and display name
• Email address
• Mobile number and phone number
• Street address, city, state, pin code, and country
• IP address

Payment Information

We collect your name and billing address for payment processing. We never collect or store your credit card numbers, debit card numbers, CVV, or expiry dates. All payment processing is handled securely by our third-party payment partners, PayPal and Razorpay.

User-Generated Content

Any content you post publicly on our website, social media pages, or submit through registration forms and email or phone inquiries.

Demographics & Preferences

Your preferences, purchase history, and any responses to surveys or promotional campaigns.

Technical Data

We automatically collect certain technical information including your IP address, browser type, operating system, the website you visited before ours, pages viewed, and duration of your visit.

Cookies & Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience. Cookies are small data files stored on your device when you visit our platform.

Types of Cookies We Use

• Essential cookies — Required for the platform to function (login sessions, security tokens, preferences). These cannot be disabled.
• Analytics cookies — Help us understand how visitors interact with the platform. We use Google Analytics and Google Webmaster Tools to collect anonymised usage data such as page views, session duration, and traffic sources.
• Marketing cookies — Used to deliver relevant promotional content and measure the effectiveness of our campaigns. These may be set by third-party advertising partners.

Managing Cookies

You can control or delete cookies through your browser settings. Most browsers allow you to refuse cookies, delete existing cookies, or alert you before a cookie is stored. Please note that disabling essential cookies may affect the functionality of the platform. For more information, visit www.allaboutcookies.org.

Legal Basis for Processing

We process your personal data based on one or more of the following legal grounds, as required under the EU General Data Protection Regulation (GDPR) and India's Digital Personal Data Protection Act (DPDP Act, 2023):

• Consent — When you sign up, subscribe, or opt in to marketing communications, you provide explicit consent for us to process your data for those purposes.
• Contract performance — Processing necessary to fulfil our obligations under your subscription agreement, including distributing your music, processing payments, and providing royalty reports.
• Legitimate interest — Processing necessary for our legitimate business interests, such as fraud prevention, platform security, service improvements, and internal analytics — provided these interests do not override your fundamental rights.
• Legal obligation — Processing required to comply with applicable laws, regulations, or court orders (e.g., tax reporting, responding to lawful government requests).

How We Use Your Information

• To confirm and process your purchases and subscriptions
• To distribute your music to streaming platforms and digital stores
• To calculate and process royalty payments
• To send you promotional content and platform updates
• To respond to your requests, inquiries, and support tickets
• To improve our products, services, and user experience
• To customise your experience on the platform
• To analyse trends and platform usage patterns
• To protect the company and our users from fraud or misuse
• To send transactional communications (receipts, royalty reports, account updates)
• To comply with legal and regulatory requirements

Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes described in this policy, or as required by law. Specific retention periods are:

• Account data (name, email, address) — Retained for the duration of your account and for 2 years after account deletion, unless a longer retention period is required by law.
• Transaction & payment records — Retained for 7 years from the date of transaction, in compliance with Indian tax and financial regulations.
• Royalty and distribution records — Retained for 7 years after the last distribution activity, as required for licensing and audit purposes.
• Analytics & usage data — Retained in anonymised form for up to 26 months, after which it is automatically purged.
• Support correspondence — Retained for 3 years after the last interaction for quality assurance and dispute resolution.

When data is no longer required, it is securely deleted or anonymised so that it can no longer be associated with you.

Your Rights

Depending on your location and applicable law (including GDPR, CCPA, and India's DPDP Act), you may have the following rights regarding your personal data:

• Right to access — Request a copy of the personal data we hold about you.
• Right to rectification — Request correction of inaccurate or incomplete personal data.
• Right to erasure ("Right to be forgotten") — Request deletion of your personal data, subject to legal retention requirements.
• Right to data portability — Request your data in a structured, commonly used, machine-readable format (e.g., CSV or JSON).
• Right to restrict processing — Request that we limit how we use your data in certain circumstances.
• Right to object — Object to the processing of your data for direct marketing or based on legitimate interest grounds.
• Right to withdraw consent — Withdraw your consent at any time where processing is based on consent. This does not affect the lawfulness of processing performed before withdrawal.
• Right to lodge a complaint — File a complaint with a relevant data protection authority if you believe your rights have been violated.

To exercise any of these rights, email us at hello@grootin.in with the subject line "Data Rights Request". We will respond within 30 days of receiving your request. We may ask you to verify your identity before processing the request.

For California Residents (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and its amendment (CPRA):

• The right to know what personal information we collect, use, and disclose.
• The right to request deletion of your personal information.
• The right to opt out of the sale or sharing of your personal information. Grootin does not sell your personal data.
• The right to non-discrimination for exercising your CCPA rights.

Children's Privacy

The Grootin platform is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. Users between the ages of 13 and 18 may use the platform only under the supervision of a parent or legal guardian who agrees to be bound by our Terms & Conditions.

If we become aware that we have collected personal data from a child under 13 without verified parental consent, we will take immediate steps to delete that information. If you believe we have inadvertently collected data from a child under 13, please contact us at hello@grootin.in.

Data Security

We implement and maintain appropriate technical and organisational security measures to protect your personal information, including:

• SSL/TLS encryption for all data transmitted between your browser and our servers
• Encrypted storage for sensitive personal data at rest
• Access controls and role-based permissions for internal staff
• Regular security audits and vulnerability assessments

However, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.

We will never ask you to share your password, credit card details, or other sensitive financial information via email, phone, or chat. If you receive such a request claiming to be from Grootin, please report it to us immediately.

Data Breach Notification

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required under GDPR.
• Notify affected users without undue delay via email, providing details of the breach, the data affected, steps we are taking to mitigate the impact, and recommended actions you can take to protect yourself.
• Maintain an internal breach register documenting all incidents, their effects, and remedial actions taken.

International Data Transfers

Grootin is headquartered in India. Your data may be transferred to and processed in countries outside your country of residence, including countries where our hosting providers, payment processors, and distribution partners operate (such as the United States and European Union).

When we transfer your data internationally, we ensure adequate protection through:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data processing agreements with all third-party service providers
• Ensuring that recipients maintain equivalent or higher data protection standards

Third-Party Sharing

We may share your personal information with the following categories of third parties:

• Service providers who assist in operating our platform (payment processors including PayPal and Razorpay, cloud hosting providers, analytics services including Google Analytics)
• Music distribution partners — Streaming platforms and digital stores where your music is distributed (e.g., Spotify, Apple Music, YouTube Music, Amazon Music, and others)
• Business partners and vendors for collaborative services
• Successors in business transactions such as mergers, acquisitions, or asset sales
• Law enforcement or government authorities when required to comply with legal obligations or court orders

We require all third parties to respect the security of your personal data and to process it in accordance with applicable law. We do not allow third-party service providers to use your personal data for their own purposes.

We do not sell your personal data to third parties.

Third-Party API Integrations

The Grootin platform integrates with several third-party APIs to deliver core features such as pre-save campaigns, artist profile linking, and advertising. When you choose to connect or use any of these integrations, the relevant third party's own privacy policy and terms of service also apply to your data.

Spotify

We use the Spotify Web API and Spotify OAuth to power pre-save campaigns, artist profile lookups, and to display public catalog data such as artist names, album artwork, track metadata, and release dates.

• What we access: When a fan authorises a pre-save, we receive their Spotify user ID and an OAuth access token solely to save the upcoming release to their library on release day. We do not read their listening history, playlists, or personal data beyond what is required to perform the pre-save action.
• Storage: Spotify access and refresh tokens are stored encrypted and used only for the specific pre-save action the user authorised. Users can revoke access at any time via spotify.com/account/apps.
• Spotify's policies: Your use of Spotify features through Grootin is also governed by the Spotify Privacy Policy (spotify.com/legal/privacy-policy) and Spotify Terms of Use (spotify.com/legal/end-user-agreement).

YouTube (YouTube API Services)

Grootin uses YouTube API Services (including the YouTube Data API v3) to search for and link artist channels during onboarding, fetch public channel metadata (channel name, thumbnail, subscriber count, video data), and provide YouTube Music pre-save functionality.

• By using the YouTube-powered features of our platform, you agree to be bound by the YouTube Terms of Service.
• You also acknowledge and accept the Google Privacy Policy, which describes how Google handles your information when you interact with YouTube services.
• Revoking access: You can revoke Grootin's access to your YouTube/Google account at any time by visiting Google's security settings at myaccount.google.com/permissions.
• Data we store from YouTube: We cache public channel metadata (channel ID, name, thumbnail URL, subscriber count) you link during onboarding for display in your artist profile. We do not access your private YouTube data, watch history, or content beyond the public metadata required for the linked feature.

Meta (Facebook & Instagram)

We use the Meta Marketing API, Facebook Login, and related Meta Business APIs to power our Express Ads feature, which lets artists run Facebook and Instagram ad campaigns directly from the Grootin platform.

• What we access: When you connect a Meta Business account, we receive access tokens scoped to ad account management, campaign creation, audience targeting, and insights (impressions, reach, clicks, conversions). We do not access your personal Facebook profile, messages, or non-business data.
• Why we access it: Solely to create, manage, and report on the ad campaigns you launch through Grootin's Express Ads wizard.
• Storage: Meta access tokens are stored encrypted and refreshed as required by Meta. You can revoke Grootin's access at any time via facebook.com/settings?tab=business_tools.
• Meta's policies: Your use of Meta features through Grootin is also governed by the Meta Privacy Policy (facebook.com/privacy/policy) and Meta Platform Terms (developers.facebook.com/terms).

Google Ads

We use the Google Ads API to power YouTube and Demand Gen ad campaigns launched through the Grootin Express Ads feature.

• What we access: When you connect a Google Ads account, we receive OAuth tokens scoped to campaign creation, audience and demographic targeting, bidding strategy management, and performance reporting (impressions, views, clicks, conversions).
• Why we access it: Solely to create, manage, and report on the Google/YouTube ad campaigns you launch through Grootin.
• Limited Use Disclosure: Grootin's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data for advertising, do not allow humans to read it (except for security, with your consent, or to comply with law), and do not transfer it to third parties except as necessary to provide the service you requested.
• Storage: Google Ads OAuth tokens are stored encrypted. You can revoke Grootin's access at any time via myaccount.google.com/permissions.
• Google's policies: Your use of Google Ads features through Grootin is also governed by the Google Privacy Policy.

Google Calendar

Grootin uses the Google Calendar API to power the optional Release Plan sync feature, which mirrors your release-plan milestones (pre-production deadlines, pre-save launch, release day, post-release tasks) as events on your Google Calendar.

• Scope requested: https://www.googleapis.com/auth/calendar.events — used solely to create, update, and delete the calendar events you ask us to sync. We do not read other events on your calendar.
• What we access: When you click "Connect Google Calendar" on the Release Plan page, we receive an OAuth refresh token and your account email. We use these only to write the milestone events for releases you choose to sync, and to update/delete them when your plan changes.
• Storage: Google Calendar refresh and access tokens are encrypted at rest and used only for the specific calendar actions you initiate. We do not share them with any third party.
• Limited Use Disclosure: Grootin's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google Calendar data for advertising, do not allow humans to read it (except for security, with your consent, or to comply with law), and do not transfer it to third parties except as necessary to provide the calendar-sync feature you requested.
• Revoking access: You can disconnect Google Calendar at any time from the Release Plan settings, or revoke access globally at myaccount.google.com/permissions. Revocation removes our ability to make further changes; previously synced events remain on your calendar until you delete them.
• Google's policies: Your use of Google Calendar features through Grootin is also governed by the Google Privacy Policy.

Apple Music

We use Apple's MusicKit / Apple Music API to support pre-save campaigns on Apple Music. Apple user data received via MusicKit is used solely for the pre-save action the user authorised and is governed by Apple's privacy terms (apple.com/legal/privacy).

Email Communications

You may opt out of marketing emails at any time by clicking the "Unsubscribe" link at the bottom of any marketing email, or by contacting us at hello@grootin.in. Please allow up to 10 business days for your request to be processed. Transactional emails (such as receipts, royalty reports, and account security alerts) will continue regardless of your marketing preferences.

Third-Party Websites

Our platform may contain links to third-party websites. This Privacy Policy does not cover the practices of those external sites. We encourage you to review the privacy policies of any third-party site you visit. Grootin is not responsible for the privacy practices or content of external websites.

Grievance Officer

In accordance with the Information Technology Act, 2000 and the rules made thereunder, the Grievance Officer for the purpose of this Privacy Policy is:

Name: Abhiraj Singh
Email: hello@grootin.in
Address: 1st floor, 264-265, Dr Annie Besant Rd, Worli, Mumbai, Maharashtra 400025

The Grievance Officer shall address your concerns within 30 days of receiving a written complaint.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by posting the updated policy on this page with a revised "Last Updated" date, and where appropriate, by sending you an email notification.

We encourage you to review this policy periodically. Your continued use of the platform after any changes constitutes your acceptance of the updated policy.

Governing Law

This Privacy Policy and any disputes arising from it are governed by the laws of India, including the Information Technology Act, 2000, the Digital Personal Data Protection Act, 2023, and any rules and regulations made thereunder. Any legal proceedings shall be conducted exclusively in the courts of Mumbai, Maharashtra.

For users in the European Economic Area (EEA), this policy also complies with the EU General Data Protection Regulation (GDPR). For users in California, this policy also complies with the California Consumer Privacy Act (CCPA/CPRA).