Privacy Policy

Effective date: October 30, 2025 • Last updated: November 11, 2025

1. Introduction

RoyaltyHit ("we", "us", "our", or "the Service") is committed to protecting your privacy and handling your personal data responsibly. This Privacy Policy explains how we collect, use, store, protect, and process your information when you use our website and services.

By using RoyaltyHit, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your information as described herein.

2. Information We Collect

2.1 Account Information

• Email Address: Required for account creation, authentication, and communication
• Password: Stored using industry-standard bcrypt hashing (never stored in plain text)
• Nickname (Display Name): Optional custom display name (2-20 characters, must be unique) that you can set to appear in the navigation bar instead of your email username. This is publicly visible within your account interface and can be changed or cleared at any time
• Account Creation Date: Timestamp of registration
• Account Settings: User preferences and configuration options

2.2 Royalty Statement Data

• Financial Information: Royalty statements you voluntarily upload from Getty Images/iStock, including earnings, product IDs, download counts, and dates
• File Metadata: Original filename, upload timestamp, file size
• Parsed Analytics: Aggregated statistics derived from your statements for dashboard visualization

2.3 Technical and Usage Data

• IP Address: Collected for security monitoring and fraud prevention
• Browser Information: User agent string, browser type and version
• Device Information: Operating system, device type (desktop/mobile)
• Login History: Timestamps and approximate location of login attempts
• Usage Patterns: Pages visited, features used, session duration (anonymized)

3. How We Use Your Information

We process your data for the following legitimate purposes:

Purpose	Data Used	Legal Basis
Account Management	Email, password hash, settings	Contract performance
Service Delivery	Royalty data, analytics	Contract performance
Security & Fraud Prevention	IP address, login history, device info	Legitimate interest
Service Improvements	Anonymized usage patterns	Legitimate interest
Communication	Email address	Contract performance / Consent

We will never:

• Sell your personal data to third parties
• Share your financial information with advertisers
• Use your royalty data for any purpose other than providing you with analytics
• Contact you with unsolicited marketing without your explicit consent

4. Data Storage and Retention

4.1 Storage Infrastructure

• Database: Your data is stored in a MySQL database with restricted access
• File Storage: Uploaded royalty statements are stored on secure servers with access controls
• Backups: Regular encrypted backups are maintained for disaster recovery (retained for 30 days)
• Location: All data is stored on servers located in secure data centers with physical security measures

4.2 Data Retention Periods

Data Type	Retention Period	Reason
Account Information	Until account deletion	Service provision
Royalty Statements	Until manually deleted or account closure	Service provision
Login History	90 days	Security monitoring
Backup Data	30 days	Disaster recovery
Usage Analytics	12 months (anonymized)	Service improvement

5. Security Measures

We implement comprehensive security controls to protect your data:

5.1 Technical Security

• Encryption in Transit: All data transmission uses TLS 1.2+ encryption (HTTPS)
• Password Security: Passwords are hashed using bcrypt with salt (never stored in plain text)
• SQL Injection Prevention: Parameterized queries and prepared statements throughout
• XSS Protection: Output encoding and Content Security Policy headers
• CSRF Protection: Token-based validation for state-changing operations
• Session Management: Secure, HttpOnly cookies with appropriate expiration

5.2 Access Controls

• Authentication: Login required for all sensitive operations
• Authorization: User data is isolated - you can only access your own information
• Database Access: Restricted to application layer only, no direct public access
• Admin Access: Limited to essential personnel with audit logging

5.3 Monitoring and Response

• Regular security audits and vulnerability assessments
• Automated monitoring for suspicious activity and intrusion attempts
• Login notifications to alert you of account access
• Incident response procedures for data breaches (notification within 72 hours if applicable)

6. Data Encryption and Protection

6.1 Encryption Standards

• Data in Transit: TLS 1.2+ with modern cipher suites
• Password Storage: Bcrypt hashing algorithm with per-user salt
• Sensitive Data: Additional encryption layers for financial information at rest

6.2 File Upload Security

• File type validation and sanitization
• Size limits to prevent denial-of-service attacks
• Malware scanning on uploaded files
• Isolated storage with restricted execution permissions

7. Your Rights and Choices

You have the following rights regarding your personal data:

7.1 Access and Portability

• Right to Access: Request a copy of all personal data we hold about you
• Right to Portability: Receive your data in a structured, machine-readable format
• How to Exercise: Contact privacy@royaltyhit.com (fulfilled within 30 days)

7.2 Correction and Deletion

• Right to Rectification: Correct inaccurate or incomplete personal data (you can update your nickname in Settings at any time)
• Right to Erasure: Request deletion of your personal data ("right to be forgotten")
• Account Deletion: Available in Settings page - permanently removes all your data including email, nickname, and uploaded files within 30 days

7.3 Restriction and Objection

• Right to Restrict Processing: Limit how we use your data in certain circumstances
• Right to Object: Opt out of processing based on legitimate interests
• Marketing Opt-Out: Unsubscribe from promotional emails at any time

7.4 Withdrawal of Consent

Where processing is based on consent, you may withdraw it at any time by contacting us. This does not affect the lawfulness of processing before withdrawal.

8. Cookies and Tracking

8.1 Cookies We Use

Cookie Type	Purpose	Duration
Session Cookie	Authentication and session management	Session (deleted on logout)
Authentication Token	Keep you logged in between visits	30 days
Preference Cookie	Remember your settings	1 year

8.2 Third-Party Cookies

We do not use third-party advertising or analytics cookies that track you across websites. Any third-party services are limited to essential functionality only.

8.3 Managing Cookies

You can control cookies through your browser settings. However, disabling cookies may limit website functionality, including the ability to log in.

9. Data Sharing and Third Parties

9.1 When We Share Data

We only share your personal data in the following limited circumstances:

• Legal Obligations: When required by law, court order, or governmental regulation
• Service Providers: With essential service providers (hosting, email delivery) under strict confidentiality agreements
• Business Transfers: In the event of a merger, acquisition, or sale (you will be notified)
• Your Consent: With your explicit permission for specific purposes

9.2 What We Never Share

• Your royalty statements or financial data with advertisers or data brokers
• Personal information for marketing purposes
• Individual user data with other users (unless explicitly designed as a feature)

9.3 Third-Party Services

We may use the following categories of service providers:

• Email Delivery: For sending account notifications and alerts
• Hosting Infrastructure: Secure servers for data storage and application hosting

All third-party providers are contractually obligated to protect your data and may only use it for specified purposes.

10. International Data Transfers

Our services are operated from servers that may be located in different countries. By using RoyaltyHit, you consent to the transfer of your data to these locations. We ensure appropriate safeguards are in place for international transfers, including:

• Data processing agreements with service providers
• Compliance with applicable data protection regulations (GDPR, CCPA, etc.)
• Encryption and security measures during transit and at rest

11. Children's Privacy

RoyaltyHit is not intended for users under the age of 18. We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will take steps to delete such information promptly. If you believe a child has provided us with personal data, please contact us at privacy@royaltyhit.com.

12. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:

• The "Last Updated" date at the top will be revised
• Material changes will be communicated via email to registered users
• Continued use of the service after changes constitutes acceptance
• Previous versions will be archived and available upon request

We encourage you to review this policy periodically to stay informed about how we protect your data.

13. Contact Information

For questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

• Email (Privacy Matters): privacy@royaltyhit.com
• Email (General Support): support@royaltyhit.com
• Response Time: We aim to respond within 48 hours for general inquiries and within 30 days for formal data subject requests

Data Protection Authority

If you are located in the European Economic Area (EEA), you have the right to lodge a complaint with your local data protection authority if you believe we have not handled your personal data appropriately.