Privacy Policy

Effective June 11, 2026

Vivus Tech LLC, a California limited liability company operating the Release Ledger platform ("Vivus," "Release Ledger," "we," "our," or "us"), provides software for music workflow, fan engagement, finance operations, analytics, automation, and related business workflows. This Privacy Policy explains how Vivus collects, uses, discloses, retains, and deletes personal data.

Scope and roles

Vivus has different privacy roles depending on the data population. Where Vivus acts only as a processor or service provider, the artist or workspace administrator normally controls the campaign purpose, audience, and marketing choices. Vivus hosts the tools, processes data on the artist's instructions, and supports rights-request routing.

WorkflowVivus roleArtist roleMeaning
Artist account, workspace, billing, finance, support, and security dataControllerUser or customerVivus decides why and how this data is processed to provide and secure the service.
Fan data entered on public artist pages or imported into an artist workspaceProcessor/service provider, except for security, compliance, or legal usesController/businessThe artist decides the campaign purpose and audience. Vivus processes on the artist's instructions.
Outbound fan email, SMS, and similar communicationsProcessor/service provider; operational co-sender where Vivus infrastructure sends or records messagesController/business and message sponsorThe artist chooses message content and recipients. Vivus sends, logs consent, and manages unsubscribe evidence.
Fraud, abuse, security, legal holds, sanctions, tax/accounting, and incident responseController for Vivus compliance usesController for artist instructions where applicableVivus may retain or process limited data independently where law, safety, or platform integrity requires it.

Information we collect

  • Account and identity data: email address, name, login identifiers, sessions, workspace membership, roles, and permissions.
  • Artist workspace data: releases, campaigns, uploads, labels, submissions, contracts, tour records, CRM contacts, notes, tasks, analytics, and workflow content.
  • Fan data: fan names, email addresses, phone numbers, signup source, consent evidence, attribution, public-page interactions, pre-save/add-to-library actions, and artist-defined fields.
  • Communications data: SMS/email opt-in records, confirmation state, STOP/HELP unsubscribe events where available, delivery logs, message IDs, message content, and support communications.
  • Plaid and finance data: linked financial account metadata, institution identity, balances, transactions, categories, rules, reconciliation records, and encrypted token material needed for sync. Vivus does not receive or store the banking credentials entered into Plaid Link.
  • Billing data: subscription status, billing contact information, invoices, tax/accounting metadata, and Stripe payment metadata.
  • Integration data: OAuth tokens and data returned from artist-authorized services such as Google/YouTube/Calendar/Ads, Spotify, Apple, Meta, TikTok, X, Shopify, and similar platforms, limited to the feature enabled.
  • AI and automation inputs: prompts, generated drafts, uploaded audio, transcripts, campaign or contract fields, and contextual workspace data submitted to an AI feature.
  • Technical, analytics, and security data: device/browser metadata, cookie choices, IP-derived diagnostics, usage events, audit logs, error telemetry, and fraud/abuse signals.

How we use information

  • Provide, maintain, and improve the service.
  • Authenticate users and enforce workspace access controls.
  • Host artist public pages and process fan signups.
  • Send artist-directed communications and record consent/unsubscribe evidence.
  • Sync, categorize, and report finance records.
  • Connect artist-authorized integrations and revoke tokens on disconnect.
  • Provide AI-assisted draft, analysis, transcription, and workflow features where enabled.
  • Detect abuse, fraud, sanctions risk, security issues, and service failures.
  • Process billing, tax, accounting, legal, support, compliance, DSR, deletion, and incident obligations.

GDPR and UK GDPR legal bases

Where GDPR or UK GDPR applies and Vivus acts as controller, Vivus relies on the legal bases below. Where Vivus acts as processor for an artist, the artist determines the controller legal basis and Vivus processes under the artist's instructions.

PurposePrimary legal basis
Account creation, login, workspace operation, support, and core service deliveryContract performance; legitimate interests for service administration.
Billing, subscriptions, tax, accounting, sanctions screening, and legal recordsContract performance; legal obligation; legitimate interests for fraud prevention and claims.
Artist-directed fan page hosting and fan CRM processingProcessor on artist instructions; where Vivus acts as controller for security/compliance, legitimate interests or legal obligation.
Fan marketing email/SMS and double-opt-in flowsConsent or other lawful marketing basis determined by the artist; Vivus processes as service provider/processor and keeps consent evidence.
Plaid bank connection and finance syncContract performance and user consent; legal obligation and legitimate interests for audit, security, and fraud controls.
Product analytics and non-essential cookiesConsent where required; legitimate interests for essential diagnostics and security.
Google, social, and other OAuth integrationsContract performance and user consent for the enabled integration.
AI-assisted drafting, analysis, and transcriptionContract performance for enabled features; legitimate interests for quality/security controls, subject to data minimization and provider restrictions.
Security monitoring, incident response, abuse prevention, and audit loggingLegitimate interests; legal obligation where required.
DSR, deletion, retention, legal holds, and dispute handlingLegal obligation; legitimate interests for claims, security, and compliance evidence.

Sharing, subprocessors, and AI providers

Vivus shares personal data with service providers that help operate the service, subject to contractual, technical, and organizational controls. Current named subprocessors and service providers include Supabase, Vercel, OpenRouter and downstream model providers, OpenAI, Stripe, Plaid, Twilio, Resend, and PostHog. See the Subprocessors page for roles, regions, and status notes.

AI provider processing remains subject to active compliance gates. Request-side controls such as zero-data-retention routing are technical controls, not proof of a fully executed DPA chain. Customer-data-bearing AI paths must remain limited until provider DPA, ZDR, or modified-abuse-monitoring evidence is approved where required.

Vivus does not sell personal information and does not share SMS opt-in data for third-party marketing.

Financial Privacy Notice

When you connect a bank account, Vivus receives account and transaction information through Plaid. This financial information may include nonpublic personal information, depending on the feature you use and the law that applies. We use it only to provide finance tools you request, such as sync, categorization, reconciliation, and reporting.

  • What Plaid handles. Plaid collects the banking credentials you enter in Plaid Link and sends Vivus only the financial-account data you authorize Plaid to share.
  • How we share financial data. We share financial data with service providers only as needed to operate, secure, support, or comply with legal obligations for the service. We do not sell financial data and do not share it for third-party marketing.
  • Your control. You can disconnect linked bank accounts in finance settings. After disconnection, we delete the Plaid connection token and retain or delete related records according to our Data Retention & Deletion Policy.
  • Safeguards posture. We treat bank-account and transaction data as sensitive financial data and apply administrative, technical, and physical safeguards. If the FTC Safeguards Rule applies and a notification event involves unencrypted customer information for at least 500 consumers, our incident process includes assessment of the FTC notice deadline of no later than 30 days after discovery.

Google API Services and Limited Use

If you connect a Google account, Vivus receives data from Google APIs only for the specific, user-facing features you enable. Vivus requests the narrowest scopes needed for each feature: Tour calendar sync, YouTube channel sync and publishing, Google Ads metrics, the Drive picker, and Sign-in. We do not request full Calendar, full Drive, or other broad scopes.

Vivus's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We use Google user data only to provide or improve these user-facing features. We do not use it for advertising, do not sell it, do not transfer it except to provide these features or as required by law, and do not use it to train generalized AI models.

You can disconnect any Google integration at any time. Doing so revokes the OAuth grant at Google and deletes stored tokens. You can also review and revoke access from your Google Account at myaccount.google.com.

SMS messaging program

Artists can offer fans optional SMS updates. A fan may opt in two ways: enter a phone number and check the unchecked opt-in box on an artist's Fan Hub web signup page (which may be reached by scanning a QR code that opens that web page); or text a published keyword to the artist's number, in which case the fan receives a confirmation message and must reply YES to confirm — the fan is not subscribed until they reply YES. Consent is recorded with timestamp and source evidence. Messages may include new release, tour, ticket, or similar artist updates. Message frequency varies. Message and data rates may apply. Reply STOP to unsubscribe or HELP for help where the carrier supports those commands.

SMS consent is not a condition of purchase or access to a fan page. No mobile information — including phone numbers and SMS opt-in or consent data — is sold or shared with third parties or affiliates for their own marketing or promotional purposes. Mobile information may be shared only with the artist whose program you joined and with subprocessors (such as Twilio) strictly to deliver the messages you requested. SMS opt-in consent is never shared for any other purpose.

Cookies, pixels, and tracking choices

Vivus uses essential cookies for login, security, and core service operation. Optional analytics and marketing cookies/pixels are off by default and only turn on after consent where required.

Artists may connect their own advertising accounts for fan-page analytics, such as Meta Pixel, Google Analytics/Ads, or TikTok Pixel. Those vendors may act as independent or joint controllers for their own processing. Cookie consent is required before optional fan-page tracking fires.

You can change your choice at any time from the Cookie Preferences link in the footer. See the Cookie Policy for the current cookie and SDK inventory.

Retention and deletion

Vivus retains personal data only as long as needed for service delivery, security, legal obligations, dispute handling, support, billing/tax/accounting, backup rotation, and audit evidence.

Data classDefault retentionDeletion approach
Account identity and workspace dataAccount lifetime plus a 30-day reactivation window after closure.Delete or irreversibly anonymize eligible records after the window.
Fan signup and CRM dataArtist workspace lifetime or until deleted, subject to legal holds.Delete/anonymize from primary stores; route fan DSRs to the artist controller where needed.
Consent and unsubscribe evidenceAs long as needed to prove consent/unsubscribe and comply with messaging laws.Preserve minimum evidence even when marketing data is removed.
Finance and billing recordsAccount lifetime plus tax/accounting/audit needs, commonly up to 7 years depending on law.Delete non-required records; retain limited records where legally required.
Plaid and OAuth tokensWhile the connection is active.Revoke where supported, then delete stored tokens on disconnect or account deletion.
Operational/security logsRolling retention based on system criticality, generally 30-365 days.Rolling purge or archive deletion.

Verified deletion requests are handled without undue delay, within 30 days where GDPR applies and within 45 days where California privacy law applies, unless a permitted extension or legal exception applies. Deleted data may remain in encrypted backups until backup rotation expires.

Your choices and rights

Depending on your location and the type of data, you may have the rights below. For fan data controlled by an artist, Vivus may need to route or coordinate the request with the artist controller.

Right / requestApplies toVivus handling target
Access / knowReceive a copy or description of personal data processed about you.Verify identity and respond within 30 days where GDPR applies or 45 days where California law applies, unless extended by law.
CorrectionCorrect inaccurate personal data.Verify identity and correct eligible account/workspace data; route fan-data requests to the artist controller where needed.
DeletionDelete eligible personal data.Apply deletion workflow, subject to legal holds, security, tax/accounting, claims, backup, and consent-evidence exceptions.
Portability / exportReceive data in a portable format where required.Export eligible account/workspace data; full tenant exports use controlled GDPR export tooling.
Restriction / objectionRestrict or object to certain processing.Evaluate under applicable law and feature needs; honor where required.
Withdraw consentWithdraw marketing, cookie, or optional integration consent.Stop future consent-based processing where feasible; preserve withdrawal evidence where required.
Opt out of sale/share or targeted advertisingCalifornia and similar state privacy rights.Vivus does not sell personal data; optional advertising cookies/pixels require consent and can be declined or withdrawn.
Appeal / complaintChallenge a rights decision or contact a regulator where available.Provide appeal path where required by applicable state law and preserve evidence of the request.

Vivus targets the same response posture across verified rights requests, not only access and deletion: without undue delay; within 30 days where GDPR or UK GDPR applies; within 45 days where California privacy law applies; with any permitted extension or legal exception applied only after notice within the initial response period. Where an artist is the controller of fan data, Vivus routes or coordinates the request with that artist controller.

To make a request, email privacy@releaseledger.com. Mailing address: Vivus Tech LLC, 2108 N St #15874, Sacramento, CA 95816.

Children and minors

Vivus services are not directed to children under 13. Public fan pages and artist marketing tools are not intended to knowingly collect data from children under 13 or from minors where a higher local digital-consent age applies without appropriate authorization.

For the UK, EU, and similar child-privacy regimes, Vivus treats child-directed or minor-focused fan capture as a gated use case requiring additional review. If Vivus learns that it has collected personal data from a child in a way not permitted by law, Vivus will delete or disable the data as required.

Security and breach notification

Vivus uses safeguards including authentication, scoped authorization, tenant isolation, encryption in transit, encryption at rest for sensitive tokens, audit logging, backup controls, and provider access controls.

If Vivus becomes aware of a security incident involving personal data, Vivus will investigate, mitigate, preserve evidence, and notify affected controllers, users, regulators, or individuals where required by law. Where GDPR applies and Vivus is a processor, Vivus will notify the relevant controller without undue delay after becoming aware of a personal-data breach.

Vivus maintains a written incident-response runbook covering severity classification, evidence preservation, reversible containment, and jurisdiction-specific notification timelines (including GDPR 72-hour supervisory notice, US state breach laws, Australia NDB, FTC Safeguards, and contractual vendor obligations). Notification decisions require counsel and senior management review before any external communication is made.

International transfers

Vivus and its providers may process data in countries different from your residence. Where required, Vivus relies on safeguards such as standard contractual clauses, data-processing agreements, regional configuration, and transfer-impact review. EU/UK launch remains subject to provider-region and transfer-mechanism confirmation.

Contact and changes

Questions about this policy: privacy@releaseledger.com. Mailing address: Vivus Tech LLC, 2108 N St #15874, Sacramento, CA 95816.

Vivus may update this policy periodically and will provide notice where required.

We use essential cookies for core functionality. Optional analytics and marketing cookies are disabled by default and only enabled with your consent.