Privacy Policy

Last updated: April 7, 2026

Rollout Heaven ("we", "us", the "Service") is a marketing command center for independent musicians. This policy explains what information we collect, how we use it, who we share it with, and how we protect it. By using the Service you agree to the terms described below.

1. Information We Collect

Account information. Email address and a one-way hashed (bcrypt) password when you register. We never store plaintext passwords.
Release metadata you enter. Song titles, artist names, release dates, ISRC/UPC/ISWC codes, songwriter and publisher details, PRO information, cover art, streaming links, and any other material you choose to add to the Release Intake form.
Generated campaign content. Hooks, captions, marketing calendars, outreach templates, and other material produced by the AI generation pipeline on your behalf and tied to your releases.
Gamification data. XP, level, achievements, and action counters tied to your account.
Session data. A secure HTTP-only session cookie and a corresponding server-side session record used only to keep you logged in.
Payment information. When you subscribe, Stripe collects and stores your payment details. We never see or store your card number or CVC. We only receive and store a Stripe customer ID, subscription status, and subscription end date.
Technical logs. Standard web server logs (IP address, user-agent, request path, timestamp) kept for operational and abuse-prevention purposes.

2. How We Use Your Information

To operate the Service — authenticate you, render your saved releases, generate campaigns on request, and track your progress.
To process subscription payments, issue receipts, and manage trial periods.
To send transactional email you have explicitly requested (verification links, password resets, subscription receipts).
To debug issues, monitor health, and prevent abuse of the AI generation endpoints.

We do not sell your personal information. We do not use your release metadata or generated campaigns to train any AI model.

3. Who We Share Information With

We only disclose information to the following trusted service providers, and only as necessary for them to perform their function for us:

Stripe — payment processing and subscription management. Governed by Stripe’s privacy policy.
Anthropic (Claude API) — when you click Generate Campaign, the release context you supplied is sent to Anthropic’s Claude API to produce marketing content. Governed by Anthropic’s privacy policy. Anthropic states it does not train on API inputs by default.
Resend — transactional email delivery (verification, receipts). Governed by Resend’s privacy policy.
Serper — optional web/search enrichment used during campaign generation to surface relevant trends and curators. Only non-identifying query strings are sent.
Railway — infrastructure hosting (compute, persistent volume for database and sessions).

We may also disclose information if required by law, subpoena, or to protect our rights, users, or the public.

4. How Disclosure Happens

All disclosures above occur programmatically over encrypted HTTPS/TLS connections at the moment a feature requires them — for example, your card details are sent directly from your browser to Stripe via Stripe’s hosted checkout, and your release context is sent to Anthropic only when you click Generate Campaign. No human at Rollout Heaven accesses your data in the normal course of operating the Service.

5. Security Practices

All traffic is served over HTTPS/TLS.
Passwords are hashed with bcrypt before storage; plaintext is never written to disk or logs.
Session cookies are httpOnly, secure in production, and sameSite=lax. Sessions are stored server-side on an encrypted, persistent volume, not in client-side cookies.
The application database is stored on a private Railway volume that is not publicly reachable.
API keys for third-party providers are held in server environment variables and never exposed to the browser.
Access to the production environment is limited to the site operator.

6. Data Retention & Your Rights

Your data is retained for as long as your account is active. You may request access to, correction of, or deletion of your personal data at any time by emailing us at the address below. On account deletion we remove your account record, saved releases, generated campaigns, sessions, and gamification data within 30 days; Stripe records may be retained by Stripe for legal and tax purposes.

7. Cookies

We use one strictly necessary cookie — the session cookie described above — to keep you logged in. We do not use advertising, analytics, or cross-site tracking cookies.

8. Children

The Service is not directed to children under 13 and we do not knowingly collect personal information from children.

9. Changes to This Policy

We may update this policy from time to time. Material changes will be announced in-app or by email. Continued use of the Service after a change constitutes acceptance of the revised policy.

10. Contact

Questions, requests, or concerns: josephmadiganmusic@gmail.com.