← Back to Rollout Heaven
Privacy Policy
Last updated: June 4, 2026
Rollout Heaven ("we," "us," the "Service") is a marketing command center for independent musicians. This policy explains what information we collect, how we use it, who we share it with, and your rights regarding your data. By using the Service you agree to the practices described below.
1. Information We Collect
1.1 Information You Provide
- Account information. Email address and a one-way hashed (bcrypt) password when you register. We never store plaintext passwords.
- Release metadata. Song titles, artist names, release dates, ISRC/UPC/ISWC codes, songwriter and publisher details, PRO information, cover art, streaming links, and any other material you choose to add to the Release Intake form.
- Generated content. Hooks, captions, marketing calendars, outreach templates, press releases, email campaigns, and other material produced by the AI generation pipeline on your behalf.
- Support communications. Emails, support tickets, and any other correspondence you send to us.
1.2 Information Collected Automatically
- Session data. A secure HTTP-only session cookie and a corresponding server-side session record used solely to keep you logged in.
- Technical logs. Standard web server logs (IP address, user-agent, request path, timestamp) retained for operational, debugging, and abuse-prevention purposes.
- Gamification data. XP, level, achievements, and action counters tied to your account.
1.3 Information From Third Parties
- Payment information. When you subscribe, Stripe collects and stores your payment details directly. We never see or store your card number, CVC, or full bank account information. We receive and store only a Stripe customer ID, subscription status, tier, and billing period end date.
2. How We Use Your Information
- To operate the Service -- authenticate you, render your saved releases, generate campaigns on request, and track your progress.
- To process subscription payments, issue receipts, and manage your plan and billing.
- To send transactional emails you have explicitly requested (verification links, password resets, subscription receipts).
- To debug issues, monitor Service health, and prevent abuse of AI generation endpoints.
- To comply with legal obligations, enforce our Terms, and respond to lawful requests.
We do not sell your personal information. We do not use your release metadata, personal data, or generated campaigns to train any AI model.
3. AI Data Processing
When you use AI-powered features (campaign generation, content creation, etc.), the following data may be sent to Anthropic's Claude API:
- Release metadata you entered (song titles, artist names, genre, release dates).
- Contextual prompts assembled by the Service to generate relevant marketing content.
This data is transmitted over encrypted HTTPS connections. Per Anthropic's API terms, data sent via the API is not used to train Anthropic's models. Rollout Heaven does not control Anthropic's data retention practices; please review Anthropic's privacy policy for details.
4. Who We Share Information With
We only disclose information to the following trusted service providers, and only as necessary for them to perform their function:
- Stripe -- payment processing and subscription management. Governed by Stripe's privacy policy.
- Anthropic (Claude API) -- AI-powered content generation as described in Section 3. Governed by Anthropic's privacy policy.
- Resend -- transactional email delivery (verification, receipts, notifications). Governed by Resend's privacy policy.
- Serper -- optional web search enrichment during campaign generation. Only non-identifying query strings are sent.
- Railway -- infrastructure hosting (compute, database, persistent storage).
We may also disclose information if required by law, subpoena, court order, or governmental request, or to protect our rights, users, or the public.
5. How Disclosure Happens
All disclosures occur programmatically over encrypted HTTPS/TLS connections at the moment a feature requires them. For example, your card details are sent directly from your browser to Stripe via Stripe's hosted checkout, and your release context is sent to Anthropic only when you initiate content generation. No human at Rollout Heaven accesses your data in the normal course of operating the Service.
6. Security Practices
- All traffic is served over HTTPS/TLS.
- Passwords are hashed with bcrypt (cost factor 10) before storage; plaintext is never written to disk or logs.
- Session cookies are
httpOnly, secure in production, and sameSite=lax. Sessions are stored server-side in an encrypted database, not in client-side cookies.
- The application database is on a private infrastructure volume that is not publicly reachable.
- API keys for third-party providers are held in server environment variables and never exposed to the browser.
- Sensitive onboarding credentials are encrypted at rest using AES-256-GCM with authenticated encryption.
- CSRF protection via origin/referer header validation on all state-changing requests.
- Rate limiting on authentication endpoints to prevent brute-force attacks.
- Access to the production environment is limited to the site operator.
7. Data Retention
- Your data is retained for as long as your account is active.
- On account deletion, we remove your account record, saved releases, generated campaigns, sessions, and gamification data within 30 days.
- Stripe records may be retained by Stripe for legal and tax purposes per their retention policies.
- Server logs are retained for up to 90 days for debugging and abuse prevention, then purged.
- Backup copies may persist for up to 30 days after deletion before being purged from backup systems.
8. Your Rights
8.1 All Users
You may request access to, correction of, or deletion of your personal data at any time by emailing josephmadiganmusic@gmail.com. We will respond within 30 days.
8.2 California Residents (CCPA/CPRA)
If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know. You have the right to request information about the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collected it, our purpose for collecting it, and the categories of third parties with whom we share it.
- Right to Delete. You have the right to request deletion of your personal information, subject to certain exceptions.
- Right to Opt-Out of Sale. We do not sell your personal information. If this changes, we will provide a "Do Not Sell My Personal Information" link.
- Right to Non-Discrimination. We will not discriminate against you for exercising your privacy rights.
- Right to Correct. You have the right to request that we correct inaccurate personal information.
To exercise these rights, contact josephmadiganmusic@gmail.com. We may need to verify your identity before processing your request. We will respond within 45 days, with one 45-day extension if needed.
8.3 European Economic Area, UK, and International Users
If you are located in the EEA, UK, or another jurisdiction with applicable data protection laws, you may have additional rights including the right to access, rectification, erasure, restriction of processing, data portability, and objection. To exercise these rights, contact us at the email above.
9. Cookies
- Session cookie. One strictly necessary cookie used to keep you logged in. This cookie is
httpOnly, secure, and sameSite=lax. It does not track you across websites.
- Stripe. Stripe may set cookies as part of the checkout process for fraud prevention and payment processing.
- We do not use advertising, analytics, or cross-site tracking cookies.
- We do not use browser fingerprinting or persistent tracking technologies.
10. CAN-SPAM Compliance
Transactional emails sent by Rollout Heaven (verification, receipts, password resets) comply with CAN-SPAM requirements. If you use Rollout Heaven's tools to create email campaigns, you are the sender under CAN-SPAM and are responsible for including a valid physical mailing address, a working unsubscribe mechanism, and honest subject lines.
11. Children
The Service is not directed to and not intended for children under 18. We do not knowingly collect personal information from anyone under 18 years of age. If we learn that we have collected personal information from a child under 18, we will promptly delete that information.
12. Changes to This Policy
We may update this policy from time to time. Material changes will be announced in-app or by email at least 30 days before they take effect. Continued use of the Service after the effective date constitutes acceptance of the revised policy.
13. Contact
Questions, data requests, or privacy concerns: josephmadiganmusic@gmail.com