Privacy Policy

Last Updated: April 6, 2026

1. Introduction & Identity of the Data Controller

Subvert Cooperative LCA (“Subvert,” “we,” “us,” or “our”) is a Colorado limited cooperative association. This Privacy Policy explains how we collect, use, disclose, and protect Personal Data when you visit or use our website at subvert.fm, our member forum, and related services (collectively, the “Service”).

Subvert Cooperative LCA is the data controller for Personal Data processed through the Service. We are established in Colorado, United States. We are committed to protecting your privacy and complying with applicable data protection laws, including the EU General Data Protection Regulation (“GDPR”), the UK General Data Protection Regulation (“UK GDPR”) as retained in UK law, the California Consumer Privacy Act (“CCPA/CPRA”), and the Colorado Privacy Act (“CPA”).

By using the Service, you agree to the terms of this Privacy Policy. If you do not agree, please do not use the Service. This Privacy Policy should be read alongside our Terms of Use, available at subvert.fm/terms.

2. Our EU & UK Representatives

As Subvert is established in the United States and not in the EU or UK, we have designated representatives in both jurisdictions pursuant to Article 27 GDPR and the equivalent UK GDPR provision:

[EU REPRESENTATIVE: Name, address, and contact details to be inserted before launch.]

[UK REPRESENTATIVE: Name, address, and contact details to be inserted before launch.]

You may contact our EU or UK representative directly with any queries relating to the processing of your Personal Data or this Privacy Policy.

3. Territorial Scope

This Privacy Policy applies to all users of the Service worldwide. GDPR obligations apply to users in the European Economic Area (EEA). UK GDPR obligations apply to users in the United Kingdom. Applicable US state privacy laws govern users in US states with enacted privacy legislation. In all other cases, applicable local law governs.

Where this Policy refers to rights or obligations under a specific law, those references apply only to users in the relevant jurisdiction. All users regardless of location benefit from our general data practices described throughout this Policy.

4. Personal Data We Collect

We collect only the categories of Personal Data necessary to operate the Service and fulfill our legal obligations as a cooperative.

4.1 Account & Contact Information

For all account holders: username and email address. Collected when you create an account.

4.2 Member Name & Address

For Co-op members only: legal name and mailing address. We are required by the Colorado Uniform Limited Cooperative Association Act (ULCAA) to maintain a record of each member’s legal name and address. This data is collected as part of the membership application process and is retained for the duration of membership and for 7 years following membership termination, as required by law. This data is not publicly displayed.

4.3 Transactional & Payment Data

Purchase history, billing address, and payment details processed securely by Stripe Connect. We never store full payment card numbers. For Artist Members, this includes payout information provided to Stripe.

4.4 Rights & Royalty Metadata

For Artist Members and Label Members: PRO affiliation, publisher or mechanical licensing administrator name, ISRC codes, ISWC codes (when provided), and IPI numbers (when provided). Collected through the upload flow. Used solely to administer the Rights Reserve and fulfill mechanical royalty obligations. Not publicly displayed.

4.5 Sales & Revenue Data

Artist sales history, payout records, Rights Reserve balances, and Ownership Points. Collected as part of operating the marketplace and cooperative.

4.6 Listening & Usage Behavior

Play counts per release, Promotional Preview usage, purchase behavior, and platform navigation data. Collected to operate the Service, enforce preview limits, and improve platform performance.

4.7 Technical & Log Data

IP address, browser and device information, operating system, timestamps, authentication session data, error logs, and usage metrics. Collected automatically when you use the Service.

4.8 Marketing & Communications Data

Newsletter subscriptions, email preferences, support inquiries, and communications sent or received through our email service providers. Collected when you opt in to communications or contact support.

4.9 Forum Data

For members who participate in our Discourse-based member forum: username, email address, forum posts, replies, and activity data. The forum is self-hosted by Subvert on our own infrastructure.

4.10 Cooperative Membership Data

For Co-op members: membership class, membership unit records, voting participation records, patronage activity, and Ownership Points. Collected as part of operating the cooperative under the Bylaws and Form of Member Agreement.

4.11 Membership Application Data

For applicants to the Co-op: name, address, artist or label information, and application responses submitted via our application form. For applicants who are not admitted, this data is retained for 12 months from the date of the rejection decision and then securely deleted. Applicants will be notified of this retention period at the time of the rejection decision.

4.12 Feedback Data

First name, email address, and feedback messages submitted voluntarily through our feedback tool (Userback). Submission is entirely voluntary. You are not required to provide feedback to use the Service.

5. How We Use Personal Data — Lawful Bases

Under GDPR and UK GDPR, we are required to identify a lawful basis for each processing activity. The table below sets out our processing activities, the data involved, and the lawful basis we rely on for each.

Where we rely on “legitimate interests” as our lawful basis, you have the right to object to that processing. See Section 11 for details. Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing prior to withdrawal.

6. Data Sharing & Third-Party Processors

We share Personal Data only as described below. All third-party processors are bound by Data Processing Agreements (DPAs) and are contractually prohibited from selling your Personal Data or using it for their own purposes.

6.1 Service Providers & Processors

The following processors handle Personal Data on our behalf. All transfers to US-based processors from the EU or UK are covered by Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms.

Note on Discourse: Our member forum is self-hosted by Subvert on our own infrastructure. Discourse Inc. does not process your forum data. Mailgun processes email addresses and delivery metadata for forum notifications only and does not have access to forum content.

Note on Zapier: Zapier automates some data flows between our platform tools. Any personal data passed through Zapier is subject to Subvert’s instructions and Zapier’s DPA. We periodically audit Zapier workflows to ensure no unnecessary personal data is transferred.

Note on Linear: Linear is used internally for platform development and issue tracking. Personal data such as usernames or email addresses may appear in tickets when investigating support or technical issues. Access is restricted to the Subvert team.

Note on Userback: Userback is used to collect voluntary feedback from users about the Service. Feedback submissions include your first name, email address, and message. You are not required to submit feedback and may do so anonymously where the tool permits.

6.2 Affiliates

We may share data with Subvert Incorporated, PBC and other Subvert affiliates solely for internal business purposes consistent with this Policy.

6.3 Legal Compliance & Safety

We may disclose Personal Data where required by law, legal process, or court order, or to protect the rights, safety, or property of Subvert, its members, or others. We will notify affected users of such disclosure where legally permitted to do so.

6.4 Business Transfers

In the event of a merger, acquisition, reorganization, or asset sale, Personal Data may be transferred to the successor entity. We will notify affected users via email and a prominent notice on our website at least 30 days prior to any such transfer, and will ensure the successor entity is bound by privacy obligations no less protective than this Policy. As a cooperative, any such transfer is additionally subject to member approval under our Bylaws.

6.5 Publicly Visible Information

Information you choose to make public — such as your artist name and release catalog — is visible to all users. Rights metadata, revenue data, membership records, member addresses, and application data are never displayed publicly.

6.6 No Sale of Personal Data

We do not sell, rent, or trade your Personal Data to any third party for commercial purposes. This applies globally and is not limited to CCPA rights.

7. International Data Transfers

Subvert is based in the United States. Our platform is hosted on Vercel infrastructure, which means Personal Data of EU and UK users is transferred to and processed in the United States.

For transfers from the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision (EU) 2021/914). For transfers from the UK, we rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to EU SCCs, as applicable. Copies of relevant SCCs are available upon request by contacting info@subvert.fm.

8. Data Retention

We retain Personal Data only for as long as necessary to fulfill the purposes described in this Policy, to operate the cooperative, or as required by law.

•  Account data (username, email): retained for the duration of your account and for 3 years following account deletion.

•  Member name & address: retained for the duration of membership and for 7 years following membership termination, as required by the Colorado ULCAA.

•  Membership application data (accepted applicants): retained as account and membership data above.

•  Membership application data (rejected or withdrawn applicants): retained for 12 months from the date of the decision, then securely deleted.

•  Transactional and payment data: retained for 7 years following each transaction to comply with tax and financial record-keeping laws.

•  Rights & royalty metadata: retained for the duration of membership and for 5 years following membership termination.

•  Rights Reserve records: retained for 7 years following final disbursement or escheatment.

•  Forum data: retained for the duration of membership. Upon account deletion, forum posts are anonymized rather than deleted to preserve community continuity, unless you specifically request deletion of your posts.

•  Marketing & communications data: retained until you withdraw consent or unsubscribe, plus 1 year for audit purposes.

•  Technical & log data: retained for 12 months on a rolling basis.

•  Support inquiry data: retained for 3 years following resolution.

•  Cooperative membership records (voting, patronage, Ownership Points): retained for 7 years following membership termination.

•  Feedback data (Userback): retained for 12 months from submission, then deleted.

Upon expiry of the applicable retention period, we securely delete or anonymize Personal Data.

9. Cookies & Tracking Technologies

We use cookies and similar technologies to operate the Service, analyze usage, and remember your preferences. The following categories of cookies are used:

Strictly Necessary: Required for the Service to function. Cannot be disabled. Examples: authentication session tokens, security cookies, and core platform functionality.

Functional: Used to enable specific platform features. Cannot be disabled without affecting those features. Examples: Promotional Preview play count enforcement — we use a cookie to track how many times you have previewed a release in order to apply the three-play limit described in our Terms of Use. This cookie is necessary to provide the Promotional Preview feature as described.

Analytics: Used to understand how users interact with the Service. We use Google Analytics with IP anonymization enabled. For EU and UK users, analytics cookies are only set where you have given consent via our cookie banner. You may opt out of analytics cookies at any time via the cookie settings link in our website footer.

Error Tracking: Used to identify and diagnose technical issues with the Service. Operated on the basis of legitimate interests. Examples: Sentry error reporting cookies and session replay data used solely for debugging purposes.

You will be presented with a cookie consent banner on your first visit to the Service. You may manage your cookie preferences at any time via the cookie settings link in our website footer. Withdrawing consent for non-essential cookies does not affect the functionality of strictly necessary or functional cookies.

For EU and UK users, our cookie practices comply with the ePrivacy Directive and UK Privacy and Electronic Communications Regulations (PECR) respectively.

10. Automated Decision-Making & Profiling

Subvert does not make decisions about you based solely on automated processing that produce legal or similarly significant effects as defined under Article 22 GDPR. No profiling for behavioral advertising is conducted. We do not use your Personal Data to make automated decisions about your access to the Service, your membership status, or your rights as a Cooperative member.

Certain automated processes operate as standard service features — such as enforcing account-level limits and sending transactional notifications — but these do not produce legal or similarly significant effects and do not constitute automated decision-making under GDPR.

11. Your Privacy Rights

11.1 Rights Under GDPR & UK GDPR

If you are located in the EEA or UK, you have the following rights:

•  Right of Access (Art. 15): Request a copy of the Personal Data we hold about you.

•  Right to Rectification (Art. 16): Request correction of inaccurate or incomplete Personal Data.

•  Right to Erasure (Art. 17): Request deletion of your Personal Data where there is no legitimate reason to continue processing it. Note that some data cannot be erased where we are legally required to retain it — for example, member name and address under ULCAA, or transactional data under tax law. We will inform you of any such limitation when responding to your request.

•  Right to Restriction of Processing (Art. 18): Request that we restrict processing in certain circumstances.

•  Right to Data Portability (Art. 20): Request a copy of Personal Data you have provided in a structured, machine-readable format.

•  Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing. Where you object to legitimate interests processing, we will cease unless we can demonstrate compelling legitimate grounds that override your interests.

•  Right to Withdraw Consent (Art. 7(3)): Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

•  Right not to be subject to Automated Decision-Making (Art. 22): We do not make legally significant decisions about you based solely on automated processing.

To exercise these rights, contact us at info@subvert.fm or through the online form at subvert.fm/privacy-request. We will respond within one month of receipt, and may extend this by a further two months for complex requests. We will verify your identity by sending a confirmation email to your registered email address before acting on your request. You also have the right to lodge a complaint with a supervisory authority. In the UK: the Information Commissioner’s Office (ICO) at ico.org.uk. In the EU: the supervisory authority in your member state of residence or place of work.

11.2 Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:

•  Right to Know: Request disclosure of the categories and specific pieces of Personal Data we have collected about you, the categories of sources from which it was collected, the purposes for which it is used, and the categories of third parties with whom it is shared.

•  Right to Delete: Request deletion of Personal Data we have collected from you, subject to certain exceptions including data we are legally required to retain.

•  Right to Correct: Request correction of inaccurate Personal Data we hold about you.

•  Right to Opt Out of Sale or Sharing: We do not sell or share Personal Data for cross-context behavioral advertising. You do not need to submit an opt-out request. We do not engage in these activities.

•  Right to Limit Use of Sensitive Personal Information: We do not use sensitive Personal Data for purposes beyond those permitted under CPRA. You do not need to submit a limitation request.

•  Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

How to submit a CCPA request: Submit requests through our online form at subvert.fm/privacy-request or by emailing info@subvert.fm with the subject line “California Privacy Request.” We will verify your identity by sending a confirmation email to your registered email address before acting on your request. We respond to verifiable consumer requests within 45 days. We may extend this period by a further 45 days where reasonably necessary and will notify you of the extension.

Authorized Agents: You may designate an authorized agent to submit a CCPA request on your behalf. Authorized agents must provide written proof of authorization, and we may contact you directly to confirm that you have authorized the agent to act on your behalf before processing the request.

Shine the Light (California Civil Code § 1798.83): California residents may request information about our disclosure of Personal Data to third parties for their direct marketing purposes during the preceding calendar year. We do not disclose Personal Data to third parties for their own direct marketing purposes. You may submit a Shine the Light request to info@subvert.fm with the subject line “Shine the Light Request.”

11.3 Rights Under the Colorado Privacy Act (Colorado Residents)

If you are a Colorado resident, you have the following rights under the Colorado Privacy Act:

•  Right to Access: Request confirmation of whether we process Personal Data about you and access to that data.

•  Right to Correction: Request correction of inaccurate Personal Data.

•  Right to Deletion: Request deletion of Personal Data we have collected from you, subject to certain exceptions.

•  Right to Data Portability: Request a copy of Personal Data you have provided to us in a portable and, to the extent technically feasible, readily usable format.

•  Right to Opt Out: Opt out of the processing of your Personal Data for purposes of targeted advertising, the sale of Personal Data, or profiling in furtherance of decisions that produce legal or similarly significant effects. We do not engage in any of these activities. You do not need to submit an opt-out request.

How to submit a Colorado Privacy Act request: Submit requests through our online form at subvert.fm/privacy-request or by emailing info@subvert.fm with the subject line “Colorado Privacy Request.” We will respond within 45 days and may extend by a further 45 days where reasonably necessary.

Colorado Privacy Act Appeals: If you are a Colorado resident and we decline to act on your privacy request, you may appeal our decision by contacting info@subvert.fm with the subject line “Colorado Privacy Appeal.” We will respond to your appeal within 45 days and will provide a written explanation of any action taken or not taken in response to your appeal. If your appeal is denied, you may contact the Colorado Attorney General at coag.gov.

11.4 All Users

Regardless of your location, you may at any time:

•  Update your account information via your account settings.

•  Unsubscribe from marketing emails via the unsubscribe link in any email or through your account settings.

•  Manage cookie preferences via the cookie settings link in our footer.

•  Request deletion of your account by contacting info@subvert.fm or through the online form at subvert.fm/privacy-request.

All privacy requests are submitted through subvert.fm/privacy-request or by emailing info@subvert.fm. We verify identity via email confirmation to your registered address before acting on any request.

12. Security

We implement reasonable industry-standard administrative, technical, and physical safeguards to protect Personal Data against unauthorized access, disclosure, alteration, or destruction. These include encrypted data transmission (TLS), access controls, and regular security monitoring. Payment data is handled exclusively by Stripe and is subject to Stripe’s PCI-DSS compliant security infrastructure. We never store full payment card numbers.

In the event of a Personal Data breach likely to result in risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, and will notify affected individuals without undue delay where the breach is likely to result in high risk, as required by GDPR Articles 33 and 34 and UK GDPR equivalents.

While we take security seriously, no system is completely secure. We encourage you to keep your registered email address current and to contact us immediately at info@subvert.fm if you believe your account has been accessed without authorization.

13. Children’s Privacy

The Service is not directed to children under the age of 16. We do not knowingly collect Personal Data from anyone under 16. Our Terms of Use set a minimum age of 16 globally. If you believe we have inadvertently collected Personal Data from a child under 16, please contact us at info@subvert.fm and we will delete such data promptly.

If you are a parent or guardian and believe your child under the age of 16 has provided Personal Data to us without your consent, please contact us at info@subvert.fm. We will investigate and, where confirmed, delete the data without undue delay.

14. Changes to This Policy

We may update this Privacy Policy periodically. Material changes — including any change to the lawful basis for processing, new categories of data collected, or new processors engaged — will be communicated via email and a prominent notice on our website at least 30 days before taking effect. Your continued use of the Service after the effective date constitutes acceptance. Where changes require fresh consent under GDPR, we will seek that consent before changes take effect.

Non-material changes such as clarifications, corrections, or updated processor details will be posted at subvert.fm/privacy-policy with an updated “Last Updated” date. We encourage you to review this Policy periodically.

15. Contact Us

For questions about this Privacy Policy, to exercise your privacy rights, or to raise a concern about our data practices:

Subvert Cooperative LCA

Email: info@subvert.fm

Website: subvert.fm

Online privacy request form: subvert.fm/privacy-request

[Mailing address to be added before launch.]

For EU users, you may also contact our EU Representative:

[EU Representative name, address, and contact details to be inserted before launch.]

For UK users, you may also contact our UK Representative:

[UK Representative name, address, and contact details to be inserted before launch.]

If you are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority:

•  UK: Information Commissioner’s Office (ICO) — ico.org.uk

•  EU: The supervisory authority in your country of residence or work

•  California: California Privacy Protection Agency — cppa.ca.gov

•  Colorado: Colorado Attorney General — coag.gov

Subvert Cooperative LCA — Privacy Policy — Version 4.0 — Last Updated: April 6, 2026

subvert.fm — info@subvert.fm