Privacy Policy

1. Who we are

1.1 The entity responsible for personal information collected through the Service is [ENTITY: TrackOrigin Pty Ltd — replace with registered legal name] (ABN [ABN]) of [registered address], Sydney NSW, Australia.

1.2 In this Policy, "TrackOrigin", "we", "us" and "our" refer to that entity.

1.3 We are based in New South Wales, Australia. We handle personal information in accordance with the Privacy Act 1988 (Cth), including the Australian Privacy Principles, where they apply to us.

1.4 You can contact us at support@trackorigin.io.

2. Scope of this Policy

2.1 This Policy applies to personal information collected through the TrackOrigin website, application, verification system, public certificate pages, widgets, APIs, account features, payment flows, support channels and related services.

2.2 This Policy does not apply to third-party websites, platforms, wallets, payment processors, distributors, labels, publishers, DSPs, social-media platforms or other third parties that may link to, embed, rely on or interact with TrackOrigin.

2.3 If you publish a certificate, embed a seal or share a public certificate page, information on that public page may be accessed, copied, indexed, cached, screenshotted, downloaded or republished by third parties outside our control.

3. What information we collect

3.1 Depending on how you use TrackOrigin, we may collect the following categories of information:

• (a) Account information — name, display name, email address, username, password hash, login details, account settings, account status and timestamps;
• (b) Profile information — artist name, avatar, bio, links, public profile data and information you choose to publish;
• (c) Uploaded audio — audio files, file names, file size, format, duration, sample rate, bitrate, waveform data and technical metadata;
• (d) Track and declaration data — title, artist name, contributors, declared role, AI-tool use, DAW, stems, lyrics, genre, key, BPM, instruments, project facts, answers and related declarations;
• (e) Verification recordings — video, audio, camera, microphone, voice, face, challenge responses, timing signals and liveness information captured during verification;
• (f) Biometric and identity-related data — face frames, facial embeddings, voice features, liveness signals, anti-spoofing outputs, identity consistency checks and derived verification signals;
• (g) Derived technical data — cryptographic hashes, fingerprints, embeddings, transcripts, stems, pitch contours, spectral features, similarity scores, confidence scores, fraud signals, warning flags and model outputs;
• (h) Certificate data — certificate ID, manifest, issue date, verification status, seal status, revocation or annotation status, public certificate fields and audit history;
• (i) Payment data — payment references, purchase history, credit balance, Stripe customer references, invoice data, refund status and billing metadata. We do not store full card numbers;
• (j) Technical and usage data — IP address, device, browser, operating system, user agent, approximate location, referrer, pages viewed, clicks, session timestamps, logs, errors and security events;
• (k) Support and correspondence — emails, support tickets, complaints, legal notices, abuse reports, attachments and related communications;
• (l) Fraud and abuse data — duplicate account signals, suspicious usage patterns, device signals, rate-limit events, failed login events, chargeback signals, spoofing indicators and related risk information;
• (m) Legal and dispute data — claims, takedown requests, rights notices, dispute materials, correspondence, evidence, internal review notes and outcomes.

3.2 Some information may be generated automatically by our systems when you use TrackOrigin.

3.3 Some information may be optional, but if you do not provide information required for verification, we may not be able to provide the relevant feature, certificate or support.

4. Sensitive information, biometrics, face and voice data

4.1 Verification may involve sensitive information, including biometric information used for verification or identification, face recordings, voice recordings and liveness signals.

4.2 We collect sensitive information only where:

• (a) you consent;
• (b) the collection is reasonably necessary for one or more of our functions or activities; or
• (c) collection is otherwise permitted or required by law.

4.3 By starting a verification session, you consent to the collection, use, storage and disclosure of face, voice, biometric, liveness and verification information for the purposes described in this Policy.

4.4 We may use face, voice and liveness information to:

• (a) confirm that a live person is completing a session;
• (b) check that the same person remains present during a session;
• (c) detect spoofing, deepfakes, replay attacks, photo attacks, pre-recorded answers, voice cloning and other abuse;
• (d) bind a verification session to a participant account;
• (e) support certificate integrity and fraud prevention;
• (f) investigate disputes, abuse or suspicious activity; and
• (g) comply with law and enforce our Terms.

4.5 If you do not consent to the collection of face, voice and liveness information, you must not start a verification session.

4.6 You must not submit another person’s face, voice, biometric information or identity-related information without lawful authority and all required consents.

5. How we collect information

5.1 We collect information directly from you when you create an account, upload audio, submit declarations, complete verification, buy credits, publish a certificate, contact support, send a legal notice or otherwise use the Service.

5.2 We collect information automatically through logs, cookies, analytics, security tools, device signals, verification systems and model pipelines.

5.3 We may receive information from payment processors, infrastructure providers, fraud-prevention services, analytics providers, email providers and support tools.

5.4 We may receive information from third parties who submit disputes, rights claims, takedown notices, abuse reports, legal notices or correspondence relating to a track, certificate, account or user.

5.5 If someone submits your personal information to us, we will handle it under this Policy. Where required by law, we will take reasonable steps to notify you of the collection.

6. Why we collect, use and disclose information

6.1 We collect, use and disclose personal information for the following purposes:

• (a) creating, operating and securing accounts;
• (b) providing verification sessions;
• (c) analysing uploaded audio and declarations;
• (d) generating fingerprints, hashes, scores, outputs and certificate manifests;
• (e) issuing, displaying, serving, suspending, annotating, revoking and verifying certificates;
• (f) operating public certificate pages, seals, embeds and APIs;
• (g) detecting and preventing fraud, spoofing, deepfakes, replay attacks, identity misuse, rights misuse, payment abuse, system abuse and platform manipulation;
• (h) processing payments, managing credits, issuing invoices and managing refunds or chargebacks;
• (i) providing support, responding to enquiries and resolving complaints;
• (j) investigating disputes, rights claims, takedown requests, abuse reports and legal notices;
• (k) improving, testing, debugging, securing and maintaining the Service;
• (l) complying with legal, regulatory, tax, accounting and record-keeping obligations;
• (m) enforcing our Terms and protecting legal rights;
• (n) communicating with you about your account, verification, certificates, billing, security or policy updates;
• (o) sending marketing where permitted and where you have not opted out.

6.2 We may also use information for related secondary purposes that you would reasonably expect, including service analytics, fraud monitoring, dispute handling, security audits, model testing, capacity planning and product improvement.

7. AI, model improvement and derived data

7.1 TrackOrigin uses automated systems, signal processing, machine-learning models and fraud-detection tools to operate the Service.

7.2 We may generate derived data from uploaded audio, verification recordings, declarations and technical data, including hashes, fingerprints, embeddings, model inputs, model outputs, confidence scores, fraud signals, liveness signals and analytical features.

7.3 We may use de-identified, aggregated or derived data to evaluate, train, test, benchmark, secure and improve TrackOrigin’s verification models, fraud systems, anti-spoofing tools, liveness systems, AI-use detection, scoring logic and product performance.

7.4 Where we provide an account-level setting to opt out of model-improvement use, switching it off stops new use of your applicable data for that purpose after the setting takes effect. It does not require us to reverse, untrain or remove statistical learnings already incorporated into models or systems.

7.5 We do not sell your uploaded audio as music content. We do not license your recognisable track, vocals, stems, lyrics or melodies to third parties for their own music exploitation merely because you used TrackOrigin.

7.6 De-identified information that is no longer personal information may be retained and used indefinitely.

8. Public certificate pages and published information

8.1 If a certificate is issued or you make information public, the public certificate page may display information such as certificate ID, track title, artist or account name, verification status, issue date, fingerprint status, declared AI-use fields, seal status and revocation or annotation status.

8.2 Public certificate pages and seals are intended to be viewed by third parties. Once information is public, third parties may access, copy, index, cache, screenshot, embed, download, quote, republish or rely on it outside our control.

8.3 If a certificate is revoked, suspended, annotated, replaced or withdrawn, the public page or seal may continue to show historical status, revocation status, annotation status or integrity information.

8.4 We may retain public certificate manifests, certificate IDs, hashes, audit logs and status records to preserve integrity and prevent fraud, even if underlying media is deleted.

9. Who we disclose information to

9.1 We disclose information only as reasonably necessary for the purposes in this Policy. Recipients may include:

• (a) hosting, storage, compute, CDN and infrastructure providers;
• (b) payment processors and billing providers;
• (c) email, support and communication providers;
• (d) analytics, logging, monitoring and security providers;
• (e) fraud-prevention, identity, liveness and abuse-detection providers;
• (f) model, machine-learning or processing infrastructure providers;
• (g) professional advisers, including lawyers, accountants, insurers and auditors;
• (h) regulators, law enforcement, courts, tribunals and government agencies where required or authorised by law;
• (i) rights holders, complainants, accused users or other parties involved in a dispute, where reasonably necessary to investigate or respond;
• (j) a buyer, investor, financier, successor, assignee or adviser in connection with a merger, acquisition, restructuring, financing, sale of assets or business transfer;
• (k) other users or the public where you publish information, publish a certificate, embed a seal or make a profile public.

9.2 We do not sell personal information.

9.3 We may disclose information where we reasonably believe disclosure is necessary to protect TrackOrigin, users, rights holders, third parties, system integrity, legal rights, safety or security.

10. Overseas disclosures

10.1 Some service providers may store, process or access personal information outside Australia.

10.2 Overseas locations may include the United States, European Union, United Kingdom, Singapore, Canada, New Zealand and other countries where our service providers, infrastructure providers or payment processors operate.

10.3 We take reasonable steps in the circumstances to use reputable providers with security, privacy and data-handling commitments.

10.4 By using the Service, you acknowledge that your information may be disclosed to overseas recipients for the purposes described in this Policy.

11. Retention and deletion

11.1 We retain personal information only for as long as reasonably necessary for the purposes in this Policy or as required or permitted by law.

11.2 Our usual retention approach is:

• (a) Account information — while your account exists, and for a reasonable period after closure for legal, audit, security, tax, accounting and dispute purposes;
• (b) Uploaded audio — for the period needed to provide verification, certificate integrity, support, dispute handling, fraud prevention and legal compliance, unless earlier deletion is available and requested;
• (c) Session Recordings — for the period needed to verify, audit, resolve disputes, prevent fraud and comply with law;
• (d) Face embeddings, voice features and liveness signals — for the period needed for verification, fraud prevention, integrity review, dispute handling and legal compliance;
• (e) Hashes, fingerprints, certificate manifests and certificate status records — may be retained indefinitely to preserve certificate integrity, prevent duplicate fraud, verify historical status and maintain the provenance record;
• (f) Payment and tax records — for the period required by tax, accounting, chargeback and financial record-keeping obligations;
• (g) Security, fraud and abuse logs — for as long as reasonably needed to secure the Service and investigate misuse;
• (h) Support and legal correspondence — for as long as reasonably needed to respond, evidence decisions, resolve disputes and protect rights;
• (i) De-identified or aggregated information — may be retained indefinitely where it is no longer personal information.

11.3 Where information is no longer needed and we are not required or permitted to retain it, we will take reasonable steps to destroy or de-identify it.

11.4 Deletion of uploaded media may not remove hashes, fingerprints, certificate manifests, audit logs, transaction records, fraud signals, legal records, backups or de-identified data.

11.5 Backup deletion may occur on delayed cycles. Information removed from active systems may remain temporarily in backups until the relevant backup cycle expires.

12. Security

12.1 We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification and disclosure.

12.2 Security measures may include:

• (a) password hashing and authentication controls;
• (b) access controls and role-based permissions;
• (c) encryption in transit where supported;
• (d) logging, monitoring and audit trails;
• (e) restricted access to storage and verification systems;
• (f) infrastructure security controls;
• (g) fraud and abuse monitoring;
• (h) separation of public certificate data from private verification materials where practical;
• (i) periodic review of security practices.

12.3 No internet service is completely secure. You are responsible for keeping your login details secure and using trusted devices, browsers and networks.

12.4 You must notify us immediately at support@trackorigin.io if you suspect unauthorised access, account compromise or misuse of your verification data.

13. Cookies, analytics and tracking

13.1 We use cookies, local storage, pixels, logs and similar technologies to:

• (a) keep you signed in;
• (b) remember preferences;
• (c) operate verification sessions;
• (d) secure accounts and detect abuse;
• (e) process payments and checkout flows;
• (f) measure performance and errors;
• (g) understand usage and improve the Service;
• (h) support analytics and marketing where permitted.

13.2 You can control some cookies through your browser settings. Essential cookies may be required for the Service to function.

13.3 Blocking cookies or device permissions may prevent login, verification, payment, certificate display or other features from working.

14. Direct marketing

14.1 We may send account messages, product updates, feature announcements, policy notices, certificate notices, security notices and marketing messages.

14.2 You can opt out of marketing emails using unsubscribe links or by contacting support@trackorigin.io.

14.3 Transactional, security, payment, certificate, legal and account messages may still be sent even if you opt out of marketing.

14.4 We will comply with applicable spam and electronic marketing laws.

15. Access, correction and deletion requests

15.1 You may request access to personal information we hold about you by contacting support@trackorigin.io.

15.2 You may request correction of personal information if you believe it is inaccurate, out of date, incomplete, irrelevant or misleading.

15.3 You may request deletion of certain account information, uploaded media or verification materials, subject to our legal, security, fraud-prevention, certificate-integrity, accounting, backup and dispute-handling needs.

15.4 We may need to verify your identity before responding to a request.

15.5 We may refuse a request where permitted by law, including where giving access would affect another person’s privacy, prejudice an investigation, reveal confidential fraud or security systems, breach legal privilege, be unlawful, be frivolous or vexatious, or otherwise fall within an applicable exception.

15.6 If we refuse a request, we will give reasons where reasonable and lawful.

15.7 We will respond within a reasonable period.

16. Children and minors

16.1 TrackOrigin is not intended for persons under 18 years old.

16.2 We do not knowingly collect personal information from children.

16.3 If you believe a person under 18 has used the Service or submitted personal information, contact support@trackorigin.io and we will take reasonable steps to investigate and respond.

17. Notifiable Data Breaches

17.1 We comply with the Notifiable Data Breaches scheme under the Privacy Act where it applies to us.

17.2 If an eligible data breach occurs and is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner as required by law.

17.3 We may also notify users of security incidents where we consider notice appropriate, even if notification is not legally required.

18. Changes to this Policy

18.1 We may update this Policy from time to time.

18.2 The effective date at the top shows when the current version took effect.

18.3 Material changes may be notified by email, account notice or posting on the Service where reasonably practical.

18.4 Continued use of the Service after an updated Policy becomes effective means you acknowledge the updated Policy.

19. Complaints and contact

19.1 If you have a privacy question, request or complaint, contact us at support@trackorigin.io.

19.2 Please include enough detail for us to identify your account, understand the issue and respond properly.

19.3 We will acknowledge privacy complaints within a reasonable period and aim to respond substantively within 30 days where practical.

19.4 If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner.

Office of the Australian Information Commissioner
Web: oaic.gov.au
Phone: 1300 363 992
Post: GPO Box 5288, Sydney NSW 2001

[ENTITY: TrackOrigin Pty Ltd]
ABN [ABN]
[Registered address], Sydney NSW, Australia
Email: support@trackorigin.io