Effective date: May 24, 2025
Welcome to Herd. Your privacy is important to us, and we are committed to protecting your personal information.
This Privacy Policy ("Policy") describes the manner in which Herd Music, Inc. ("Herd," "we," "us," or "our") collects, uses, discloses, and protects personal information obtained through our mobile applications, websites, and other related services (collectively, the "Services").
By accessing or using the Services in any capacity, including through a browser or mobile device, you agree to the terms of this Policy. This Policy forms a part of our Terms of Service and is incorporated therein by reference.
This Policy includes the following provisions:
2. Categories of Personal Information We Collect
3. Purposes for Data Processing
4. Retention of Personal Information
5. Disclosure of Personal Information
6. Your Privacy Rights and Controls
7. External Sites and Third-Party Links
10. International Data Transfers
To view the full privacy policy, please scroll down. For cookie-related preferences, please refer to our Cookie Notice.
This Policy applies to all users of the Services, regardless of location. Additional disclosures may apply to users residing in jurisdictions with unique privacy laws, such as the European Economic Area ("EEA") or the United Kingdom ("UK"), as detailed in Section 13 (Notice to European Users).
We may collect or generate the following types of data:
2.1. Information You Provide to Us
2.1.A Identifiers: Full name, email address, and phone number.
2.1.B Account Credentials: Username and password.
2.1.C User Profile Details: Bio, photo, Spotify integration details, leaderboard position, school affiliation, graduation year, music preferences, top artists, bookmarked and ranked songs, journal entries, and demographic information.
2.1.D Communications: Correspondence between you and Herd, including via messaging features and customer support.
2.1.E User-Generated Content (UGC): Multimedia uploads, comments, reviews, likes, metadata (e.g., time, location, keywords), and other content or information you generate, transmit, or make available on the platform. Metadata includes information on how, when, where, and by whom a piece of content was collected and how that content has been formatted or edited.
PLEASE NOTE: User-generated content may be publicly viewable by others unless otherwise specified. Do not share personal or sensitive information you would not want to be publicly visible.
2.1.F Marketing Preferences: Your opt-in status and interactions with promotional materials.
2.2. Information From Third Parties
2.2.A Public Sources: Government databases, social platforms, or other public records.
2.2.B Private Data Providers: Commercial aggregators or social platforms.
2.2.C Affiliate Networks and Co-Marketing Partners: Event collaborators and promotional sponsors.
2.2.D Spotify Information: When you link your Spotify account, Herd accesses only the categories of Spotify Personal Data for which you have provided explicit consent through Spotify's authentication flow. We do not request or process additional Spotify data without your consent.
2.3. Automatically Collected Information
2.3.A Device & Technical Data: OS version, model, browser, IP address, screen size, RAM/CPU stats, device ID, mobile network, language, and general location.
2.3.B Usage & Interaction Data: Site navigation paths, page views, clickstream data, referring URLs, access time/duration, and email open rates.
2.3.C Location Data: Precise geolocation when you grant permission.
2.3.D Cookies: We do not currently use first-party cookies or tracking technologies to collect information for analytics, advertising, or personalization. However, certain third-party services integrated into the Service—such as Spotify SDKs or hosting infrastructure—may use cookies or similar technologies solely to support essential functionality, such as authentication or session stability. If we begin using cookies or similar technologies in the future for analytics, personalization, or other purposes, we will update our Cookie Notice and comply with all applicable legal requirements, including providing notice and obtaining consent where necessary. You can control or disable cookies and similar technologies through your browser or device settings. Most browsers allow you to block or delete cookies, and some mobile operating systems provide controls to limit tracking. Please note that disabling certain technologies may impact the functionality of the Service. If we introduce additional cookie-based features, we will also provide tools for managing your preferences.
2.4. Data about others. We may offer features that help users invite their friends or contacts to use the Service. In order to deliver invitations, we may collect contact details about prospective and invited users. Given this collected data, please only send invites with permission.
2.5. Google User Data. When you link a Google account, we only access information necessary to operate the Service. No human-readable access is permitted unless authorized by you or required for compliance or security purposes.
We may use your personal data for the following business purposes:
3.1. Service Functionality and Operation
We process your personal data to provide, operate, and maintain the core functionality of the Services. This includes:
3.1.A. Creating, authenticating, managing, and securing your user account and profile;
3.1.B. Remembering preferences, device identifiers, and user-selected settings across sessions;
3.1.C. Facilitating community engagement, social discovery features, and interactions between users;
3.1.D. Processing your content, rankings, journal inputs, and participation in interactive features;
3.1.E. Delivering technical and customer support, including handling support tickets and responding to inquiries.
3.2. Research and Development
We may use personal data, often in aggregated or anonymized form, for the following purposes:
3.2.A. Evaluating the performance, usage patterns, and reliability of our Services;
3.2.B. Conducting internal testing, debugging, product development, and UX research;
3.2.C. Generating insights and trend reports for internal benchmarking or lawful sharing with trusted partners;
3.2.D. Developing and refining algorithmic recommendations and personalization models.
3.3. Marketing and Advertising
Subject to your marketing preferences and applicable law, we may process your data to:
3.3.A. Send you direct marketing communications via email, SMS, or in-app messages with personalized recommendations, offers, or updates related to the Service;
3.3.B. Measure the effectiveness of our campaigns and promotional activities;
3.3.C. Deliver behavioral or interest-based advertisements on third-party websites or applications, using tracking technologies and cookie-based identifiers;
3.3.D. Facilitate referral programs, giveaways, or contests you voluntarily enter.
3.4. Legal Compliance and Security
We may use your information where necessary to:
3.4.A. Enforce our Terms of Service, Privacy Policy, and other binding legal agreements or user conduct policies;
3.4.B. Detect, investigate, prevent, and mitigate security incidents, including unauthorized access, fraud, spam, abuse, or other unlawful activity;
3.4.C. Comply with applicable laws, lawful requests, subpoenas, court orders, or other legal obligations;
3.4.D. Establish, exercise, or defend against legal claims, including for audit, compliance, or litigation readiness purposes.
3.5. Other Purposes with Consent or as Permitted by Law.
In certain instances, we may ask you for your consent to use your information for a purpose that is not listed above. When we do so, we will clearly describe the intended use at the point of collection, and you may withdraw your consent at any time.
3.6. Notice on Spotify Personal Data and Spotify Content.
We only use Spotify Personal Data and Spotify Content to operate, maintain, and improve the Services as permitted under Spotify's Developer Terms. We do not sell, reuse, or process Spotify Personal Data for any unrelated purposes. We do not use Spotify Content or Spotify Personal Data to train machine learning or artificial intelligence models. Access to Spotify Personal Data is subject to the specific consents users provide when connecting their Spotify account. We do not export Spotify Content or Spotify Personal Data outside of the Services unless explicitly authorized by the user. We comply with Spotify’s Developer Terms of Service and Branding Guidelines in our use of Spotify Content and Spotify Personal Data.
We retain your personal data for as long as necessary to fulfill the purposes outlined in this Policy, including satisfying legal, accounting, or regulatory requirements. To determine the appropriate retention period, we may consider factors about personal information like the nature, sensitivity, amount, potential risk of harm from unauthorized disclosure, the purpose of processing it, if we can accomplish that purpose without access to the personal information, and other applicable legal requirements. Once retention is no longer warranted, we will delete, de-identify, or segregate the data. Spotify metadata and cover art that is not associated with user rankings, playlists, or other interactions will be regularly purged from our databases to minimize storage of Spotify Content. Upon account disconnection, we promptly delete cached Spotify Personal Data in accordance with Spotify's Developer Terms and our Privacy Policy. If a user revokes Spotify permissions, any related Spotify Content and Spotify Personal Data will be promptly and permanently deleted from our systems.
We may share your data with:
5.A. Affiliates and subsidiaries under common ownership.
5.B. Service providers assisting with operations, hosting, analytics, or advertising.
5.C. Third-party platforms (e.g., Spotify, Apple, Google) with whom you choose to link your account.
5.D. Professional advisors (e.g., auditors, attorneys, consultants) for business functions.
5.E. Regulatory authorities where required by law or legal process.
5.F. Successors in connection with mergers, acquisitions, financings, insolvency, or asset sales.
5.G. Other users of the Service when you publish content or interact publicly.
6.A. Access and Updating Information: You may view and edit your profile data through your account settings.
6.B. Communications Opt-Out: You can unsubscribe from marketing communications at any time via the unsubscribe link in our emails or by replying “STOP” to SMS communications.
6.C. Device and Cookie Preferences: You may disable geolocation or adjust cookie preferences through device/browser settings. For more details, see our Cookie Notice.
6.D. Declining to Provide Information: You are always permitted to decline to provide information; however, we may not be able to provide services if you exercise that right.
6.E. Account Deletion: You may request account or data deletion via email. Note that deletion may affect service functionality and is irreversible. Additionally, some data (e.g. legal records or anonymized logs and content) may still be retained where required by law or platform policy.
The Services may contain links to external sites. We are not responsible for the privacy practices or content of such third parties. Please review their respective privacy policies before engaging with them.
8.1. Spotify AB is a third-party beneficiary of this Privacy Policy and is entitled to enforce provisions related to Spotify Personal Data and Spotify Content directly against users of the Services.
8.2. Spotify Content is displayed only within the Services and in accordance with Spotify’s Branding Guidelines and Developer Terms.
We implement appropriate technical, physical, and organizational safeguards to protect personal information. However, no digital system can be guaranteed to be completely secure.
We are based in the United States. Data may be processed in jurisdictions outside of your own, including in the United States. These locations may not offer the same level of data protection. Users located in Europe should read the Notice to European Users about the transfer of personal information outside of Europe.
The Services are not intended for children under the age of thirteen (13), and we do not knowingly collect personal data from them. If we become aware of data collection from an individual younger than 13 without consent of their legal guardian, we will comply with the applicable legal requirements to promptly delete the personal information.
We may revise this Policy periodically, and we reserve the right to do so. Material updates will be published within the Services with an updated effective date. In all cases, continued use of the Services after the updated effective date on the modified Privacy Policy constitutes your acceptance of the revised Policy and your acknowledgement that the privacy policy applies to your interactions with the Service.
If you have any questions or requests regarding this Policy, you may contact us at:
Email: legal@herdmusicapp.com
Mailing Address: 15266 Friends St. Los Angeles, CA, 90272
Thanks for trusting Herd!
This section is intended for users residing within the European Economic Area (“EEA”) and the United Kingdom (“UK”), and outlines our compliance with the General Data Protection Regulation (EU) 2016/679 ("EU GDPR") and the UK General Data Protection Regulation ("UK GDPR").
Definition of Personal Data
For purposes of this section, references to "personal data" refer to any information that relates to an identified or identifiable natural person, as defined under the GDPR. Details regarding the types of personal data we collect can be found in the section titled "Categories of Personal Information We Collect."
Data Controller Identification
Herd Music, Inc. acts as the data controller for any personal data processed under this Privacy Policy. If you have questions or requests regarding our data processing practices, please contact us via the information provided in the "Contact Us" section.
Representatives Under GDPR
As required under the GDPR, we have designated representatives in the EEA and the UK to facilitate communication with supervisory authorities and data subjects:
UK Representative (UK GDPR): DataRep
Email: datarequest@datarep.com
Address: DataRep, 107-111 Fleet Street, London, EC4A 2AB, United Kingdom
EU Representative (EU GDPR): DataRep
Email: datarequest@datarep.com
Address: DataRep, 72 Rue de Lessard, Rouen 76100, France
Legal Basis for Processing
We rely on a variety of lawful bases to process personal data under the GDPR, which may include:
Contractual Necessity: Where processing is essential for the performance of a contract to which you are a party;
Legitimate Interests: Where the processing is necessary to pursue our legitimate business purposes, and these interests are not overridden by your fundamental rights and freedoms;
Legal Obligations: Where processing is required to comply with a legal obligation imposed on us;
Consent: Where you have provided explicit consent for a particular type of processing, which you may withdraw at any time.
Sensitive Personal Data
We do not intentionally collect or request "special category data" as defined under GDPR (e.g., information about your racial or ethnic origin, political beliefs, religious affiliations, or health). We ask that you do not submit this type of data through the Services.
Retention of Personal Data
We retain personal data only as long as it is necessary to fulfill the purposes for which it was collected, including for legal, accounting, and audit requirements. When data is no longer required, we either securely delete it, anonymize it, or isolate it from further processing.
Automated Decision-Making
We do not engage in automated decision-making processes that produce legal or similarly significant effects on users.
Your Rights Under GDPR
As a data subject in the EEA or UK, you have the following rights, subject to applicable limitations:
Access: Request access to the personal data we hold about you;
Rectification: Request correction of inaccurate or incomplete personal data;
Erasure: Request deletion of your personal data under certain circumstances;
Portability: Receive a copy of your personal data in a structured, machine-readable format or request transmission to another data controller;
Restriction: Request that we restrict the processing of your data in certain circumstances;
Objection: Object to our processing based on legitimate interests, including for direct marketing;
Withdraw Consent: Where we rely on your consent to process personal data, you may withdraw your consent at any time.
To exercise these rights, please contact us at legal@herdmusicapp.com. We may request verification of your identity before fulfilling your request.
Supervisory Authority Complaints
If you believe we have violated your data protection rights, you have the right to lodge a complaint with a supervisory authority.
For EEA residents, a list of national data protection authorities is available at: https://edpb.europa.eu/about-edpb/board/members_en
For UK residents, contact the Information Commissioner’s Office: https://ico.org.uk/make-a-complaint/
Transfers of Personal Data Outside Europe
Because Herd Music, Inc. is located in the United States, and some of our partners or service providers operate in jurisdictions outside the EEA and UK, your personal data may be transferred to these locations.
When we transfer personal data internationally, we ensure adequate protection through mechanisms such as:
Transfers to countries recognized by the European Commission or UK government as offering adequate protection;
Standard Contractual Clauses approved by relevant data protection authorities;
Your explicit consent, where appropriate.
For more information regarding our international data transfer practices, you may contact us using the details provided in this Privacy Policy.