Privacy Policy

1. Preamble

This Privacy Policy explains how Limehouse Inc. (주식회사 라임하우스) ("Stanza," "we," "us," or "our") collects, uses, stores, and shares personal information when you use Stanza (https://stanza.fm) and any associated mobile or desktop app clients (collectively, the "Service").

Stanza is a social platform for tracking, echoing, and discussing high-quality conversations (podcasts, interviews, talks, panels). This policy covers all personal information processed in connection with the Service, regardless of whether you access it via the website or a future app client.

This policy is written to simultaneously meet the requirements of the Republic of Korea's Personal Information Protection Act (PIPA), the European Union's General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA, as amended by the CPRA).

2. Information We Collect

We collect only what we need to run the Service.

Account data (from Google OAuth)

When you sign in with Google, we receive from Google:

• Your email address
• Your name
• Your Google profile image URL

We do not receive or store your Google password.

User content

When you use the Service, we store the content and signals you create:

• The people and accounts you follow
• Your "Want to Listen" (WTL) marks
• Your "Listened" marks
• Your username and any profile information you edit

Technical data

When you interact with the Service, our systems briefly record:

• Your IP address
• Your user agent string (browser/OS identifier)

Technical data is used for security, abuse prevention, and operational logging only. It is retained briefly (see Section 7).

3. How We Use Your Information

We use the information described above to:

• Provide and operate the Service (authenticate you, display your follows and echoes, render your profile, deliver feeds).
• Send the weekly digest email summarizing new appearances from people you follow.
• Improve the product through aggregate analytics (e.g., which features are used, overall traffic patterns). We do not build individual behavioral profiles for advertising.
• Maintain security, prevent abuse, and meet legal obligations.

We do not use your personal information for advertising, and we do not sell it.

4. Legal Bases for Processing (GDPR)

For users in the European Economic Area and the United Kingdom, we process personal information under the following legal bases:

• Performance of a contract (Art. 6(1)(b)) — to operate your account and deliver the features you request.
• Legitimate interests (Art. 6(1)(f)) — to send the weekly digest email to signed-in users, to keep the Service secure, and to analyze product usage in aggregate. We balance these interests against your rights and only rely on this basis where the processing is necessary and proportionate.
• Consent (Art. 6(1)(a)) — where consent is specifically required by law (for example, for certain optional communications). You can withdraw consent at any time without affecting prior processing.

5. How We Share Your Information

We share personal information only with the sub-processors needed to run the Service:

• Amazon Web Services, Inc. — application hosting and database storage. Our database is located in the AWS us-east-1 region (United States).
• Resend (Resend.com, Inc.) — transactional and digest email delivery. Digest emails are sent from the send.stanza.fm subdomain.
• Google LLC — OAuth sign-in (identity verification at login).
• Cloudflare, Inc. — DNS, edge network, and Cloudflare Web Analytics (cookieless, aggregated).

Each sub-processor is bound by a data processing agreement and processes personal information only on our instructions.

We do not sell personal information, and we do not share personal information for cross-context behavioral advertising.

We may disclose personal information if required by law, valid legal process, or to protect the rights, safety, or property of Stanza, our users, or others.

6. International Data Transfers

The Service is operated from infrastructure in the United States. Your personal information is stored in AWS us-east-1 (United States) and may also be processed by sub-processors in other countries.

For users located in the European Economic Area, the United Kingdom, or Switzerland, transfers outside those regions rely on the European Commission's Standard Contractual Clauses (SCCs) or an equivalent lawful transfer mechanism. You can request a copy of the relevant safeguards by emailing us at privacy@stanza.fm.

For users located in the Republic of Korea, we notify you that personal information is transferred and stored overseas (in the United States) as part of operating the Service; the items transferred, purposes, retention periods, and recipients are as described in this Privacy Policy (see Sections 2, 5, and 14).

7. Data Retention

• Account data and user content — retained while your account is active.
• Account deletion — when you request account deletion, we remove your account data and user content from production systems within 30 days of the request. Backup copies are purged on a 30-day rolling cycle; after that window, no copies remain.
• Technical logs (IP address, user agent) — retained for up to 30 days, then deleted.
• Legal obligations — where law requires a longer retention period for specific records, we keep only those records for the required period and delete the rest on the schedule above.

8. Your Rights (GDPR + CCPA + PIPA Consolidated)

Subject to applicable law, you have the following rights over your personal information:

Rights available to all users

• Access — request a copy of the personal information we hold about you.
• Rectification — ask us to correct information that is inaccurate or incomplete.
• Deletion — request that we delete your personal information.
• Data portability — receive your personal information in a structured, machine-readable format.
• Objection — object to processing based on our legitimate interests.
• Withdraw consent — where processing is based on consent, withdraw it at any time.
• Lodge a complaint — contact a data protection supervisory authority (e.g., your national EU DPA, the UK ICO, or, in Korea, the Personal Information Protection Commission at https://www.pipc.go.kr).

California residents (CCPA / CPRA)

• Right to know what personal information we collect, use, and disclose.
• Right to delete personal information we hold about you.
• Right to opt out of sale or sharing — not applicable; we do not sell or share personal information for cross-context behavioral advertising.
• Right to non-discrimination — we will not deny service, charge different prices, or provide a different quality of service because you exercised a privacy right.
• Right to limit use of sensitive personal information — not applicable; we do not collect sensitive personal information as defined by the CCPA.

Korea residents (PIPA)

• Right to access (열람 요구권) your personal information.
• Right to correction (정정 요구권) of inaccurate information.
• Right to deletion (삭제 요구권) of your personal information.
• Right to suspend processing (처리정지 요구권) of your personal information.

9. How to Exercise Your Rights

To exercise any of the rights above, email us at privacy@stanza.fm from the email address associated with your account, or describe your account clearly enough for us to verify your identity.

We will respond within 30 days of receiving a verifiable request. If we need more time because the request is complex, we will tell you why and when you can expect a full response. You may authorize an agent to act on your behalf; we may ask for written proof of authorization.

10. Cookies and Tracking Technologies

We use only the following:

• Session authentication cookies — a first-party cookie that keeps you signed in. It contains a signed JWT session token and is strictly necessary to operate the Service.
• Cloudflare Web Analytics — cookieless. It does not set any cookies, does not collect personal data, does not fingerprint visitors, and does not track you across sites. It produces aggregated traffic statistics only.

We do not use advertising cookies, third-party analytics that track individual users, or cross-site trackers.

11. Children's Privacy

The Service is not directed to children under 14 years of age, and we do not knowingly collect personal information from children under 14. We set 14 as our global minimum age because PIPA Article 22-2 requires legal-guardian consent for Korean users under 14; rather than implementing per-country age gates, we apply this threshold universally. If we become aware that an account was created by a person under 14, we will delete the account and any associated personal information. If you believe a child under 14 has provided us with personal information, please contact us at privacy@stanza.fm and we will delete it.

In jurisdictions where the age threshold is higher (e.g., 16 in parts of the EU), we rely on Google OAuth account eligibility and will honor applicable minimum-age rules on request.

12. Security

We apply the following technical and organizational measures:

• Encryption in transit — all connections to the Service use HTTPS (TLS).
• Encryption at rest — the production database (AWS RDS) uses disk encryption.
• Access controls — production access is limited to authorized engineers, authenticated through individual accounts with least-privilege roles.
• Isolation — sub-processors are used only for their specified purposes under contractual obligations.

No system is perfectly secure. If we become aware of a security incident that affects your personal information, we will notify you and the relevant authorities as required by law.

13. Privacy Officer (PIPA)

Under Article 31 of PIPA, we designate the following Privacy Officer:

• Privacy Officer: Young Lee
• Email: privacy@stanza.fm

The Privacy Officer is responsible for overseeing personal information processing, handling user requests and complaints, and remedying damage arising from processing.

14. Personal Data Collection Details (PIPA)

All items above are required to operate the Service. We do not currently collect any optional personal information.

Where law requires a longer retention period for specific records (e.g., e-commerce or communications records), those records are retained for the legally required period and deleted immediately afterward.

15. California Privacy Rights (CCPA)

• No sale or sharing. We do not sell personal information, and we do not share personal information for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA. We have not done so in the preceding 12 months.
• "Shine the Light" (Cal. Civ. Code § 1798.83). California residents may request information about our disclosures, if any, of personal information to third parties for their direct marketing purposes. We do not make such disclosures. You may confirm this by emailing privacy@stanza.fm.
• Global Privacy Control (GPC). We honor GPC signals sent by your browser as a valid opt-out of sale/sharing where applicable. Because we do not sell or share personal information, GPC does not change how we process your data, but we record the signal and will not treat any future practice as consented against it without an affirmative opt-in.
• Categories collected. See Section 2. We collect identifiers (email, name, profile image URL, IP address, user agent) and internet or other network activity (your Echoes, follows, WTL/Listened marks).
• Sources. Directly from you (via Google OAuth and your use of the Service).
• Business purposes. Operating the Service, security, and product analytics (see Section 3).

16. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will change the "Last updated" date at the top. For material changes, we will notify signed-in users by email and post a notice at the top of this page at least 30 days before the change takes effect, where practicable.

Your continued use of the Service after the effective date of a change constitutes acceptance of the updated policy. If you do not agree with a change, you may delete your account before it takes effect.

17. Contact

For general privacy questions or to exercise your rights, contact:

• Email: privacy@stanza.fm

Company identity:

• Legal name: Limehouse Inc. (주식회사 라임하우스)
• Jurisdiction: A corporation organized under the laws of the Republic of Korea
• Business registration number: 716-87-03840
• Registered office: 123 Seocho-jungang-ro, Seocho-gu, Seoul, Republic of Korea (서울특별시 서초구 서초중앙로 123)