Privacy Policy
Last updated: April 5, 2026
1. Controller
The controller responsible for data processing under the General Data Protection Regulation (GDPR) is:
Andreas Eichert
Merzhauser Straße 32
79100 Freiburg im Breisgau
Germany
Email: info@playalongxr.com
Website: playalongxr.com
2. Overview
This Privacy Policy explains how we collect, use, and process personal data when you:
- Use the PLAYALONGXR application on Meta Quest
- Visit our website (playalongxr.com)
- Use our portals (artists/labels portal, mappers portal, admin portal)
- Interact with our services
We process personal data in accordance with the GDPR and applicable data protection laws.
3. Data We Collect
3.1 Account & Contact Data
When you create an account or use our portal:
- Name (if provided)
- Email address
- Account credentials (managed via Firebase Authentication)
- Role selection (artist/label or mapper)
Purpose: Account management, authentication, communication
Legal basis: Art. 6(1)(b) GDPR (contract performance)
3.2 Submitted Content (Artists / Labels)
When submitting tracks through the portal:
- Track links (Spotify, Apple Music, YouTube Music, or private links)
- Artist name and track title
- Genre and BPM information
- Optional notes and workout intent
Purpose: Review for eligibility, playlist placement, platform curation
Legal basis: Art. 6(1)(b) GDPR
3.3 Mapper Content
When creating and uploading workout maps:
- Map data (timing, events, segments, difficulty settings)
- Apple Music ID associations
- Mapper profile and assignment history
Purpose: Platform content creation and management
Legal basis: Art. 6(1)(b) GDPR
3.4 Usage & Interaction Data (App)
When using PLAYALONGXR:
- Workout starts, completions, and repeats
- Favorites within the app
- Playlist interactions
- Daily and weekly workout participation
Purpose: Improve the experience, optimise playlists and workouts, provide aggregated reporting to submitters
Legal basis: Art. 6(1)(f) GDPR (legitimate interest)
3.5 Music Detection Data (Shazam Integration)
PLAYALONGXR detects music to automatically start workouts. This detection is performed using Shazam technology (provided by Apple Inc.).
How it works:
- Audio is captured via the device microphone or system-level audio capture (e.g. Android media capture)
- A short audio sample is transmitted to Shazam for recognition
- Shazam returns the identified track (if available)
Important information:
- Audio snippets are processed by Shazam (Apple)
- We do not store raw audio recordings
- We only receive and process the identified track result
- Music detection is active only while the app is in use
Purpose: Automatically match music to workout maps, enable a seamless hands-free workout experience
Legal basis: Art. 6(1)(b) GDPR (performance of contract)
3.6 Payment Data
Payments are processed via Stripe. We do not store:
- Full credit card numbers
- Payment credentials
Stripe may process:
- Name and billing details
- Payment method information
For mappers receiving earnings, we use Stripe Connect to process payouts. Stripe Connect may additionally collect:
- Bank account details
- Identity verification documents
- Tax information
Legal basis: Art. 6(1)(b) GDPR
Processor: Stripe, Inc.
3.7 VR Platform Data
When using PLAYALONGXR on a VR headset, authentication is handled via the Meta platform:
- Meta Quest: User proof (nonce) validated against Meta Graph API
We receive a platform user ID to create your account. We do not access your broader platform profile.
Purpose: Authentication, account creation
Legal basis: Art. 6(1)(b) GDPR
3.8 Technical Data
Automatically collected:
- IP address
- Device type and operating system
- App version
- VR headset model
Purpose: Security, debugging, system stability
Legal basis: Art. 6(1)(f) GDPR
4. How We Use Data
We use personal data to:
- Provide and operate PLAYALONGXR on Meta Quest
- Detect music and start workouts automatically
- Review submitted tracks for playlist eligibility
- Enable playlist placements and booking slots
- Process payments and mapper payouts
- Manage mapper assignments and deliverables
- Provide aggregated performance insights to artists
- Sync and manage Spotify-integrated playlists
- Improve the platform
- Ensure security and prevent abuse
5. Legal Bases (GDPR)
We process personal data based on:
- Art. 6(1)(b) – Contract performance (account management, payments, service delivery)
- Art. 6(1)(f) – Legitimate interests (product improvement, security, analytics)
- Art. 6(1)(a) – Consent (where applicable, e.g. cookies)
6. Data Sharing
We only share data where necessary.
6.1 Service Providers
We use the following third-party services:
- Google / Firebase (authentication, database, hosting, cloud functions)
- Stripe, Inc. (payments and payouts via Stripe Connect)
- Apple Inc. / Shazam (music recognition)
- Apple Music (track metadata resolution)
- Spotify (playlist management and sync)
- Meta (VR platform authentication)
These providers may act as data processors or independent controllers depending on the service.
6.2 No Sale of Data
We do not sell personal data.
7. International Data Transfers
Some service providers process data outside the European Union. This includes:
- Google / Firebase (global infrastructure)
- Stripe (USA)
- Apple / Shazam (global infrastructure)
- Meta (USA)
We ensure appropriate safeguards such as Standard Contractual Clauses (SCCs) and GDPR-compliant agreements where applicable.
8. Data Retention
We retain data only as long as necessary:
- Account data – until account deletion
- Transaction data – as required by law (e.g. tax obligations)
- Booking data – retained for the duration of the booking and legal retention periods
- Map data – until deleted by the mapper or removed from the platform
- Usage data – aggregated or anonymised where possible
9. Your Rights (GDPR)
You have the following rights:
- Access to your data (Art. 15)
- Rectification (Art. 16)
- Erasure (Art. 17)
- Restriction of processing (Art. 18)
- Data portability (Art. 20)
- Objection to processing (Art. 21)
To exercise your rights, contact us at: info@playalongxr.com
10. Security
We implement appropriate technical and organisational measures, including:
- Secure authentication via Firebase Auth and platform-specific token exchange
- Encrypted communication (HTTPS)
- Role-based access controls (admin claims)
- Firestore security rules
- Cloud Storage security rules
11. Cookies (Website)
If cookies are used:
- Essential cookies for functionality
- Optional analytics cookies (only with consent)
Users can manage cookies via the consent banner or their browser settings.
12. Children
PLAYALONGXR is not intended for children under 16. We do not knowingly collect personal data from minors.
13. Changes to This Policy
We may update this Privacy Policy from time to time. The latest version is always available at playalongxr.com/privacy.
14. Contact
For any privacy-related inquiries:
Email: info@playalongxr.com
Website: playalongxr.com