Privacy Policy

Note: This English version is provided for information purposes only. In case of any contradiction or conflict of interpretation between this translation and the German original, the German version shall prevail.

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws of the member states as well as other data protection provisions is:

xtra audio GmbH
Heerdter Sandberg 32, 40549 Düsseldorf, Germany

Represented by: Timo Mauter (CEO)

Phone: +49 (0)211 781718-81
Email: [email protected]
Website: https://xtra.audio

Commercial register: HRB 107559 (Düsseldorf District Court)
VAT ID: DE452158554

Hereinafter referred to as "we" or "xtra.audio".

2. Scope

This privacy policy applies to data processing through our websites and applications:

xtra.audio is a SaaS product for cloud-based radio playout, AutoDJ functionality, and live streaming, targeting both business (B2B) and private (B2C) users. Our services are internationally oriented.

3. Data Protection Officer

We have not appointed a Data Protection Officer, as the legal requirements (in particular Art. 37 GDPR in conjunction with § 38 BDSG) are not met. For data protection inquiries, you can reach us at:

Email: [[email protected]]

4. General Information on Data Processing

4.1 Scope of Processing of Personal Data

We generally process personal data of our users only to the extent necessary to provide a functional website and our content and services. Processing regularly takes place only with the user's consent or where a legal basis permits the processing.

4.2 Legal Bases

Where we obtain consent for the processing of personal data, Art. 6(1)(a) GDPR serves as the legal basis.

For the processing of personal data necessary for the performance of a contract, Art. 6(1)(b) GDPR serves as the legal basis. This also applies to processing operations necessary for pre-contractual measures.

Where processing is necessary for compliance with a legal obligation, Art. 6(1)(c) GDPR serves as the legal basis.

Where processing is necessary for the purposes of the legitimate interests of our company or a third party, and the interests, fundamental rights, and fundamental freedoms of the data subject do not override the former interest, Art. 6(1)(f) GDPR serves as the legal basis.

4.3 Data Deletion and Retention Period

The personal data of the data subject will be deleted or blocked as soon as the purpose of storage ceases to apply. Storage may also take place where provided for by the European or national legislator in Union regulations, laws, or other provisions to which the controller is subject (e.g., commercial and tax retention periods of up to 10 years pursuant to § 147 AO, § 257 HGB).

5. Provision of the Website and Creation of Log Files

5.1 Description and Scope

Each time our websites and applications are accessed, our system automatically collects data and information from the accessing device's computer system. The following data is collected:

  • IP address of the user
  • Date and time of access
  • Accessed URL / requested resource
  • Referrer URL (previously visited page)
  • Browser type and version
  • Operating system used
  • HTTP status code and amount of data transferred

The data is stored in log files of our system. This data is not stored together with other personal data of the user.

5.2 Legal Basis

The legal basis for the temporary storage of data and log files is Art. 6(1)(f) GDPR.

5.3 Purpose of Processing

The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user's computer. Storage in log files is carried out to ensure the functionality of the website and to guarantee the security of our information technology systems (detection and prevention of attacks).

5.4 Duration of Storage

Log files are automatically deleted after 14 days.

6. Hosting and Infrastructure

We host our websites and applications with the following service providers. We have concluded data processing agreements (DPA) pursuant to Art. 28 GDPR with all processors mentioned below.

6.1 Hetzner Online GmbH

Provider: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany.
Server location: Germany (EU).
Purpose: Provision of applications, databases, and server infrastructure.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in reliable and secure operation).
Privacy policy: https://www.hetzner.com/de/rechtliches/datenschutz

6.2 Cloudflare R2 Storage / Cloudflare, Inc.

Provider: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA.
Purpose: Storage of media files (especially audio content), content delivery, DDoS protection.
Legal basis: Art. 6(1)(f) GDPR.
Third-country transfer: Data may be transferred to the USA. Cloudflare, Inc. is certified under the EU-U.S. Data Privacy Framework (EU Commission adequacy decision of July 10, 2023). EU Standard Contractual Clauses are additionally in place.
Privacy policy: https://www.cloudflare.com/de-de/privacypolicy/

6.3 DigitalOcean, LLC

Provider: DigitalOcean, LLC, 101 Avenue of the Americas, 10th Floor, New York, NY 10013, USA.
Purpose: Provision of additional server and infrastructure services.
Legal basis: Art. 6(1)(f) GDPR.
Third-country transfer: Data may be transferred to the USA. DigitalOcean is certified under the EU-U.S. Data Privacy Framework. EU Standard Contractual Clauses are additionally in place.
Privacy policy: https://www.digitalocean.com/legal/privacy-policy

7. SSL/TLS Encryption

This website and the associated applications use SSL/TLS encryption for security reasons and to protect the transmission of confidential content. You can recognize an encrypted connection by the browser's address bar changing from "http://" to "https://" and the lock icon in your browser bar.

8. Cookies and Similar Technologies

8.1 Use of Our Own Consent Solution

We use a self-developed consent solution on our websites and in the application. Through this, you can grant, manage, and revoke your consent for the use of non-technically necessary cookies and similar technologies.

8.2 Technically Necessary Cookies

We exclusively use technically necessary cookies and similar storage technologies (e.g., session cookies for authentication and maintaining your session). These are strictly required for the operation of the application.

Legal basis: § 25(2)(2) TDDDG (strictly necessary) in conjunction with Art. 6(1)(b) or (f) GDPR.

8.3 No Marketing or Tracking Cookies

We do not use any third-party marketing, tracking, or analytics cookies. No cross-device tracking or profiling for advertising purposes takes place.

9. Registration and User Accounts

9.1 Free User Accounts

Creating a user account is required to use our application. During registration, we collect the following mandatory information:

  • Name
  • Email address
  • Password (stored exclusively in hashed form)

9.2 Free Trial Accounts

We offer time-limited free trial accounts. After the trial period expires, the account is either converted to a paid plan or deactivated and deleted after a reasonable period.

9.3 Project Owners with Paid Plans

For users who subscribe to a paid plan (project owners), we additionally collect:

  • Full address (street, postal code, city, country)
  • Payment data (see Section 11)
  • Company name and VAT ID where applicable (for B2B)

9.4 Roles and Permissions Model

Various roles exist within the application (administrators, regular users with differentiated permissions). Role assignment by project owners serves to control access to projects and content.

9.5 Legal Bases and Purpose

Processing is carried out for the performance of the user agreement (Art. 6(1)(b) GDPR). Invoice and tax-relevant data are additionally processed on the basis of statutory retention obligations (Art. 6(1)(c) GDPR).

9.6 Retention Period

Account data is stored for the duration of active use. After cancellation or deletion of the account, personal data is deleted unless statutory retention obligations (in particular 10 years for invoice and accounting data pursuant to § 147 AO, § 257 HGB) apply. During this period, the affected data is subject to restricted processing.

10. Single Sign-On (SSO) via Audiocon

10.1 Description

We offer the option to log in to xtra.audio via Single Sign-On (SSO) through the Audiocon system operated by UPLINK Digital GmbH. When using this option, the identification and contact data required for authentication (in particular email address, name, user ID) are exchanged between Audiocon and xtra.audio.

Provider: UPLINK Digital GmbH, Heerdter Sandberg 32, 40549 Düsseldorf

10.2 Legal Basis and Purpose

The use of the SSO function is voluntary and based on your consent (Art. 6(1)(a) GDPR) or for the performance of the contract (Art. 6(1)(b) GDPR). The purpose is simplified and secure authentication.

10.3 Revocation

You may revoke your consent at any time by removing the SSO link in your account settings or by using a traditional user account with email and password.

11. Payment Processing via Stripe

11.1 Description

We use the payment service provider Stripe for processing paid subscriptions.

Provider (EU): Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland.
Parent company: Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA.

11.2 Data Processed

In the course of payment processing, the following data, among others, is transmitted to or collected directly by Stripe:

  • Name and address
  • Email address
  • Payment data (e.g., credit card, SEPA direct debit, or other payment information)
  • Invoice amount, currency, transaction and billing time
  • IP address and technical transaction metadata (fraud prevention)

Payment card data is generally entered directly at Stripe and does not reach our servers in complete form.

11.3 Legal Basis

Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(c) GDPR (legal obligations, including commercial and tax law).

11.4 Third-Country Transfer

Data may be transferred to the USA. Stripe, Inc. is certified under the EU-U.S. Data Privacy Framework. Stripe has additionally implemented EU Standard Contractual Clauses.

Privacy policy: https://stripe.com/de/privacy

12. Error Monitoring via Sentry

12.1 Description

To ensure the functionality, stability, and security of our applications, we use the open-source software Sentry. The Sentry instance is not obtained as a SaaS service from Sentry, Inc. but is operated by our partner UPLINK Digital GmbH on its own infrastructure under contract and contractual obligation (DPA pursuant to Art. 28 GDPR).

Provider (Processor): UPLINK Digital GmbH, [address to be inserted]

12.2 Data Processed

In the event of an error, the following data, among others, is transmitted and analyzed:

  • Error description, stack traces, and technical context
  • Browser and device information
  • IP address
  • User ID (if logged in)
  • Action or URL at which the error occurred

12.3 Legal Basis and Purpose

The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in the detection, analysis, and resolution of errors as well as ensuring IT security.

13. Contact Form and Communication

13.1 Contact Form on the Website

We offer a contact form on our website. When using it, the entered data (typically name, email address, subject, and message) is processed to handle the inquiry. Transmission is carried out via our own, internally operated systems; no external third-party providers are used.

13.2 Email Communication

Transactional and notification emails (e.g., registration confirmation, password reset, invoice dispatch) are sent via our own, internally operated mail systems.

13.3 Newsletter

To the extent we send newsletters, this is done exclusively via our own, internally operated systems. Registration follows a double opt-in procedure; you will receive a confirmation email to prevent misuse of third-party email addresses. Unsubscription is possible at any time via the unsubscribe link at the end of each message or by email to [[email protected]].

13.4 Legal Basis

  • Contact form / email: Art. 6(1)(b) GDPR (pre-contractual or contractual communication) or Art. 6(1)(f) GDPR (responding to general inquiries).
  • Newsletter: Art. 6(1)(a) GDPR (consent), revocable at any time.

13.5 Retention Period

Inquiries are deleted once they have been conclusively processed and no statutory retention periods apply. Newsletter registration data is stored until consent is revoked.

14. Radio Playout-Specific Processing

14.1 No Own Streaming Server Hosting

xtra.audio currently does not provide its own streaming server hosting. Accordingly, we do not collect listener data (e.g., IP addresses, geolocation, track history of your listeners).

14.2 Reports to Collecting Societies (GEMA / GVL)

In certain larger plans, we support the creation and submission of music usage reports to collecting societies, in particular GEMA (Society for Musical Performing and Mechanical Reproduction Rights) and GVL (Society for the Administration of Neighbouring Rights).

The following data is typically transmitted:

  • Broadcaster or project/station information
  • Contact details of the person responsible for reporting
  • Playlist and track metadata (artist, title, ISRC, label, duration, broadcast time)

Legal basis: Art. 6(1)(c) GDPR (legal obligation of users towards collecting societies) in conjunction with Art. 6(1)(b) GDPR (contract performance towards our users).

Recipients: GEMA (Rosenheimer Straße 11, 81667 Munich) and GVL (Podbielskiallee 64, 14195 Berlin) and comparable collecting societies.

14.3 Public Now-Playing Metadata

If users actively enable the feature, now-playing metadata (e.g., currently playing title, artist, cover) is made available via publicly accessible interfaces. No publication occurs without explicit activation by the user.

Legal basis: Art. 6(1)(a) GDPR (user consent through active activation).

15. AI Features (Gemini via OpenRouter)

15.1 Description

For users of certain plans, we provide AI-powered features. AI processing is carried out via the large language model Google Gemini, which we integrate through the API provider OpenRouter.

OpenRouter provider: OpenRouter, Inc., USA.
Model provider: Google LLC, USA (or Google Ireland Ltd. in the EU context).

15.2 Data Processed

In the context of AI features, the following data in particular is transmitted to the aforementioned providers:

  • User prompt inputs
  • Project or broadcast-related metadata that the user includes in the request
  • Technical metadata of the request

15.3 Legal Basis and Purpose

The use of AI features is voluntary and based on consent (Art. 6(1)(a) GDPR) as well as for the performance of the contract, provided the AI feature is part of the subscribed plan (Art. 6(1)(b) GDPR). The purpose is to provide intelligent, assistive features within the product.

15.4 Third-Country Transfer

Data may be transferred to the USA. Google LLC is certified under the EU-U.S. Data Privacy Framework. EU Standard Contractual Clauses are additionally in place with OpenRouter. We note that despite these safeguards, a residual risk of governmental access under US law cannot be entirely excluded.

15.5 Note on Prompt Input

Users should not enter special categories of personal data (Art. 9 GDPR) or unnecessary personal data of third parties in prompts and inputs.

Privacy notice OpenRouter: https://openrouter.ai/privacy
Privacy notice Google: https://policies.google.com/privacy

16. Internal Chatbot (Project/Radio Control)

Within the application, we provide an internally operated chatbot that acts as an internal user of the app and enables users to control the application as well as answer project or radio-specific questions.

The content entered is processed on our own infrastructure. To the extent the chatbot uses AI services, the information in Section 15 additionally applies.

Legal basis: Art. 6(1)(b) GDPR (contract performance).

17. Data Backup (Backups)

To ensure availability and protect against data loss, we regularly create backups of our systems and databases.

  • Storage location: Hosting infrastructure as per Section 6
  • Retention period: 30 days rolling
  • Encryption: Data at rest is stored in encrypted form

Legal basis: Art. 6(1)(f) GDPR. The legitimate interest is ensuring IT security and business continuity (Art. 32 GDPR).

Deletion requests from data subjects are implemented immediately on production systems; in backup inventories, the affected data is overwritten at the latest within the regular backup rotation cycle (after 30 days).

18. Transfer to Third Countries

We transfer personal data to third countries outside the EU/EEA, in particular to the USA, in the following cases:

  • Cloudflare, Inc. (Section 6.2)
  • DigitalOcean, LLC (Section 6.3)
  • Stripe, Inc. (Section 11)
  • OpenRouter, Inc. / Google LLC (Section 15)

The aforementioned recipients in the USA are — as stated in the respective sections — certified under the EU-U.S. Data Privacy Framework (EU Commission adequacy decision of July 10, 2023). Additionally, EU Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR are in place with all recipients in third countries, as well as — where required — additional technical and organizational safeguards (e.g., encryption, pseudonymization).

19. Rights of Data Subjects

As a data subject, you have the following rights:

  • Access (Art. 15 GDPR): You may request information about the personal data we process about you.
  • Rectification (Art. 16 GDPR): You may request the correction of inaccurate data or the completion of incomplete data.
  • Erasure (Art. 17 GDPR): You may request the deletion of your data, provided no statutory retention obligations apply.
  • Restriction of processing (Art. 18 GDPR).
  • Data portability (Art. 20 GDPR): You may request to receive the data concerning you in a structured, commonly used, and machine-readable format.
  • Objection (Art. 21 GDPR): You may object to the processing of your data where we rely on Art. 6(1)(f) GDPR.
  • Withdrawal of consent (Art. 7(3) GDPR): You may withdraw any consent given at any time with effect for the future.
  • Complaint to a supervisory authority (Art. 77 GDPR): You have the right to lodge a complaint with a data protection supervisory authority, in particular in the member state of your habitual residence, your place of work, or the place of the alleged infringement.

To exercise these rights, an informal notification to [[email protected]] is sufficient.

The competent supervisory authority for us is:

[Competent state data protection authority to be inserted, e.g., State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia, Kavalleriestr. 2-4, 40213 Düsseldorf]

20. Right to Object Pursuant to Art. 21 GDPR

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on Art. 6(1)(e) or (f) GDPR. We will then no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defense of legal claims.

21. Data Security

We take appropriate technical and organizational measures pursuant to Art. 32 GDPR to protect your data against accidental or intentional manipulation, loss, destruction, or access by unauthorized persons. These include, among others, transport encryption (TLS), encryption of data at rest, access controls, regular backups (Section 17), logging of security-relevant events, and regular review and updating of our security measures.

22. No Automated Decision-Making

Solely automated decision-making including profiling within the meaning of Art. 22 GDPR that produces legal effects concerning you or similarly significantly affects you does not take place.

23. Changes to This Privacy Policy

We reserve the right to amend this privacy policy to ensure it always complies with current legal requirements or to implement changes to our services or data processing procedures. The new privacy policy will then apply to your subsequent visit.

The current version is always available at https://xtra.audio/privacy.

Last updated: April 19, 2026