Privacy Policy
Last updated: May 26, 2026
1. Overview
MusicYaa ("we", "us", or "our") operates the website musicyaa.com and the MusicYaa mobile application (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with the terms of this Privacy Policy, please do not access the Service.
Summary
We collect only the information necessary to connect you with Latin music artists and event vendors. We do not sell personal data. Payments are processed securely through Stripe and we never store your full credit card details. We use Google Analytics and Google Ads to measure how the platform is performing — these technologies do not load any cookies or send identifying data until you opt in via Your Privacy Choices. We honor the Global Privacy Control browser signal as an opt-out.
2. Information We Collect
2.1 Information You Provide
- Account Information: Name, email address, and password when you create an account
- Profile Information: Phone number, profile photo, and bio (for artists and vendors)
- Booking Information: Event date, time, location, event type, and special requests
- Payment Information: Payment card details are collected and processed directly by Stripe; we only receive a tokenized reference, the last four digits, and card type
- Communications: Messages sent through our platform between clients, artists, and vendors
- Legal Acceptance Records: When you accept the Terms of Service, Privacy Policy, or Provider Agreement, we record the timestamp, IP address, user agent, and document hash for audit purposes
2.2 Information Collected Automatically
- Device Information: Browser type, operating system, and device identifiers, derived from request headers when you load a page or call our API
- Usage Data: Pages visited, features used, and interaction patterns. The marketing site and the application both send a first-party analytics beacon to our own
/analytics/track endpoint on every page view; this beacon never leaves our infrastructure - Location Data: General location derived from IP address (we do not collect precise GPS location)
- Strictly Necessary Cookies: We set first-party cookies required to operate the Service, including an authentication session cookie issued by AWS Cognito, a CSRF/state cookie set during the booking flow, and the
musicyaa_consent_v1 cookie that records your choices on the Your Privacy Choices page
2.4 Information from Third Parties
- Authentication Providers: If you sign in with a third-party service, we receive your name and email from that provider
- Payment Processor: Stripe provides us with transaction status, payment confirmations, and payout details
- Advertising Measurement: When you opt in to advertising cookies, Google Ads reports back to us in aggregate which campaigns resulted in bookings. We do not receive personal information about individual users from Google in these reports
2.3 Cookies and Tracking Technologies
We disclose every cookie and third-party SDK loaded on the Service below.
Default state: all non-essential storage denied
By default we configure Google's Consent Mode v2 to deny all advertising and analytics storage — no Google Analytics or Google Ads cookies are set, and no identifying data is transmitted to Google — until you opt in via Your Privacy Choices. We also honor the Global Privacy Control browser signal (see Section 6.5).
| SDK or Service | Purpose | Storage Set | Retention | Vendor Privacy Policy |
| Google Analytics 4 | Aggregate traffic, page performance, and user journey measurement | _ga, _ga_*, _gid cookies; only after opt-in | 14 months | Google |
| Google Ads Conversion Tracking | Measure which advertising campaigns produce real bookings | _gcl_au, _gcl_aw cookies; only after opt-in | 90 days | Google |
| Google Maps JavaScript API | Display venue locations on maps | Google session cookies on googleapis.com when a map renders | Session | Google |
| Stripe.js | Tokenize payment cards in the browser before they reach our servers | __stripe_mid, __stripe_sid cookies on stripe.com | 1 year (mid), 30 minutes (sid) | Stripe |
| AWS Cognito | Authenticate logged-in users | First-party session and refresh-token cookies on musicyaa.com | Up to 30 days | AWS |
| MusicYaa Analytics Beacon | First-party page-view counter sent to our own /analytics/track endpoint | First-party sessionStorage key atm_session_id (cleared when the browser tab closes) | Session | First-party |
| MusicYaa Consent Choice | Remember your selections on the Your Privacy Choices page | First-party cookie musicyaa_consent_v1 | 12 months | First-party |
3. How We Use Your Information
We use the information we collect for the following purposes:
- Provide the Service: Process bookings, facilitate payments, and connect clients with artists and vendors
- Account Management: Create and maintain your account, authenticate your identity
- Communications: Send booking confirmations, payment receipts, reminders, and platform messages
- Customer Support: Respond to your inquiries and resolve disputes
- Improvements: Analyze first-party usage patterns to improve our Service and user experience
- Advertising Measurement (only when opted in): Measure which marketing campaigns produce successful bookings so we can invest in the channels that reach people who want what we offer. The CPRA categorizes this as "sharing" of personal information for cross-context behavioral advertising, and you have the right to opt out at any time. See Section 6.4
- Safety & Security: Detect and prevent fraud, abuse, and unauthorized access
- Legal Compliance: Comply with applicable laws, regulations, and legal processes
- Audit & Evidence: Maintain records of legal acceptance, booking agreements, and payment transactions
No sale of personal data
MusicYaa does not "sell" personal information for monetary consideration. We do "share" pseudonymous identifiers with Google Ads when you have opted in to advertising cookies (see Section 4.3); you can opt out of this at any time via Your Privacy Choices.
4. How We Share Your Information
We may share your information in the following circumstances.
4.1 With Other Users
When you make a booking, your name, event details, and contact information are shared with the artist or vendor you are booking. Similarly, artist and vendor profile information is visible to clients browsing the platform.
4.2 Service Providers
We share information with trusted third-party services that help us operate the platform:
| Provider | Purpose | Data Shared |
| Stripe | Payment processing | Payment card details, transaction amounts, billing address |
| Amazon Web Services (AWS) | Cloud hosting, authentication, data storage, email via SES | All platform data (encrypted at rest and in transit) |
| Google Maps | Location services for event venues | Event addresses for map display |
| Google Analytics | Aggregate traffic and usage measurement | Pseudonymous identifiers, page paths, referrers (only after opt-in) |
| Google Ads | Conversion measurement for paid marketing campaigns | Conversion events (only after opt-in) |
4.3 Sharing for Advertising Measurement (CPRA)
When you have opted in via the Your Privacy Choices page, we share certain pseudonymous identifiers and event data with Google Ads to measure which campaigns produce real bookings. The CPRA categorizes this as "sharing for cross-context behavioral advertising." You have the right to opt out of this sharing at any time using the Your Privacy Choices page, or by enabling the Global Privacy Control signal in your browser. We do not share any personal information for advertising measurement when you have not opted in.
4.4 Legal Requirements
We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency).
5. Data Security
We implement industry-standard security measures to protect your personal information:
- All data is encrypted in transit using TLS/HTTPS
- Data at rest is encrypted using AWS encryption services
- Payment processing is handled by Stripe, a PCI-DSS Level 1 certified provider
- Authentication is managed through AWS Cognito with secure password hashing
- Access to production systems is restricted and monitored
- We use AWS WAF (Web Application Firewall) to protect against common web threats
Important
While we strive to use commercially acceptable means to protect your personal information, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.
6. Your Rights and Choices
Depending on your location, you have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you
- Correction: Request that we correct any inaccurate or incomplete personal data
- Deletion: Request that we delete your personal data, subject to legal obligations
- Data Portability: Request a machine-readable copy of your data
- Opt-Out: Unsubscribe from marketing emails at any time using the link in our emails
- Account Deletion: Request complete deletion of your account at musicyaa.com/delete-account
6.1 California Residents (CCPA / CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect about you
- Delete personal information we have collected about you
- Correct inaccurate personal information
- Opt out of the "sale" or "sharing" of personal information for cross-context behavioral advertising (see Section 6.4)
- Limit the use of sensitive personal information
- Non-discrimination: we will not discriminate against you for exercising any of these rights
We do not "sell" personal information for monetary consideration. We do "share" pseudonymous identifiers with Google Ads when you have opted in to advertising cookies; you can opt out of this sharing at any time using the Your Privacy Choices page.
6.2 Other U.S. State Privacy Rights
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon, Montana, Iowa, Delaware, Minnesota, New Jersey, Tennessee, Indiana, New Hampshire, Kentucky, Maryland, and Rhode Island have similar rights under their state privacy laws, including the right to access, delete, correct, port, and opt out of targeted advertising. To exercise any of these rights, email privacy@musicyaa.com from the email associated with your MusicYaa account with the subject "Privacy Rights Request" and a description of the right you wish to exercise. We will respond within the timeframe required by your state's law (typically 30 to 45 days). If you are not satisfied with our response, you have the right to appeal by replying to our response email; we will respond to your appeal within 60 days.
6.3 Children's Privacy
Our Service is not directed to anyone under the age of 18. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us and we will delete such information.
6.4 Your Privacy Choices and Cookie Settings
You can control which non-essential cookies and tracking technologies operate on the Service via the Your Privacy Choices page. From that page you can:
- Opt in or out of Google Analytics measurement
- Opt in or out of Google Ads advertising measurement
- See exactly what choice is recorded in your browser today
Your choice is stored in a first-party cookie (musicyaa_consent_v1) for 12 months. We honor the choice across the marketing site and the application. If you clear your cookies, your previous selection is cleared and the default state (all non-essential storage denied) applies again until you make a new selection.
6.5 Global Privacy Control
We honor the Global Privacy Control browser signal. If your browser sends GPC, we treat that as an opt-out from any "sale" or "sharing" of personal information for cross-context behavioral advertising, even if you have previously opted in via the Your Privacy Choices page. Major browsers and privacy extensions that support GPC include Brave, DuckDuckGo Privacy Browser, Firefox (with the Privacy Badger extension), and other GPC-compatible tools.
6.6 How to Exercise Your Rights
To exercise any right not exposed in the in-app settings or on the Your Privacy Choices page, email privacy@musicyaa.com from the email address associated with your MusicYaa account. We may ask you to verify your identity before processing a request that involves personal information beyond what the requesting account already has access to.
7. Data Retention
We retain your personal information for as long as necessary to fulfill the purposes described in this policy:
| Data Type | Retention Period |
| Account information | Until account deletion requested |
| Booking records | 7 years (tax and legal compliance) |
| Payment records | 7 years (financial regulations) |
| Messages | 2 years after last activity |
| First-party usage analytics | 24 months (anonymized) |
| Google Analytics measurement | 14 months (only when opted in) |
| Google Ads conversion measurement | 90 days (only when opted in) |
| Consent choice cookie | 12 months from last update |
| Legal acceptance records | Permanent (legal evidence) |
When data is no longer needed, it is securely deleted or anonymized.
8. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date. We encourage you to review this Privacy Policy periodically.