Privacy Notice

1. ACCEPTANCE OF AND CHANGES TO THIS NOTICE

Your use of the Services, and all communications between you and us, are subject to this Notice. YOU SHOULD READ THIS NOTICE COMPLETELY AND CAREFULLY BEFORE USING THE SERVICES AND/OR PROVIDING US WITH ANY INFORMATION, PARTICULARLY PERSONAL DATA. By using our Services in any way, including browsing, creating an account, expressing an interest in our Services, and/or using any interactive tools, or by otherwise providing us with any personal data, you acknowledge that you have read, understood, and agreed to be bound by this Notice.

Because of changes in technology and practices, this Notice may change from time to time. We will post any changes we make to this Notice on this page, and we will provide you notice of such changes if and when required by applicable law. Any changes will be effective when the updated Notice is posted.

It is your responsibility to check this Notice for updates. You will be able to determine when the Notice was last updated by referring to the "Last Updated" date at the top. By using the Services and/or providing us with any personal data after we post any changes to this Notice, you agree to accept those changes, whether or not you have taken the time to review them.

2. APPLICABILITY OF THIS NOTICE

This Notice covers personal data we may collect and use in the following circumstances:

• When you visit and use the Rythm-operated websites and mobile applications (apps), including the sites, pages, and apps that link to that Notice, such as the https://rythm.fm/ site and the Rythm app (All of these sites, pages, and apps are referred to collectively in this Notice as the "Services," which also includes all associated content, functionality, and services offered on or through the Services);
• When you become our customer or enter into any kind of commercial or business relationship with us (other than an employment or prospective employment relationship);
• When you interact with us through any Services, including through any "Contact Us" or similar feature;
• When you contact us by telephone or email;
• When you sign up for our newsletter or similar communications;
• When you participate in any programs or features that you offer (including participation in "beta programs" or other test features);
• When you "Invite Rythm to your Discord";
• When you attend a marketing or promotional event; and
• When you interact with us on any social media service (including Discord).

This Notice is a master privacy notice provided to all visitors to and users of the Services. Our operations are global, but please note that privacy laws governing both this Notice and our legal obligations regarding the collection, use, and processing of personal data vary across jurisdictions. Accordingly, not all provisions of this Notice apply to all persons. However, nothing in this Notice is intended to limit in any way your statutory or other legal rights.

Additional Privacy Notices

We may provide you with supplemental or additional privacy notices on specific occasions when we collect or process personal data about you. On those occasions, it is important that you read this Notice together with all such other notices, so that you can be fully aware of how and why we are using your personal data. This Notice supplements all other and additional privacy notices, and is not intended to override any of them (and vice versa).

A Note About Children

Our Services are not targeted to, and we have no interest in collecting information from, children under the age of 13. We do not knowingly gather any personal data from children. If you are a parent or legal guardian who believes that your child has provided us with any personal data, please contact us at support@rythm.fm.

3. THE PERSONAL DATA WE COLLECT AND USE

Personal data (also referred to as "personal information") means any information about an individual that can be used to identify that individual. Personal data does not include anonymous or anonymized information that cannot be used to identify a specific person.

The Categories of Personal Data We Collect and Use

Rythm may collect, use, store, and transfer different categories of personal data, as follows:

• Identifiers - Such as user name/login, similar identifiers, billing zip code, email address, IP address.
• Personal information categories - Such as billing zip code.
• Commercial information - Such as records of songs listened to and/or marked as favorites or otherwise cataloged by users, including specific content engaged with by users.
• Internet or other similar network activity - Such as internet protocol (IP) address, login details, browser type and version, time and location settings, browser plug-in types and versions, operating system, platform, and other technology on device(s) used to access our Services, and usage information, including how you interact with the Services.
• Inferences drawn from other personal information - Such as listening activity (e.g., song history), interests and preferences, feedback and survey responses, communications and marketing preferences.

Additional Uses of Personal Data

In addition, we may use any of the personal data we collect for the following purposes:

• To prevent transaction or user fraud, and to help maintain the safety, security, and integrity of our Services and our business;
• To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations; and
• To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets in which personal data is among the assets transferred or is otherwise material to the transaction.

We will only use your personal data for the purposes disclosed in this Notice or in any supplemental notice provided to you at or prior to our collection of that personal data, or for any reasonably compatible purpose, and subject to limitations and requirements of applicable law. If we need to use your personal data for any unrelated purpose, we will notify you and, if required by law to do so, will obtain your consent.

Payment Information

When you subscribe to our premium or other paid plans, you will do so through the platform you use to do so (Discord, Apple Pay, Google Play, etc.), accordingly, we do not directly or indirectly receive or store any payment data.

Sensitive Data

We do not collect or use information that is or may be considered "sensitive data" as defined in applicable privacy laws, such as details about your financial accounts, your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, or information about criminal convictions and offenses. To the extent we do obtain any so-called sensitive data, we do not use that data for purposes of profiling or inferring characteristics about the person with respect to whom it was collected.

Aggregated Data

We also collect, use, and disclose "Aggregated Data," such as statistical or demographic information. Aggregated Data may be derived from personal data, but it is not considered personal data because it does not directly or indirectly reveal your identity. However, if we ever do combine or connect Aggregated Data with other personal data such that it could directly or indirectly identify you, we will treat the combined data as personal data in accordance with this Notice.

4. HOW WE COLLECT PERSONAL DATA; SOURCES OF PERSONAL DATA

We use different methods to collect personal data from and about you, including as follows:

• Direct Interactions. From time to time, you may provide us with your personal data by filling in forms or by corresponding with us by mail, telephone, email, social media, or otherwise. This includes personal data you provide when you:
  • Create an account on or otherwise subscribe to our Services;
  • Participate in promotions, publications, surveys, or any interactive features of the Services;
  • Request that marketing or other materials be sent to you;
  • Create and share content with us through third-party social networks, such as by commenting on our social media pages;
  • Provide us with feedback; and
  • Otherwise contact or communicate with us for any reason.
• Indirect Interactions. You may be able to interact with the Services using third party accounts (such as when you log in to the Services using your Discord account). If you choose to do so, then you will create a connection between our Services and the third party account, and we will obtain information, including personal data, from your third party account. In addition, because our Services allow you to interact with friends, when you choose to share content through the Services with friends, we may collect personal data of the person you are sharing with, such as their user information, name, email address, and/or IP address.
• Automated Technologies and Interactions. As you interact with our Services, we may automatically collect certain data, such as information about the equipment used to access the Services and your browsing actions and patterns. We collect this information using cookies, server logs, and other similar technologies. We may also receive this information about you if you visit other websites employing our cookies. Please see below for further details about how we use cookies.
• Other Third Parties or Publicly Available Sources. We may receive personal data about you from various third parties and public sources, such as advertising networks and analytics providers.
• Consumer Generated Sources and Third Party Social Network Data. We will have access to any content that you create and then share with us on third party social networks or by uploading it to our Services, including the use of third party social network apps such as Discord. Examples include photos, videos, personal stories, or other similar media or content. In addition, we may collect information that you share publicly on a third party social network or information that is part of your profile on a third party social network and that you allow the third party social network to share with us. Examples include your basic account information (e.g. name, email address, gender, birthday, current city, profile picture, user ID, list of friends, etc.) and any other additional information or activities that you permit the third party social network to share.

5. WHEN AND WHY WE DISCLOSE PERSONAL DATA TO OTHERS

We may disclose personal data as described below:

• Affiliated Companies: We may disclose personal data with our affiliated companies to manage our subscriber relationships and for other business and commercial purposes consistent with those disclosed above.
• Service Providers and Contractors: We may disclose personal data to our service providers and contractors in the ordinary course of our business relationship with those parties. This may include parties who provide us with IT and system administration services, parties who process payments, cloud hosting and storage providers, and other parties who provide connected services, manage and service our Services, assist with email distribution, provide research and analytics services, manage promotions, run and manage sponsored events, and/or administer certain features of our Services.
• Analytics Providers: We share personal information with data analytics platforms, to compile statistics and evaluate and perform analytics and site/mobile app improvements.
• Other Business Partners: We may disclose personal data to parties who help provide and deliver our Services, such as our content licensors, to the extent we are contractually obligated to do so.
• Professional Advisors: We may disclose personal data to other service providers who act as professional advisors to us, including lawyers, bankers, accountants, insurers, and others who provide similar services.

When we disclose personal data to third party service providers and contractors, we enter into agreements with those third parties that describe the purposes for which the personal data may be used and that require the third parties to keep the personal data secure and confidential.

We may also disclose data as necessary to respond to law enforcement requests and as required by applicable law, court order, or governmental regulations. And, if we engage in a corporate transaction as described above, we will disclose data with the applicable counterparty in connection with that transaction.

We may share Aggregated Data as follows:

• We use billing ZIP code and/or IP addresses to determine our users' country for licensing purposes and may aggregate this data to provide it to our licensors to fulfill our contractual obligation to pay for licensed content in each country;
• We collect users' listening behavior data (e.g., playing a certain song) and may aggregate that data to provide to music chart/tracking organizations; and
• We may aggregate internet or other usage data to calculate the percentage of users accessing specific features of our Services.

We will not disclose your personal data other than as described in this Notice without providing you notice and, if required by law, obtaining your consent. We do not sell personal data to third parties.

6. COOKIES

When you use the Services, we may store some information on your computer in the form of a "cookie" or similar file. "Cookies" are small data text files that are either used for the duration of a session ("session cookies") or saved on a user's hard drive ("persistent cookies"). Session cookies identify users logging onto the Services and are used for authenticating user accounts and maintaining logged in status, these cookies are deleted from the user's server soon after the session ends and are not collected or saved. Persistent cookies will be saved on your server, will recognize you when you return to the Services, and are used to store profile information and user preferences.

Cookies used on Services are generally divided into the following categories:

• Essential cookies: These are cookies that are required for the operation of our Services, such as cookies that enable you to log into secure areas.
• Analytics cookies: These are cookies that automatically collect information about your use of the Services. These help us understand how many people are using our Services and how they navigate through it. These cookies record only anonymous statistical data, not personal data. We use third party analytics providers to gather data on user engagement and interaction with our Services, which helps us improve user experiences.
• Functional cookies: These are cookies that remember choices that you make when you use our Services, such as language options. They help to make your visit more personal.
• Targeting cookies: These are cookies that record your visit to our Services, the pages you visit, the content you engage with, and the links you followed. They will recognize you as a previous user of the Services, and track your activity on our site and other websites you visit.

We use cookies to enable site features and provide a more personalized site experience, for analytics purposes and to understand how users navigate and use our site, to identify and fix errors, and to enable and support security features, prevent fraud, and protect our site.

Most web browsers automatically accept cookies, but you can usually change your browser's settings to prevent that or to notify you when a cookie is being placed on your browser. Because each browser is different, you should look at your browser's "Help" menu to learn how to modify these settings. If you do disable cookies this may make your experiences with our Services less efficient.

7. EMAIL TRACKING; DO NOT TRACK

When corresponding with you via HTML-capable email, we may use "format sensing" technology, which allows pixel tags to let us know whether you received or opened our email. We may also use unique hyperlinks in emails we send to you, which we use to see whether emails have been opened and responded to.

Currently, certain browsers, including Firefox, Google Chrome, Safari, and Internet Edge, offer a "do not track" (DNT) option. This option, using a technology known as a DNT header, sends a signal to websites visited by a user about the user's DNT preference, if any, set on the browser. If you activate DNT, we cannot currently commit to responding to your browser's DNT signals, because no common industry standard for DNT has been adopted by industry groups, technology companies, or regulators.

8. HOW LONG WE RETAIN PERSONAL DATA

We will only retain your personal data for as long as necessary to fulfill the purpose(s) for which it was collected, including to satisfy any legal, accounting, or reporting requirements. We have established retention periods for the personal data we collect.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

9. SECURITY

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, altered, or used, disclosed, or accessed in an unauthorized way. We have put in place industry-standard encryption protocols to safeguard personal data in transit and at rest. We also employ comprehensive identity and access management processes, which include multi-factor authentication to verify users' identities and limit access to data based on pre-defined roles and responsibilities.

We have put in place advanced firewalls and intrusion detection systems to protect our infrastructure to prevent unauthorized access to our systems, and monitor potential security threats on a continuous basis. We also have implemented procedures to address any suspected or actual personal data breach, and will comply with applicable laws relating to notification of and response to any personal data breaches or other security incidents.

Unfortunately, the transmission of information via the internet is not always completely secure despite our reasonable efforts. While we will reasonably protect your personal data, we do not guarantee the security of your data transmitted over the internet; any such transmission, including via our Services, is at your own risk.

10. THIRD PARTY SITES AND SOCIAL SHARING FEATURES

Our Services may include links to other websites. We do not control the privacy practices of any third parties, and if you submit personal data to any of those sites, their collection and use of your information is governed by their privacy policies, which differ from ours. We encourage you to carefully read the privacy notice of any website you visit.

Our Services may offer social network and similar sharing features, such as Discord, Facebook, X (Twitter), YouTube, Instagram, and similar buttons, which let you share information related to the Services through your preferred social media platforms. If you permit a connection between our Services and your social network page(s), we (and the social network) may be able to identify you, and associate the information we (and they) receive with information we (and they) already have about you. In addition, depending on how you use those features and your settings with the social network provider(s), the information you share to your social network pages will be available to others, including your friends and/or the public. For more information about how your information may be shared through those social networks once it is provided to them, you should review the privacy policies of those social networks.

11. YOUR RIGHTS REGARDING YOUR PERSONAL DATA

A. General

Depending on the jurisdiction in which you live, you have the rights described below regarding our collection and use of your personal data. These rights are subject to certain limitations and exceptions under applicable law.

Providing Personal Data is Your Choice. You can browse our Services without providing us with any personal data, other than browsing data (which we will not attempt to link with other personal data). However, if you choose to use our Services to engage with us, such as by creating an account, becoming a subscriber, or by otherwise interacting with us, you will be required to provide us with the personal data necessary to facilitate that interaction or transaction. If you do not want to provide us with personal data, you may not be able to use many features of our Services.

You Have the Right to Opt Out of Certain Communications. You can ask us to stop sending you marketing and other promotional materials at any time by following the opt-out links in the applicable messages, or by contacting us at any time at support@rythm.fm. Please note that when you opt out of marketing messages, we may still need to contact you regarding your account, your experience with our Services, as required by law, or regarding legal matters. However, we will not send you marketing communications after you have opted out of receiving them.

You Have the Right to Access Your Personal Data and the Right to Data Portability. You have the right to confirm whether we are processing your personal data and, if so, to access information about the specific items of personal data we have collected about you. If you request a copy of your personal data, you have the right to receive it in a portable and, to the extent technically feasible, readily-usable format that allows you to transmit the data to another party without undue difficulty.

You Have the Right to Correct Your Personal Data. If you believe any personal data we have about you is incorrect, you can contact us at any time at support@rythm.fm to request that we make the appropriate edits to correct that data. In addition, if you have an account on our Services, you may be able to update certain of your account details directly through the Services.

You Have the Right to Request Deletion of Your Personal Data. As noted above, we have standard retention practices with respect to the personal data we collect. If you would like to request any earlier deletion of your personal data, you may contact us at support@rythm.fm with this request. Please note that we may not be able to completely remove personal data in certain circumstances. This will be true if the data is not in a searchable format, or if it is retained in backup systems or in cached or archived pages. We also may not be able to delete personal data to the extent it is necessary to conduct active and ongoing business with you, if we are required by law to retain it, or keeping the data it is necessary to comply with our legal obligations, resolve disputes, prevent fraud or future abuse, or otherwise enforce our rights.

You Have the Right to Non-Discrimination. We will not discriminate against you for exercising your privacy rights.

Limitations. Each of the rights set forth above may be subject to certain limitations as set forth in applicable law. Your rights may depend on your state of residence, as different states have adopted privacy laws that provide for specific rights and remedies applicable solely to residents of such states.

Exercising Your Rights. To exercise any of the above rights, or if you have any questions regarding our practices regarding personal data, please contact us at support@rythm.fm. Please note that we may be required to request information from you to verify your identity in connection with any such request, as a security measure to ensure that your personal data is not disclosed to any person who has no right to receive it. If you make any request to exercise your rights, we will respond within the time period required by law (or if no time period is required, within a reasonable period of time). If we are unable to comply with your request, we will inform you of this. If you do not agree with any action we have taken following a request to exercise your rights, or otherwise object to our handing of your personal data, you may have the right to appeal or to raise your objection with your state's regulatory authority. We would, however, appreciate the opportunity to address your concerns directly before you approach a regulatory authority, so please contact us in the first instance, at support@rythm.fm.

B. Rights Applicable to California Residents

For purposes of the CPRA, you have the following rights with respect to your personal information. Please note that your rights are subject to limitations and exceptions set forth in the CPRA:

• Right to Know – You have the right to ask us to provide you with information about our collection and use of your personal information over the past 12 months.
• Right to Access (Data Portability) – You have the right to ask us to provide you with copies of personal information that we have collected about you, in a portable and readily-usable format. Please note that access requests may be made free of charge up to twice in any 12-month period.
• Right to Request Deletion – You have right to ask us to delete personal information about you that we have collected and retained.
• Right to Correct – If you believe any personal information we have about you is incorrect, you have the right to request that we rectify any inaccuracies.
• Right to Non-Discrimination and Non-Retaliation – You have the right not to be discriminated or retaliated against for exercising any of your CPRA rights.
• Right to Opt Out of Sales or Sharing (for Cross-Context Behavioral Advertising) – You have the right to ask us not to sell or share (for cross-context behavioral advertising) your personal information.

To exercise any of the rights described above, you must submit a verifiable consumer request to us. You can do so by emailing us at support@rythm.fm.

Only you, or a person registered with the California Secretary of State that you expressly authorize to act on your behalf, can make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.

We cannot respond to your request or provide you with information if we cannot identify you or confirm your authority to make the request, so any request will require you to provide sufficient information to allow us to reasonably verify your identity and/or the identity and authorization of your agent (if applicable). We will only use any personal information provided in a verifiable consumer request to verify the requesting party's identity or authority to make the request. The information requested to verify your identity, or the identity and authorization of your agent, is dependent on your relationship with Rythm and the type of information available to us.

We will respond to any verifiable consumer request in the manner and within the timeframes required by the CPRA. If your request is denied, you may have the right to appeal the denial in accordance with the instructions provided to you when the denial is made.

In addition:

• California's "Shine the Light" law permits California residents to request certain details about our disclosure of their personal information to third parties for those third parties' own direct marketing purposes. If you are a California resident and you would like to make such a request, please contact us at support@rythm.fm. Please note that there are legal limits on how often you can make such a request, and we are only obligated to respond to one information request per customer per year.
• Although users of our Services are required to be at least 18 years old, if any California residents under the age of 18 have used the Services, created an account, and posted content or information on the Services, they can request removal by contacting us at support@rythm.fm, detailing where the content is posted and confirming that they posted it. Following such a request, we will terminate the unauthorized account, and will make reasonable good faith efforts to remove any post or information from public view, or anonymize it so that the minor cannot be individually identified. However, removal of public postings cannot ensure complete or comprehensive removal, as third parties may republish, archive, or cache web content in a manner that is out of our control.

C. International Users of the Services

If you are in the European Union (EU) or the United Kingdom (UK), under the EU's General Data Protection Regulation (and the UK equivalent, collectively referred to as the GDPR), you have the right to block us from using, or to limit the way we can use, your personal data, as well as the right to object to our use of your personal data, including when we use it for our legitimate business interests. These rights are in addition to the Right to Access Your Personal Data, Right to Correct Your Personal Data, Right to Request Deletion of Your Personal Data, and Right to Data Portability (all disclosed above). Please note that we have disclosed our legal bases for processing your personal data above in this Notice.

If you are not satisfied with how we have responded to any request you make regarding the above rights, you may be able to raise your complaint with the Data Protection Authority in your jurisdiction.

For purposes of the GDPR, the Data Controller of the information you provide is Rythm Inc., 440 N Barranca Ave, Covina, CA, 91723.

If you are from the EU or are located in the European Economic Area (EEA) or in the UK, we are required to give you information about the transfer of your information outside the EEA/UK. If this applies to you, whenever you voluntarily give us your personal data, you should understand that your information will be sent by you to the United States, a jurisdiction that does not provide the same framework for the protection of personal data as the EEA/UK. By sending us your personal data, you are expressly consenting to the transfer by you of information from your location within the EEA/UK to our servers in the United States.

In addition, if we send any of your personal data to servers located within the EEA/UK, if we then transfer your personal data from those servers to areas located outside of the EEA/UK, we will adopt adequate measures as required by the GDPR (for example, the adoption of standard contractual clauses between us and the recipient).