This Privacy Policy explains how SwaLay Digital, a brand operated by TalantonCore LLP (“SwaLay”, “we”, “us”, “our”), collects, uses, stores, shares, and protects your personal data when you use our Platform, including the websites at https://swalay.in, https://swalay.com, https://swalay.talantoncore.in, and https://swalayplus.in, the SwaLay applications, the artist dashboard, and SwaLay Studio (collectively, the “Platform”).

For the purposes of the Digital Personal Data Protection Act, 2023 and the Digital Personal Data Protection Rules, 2025 (together, the “DPDP law”), TalantonCore LLP is the Data Fiduciary that determines the purpose and means of processing your personal data. By using the Platform, you acknowledge that you have read and understood this Policy. Where the law requires your consent, we will obtain it through a clear, separate, affirmative action, and you may withdraw it at any time.

This Policy should be read together with our Terms of Service, Copyright & Intellectual Property Policy, Content Distribution Policy, Royalty Sharing Policy, and Grievance Redressal Policy.

1. Itemised Notice: What We Collect and Why

In plain language, this is the personal data we collect and the specific purpose for each category. We collect only what we need for the purposes described.

Account information.  Your name, email address, phone number, date of birth, and password to create and secure your account, verify that you are eighteen (18) or older, and communicate with you.

Artist and label information.  Artist or label name, biography, social links, and PAN  to operate your profile, distribute your Content, and meet Indian tax obligations.

Payment and payout information.  Bank account or UPI details and transaction history to process subscription payments and pay your royalties.

Identity and age verification data.  Government-recognised identifiers and documents, including data verified through Aadhaar-based or DigiLocker-based verification and PAN verification, used solely to confirm your identity and that you are eighteen (18) or older, to prevent fraudulent or underage registration, and to comply with law. We collect the minimum necessary and do not store more identity data than required for this purpose.

Content and metadata.  Audio files, artwork, lyrics, titles, credits, and ISRC/UPCs to distribute and manage your releases.

Usage, device, and log data.  Device and browser details, IP address, access times, pages and features used, and error reports to operate, secure, and improve the Platform.

Communications.  Your messages to support and related attachments to respond to and resolve your queries.

Third-party sources.  Profile data from social logins you choose to use, aggregated performance data from DSPs, and confirmations from payment processors to enable login, analytics, and payments.

2. Lawful Bases for Processing

We process your personal data on one or more of the following bases recognised under the DPDP law and other applicable law: your consent; the necessity of performing our contract with you (such as account management, distribution, and royalty processing); certain legitimate uses permitted by law; and compliance with legal obligations, including tax, anti-fraud, and lawful Government requests. Where we rely on consent, you may withdraw it at any time, and withdrawal does not affect processing carried out before withdrawal.

3. How We Use Your Data

We use personal data to: create and manage your account; verify your age and identity; distribute your Content to DSPs; calculate and pay royalties; provide analytics; send transactional messages and, with your consent, marketing; maintain security and prevent fraud; improve the Platform; handle Content ID and copyright matters; provide support; and comply with law. We do not sell your personal data.

4. Audio, Processing & Content ID Data

We store your original audio on secure servers for the duration of your distribution and use it only as you authorise. SwaLay Studio generates technical processing data (such as waveform and loudness measurements) retained for quality assurance. For Content ID, we generate audio fingerprints that are mathematical representations of your audio and cannot reconstruct the original recording; these are shared with relevant platforms to detect unauthorised use. For CRBT, relevant clips and metadata are shared with telecom operators who process them under their own policies.

5. Cookies & Tracking

We use essential cookies (required for login, sessions, and security), functional cookies (preferences), and analytics and performance cookies (to understand and improve usage). You can manage non-essential cookies through your browser or our consent tool; disabling essential cookies may break parts of the Platform. We may use pixels in emails to measure engagement.

6. Sharing Your Data

We share personal data only as needed and under appropriate safeguards, with: DSPs and aggregators (to distribute your Content); telecom operators (for CRBT); payment processors and banking partners (for payments and payouts); YouTube and Content ID partners (for rights management); service providers for hosting, storage, email, analytics, and support who are contractually bound to protect it and use it only for our purposes; and legal or regulatory authorities where required by valid legal process. In a merger, acquisition, or asset sale, data may transfer as part of the transaction, and we will notify you as required. We engage Data Processors only under contracts that require appropriate security measures, as the DPDP Rules require.

7. Data Retention & Erasure

We keep personal data only for as long as necessary for the purpose for which it was collected, or as required by law. Account data is retained while your account is active and for a limited period after closure to meet legal and dispute-resolution needs. Financial and tax records are retained for the minimum period required by Indian tax law. When personal data is no longer needed because the purpose is fulfilled, you withdraw consent, or you have not engaged with the service within the applicable retention period, we erase or anonymise it, except where retention is required by law or for a legal hold. You may request erasure as described in Section 11.

8. Data Security

We apply reasonable technical and organisational security safeguards, as required by the DPDP Rules, including encryption in transit (TLS) and at rest for sensitive data such as payment and identity information, role-based access controls, multi-factor authentication for administrative access, secure cloud infrastructure, monitoring, and periodic security assessments. SwaLay operates an information security management system certified to ISO/IEC 27001. No system is perfectly secure, but we are committed to protecting your data and maintaining audit logs for the period the Rules require.

9. Personal Data Breach Notification

If a personal data breach occurs, we will act in accordance with the DPDP Rules. We will intimate the Data Protection Board of India and the affected individuals without undue delay on becoming aware of the breach, and will submit a detailed report to the Board within seventy-two (72) hours, or within such longer period as the Board allows. Our notification to affected individuals will describe, in plain language, the nature of the breach, the personal data likely affected, the measures we have taken, the steps you can take to protect yourself, and how to contact us with questions.

10. Children’s Data

The Platform is intended only for persons aged eighteen (18) and over. We do not knowingly collect or process the personal data of a child. Our age-verification measures, including Aadhaar-based and DigiLocker-based verification, are designed to prevent underage registration. If we learn that we have collected a child’s data, we will delete it and terminate the associated account. Where the DPDP law requires verifiable consent of a parent or lawful guardian for any processing of a child’s data, we will obtain it before such processing; however, our distribution, monetisation, and royalty services remain restricted to adults.

11. Your Rights  India (DPDP Law)

As a Data Principal, you have the right to: access a summary of your personal data and our processing; correct, complete, update, or erase your personal data; nominate another person to exercise your rights in the event of death or incapacity; withdraw consent at any time; and grievance redressal. You can exercise these rights using the publicly available mechanism we provide by contacting our Grievance Officer (Section 16) using the email and identifier associated with your account. We will respond within the timelines required by law and resolve grievances within ninety (90) days. If you are not satisfied, you may complain to the Data Protection Board of India through its online portal.

12. Your Rights  EEA, UK & Switzerland (GDPR)

If you are in the EEA, the UK, or Switzerland, you have rights of access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making, and you may withdraw consent. To exercise them, contact us using Section 16. We will respond within thirty (30) days. You may also complain to your local supervisory authority.

13. Your Rights  California (CCPA/CPRA)

If you are a California resident, you have rights to know, delete, correct, opt out of sale or sharing (we do not sell personal data), limit the use of sensitive personal information, and not be discriminated against for exercising your rights. Contact us using Section 16; we will verify your identity before acting.

14. International Data Transfers

SwaLay is based in India. Your data may be processed in India and in other countries where our service providers or DSP partners operate. Where we transfer data internationally, we apply appropriate safeguards, such as standard contractual clauses and supplementary measures, and we comply with any restrictions on cross-border transfer under the DPDP law and other applicable law.

15. Changes to This Policy

We may update this Policy to reflect changes in our practices or the law. We will update the “Last Updated” date, provide notice on the Platform, and, for material changes, email you where required. We keep version-controlled records of each iteration. Your continued use after a change takes effect constitutes acceptance, subject to your right to withdraw consent and close your account.

16. Grievance & Data Protection Officer

In accordance with the Information Technology Act, 2000, the DPDP Act, 2023 and the DPDP Rules, 2025, our Grievance Officer is the point of contact for privacy questions, rights requests, and complaints. We will acknowledge your grievance within twenty-four (24) hours and resolve it within the period required by law, and in any event within ninety (90) days for data-protection grievances.

Grievance & Data Protection Officer

SwaLay Digital (a part of TalantonCore LLP)

TalantonCore HO, Graphix Tower-2, A-13, Sector 62, Noida, Gautam Buddha Nagar – 201301, Uttar Pradesh, India

Email: swalay.care@talantoncore.in

For users in the EEA, UK, or Switzerland, the Grievance Officer also serves as the contact for GDPR matters. If unsatisfied, you may escalate to the Data Protection Board of India, your local EU supervisory authority, or the UK ICO.

17. Contact Information

SwaLay Digital (a part of TalantonCore LLP)

TalantonCore HO, Graphix Tower-2, A-13

Sector 62, Noida, Gautam Buddha Nagar

Pin- 201301, Uttar Pradesh, India

General & Privacy Inquiries: swalay.care@talantoncore.in

Websites: https://swalay.in  ·  https://swalay.com  ·  https://swalay.talantoncore.in  ·  https://swalayplus.in