// Compliance
Privacy Policy
Last updated: April 17, 2026
Plain-Language Summary
- You can browse most of the site without giving us any personal information.
- When you create a Crew account we store your email, username, password hash, display-name preferences, and — optionally — your first name, last name, ZIP code, avatar, and bio.
- If you connect YouTube, we store the Google OAuth tokens we need to like videos, post comments, and manage your subscription to our channel at your request. We do not sell or share that data with anyone, and we do not use it to train AI models.
- Payments are handled by Stripe. We never see or store your raw credit-card number.
- You can disconnect YouTube, export your data, or permanently delete your account from your account settings at any time.
Information We Collect
A. Information you give us directly
When you register for a Crew account and use the site, we collect:
- Account credentials— email address and a hashed, salted password (we never store your password in plaintext).
- Profile information— username, display-name format preference, and optional first name, last name, ZIP code, bio, and avatar image.
- Communications— the content of messages, forum posts, comments, presave signups, and newsletter subscriptions you choose to submit.
- Payment information— collected and processed by Stripe on Stripe-hosted pages. We store only your Stripe customer ID, current Crew rank, subscription status, and invoice metadata returned by Stripe webhooks.
B. Information collected automatically
- Authentication cookies set by our CMS (Payload) to keep you logged in, and a
tsm_user_ididentity cookie (up to 90 days) that remembers which presave profile belongs to you when you return after a Spotify handoff. - Analytics and performance data collected via Vercel Analytics and Vercel Speed Insights — aggregated page views, Web Vitals, referrers, approximate geography, and anonymized visitor hashes. These services do not use third-party cookies and do not build cross-site advertising profiles.
- Server logs— IP address, user-agent, timestamps, and request paths kept for a short period for security and debugging purposes.
C. Information from third-party services
If you choose to connect an external service, we receive only the data that service returns to us:
- Google / YouTube— OAuth access token, refresh token, token-expiry timestamp, and (at your action) the channel snippet we use to render your avatar. See Section 4 for the full disclosure.
- Spotify— an anonymized Spotify user ID, a refresh token limited to the scopes you grant during presave, and your email address if you complete a presave flow.
- Stripe— customer ID, subscription status, price ID, invoice history, and the last four digits / brand of your payment method (for display purposes only). Stripe’s privacy practices are described in the Stripe Privacy Policy.
How We Use Your Information
We use the information above to:
- Create and operate your Crew account.
- Provide the features you request — playing music, unlocking Vault content that matches your rank, posting comments, liking videos, subscribing to our YouTube channel, and processing subscription payments.
- Send transactional messages (receipts, membership changes, password resets) and, if you opt in, newsletter and release alerts.
- Protect the service against fraud, abuse, and unauthorized access.
- Comply with legal obligations and enforce our Terms of Service.
We do not sell your personal information. We do not use your YouTube or Google data to train machine learning models, and we do not transfer it to advertising networks or data brokers.
Google API & YouTube Data Disclosure
The Second Messenger’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
A. Scopes we request
When you click Connect YouTube we ask for one OAuth scope:
https://www.googleapis.com/auth/youtube.force-ssl— required to perform the actions you initiate from within our site: liking videos, posting comments and replies on our channel, and subscribing to (or unsubscribing from) our channel.
We do not request youtube.readonly, youtubepartner, the Gmail, Drive, Calendar, Contacts, or any other Google scope. We do not read your private videos, playlists, subscriber lists, analytics, or any data outside the actions you trigger.
B. What we access, store, and share
Upon your authorization we receive from Google:
- A short-lived access token (~1 hour) and a refresh token used to obtain new access tokens.
- A token-expiry timestamp.
- When you interact with our comments UI: your public YouTube channel snippet (display name, profile image, channel URL) so your comment can render correctly.
These tokens are stored encrypted at rest in our Vercel Postgres database and are only accessible to (a) our server-side authentication code, and (b) the authenticated user who owns them. They are never exposed to the browser, never sent to third parties, and never used for any purpose other than executing the actions you explicitly initiate on our site.
We do not share Google user data with any third party. Google user data is also not used to train artificial intelligence or machine learning models.
C. Public YouTube data used to render the site
Independently of your Google account, we use a server-side YouTube Data API v3 key to fetch our own channel’s public uploads playlist and comment threads so visitors can watch and read along. This request returns only public data that anyone on youtube.com can already see and is cached for up to one hour.
D. Data retention & revocation
Your Google tokens are retained only for as long as your Crew account is active and YouTube remains connected. You can remove them at any time:
- Disconnect YouTube in your account — visit Account Settings and use the Disconnect YouTube control. This immediately deletes your access token, refresh token, and expiry from our database and revokes the token with Google.
- Revoke access directly with Google — visit Google Security Settings → Third-party apps with account access and remove “The Second Messenger.” Google will invalidate our tokens. If you don’t also disconnect on our side, our next refresh attempt will fail and the connection will be cleared automatically.
- Delete your entire account (see Section 8) — this also revokes and purges all Google tokens.
E. Required policy references
You can review the governing policies for this integration here:
Third-Party Processors
We rely on a small number of infrastructure providers, and share only the data each one needs to do its job:
- Vercel, Inc.— application hosting, Vercel Postgres database, Vercel Blob media storage, analytics. See the Vercel Privacy Policy.
- Cloudflare, Inc.— R2 object storage for large Vault downloads (stems, archives, high-res images, lossless audio, and video). See the Cloudflare Privacy Policy.
- Stripe, Inc.— payment processing, subscription management, and customer portal. Card numbers, CVCs, and billing addresses are collected and stored by Stripe directly; we never see them. See the Stripe Privacy Policy.
- Google LLC / YouTube LLC— OAuth identity, YouTube Data API v3 for both authorized write actions and public-channel reads.
- Spotify AB— presave flow and optional library syncing.
We may add or substitute processors over time; material changes will be reflected in this policy and in the “Last updated” date.
How We Protect Your Data
- All traffic to the site is served over HTTPS with HSTS.
- Passwords are hashed and salted by Payload CMS using industry-standard algorithms; we never store or log raw passwords.
- Google OAuth tokens, Spotify refresh tokens, and Stripe identifiers are stored in Vercel Postgres, encrypted at rest by the provider, and excluded from client-readable API responses via collection-level access control.
- Gated Vault files hosted on Cloudflare R2 are served through short-lived (1-hour) signed URLs scoped to a single object.
- Access to administrative dashboards is limited to the artist and explicitly designated collaborators, and is protected by session-based authentication.
No system is perfectly secure. If we become aware of a breach that affects your information, we will notify affected users and any applicable authorities as required by law.
Your Choices, Retention & Deletion
A. Data retention
We retain your account data for as long as your Crew account is active. Aggregate, de-identified analytics may be retained indefinitely. Stripe invoice and tax records are retained per Stripe’s own retention rules and applicable financial-records law (typically 7 years).
B. Access, correction, and export
You can view and edit most of your profile information directly from Account Settings. For a machine-readable export or to request correction of data you cannot self-edit, contact us at privacy@thesecondmessenger.com. We will respond within 30 days.
C. Disconnecting third-party services
Use the Disconnect YouTube button in Account Settings to clear and revoke your Google tokens immediately. You can also revoke access directly through the Google Security Settings.
D. Deleting your account
Deleting your account is permanent and, where possible, instant.
- In-app: open Account Settings and use the Delete Account control at the bottom of the page. When confirmed, we revoke any connected Google tokens, cancel active Stripe subscriptions at period end (or immediately, your choice in the confirmation dialog), delete your user record, and log you out.
- By email: send a deletion request from the email address on file to privacy@thesecondmessenger.com. We will action the request within 30 days and reply with confirmation once complete.
Some information must be retained after deletion for legal, accounting, or fraud-prevention reasons (for example, Stripe invoice records and minimal audit logs). We keep these records only for the period required and access them only as necessary.
E. Opting out of marketing
Every marketing email we send includes an unsubscribe link. You can also email privacy@thesecondmessenger.com with the subject “unsubscribe.” Transactional messages (receipts, security notices) cannot be opted out of without closing your account.
Children's Privacy
The Second Messenger is not directed to children under 13 (or the equivalent minimum age in your jurisdiction, such as 16 in parts of the EEA). We do not knowingly collect personal information from children. If you believe a child has created an account, contact us at privacy@thesecondmessenger.com and we will delete the account.
International Users
The service is operated from the United States. By using the site you understand that your data will be transferred to and processed in the United States and in the regions where our infrastructure providers (Vercel, Cloudflare, Stripe, Google) operate. Where required, transfers rely on Standard Contractual Clauses or other lawful transfer mechanisms maintained by those providers.
Regional Rights (GDPR / CCPA)
If you are in the European Economic Area, the United Kingdom, or California, you may have additional rights including access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint with a supervisory authority. You can exercise any of these rights by contacting privacy@thesecondmessenger.com. We do not sell personal information, so there is nothing to opt out of under the California “Do Not Sell” right.
Changes to This Policy
We may update this policy from time to time. When we do, we will revise the “Last updated” date at the top. For material changes affecting how we use your data, we will also notify Crew members by email or through a prominent notice in Account Settings. Continued use of the service after a change means you accept the updated policy.
Contact Us
Data-protection inquiries, deletion requests, and general legal questions can be sent to privacy@thesecondmessenger.com.