Privacy Policy

Last updated: 25 April 2026 (v2)

1. Who We Are

This site is operated by Mark Turrell, Miquelstr 8, 14199 Berlin, Germany.

For privacy-related enquiries: hello@mwizard.live

This Privacy Policy forms part of the Terms & Conditions of the Site and is incorporated there by reference.

2. What Data We Collect

2.1 Newsletter Signup

When you subscribe to our newsletter, we collect:

• Email address (required)
• Name (optional)

Legal basis: Your consent (Art. 6(1)(a) GDPR). You can withdraw consent at any time by unsubscribing.

Purpose: To send you updates about new music, events and related content.

Retention: Until you unsubscribe, at which point your data is deleted within 30 days.

2.2 Contact Form

When you send a message through the contact form, we collect:

• Name
• Email address
• Your message

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) — to respond to your enquiry.

Purpose: To read and respond to your message.

Retention: Messages are retained for up to 12 months, then deleted.

2.3 Server Logs

Our hosting provider (Railway) collects standard server logs including IP addresses, browser type, and access times. These are processed by the hosting provider under their own privacy policy and are not accessed by us for tracking purposes.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) — security and infrastructure maintenance.

2.4 First-Party Creative Analytics (Variant Performance)

When you visit an individual track landing page (for example /track/136), or follow an outbound link from such a page to a streaming platform, we record a minimal record on our own servers to help us understand which creative versions of our hook videos drive interest. We do this ourselves on our own servers — no third-party analytics provider, no cookies, no localStorage, no fingerprinting, no cross-device tracking.

What we record per landing:

• Which track, hook, and creative variant you arrived at
• The referring source (for example: tiktok, direct, a domain such as instagram.com)
• Your browser family and operating system family (for example "Chrome mobile on iOS") — the full User-Agent string is parsed server-side and not stored
• Your truncated IP address (IPv4 addresses are truncated to a /24 prefix and IPv6 to a /48 prefix; we do not store your full IP address). The truncated value is held alongside the other fields above and is also used to derive your country where geolocation data is available
• A daily-rotating visitor hash — a SHA-256 hash of your truncated IP plus browser family plus a secret salt that is rotated and discarded on a fixed 24-hour schedule by an out-of-process job — used only to de-duplicate repeat visits within a single rotation window
• Timestamp

What we additionally record if you click through to a streaming platform:

• Which destination (Spotify, Bandcamp, Apple Music, YouTube, etc.) you clicked
• Which track, hook, and variant the click came from
• Your daily-rotating visitor hash (as above) and timestamp

What we deliberately do NOT record: your full IP address, your full User-Agent string, any cookie, any localStorage or sessionStorage identifier, any device fingerprint, any persistent cross-session identifier, any cross-device identifier, and any information that would allow us to match a visit to a named individual.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR). We have completed a Legitimate Interest Balancing Test weighing our interest in understanding which creative variants drive streaming interest against your interest in not being tracked. The test is available on request. The design above (data minimisation, no cookies, no profiling, short-horizon de-identification) is the direct output of that balancing test.

Purpose: Purely internal analysis of which creative variants of our hook videos are most effective at driving interest in our music. We do not use this data for marketing, retargeting, profiling of individuals, advertising, or any form of outbound communication with visitors.

Notice at point of collection: Each track landing page carries an in-page notice that the page is logged for our creative analytics, with a link to this section.

Retention: Records are retained on a rolling basis only while the creative variant they relate to is still being used for active comparison, with a hard cap of 548 days (approximately a year and a half) from the timestamp of the record. When a creative variant is retired, all records relating exclusively to it are purged within 30 calendar days. Both the rolling per-variant purge and the hard-cap purge are run automatically and recorded in an internal audit log. The retention design is reviewed quarterly.

Processors: The data is stored on our hosting provider (Railway, EU West region, Amsterdam, Netherlands). No third party receives this data.

Identifiability horizon: The visitor hash relies on a secret salt that is rotated and discarded on a fixed 24-hour schedule by an out-of-process job. The schedule is not dependent on site traffic. After a salt has been discarded we cannot reconnect a record to any particular visitor, even if asked to. This is a deliberate minimisation choice and it shapes the practical scope of your rights below (see §7).

3. What We Do Not Collect

• We do not use tracking or advertising cookies.
• We do not build long-term user profiles (see §2.4 for the 24-hour identifiability horizon applied to creative analytics).
• We do not sell or share personal data with third parties for marketing.
• We do not use social media tracking pixels.
• We do not fingerprint devices.

4. Analytics

4.1 Plausible Analytics (aggregate site traffic)

We use Plausible Analytics, a privacy-focused analytics service based in the EU, for aggregate site-wide traffic statistics (page views, referring domains, country breakdown, device type).

Plausible processes the visitor's IP address transiently on its servers to derive country information and a daily-rotated session-grouping hash, then discards the IP — no IP, no cookie, and no cross-session identifier is retained. This is a minimal but legally a personal-data processing operation under EU law (CJEU C-582/14 Breyer, 2016: an IP address processed by a service is personal data even where the resulting record is not). The legal basis is our legitimate interest in measuring aggregate site traffic. Because Plausible processes no persistent identifier on your device and no consent-required identifier under the ePrivacy Directive, no consent banner is required.

More information: plausible.io/data-policy

4.2 First-Party Creative Analytics

In addition to Plausible, we operate our own first-party analytics on individual track landing pages (see §2.4). This is self-hosted on the same server as the Site, uses no cookies, no third party, and no cross-session identifiers beyond a hash that de-identifies on a fixed 24-hour schedule. The legal basis is legitimate interest, as documented in our Legitimate Interest Balancing Test (available on request).

5. Third-Party Services

Fonts are self-hosted on our server. No external font services are used, and no data is shared with font providers.

External links to Spotify, Apple Music, SoundCloud, Bandcamp, YouTube and similar platforms are provided for convenience. When you click such a link, we record the click (see §2.4), you leave our site, and you are subject to those platforms' privacy policies. We do not share personal data with those platforms — we simply redirect your browser.

6. Data Transfers

Your data is processed within the EU. Our hosting provider (Railway) operates in the EU West region (Amsterdam, Netherlands). Plausible Analytics is also EU-based. Fonts are self-hosted. No personal data is transferred outside the EU/EEA.

7. Your Rights

Under the GDPR, you have the right to:

• Access — request a copy of the personal data we hold about you
• Rectification — correct inaccurate data
• Erasure — request deletion of your data
• Restriction — limit how we process your data
• Data portability — receive your data in a machine-readable format
• Objection — object to processing based on legitimate interest (including the first-party analytics described in §2.4)
• Withdraw consent — at any time, without affecting prior processing

Practical scope of these rights for first-party creative analytics (§2.4): The §2.4 design deliberately places no persistent identifier on your device. As a result, we cannot recognise you on a return visit and therefore cannot apply an individual prospective block to your future visits. Two practical paths remain open to you: (i) within the 24-hour identifiability window of any visit, you may write to us and we will delete the records corresponding to that visit before the salt rotates; (ii) on request, we will add your network range and browser family to a server-side exclusion list — note that this is necessarily over-broad (it will also exclude other visitors sharing those characteristics) and will lapse if your network address changes. We are explicit about these limits because the law (Art. 12(2) GDPR) requires us to facilitate the exercise of your rights honestly, including where the design genuinely constrains them.

To exercise any of these rights, contact us at hello@mwizard.live. We will respond within 30 days.

8. Right to Complain

You have the right to lodge a complaint with a data protection supervisory authority. For Berlin, this is the Berliner Beauftragte für Datenschutz und Informationsfreiheit (datenschutz-berlin.de).

9. Age Restriction

This site is intended for users aged 16 or older. We do not knowingly collect data from anyone under 16. If you believe a child has submitted data to us, please contact us and we will delete it promptly.

10. Changes to This Policy

We may update this policy from time to time. The "last updated" date at the top reflects the latest version. We encourage you to review this page periodically. Material changes to §2.4 (first-party creative analytics) will be announced on the site homepage for at least 30 days before they take effect.

11. Contact

Mark Turrell
Miquelstr 8, 14199 Berlin, Germany
hello@mwizard.live