Privacy Policy
How samplesh handles your data — what we collect, why, and what your rights are.
Last updated: April 29, 2026
1. Who runs this site
samplesh (https://samplesh.com) is a personal music-discovery project operated by Mehmet Baran Korkusuz, an individual based in Türkiye. There is no company, employees, or paid staff behind it. For any privacy-related question, contact curcubaran@gmail.com.
For the purposes of the EU/UK General Data Protection Regulation (GDPR) and the Turkish Personal Data Protection Law (KVKK), the data controller is the operator named above.
2. The short version
- samplesh has no user accounts, no sign-up, and no database that holds identifiable user data.
- We use Google Analytics 4 (when configured) to understand aggregate usage. You can opt out — see Section 6.
- Videos are streamed through YouTube's embedded player, which means Google can set its own cookies and see your IP/browser when a video loads.
- The optional feedback form sends your message — together with your IP address, user agent, page URL, and an approximate location derived from your IP — to the operator's inbox by email. There is no public-facing database.
- Your discovery filters, history, and player preferences live in your browser's local storage. That data stays on your device; we never see it.
- We do not sell your data, run advertising, or share data with marketing networks.
3. Information we collect
3.1 Automatically, when you visit
- IP address. Visible to our hosting provider (AWS in Frankfurt) and used briefly by the application to rate-limit feedback submissions and prevent abuse. We do not log it to a persistent store.
- Request metadata. Standard HTTP headers (user agent, referer, language) — used at request time, not retained beyond ephemeral container memory.
3.2 Through Google Analytics 4 (when enabled)
- Page views, custom events (e.g. "discover clicked", "filter applied" where instrumented), screen size, approximate location, referrer, and a pseudonymous GA-assigned identifier stored in cookies on your browser.
- Google processes the underlying IP address as part of GA4's default behaviour and, per Google, truncates it before storage. We do not have access to raw IPs in the GA4 interface.
3.3 Through the YouTube embedded player
Each video is rendered inside an iframe served by youtube.com. When the iframe loads, your browser communicates directly with Google: it can set cookies, log your IP and user agent, and apply your YouTube account preferences if you are signed in. samplesh does not control or see this exchange. Google's practices are described in the Google Privacy Policy.
3.4 When you submit the feedback form
The feedback endpoint receives and forwards by email:
- The message you wrote.
- Your IP address and user agent (for abuse triage).
- The page URL (Referer) you submitted from.
- An approximate city/country derived from your IP via ipapi.co.
- The timestamp of submission.
These details are sent through Resend to the operator's personal email inbox. There is no database, no CRM, and no analytics layer recording feedback content. Your IP is briefly held in process memory for rate-limiting purposes (see Section 8) and is discarded when the container restarts.
3.5 In your browser's local storage
Discovery filters, recently watched tracks ("history"), and player preferences (volume, autoplay, random-start toggle) are persisted to your browser's local storage. This data lives on your device, is never transmitted to our servers, and can be cleared at any time via your browser settings.
4. What we do not collect
- No accounts, usernames, or passwords — we have no authentication system.
- No payment, billing, or financial data — the service is free.
- No mailing list, no newsletter, no marketing email.
- No precise geolocation (we do not request the browser's Geolocation API).
- No microphone, camera, or biometric data.
- No special categories of data under GDPR Art. 9 (health, religion, political opinions, etc.) — we have no use for them and ask for none.
5. How we use the information
- To operate the site, serve discovery results, and debug errors.
- To understand aggregate usage patterns through Google Analytics 4.
- To prevent abuse and apply rate limits to the feedback endpoint.
- To read and reply to feedback you voluntarily send us.
- To comply with legal obligations if and when they arise.
6. Legal bases (GDPR / UK GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following lawful bases under Article 6 GDPR:
- Consent (Art. 6(1)(a)). For non-essential analytics cookies and the loading of the YouTube embedded player. You may withdraw consent at any time; withdrawal does not affect processing already carried out lawfully.
- Legitimate interests (Art. 6(1)(f)). For operating the service, debugging, abuse prevention, and rate limiting on the feedback endpoint. We have balanced these interests against your rights and consider the impact minimal.
- Performance of a request (Art. 6(1)(b)). For replying to feedback you voluntarily submit.
- Legal obligation (Art. 6(1)(c)). Where required by applicable law.
We do not currently display a cookie-consent banner. Until one is in place, you can opt out of analytics cookies by following one of these paths:
- Install the Google Analytics opt-out browser add-on.
- Block third-party cookies in your browser settings.
- Use private/incognito browsing.
- Send a Global Privacy Control signal — we will treat it as a request to disable non-essential analytics where the underlying provider supports it.
7. Sharing and third parties
We do not sell personal information and we do not share it with marketing or advertising networks. The third parties below process limited data on our behalf or because they provide an integration that runs in your browser:
| Service | Role | What it receives |
|---|---|---|
| Google (Analytics 4) | Independent controller / processor | Pseudonymous identifier, page views, events, truncated IP, user agent. |
| Google (YouTube embed) | Independent controller | IP, user agent, YouTube cookies, watch interaction with the embedded player. |
| Amazon Web Services | Hosting provider (eu-central-1, Frankfurt) | IP and request metadata at the load balancer. |
| Resend | Email delivery (feedback form) | The contents of the feedback email we send to ourselves. |
| ipapi.co | Geo-lookup (feedback form) | Your IP address (sent server-to-server) when you submit feedback. |
| Discogs | Catalogue source | Server-to-server queries — no personally identifying user data is sent. |
| MusicBrainz / AcousticBrainz | BPM lookup | Server-to-server queries — no personally identifying user data is sent. |
We may also disclose information when required by law (e.g. court order, legal process) or when necessary to protect our rights, your safety, or the integrity of the service.
8. International transfers
Hosting is in Frankfurt, Germany (AWS eu-central-1), so most processing occurs inside the EU/EEA. However, several of the third parties listed above (Google, Resend, ipapi.co, Discogs, MetaBrainz) operate globally and may transfer data outside the EEA, including to the United States. Where such transfers happen, we rely on the safeguards published by each provider, including, where applicable, the European Commission's Standard Contractual Clauses and the EU–US Data Privacy Framework.
9. Retention
- Server logs. Ephemeral. Held in container memory for the lifetime of the running task and discarded on restart. Load-balancer access logs, where retained at all by AWS, follow AWS retention defaults.
- Feedback rate-limit data. Held in process memory for ten minutes (the rate-limit window). Not persisted.
- Feedback emails. Retained in the operator's personal inbox until manually deleted. You can request deletion at any time (Section 10).
- Google Analytics 4. Subject to Google's retention settings — by default, event-level data is retained for fourteen months.
- Local storage on your device. Lives on your device until you clear it. We have no copy.
10. Your rights
10.1 If you are in the EU/EEA, the United Kingdom, or Switzerland (GDPR)
You have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Request deletion ("right to be forgotten").
- Restrict or object to processing based on legitimate interests.
- Receive a copy in a portable format.
- Withdraw consent at any time, where consent is the legal basis.
- Lodge a complaint with your local data protection authority — for example, the German BfDI (since hosting is in Germany), the UK ICO, the French CNIL, or the authority where you reside.
10.2 If you are a California resident (CCPA/CPRA)
California residents have the right to know what categories of personal information have been collected, the sources, the purposes, and the categories of third parties to whom it is disclosed; the right to delete; the right to correct; the right to opt out of the "sale" or "sharing" of personal information; and the right to non-discrimination for exercising any of these rights.
We do not sell personal information for monetary consideration. Use of Google Analytics may, depending on configuration, qualify as "sharing" for cross-context behavioural advertising purposes under the CPRA. To opt out, follow any of the steps listed in Section 6, or contact us. We honour Global Privacy Control signals.
10.3 If you are in Türkiye (KVKK)
Under the Turkish Personal Data Protection Law (Kişisel Verilerin Korunması Kanunu — Law No. 6698), you have the rights set out in Article 11, including the right to learn whether your personal data is processed, request information about the processing, request correction or deletion, object to processing carried out exclusively by automated means, and demand compensation for damage caused by unlawful processing. Requests can be sent to curcubaran@gmail.com.
10.4 How to exercise your rights
Email curcubaran@gmail.com with a clear description of what you want. We may need to ask for additional information to verify the request. We aim to respond within thirty days; the legally required period in your jurisdiction will apply if longer or shorter.
11. Children
samplesh is not directed at children under thirteen, and we do not knowingly collect personal data from them. If you believe a child has submitted personal data through the feedback form, contact curcubaran@gmail.com and we will delete the relevant email and any derived data.
12. Security
Traffic to and from samplesh is encrypted in transit via HTTPS. Secrets and API keys are stored in a managed secret vault (Doppler) and are never exposed to the browser. We apply reasonable technical and organisational measures, but no method of transmission or storage is perfectly secure, and we cannot guarantee absolute security.
13. Breach notification
In the unlikely event of a personal-data breach that creates a high risk to your rights or freedoms, we will notify the relevant supervisory authority and affected users without undue delay, in accordance with applicable law (in the EU, GDPR Articles 33–34).
14. Changes to this policy
We may update this Privacy Policy as the service evolves or as legal requirements change. The "Last updated" date at the top of the page reflects the most recent revision. Material changes will be communicated by updating the page. Continued use of samplesh after a revision is published constitutes acceptance of the updated policy.
15. Contact
For any privacy or data-protection question, write to curcubaran@gmail.com.