Privacy Policy

1. Scope and Applicability

This Privacy Policy explains how Lost Hills LLC ("Lost Hills," "Control," "we," "us," or "our") collects, uses, stores, shares, and otherwise processes personal information when you use Control, our customer relationship and workflow platform for music industry professionals.

This policy covers personal information submitted by account holders, invited team members, customers, visitors to our public website, support contacts, and event participants. If you are using Control on behalf of an organization, your organization may also control certain processing activities in your workspace.

2. Data Controller and Contact

Lost Hills LLC is generally the data controller for personal information processed in connection with providing Control to subscribers.

3. Information We Collect

We collect information in the categories below:

• Account and identity data: name, email, encrypted authentication credentials, login state, organization role, and profile details.
• Workspace and user-generated content: CRM records, contacts, campaigns, releases, notes, files, tasks, comments, and workflow history you or your team create.
• Commercial and billing data: plan tier, subscription status, invoices, billing address, tax information, and transaction metadata. Card numbers are processed by Stripe and are not stored by us in full.
• Device, network, and log data: IP address, browser type, operating system, approximate region, device identifiers, request headers, and timestamps.
• Usage and telemetry data: feature interactions, page views, session events, error traces, performance data, and diagnostic records.
• Support and communications data: messages, attachments, and metadata shared through support tickets, email, or product feedback.
• Cookie and similar technology data:identifiers used for session continuity, security, preferences, and analytics.

4. Sources of Information

We collect personal information from:

• You directly (for example, account sign-up, workspace entries, and support requests)
• Your organization administrators and invited collaborators
• Automated collection technologies in our app and website
• Payment processors and service providers involved in providing our service
• Third-party integrations you authorize to connect to Control

5. Legal Bases for Processing (EEA/UK/Swiss Users)

Where applicable law requires a legal basis, we process personal information on the following grounds:

• Contractual necessity: to provide and maintain Control, authenticate users, process payments, and fulfill support obligations.
• Legitimate interests: to secure the platform, prevent abuse, understand feature usage, and improve reliability and product quality.
• Legal obligations: to comply with tax, accounting, lawful access requests, and regulatory requirements.
• Consent: for certain optional analytics, marketing communications, and other processing where consent is required.

6. How We Use Information

We use collected information to:

• Operate, maintain, and improve Control and related services
• Create and administer accounts, workspaces, permissions, and authentication flows
• Process subscriptions, invoices, taxes, refunds, and billing support
• Provide customer support, onboarding, and service communications
• Monitor reliability, debug issues, and improve performance and security
• Detect and prevent fraud, abuse, unauthorized activity, and policy violations
• Comply with legal obligations and enforce contractual rights
• Send product updates or marketing notices subject to applicable consent rules

7. AI Features and Model Training

If Control provides AI-assisted functionality, we may process relevant prompts, context, and outputs needed to deliver those features. We do not use your Workspace Data to train general-purpose foundation models without your explicit opt-in consent.

We may use de-identified or aggregated product telemetry to improve service quality, reliability, and safety. We apply contractual and technical safeguards where AI-related subprocessors are involved.

8. Cookies and Similar Technologies

We use cookies, local storage, and similar technologies for:

• Essential authentication and session management
• Security and abuse prevention
• Preference storage (for example, interface and consent settings)
• Analytics to understand product use and improve user experience

You can adjust browser settings to block or clear cookies, but essential cookies are needed for core account functionality.

9. Disclosure of Information

We may disclose personal information in the following contexts:

• Service providers and subprocessors:infrastructure hosting, database services, analytics, authentication, customer support, and payment processing providers acting under contractual data protection terms.
• Workspace collaboration: data shared with users you invite or authorize within your organization.
• Legal and safety disclosures: when required by law, subpoena, court order, or to protect rights, safety, and platform security.
• Corporate transaction context: in a merger, acquisition, financing, or asset transfer, subject to standard confidentiality controls.

We do not sell personal information for money. We also do not share personal information for cross-context behavioral advertising.

10. International Data Transfers

Control is operated from the United States and may use providers in multiple countries. If you access the service from another jurisdiction, your information may be transferred to and processed in the United States or other locations with different data protection laws.

Where required, we implement recognized transfer safeguards such as contractual protections and supplementary security measures.

11. Data Retention and Deletion

We retain personal information for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce agreements.

• Active account and workspace data: retained while your subscription is active
• Post-cancellation workspace data: generally retained for up to 30 days to support export and recovery requests, then deleted or irreversibly anonymized
• Billing, tax, and compliance records: retained as required by accounting and legal obligations
• Security and audit logs: retained based on operational and legal necessity

12. Security Measures

We use administrative, technical, and physical safeguards designed to protect personal information, including encryption in transit, encryption at rest where applicable, access controls, authentication safeguards, least-privilege practices, and routine monitoring.

No system is perfectly secure. You are responsible for safeguarding your account credentials, using strong passwords, and promptly notifying us of suspected unauthorized access.

13. Incident Response and Breach Notification

We maintain incident response procedures to detect, contain, investigate, and remediate suspected security incidents. Where required by law, we notify affected users and relevant authorities within applicable timelines.

14. Your Privacy Rights and Choices

Depending on your location, you may have the right to:

• Know what personal information we collect and how it is used
• Request access to specific pieces of personal information
• Request correction of inaccurate personal information
• Request deletion of personal information, subject to legal exceptions
• Request portability of certain data in a usable format
• Object to or restrict certain processing activities
• Withdraw consent for consent-based processing
• Opt out of direct marketing communications
• Appeal certain privacy request decisions where required by law

To submit a request, email privacy@losthills.co. We may verify your identity before completing requests. Authorized agents may submit requests on your behalf where permitted by law.

15. U.S. State Privacy Disclosures

For residents of states with comprehensive privacy laws (such as California, Colorado, Connecticut, Virginia, Utah, and others), this section provides supplemental disclosures.

• We process categories of personal information described in Section 3 for the business purposes described in Section 6.
• We disclose personal information to categories of recipients listed in Section 9.
• We do not sell personal information.
• We do not share personal information for cross-context behavioral advertising.
• You may exercise applicable rights to access, delete, correct, and opt out where available under your state law.
• If we deny your request, you may appeal by contactingprivacy@losthills.co and including "Privacy Appeal" in the subject line.

16. EEA/UK/Swiss Supplemental Notice

If you are located in the EEA, UK, or Switzerland, you may have the right to lodge a complaint with your local data protection authority. You may also request details about the safeguards used for international data transfers.

17. Canada Supplemental Notice

For users in Canada, we process personal information for purposes a reasonable person would consider appropriate in the circumstances, obtain consent where required, and provide access and correction rights consistent with applicable Canadian privacy law.

18. Sensitive Data and Automated Decision-Making

We do not intentionally require or request highly sensitive personal information for normal platform use. Please avoid uploading sensitive data unless necessary for your lawful business operations and permitted under applicable law.

We do not engage in fully automated decision-making that produces legal or similarly significant effects about individuals without meaningful human involvement.

19. Do Not Track and Global Privacy Control

Some browsers send "Do Not Track" signals. Because there is not a universal technical standard for those signals, our services do not currently respond to browser DNT signals in a uniform way.

Where required by applicable U.S. privacy law, we recognize qualifying opt-out preference signals, including Global Privacy Control (GPC), for relevant processing activities.

20. Marketing Communications

You can unsubscribe from marketing emails at any time using the unsubscribe link in the message or by contacting us. Transactional and service-related communications will continue when necessary for account administration and service delivery.

21. Children's Privacy

Control is intended for professional use and is not directed to children under 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided personal information, contact us and we will take appropriate deletion steps.

22. Changes to This Privacy Policy

We may update this Privacy Policy periodically. If material changes occur, we will provide notice through the product, email, or other appropriate channels. The "Last updated" date indicates when the current version took effect.

23. How to Contact Us

Questions, complaints, or requests related to privacy should be sent toprivacy@losthills.co. For legal notices, contactlegal@losthills.co.

We aim to acknowledge privacy requests promptly and generally respond within 30 days, unless a different timeline is required by applicable law.