Privacy Policy
Last updated:
1. Introduction
MP3 Toolbox ("we", "us", "our") is committed to protecting your privacy and personal data in accordance with the General Data Protection Regulation (GDPR) (EU) 2016/679 and other applicable data protection laws. This Privacy Policy explains how we collect, process, store, and protect your personal data when you use our service.
By using MP3 Toolbox, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our service.
2. Data Controller
Data Controller: MP3 Toolbox
Website: https://mp3toolbox.com
Contact: For any data protection inquiries, please contact us through our website.
As the data controller, we are responsible for determining the purposes and means of processing your personal data.
3. Legal Basis for Processing
Under GDPR Article 6, we process your personal data based on the following legal bases:
- Legitimate Interest (Article 6(1)(f)): Processing IP addresses for rate limiting and security purposes to ensure service availability and prevent abuse.
- Consent (Article 6(1)(a)): For optional cookies and local storage preferences, where you have provided explicit consent.
- Contract Performance (Article 6(1)(b)): Processing your uploaded files to provide the conversion service you requested.
4. Types of Personal Data We Collect
4.1 Data You Provide
- Uploaded Files: Audio and video files you upload for conversion. These files may contain personal information embedded in metadata (e.g., artist names, album titles).
- Cover Art Images: Images you upload to embed into MP3 files.
- Metadata Edits: Information you provide when editing MP3 tags (title, artist, album, year, genre, track number).
4.2 Automatically Collected Data
- IP Address: Collected automatically for rate limiting (10 requests per minute per IP) and security purposes. IP addresses are processed temporarily and not stored permanently.
- Job IDs: Unique identifiers generated for each conversion job, stored temporarily in memory.
- Usage Data: Information about how you interact with our service (e.g., file types processed, conversion status).
4.3 Data We Do NOT Collect
- Names, email addresses, or other personal identifiers
- Payment information (service is free)
- Location data beyond IP geolocation
- Device identifiers or browser fingerprints
- Third-party tracking cookies or analytics data
5. Purpose of Processing
We process your personal data for the following purposes:
- Service Provision: To convert your audio/video files to MP3 format, read and edit metadata, and embed cover art as requested.
- Security & Abuse Prevention: To implement rate limiting and protect our service from abuse, spam, and malicious activities.
- Technical Functionality: To manage job queues, track conversion progress, and ensure proper file handling.
- User Preferences: To remember your cookie consent preferences (stored locally in your browser).
We do not use your data for marketing, advertising, profiling, or any purpose other than providing the service you requested.
6. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy:
- Uploaded Files: Automatically deleted after 15 minutes (900 seconds) from upload time, regardless of processing status.
- Converted Output Files: Automatically deleted after 15 minutes from generation time.
- Job Status Data: Stored in server memory only, automatically cleared on server restart (typically within hours).
- IP Addresses: Used temporarily for rate limiting calculations, not stored permanently. Rate limit counters reset after the time window expires.
- Cookie Preferences: Stored in your browser's localStorage, expires after 365 days or when you clear browser data.
Automatic Cleanup: A background process runs every minute to delete files and job data older than 15 minutes. This ensures no data persists beyond the retention period.
7. Data Security
We implement appropriate technical and organizational measures to protect your personal data:
- File Validation: All uploaded files are validated for type, size (max 100MB), MIME type, and magic bytes before processing to prevent malicious uploads.
- Isolated Processing: Each job is processed in an isolated directory with a unique, non-guessable job ID to prevent unauthorized access.
- No Database Storage: We do not use persistent databases. Job statuses are kept in memory only, reducing data breach risks.
- Automatic Deletion: Files are automatically deleted after the retention period, minimizing the exposure window.
- Rate Limiting: IP-based rate limiting prevents abuse and reduces server load.
- HTTPS: All data transmission is encrypted using HTTPS/TLS protocols.
Despite our security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to protecting your data to the best of our ability.
8. Data Sharing and Third Parties
We do not sell, rent, or share your personal data with third parties for marketing or commercial purposes. We only share data in the following limited circumstances:
8.1 Service Providers
- FFmpeg: Open-source audio/video processing tool. Files are processed locally on our servers. No data is sent to external FFmpeg services.
- Redis: Used only for job queue management. Job metadata (not file contents) may be temporarily stored in Redis. Redis runs on our infrastructure and is not accessible to third parties.
8.2 Legal Requirements
We may disclose your data if required by law, court order, or governmental authority, or to protect our rights, property, or safety, or that of our users.
8.3 No Third-Party Analytics or Tracking
We do not use Google Analytics, Facebook Pixel, or any third-party tracking or analytics services. Your usage is not tracked or analyzed by external parties.
9. International Data Transfers
Your data is processed on servers located within the European Economic Area (EEA) or in jurisdictions with adequate data protection laws. If data is transferred outside the EEA, we ensure appropriate safeguards are in place, such as:
- Adequacy decisions by the European Commission
- Standard Contractual Clauses (SCCs)
- Other legally recognized transfer mechanisms
10. Cookies and Local Storage
We use minimal cookies and local storage:
10.1 Essential Cookies
None. Our service functions without cookies.
10.2 Preference Cookies (Optional)
Cookie Consent Preference: Stored in localStorage with your consent. Used to remember whether you accepted or declined cookies. Expires after 365 days.
- Name: mp3toolbox_cookie_consent
- Type: localStorage (not a cookie)
- Purpose: Remember your cookie consent choice
- Retention: 365 days or until you clear browser data
- Consent Required: Yes (you can accept or decline)
10.3 Third-Party Cookies
None. We do not set or allow third-party cookies.
10.4 Managing Cookies
You can manage your cookie preferences through our cookie consent banner or by clearing your browser's localStorage. Note that clearing localStorage will reset your preferences and the consent banner will reappear.
11. Your Rights Under GDPR
As a data subject, you have the following rights under GDPR:
11.1 Right of Access (Article 15)
You have the right to obtain confirmation as to whether we process your personal data and, if so, access to that data and information about how it is processed.
Note: Due to our minimal data collection and automatic deletion, we typically do not retain identifiable personal data. If you believe we have your data, contact us to request access.
11.2 Right to Rectification (Article 16)
You have the right to have inaccurate personal data corrected. Since we primarily process files you upload, you can correct metadata by re-uploading with corrected information.
11.3 Right to Erasure / "Right to be Forgotten" (Article 17)
You have the right to request deletion of your personal data. Given our automatic deletion policy (15 minutes), most data is already deleted. If you have concerns, contact us.
Automatic Erasure: Your files are automatically deleted after 15 minutes. No action is required from you.
11.4 Right to Restrict Processing (Article 18)
You have the right to request restriction of processing in certain circumstances (e.g., while accuracy is verified or if processing is unlawful).
11.5 Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format. Since we don't maintain persistent databases, there is typically no portable data to provide.
11.6 Right to Object (Article 21)
You have the right to object to processing based on legitimate interests. You can stop using our service at any time, and your data will be automatically deleted within 15 minutes.
11.7 Right to Withdraw Consent (Article 7(3))
If processing is based on consent, you can withdraw consent at any time. For cookie preferences, clear your browser's localStorage or use the cookie consent banner to change your choice.
11.8 Exercising Your Rights
To exercise any of these rights, please contact us through our website. We will respond within one month (may be extended by two months for complex requests, with notification).
Identity Verification: We may need to verify your identity before processing requests to protect your data from unauthorized access.
12. Right to Lodge a Complaint
If you believe we have violated your data protection rights, you have the right to lodge a complaint with a supervisory authority, particularly in the EU member state where you reside, work, or where the alleged violation occurred.
EU Supervisory Authorities: Find your local data protection authority at https://edpb.europa.eu/about-edpb/board/members_en
13. Children's Privacy
Our service is not intended for children under 16 years of age (or the age of consent in your jurisdiction). We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us, and we will delete such data.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational, legal, or regulatory reasons. The "Last updated" date at the top of this page indicates when changes were made.
Material Changes: If we make material changes, we will notify users by updating the "Last updated" date and, where appropriate, displaying a notice on our website.
Continued Use: Your continued use of our service after changes constitutes acceptance of the updated Privacy Policy.
15. Contact Information
For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:
- Website: https://mp3toolbox.com
- Data Protection Inquiries: Please use our website contact form or email address (if provided on the website).
We aim to respond to all inquiries within 30 days.
16. Additional Information
16.1 No User Accounts
Our service does not require registration, account creation, or login. This means we do not store account credentials, email addresses, or user profiles.
16.2 File Content
Files you upload may contain personal information in their metadata (e.g., artist names, album titles, custom tags). We process this metadata only to provide the conversion and editing services you request. We do not extract, analyze, or use this metadata for any other purpose.
16.3 Job IDs
Job IDs are randomly generated, non-guessable identifiers used to track conversion jobs. They are not linked to your identity and are stored only temporarily in server memory.
16.4 Server Logs
Standard web server logs may contain IP addresses, request timestamps, and HTTP headers. These logs are used for security, debugging, and service improvement. Log retention follows our data retention policy and applicable legal requirements.
17. Summary
What we collect: Minimal data (IP addresses for rate limiting, uploaded files temporarily, cookie preferences with consent).
How long we keep it: Maximum 15 minutes for files, temporary for IP addresses, 365 days for cookie preferences (in your browser).
Who we share with: No one, except as required by law or for essential service operation (FFmpeg, Redis on our infrastructure).
Your rights: Access, rectification, erasure, restriction, portability, objection, and complaint rights under GDPR.
Security: Isolated processing, automatic deletion, no persistent databases, HTTPS encryption.