Legal · Privacy

Privacy Policy

This Privacy Policy describes how AZMTH collects, uses, shares, and protects personal data. AZMTH does not sell personal information. Fan data submitted by our customers is processed under their instructions and governed by our Data Processing Addendum.

Version 1.0 · Last updated: June 15, 2026

1. Two kinds of personal data

AZMTH operates a multi-tenant platform. We process personal data in two distinct roles, governed by different laws:

  • Customer data (we are the controller). The data of the people who sign up to use AZMTH — account owners, team members, billing contacts. We decide what to collect and why. This Privacy Policy covers that data.
  • Fan data (we are the processor). The data of fans, supporters, ticket buyers, podcast listeners, merch customers — anyone our customers manage in the Service. Our customer is the controller; we process it on their instructions. This category is governed by our Data Processing Addendum (DPA). If you are a fan trying to exercise rights over your data, contact the artist or label that holds your information — their notice and contact details should be on the form where you signed up.

2. Who we are

Elevate Environmental LLC, a Florida limited liability company doing business as AZMTH (“AZMTH,” “we,” “us”) is the data controller for Customer data described in this Policy.

Mailing address and EU/UK representative details are published on our contact page before launch. Reach the privacy team any time at privacy@azmth.app.

3. What we collect

3.1 Account data

  • Email address, name, and (optional) phone number you provide at signup
  • Hashed password (we never see the plaintext — auth runs through Supabase Auth)
  • Organization details: workspace name, kind (solo vs label vs network), billing address, industry, role
  • Invitations you send to teammates and the response status of those invites

3.2 Subscription and billing data

  • Stripe Customer ID and Subscription ID; the last four digits of your card and its brand (not the full number)
  • Invoice history, plan changes, applied coupons
  • Stripe Connect Account ID for customers who collect tips, tickets, or fundraiser payments through the Service

3.3 Content you put into the Service

Audio, video, images, documents, contracts, posts, drafts, notes — anything you upload or type. We hold this on your behalf to provide the Service.

3.4 Telemetry and usage data

  • Page views and feature usage (no third-party ad-tech; self-hosted or first-party only)
  • Approximate location derived from IP address (country and region; we do not store the full IP for analytics)
  • Browser, device, and OS version (for compatibility)
  • Performance and error logs (rate-limited, retained 30 days)

3.5 Communications

Emails you send to support@azmth.app, privacy@azmth.app, etc., chat transcripts if you use our in-app help, and the contents of any feedback you submit through the thumbs-down button or feedback widgets.

3.6 AI Feature inputs and metering

When you use an AZMTH AI Feature, we process the following data so the feature can run:

  • The inputs you submit — the catalog rows, fan lists, financial figures, contract text, brand notes, drafts, or other content you point the AI Feature at. These inputs are forwarded to our AI sub-processor (currently Anthropic, PBC) over an authenticated TLS connection so the model can generate the output.
  • The output the model returns — the suggestion, summary, draft, or score the feature produces. We deliver it to you and persist it only where the Service obviously needs to (e.g. a draft you saved, a generated cover image you added to a release).
  • A usage record — the AI Feature key (e.g.fans.smart_segment), the timestamp, the organization that ran it, the model family used, and the number of credits deducted. We keep this so we can show you a metered usage history and reconcile billing. It does not include the prompt body or the model output.

Anthropic, our AI sub-processor, does not use AZMTH API traffic to train its foundation models and does not retain prompts or outputs beyond a short abuse-detection window defined in their commercial terms. AZMTH does not use your AI inputs or outputs to train any model and does not share them with any party other than the AI sub-processor that served the request. The current AI sub-processor list is published on our sub-processors page; we update it 30 days before any change.

3.7 What we do not collect

  • We do not run third-party advertising trackers. AZMTH products are ad-free.
  • We do not collect biometric data, government-ID numbers, or health data.
  • We do not collect data from minors. The Service is intended for users 18+.
  • We do not buy lists, scrape social platforms, or import third-party data sets.

4. How we use it

We process Customer data for these purposes:

  • To provide the Service: auth, billing, rendering pages, running scheduled jobs you configured. Lawful basis: performance of contract.
  • To bill you: issuing invoices, processing payments via Stripe, sending payment-failure emails. Lawful basis: performance of contract; legal obligation (tax records).
  • To support you: responding to questions, investigating bug reports, restoring deleted data on request. Lawful basis: legitimate interests (running the Service well) and performance of contract.
  • To secure the Service: detecting fraud, investigating account compromise, blocking malicious requests, audit logging. Lawful basis: legitimate interests; legal obligation.
  • To improve the Service: aggregated usage analytics, A/B testing, performance benchmarking. Lawful basis: legitimate interests. We do not train ML models on your content without your written permission.
  • To run AI Features you invoke: when you click an AZMTH AI button, we forward the data you pointed the feature at to our AI sub-processor (currently Anthropic, PBC) and return the generated output to you. Lawful basis: performance of contract. See Section 6 for the full treatment.
  • To communicate with you: service updates, security advisories, billing notices (transactional — you can't opt out and stay subscribed). Marketing emails require opt-in. Lawful basis: legitimate interests (transactional); consent (marketing).

5. Who we share it with

AZMTH uses a small set of vetted sub-processors to operate the Service. The current list is published at /legal/sub-processors; we update it at least 30 days before any change takes effect, with email notice to account owners.

The categories you should expect:

  • Cloud hosting and database: Supabase (auth, Postgres, storage), Vercel (web hosting + edge compute).
  • Payment processing: Stripe (subscriptions, Connect, Customer Portal). Stripe is the merchant of record.
  • Transactional email: Resend.
  • Optional, customer-controlled integrations: Klaviyo / Mailchimp (when you connect them for fan messaging), DocuSign (when you send a contract for signature), Eventbrite (when you connect ticketing), etc. You authorize these via OAuth; you can disconnect at any time.

We do not sell personal data, in any sense of that term — including the broad CPRA/CCPA definition that sweeps in some advertising arrangements. We do not share Customer data with advertisers.

5A. Disclosures required by law and government requests

We may receive requests from courts, regulators, law enforcement agencies, or other public authorities seeking access to user data. We treat every such request as adversarial until proven legitimate. Our standing approach is:

  • Legality review. Before responding to any request from a public authority, we review whether the request is legally valid — properly served, issued by an authority with jurisdiction over us, and seeking data we actually possess. Requests that fail this review are declined.
  • Right to challenge. Where a request appears unlawful, overbroad, improperly served, or contrary to the rights of the affected user, we may challenge it through appropriate legal channels — including motions to quash, requests for narrowing, and assertions of applicable privileges and protections.
  • Data minimization. When we do comply, we disclose only the specific information required by the request — never additional information that the request does not strictly compel. We do not volunteer adjacent data.
  • Documentation. Every request received, our legal review, the actors involved, and our response are documented and retained for our records and for any downstream accountability obligations.
  • User notification. Where permitted by law and not prohibited by a court-issued gag order, we will notify the affected user(s) before responding so they have an opportunity to seek their own legal counsel and, if appropriate, intervene in the proceeding. This pre-notification does not apply to reports of child sexual abuse material (CSAM). Where we are required by law (including 18 U.S.C. § 2258A) to report apparent CSAM to the National Center for Missing & Exploited Children (NCMEC) or to cooperate with a related law-enforcement investigation, we do not notify the user, as doing so could impede the investigation and may itself be unlawful. See Section 5C.

Routine criminal-investigation requests (search warrants, subpoenas, court orders) and national-security requests (FISA orders, National Security Letters) are governed by this same process. Where applicable law prevents us from disclosing the existence of certain national-security requests, we publish aggregate transparency information at the highest level of disclosure law permits.

5B. Google API Services (YouTube, Analytics, Search Console)

AZMTH lets you optionally connect your Google account so we can import your own YouTube channel and analytics — and display them inside your AZMTH dashboards. You grant this access through Google's own consent screen, and all access is read-only. You can review or revoke it at any time at myaccount.google.com/permissions or from /settings/integrations inside AZMTH.

5B.1 Scopes we request and why

  • openid, userinfo.email, userinfo.profile — to identify the Google account you are linking, bind it to your AZMTH account, and display which account is connected. We store your Google account email and basic profile (name, avatar) for this purpose.
  • youtube.readonly — read-only access to your YouTube account so we can retrieve your channel and video metadata (titles, IDs, publish dates, view counts) and show your catalog performance inside AZMTH. We never create, modify, or delete content on your channel.
  • yt-analytics.readonly — read-only access to your YouTube Analytics reports so we can display aggregated performance (views, watch time, and audience demographics such as country and age group) in your AZMTH analytics dashboards.
  • webmasters.readonly — read-only access to Google Search Console. AZMTH requests this scope only for its own company Google account, where it is used internally by our team to monitor search performance for AZMTH's own website (azmth.app). It is not requested from, or granted by, end users connecting their accounts, and we never modify Search Console properties or settings.

5B.2 How we handle Google user data

  • We access Google user data only after you explicitly connect your account, and only at the read-only scopes above.
  • We store the minimum necessary: encrypted OAuth tokens (to refresh access on your behalf), your connected Google account email/profile, and the derived metrics needed to render your dashboards. Tokens are encrypted at rest.
  • We use Google user data solely to provide and improve the user-facing features you connected it for. We do not use it for advertising, and we do not use it to develop, train, or improve generalized AI or machine-learning models.
  • We do not sell Google user data and do not transfer it to third parties except as necessary to provide or improve user-facing features, to comply with applicable law, or as part of a merger or acquisition. We do not allow humans to read it except with your affirmative consent, where necessary for security (e.g. investigating abuse), to comply with law, or where the data has been aggregated and anonymized.
  • When you disconnect the integration or delete your account, we revoke the tokens at Google (where supported) and delete the associated Google user data under the retention rules in Section 8.

5B.3 Limited Use

AZMTH's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

5B.4 YouTube

Where AZMTH uses YouTube API Services, by connecting your account you also agree to the YouTube Terms of Service, and Google's use of your information is governed by the Google Privacy Policy. You can manage the data AZMTH obtains through the YouTube API, and revoke AZMTH's access, via your Google security settings.

5B-1. AZMTH Proof and public blockchains

If you use AZMTH Proof, certain metadata you choose to certify is written to one or more public blockchains: the file's cryptographic fingerprint (a SHA-256 hash), the work title, contributor names, and a hash of the splits. This data is published to a decentralized, public ledger and is permanent and irreversible — it cannot be edited or deleted by you or by AZMTH once recorded, and it may be copied and retained by third parties operating those networks worldwide. We do not write split percentages, the underlying file, or your contact details on-chain. Only submit information you are comfortable making permanently public. The original file itself is stored privately in our cloud storage, not on-chain.

5C. Automated content-safety scanning

To keep the Service safe and lawful, images uploaded to AZMTH are scanned automatically at the time of upload. This scanning is a security and legal-compliance measure, not an AI Feature you invoke, and it runs on all image uploads regardless of plan.

  • How it works. At ingest, we generate a short-lived access link to the uploaded image and submit it to Google Cloud Vision (SafeSearch) — a first-line filter that scores the image for explicit content (adult, racy, violent). We recognize SafeSearch is a general-purpose classifier and is not specific to child sexual abuse material (CSAM).
  • What happens to flagged images. An image that meets our threshold is moved to a private quarantine location with public access disabled, and queued for human review. We retain a quarantined copy under a legal hold (currently 90 days) so it can be reviewed and, where required, reported.
  • CSAM reporting. Where review confirms apparent CSAM, we report it to the National Center for Missing & Exploited Children (NCMEC) CyberTipline as required by U.S. law (18 U.S.C. § 2258A), preserve the material as the statute requires, and cooperate with law enforcement. As described in Section 5A, we do not notify the uploading user of a CSAM report.
  • Tooling we are adding. We have applied for Microsoft PhotoDNA (hash-matching against known CSAM) and for Google's Content Safety API (dedicated CSAM classification, including previously unseen material); both applications are in progress. This Policy will be updated as those tools come online.
  • What we do not do. We do not use uploaded images, or the results of this scanning, for advertising or to train generalized AI/ML models. Scan results are used only for safety, abuse-prevention, and legal-compliance purposes.

6. AI Features and AI sub-processors

AZMTH offers optional AI-powered features (collectively, “AI Features”) — for example smart fan segmentation, brand-deal rate-card suggestions, catalog gap analyzers, tour routing, contract reviewers, royalty-statement anomaly checks, and release-strategy drafts. AI Features are off until you invoke one, and you can disable them at the organization level in /settings/ai.

6.1 What gets sent to the AI sub-processor

When you run an AI Feature, AZMTH composes a prompt from the data you pointed the feature at — for example a list of catalog rows, a fan-list export, a brand-kit JSON object, a contract excerpt, a budget snapshot, or a free-text note. That prompt is sent over an authenticated TLS connection to the AI sub-processor (currently Anthropic, PBC, operating its Claude family of large language models). The model returns a generated output (text, structured JSON, or in some features an image) which AZMTH surfaces back to you.

AZMTH attempts to minimize the prompt to what the feature actually needs. We do not forward fan email addresses, phone numbers, payment card details, government-ID numbers, or passwords as part of any AI prompt. Where a feature operates on fan data (for example, smart segmentation), we forward only the attributes the feature requires — typically aggregated counts and tags — and never the underlying contact identifiers.

6.2 What the AI sub-processor does with it

Anthropic processes the prompt under its commercial API terms. Under those terms, Anthropic does not use AZMTH's API traffic to train its foundation models and applies a short retention window solely for abuse detection and safety enforcement (currently 30 days, subject to Anthropic's then-current commercial terms). After that window, the prompt and output are deleted from Anthropic's systems. AZMTH's sub-processor list at /legal/sub-processors is the authoritative record of the AI providers we use and links to each provider's data-handling commitments.

6.3 What AZMTH itself retains

AZMTH retains, on its own systems:

  • Outputs you save. If you save the AI's output to your workspace (e.g. a drafted post, a generated cover image, a strategy memo), that saved record is treated like any other Content you put into the Service under Section 3.3.
  • A metered usage record — feature key, timestamp, organization, model identifier, and credits deducted. The prompt body and model output are not stored in this record. Usage records are kept for the lifetime of the account so you can review monthly history; they age out under the deletion rules in Section 8 when the account closes.
  • Aggregated, de-identified telemetry — counts of AI calls per feature, error rates, latency buckets. This contains no prompt content.

AZMTH does not keep a long-term log of the prompts sent or the outputs returned. The Service's short-lived application logs may include prompt or output fragments for up to seven days for debugging; those are subject to the access controls described in Section 12.

6.4 No training on your data

AZMTH does not use your Customer data, Content, AI Feature inputs, or AI Feature outputs to train any AI model, and we do not provide them to any third party for the purpose of training a model. Our AI sub-processor (Anthropic) has committed not to train foundation models on API traffic from commercial customers.

6.5 AI Outputs are advisory, not advice

AI Features generate data — patterns, drafts, summaries, or scored suggestions. They are not professional advice and are not a substitute for a qualified financial advisor, lawyer, accountant, tax preparer, manager, or agent. The Terms of Service describe the warranties and limitations that apply to AI Output; see Terms § 8.

6.6 Your controls

  • Disable AI entirely at the organization level in /settings/ai. The platform will still work without AI Features.
  • Skip individual features — every AI button is a deliberate, individual click. AZMTH does not run AI jobs in the background without your action.
  • Review usage at any time in /settings/ai.
  • Request a sub-processor opt-out at privacy@azmth.app. Some AI Features will be unavailable if the underlying sub-processor is opted out; we'll explain which.

7. International transfers

AZMTH's primary data center is in the United States. If you access the Service from outside the US, your Customer data is transferred to and processed in the US under appropriate safeguards: Standard Contractual Clauses (EU 2021/914) for EU/EEA-origin data, the UK International Data Transfer Addendum, and the Swiss FADP equivalents for Switzerland.

8. How long we keep it

  • Account data: while the account exists, plus a 30-day soft-delete window after closure for recovery. After day 31, we permanently delete it.
  • Backups: rolling 90-day window for disaster recovery. Deleted records age out of backups within 90 days.
  • Billing and tax records: retained for 7 years after the relationship ends, as required by US/EU tax law.
  • Audit logs (staff actions): 2 years.
  • Webhook event logs: 90 days.
  • Telemetry and error logs: 30 days.
  • Customer support correspondence: 2 years after the ticket closes.
  • AI usage records (feature key, timestamp, credits deducted — never prompts or outputs): kept for the life of the account so you can audit monthly spend; aged out under the account-deletion rules above.
  • AI prompts and AI Outputs: not retained by AZMTH beyond the response cycle, except for the short-lived (≤ 7 days) application-log debugging window described in Section 6.3. Anthropic, our AI sub-processor, retains prompts and outputs for up to 30 days under its commercial abuse-detection policy.

9. Your rights

Depending on where you live, you have some or all of the following rights over your Customer data. Send any request to privacy@azmth.app or use the in-app data export tool at /settings/billing. We respond within 30 days (or sooner if your local law requires it).

  • Access: ask for a copy of the personal data we hold about you.
  • Rectification: ask us to correct inaccurate data.
  • Deletion (“right to be forgotten”): ask us to delete your data, subject to records we are legally required to keep.
  • Portability: get your data in a common, machine-readable format. The export action exposes a full-fidelity JSON dump.
  • Objection: object to processing based on legitimate interests; we'll evaluate the request and honor it unless we have compelling grounds to continue.
  • Restriction: ask us to pause processing while we resolve an access or rectification request.
  • Withdraw consent: for any processing based on consent (e.g., marketing emails), withdraw it at any time.
  • Lodge a complaint: with your local data protection authority. EU residents can find theirs via the EDPB members list.

10. California privacy rights (CPRA)

California residents have the rights described in Section 9 plus the following CPRA-specific rights:

  • Right to know the categories of personal information we've collected, the sources, the business purpose, and the categories of third parties we've shared it with in the past 12 months.
  • Right to opt out of sale or sharing. AZMTH does not sell personal information and does not share it for cross-context behavioral advertising. You don't need to do anything; the “Do Not Sell or Share My Personal Information” link is therefore not required. If that policy ever changes, we will post the link and email account owners 30 days in advance.
  • Right to limit use of sensitive personal information. We don't process sensitive PI (as CPRA defines it) for purposes outside what is reasonably necessary to provide the Service.
  • Right not to be discriminated against for exercising your rights.

11. Cookies and similar technologies

AZMTH uses a small number of strictly-necessary cookies (auth session, CSRF token, preferences) and first-party analytics cookies. We do not use third-party advertising cookies. We do not deploy session-replay tools.

Where required by your local law, we present a cookie banner at first visit and respect your choices. Most browsers also let you block or delete cookies in their settings.

12. Security

We maintain technical and organizational measures appropriate to the data we process. Highlights:

  • TLS 1.2+ in transit; AES-256 at rest
  • Postgres Row-Level Security (RLS) on every customer-facing table — cross-tenant access is impossible by design
  • Time-boxed PII elevation for engineering work; staff PII access defaults to redacted
  • Audit log on every staff action against a customer account
  • Encrypted secret storage; no production credentials in source control
  • Quarterly access reviews; annual penetration test on the public surfaces
  • 24/7 paging on critical alerts; documented incident response runbook

See DPA Annex 3 for the full security posture.

13. Breach notification

If we suffer a security incident that affects your Customer data, we will notify you without undue delay and in any case within 72 hours of becoming aware, as required by GDPR Art. 33. The notice will describe what happened, the data affected, likely consequences, and the steps we're taking. Where the law also requires direct notification to data subjects, we will help you do so.

14. Children

The Service is not directed to children under 18 (or the local age of digital consent, whichever is older). We do not knowingly collect data from children. If you believe a minor has created an AZMTH account, email privacy@azmth.app and we will delete it.

15. Automated decision-making and AI Outputs

We do not make decisions that produce legal or similarly significant effects about you using solely automated means. Some Service features score or rank content (split-health warnings, exclusivity overlap detection, fundraiser pace badges); these are advisory, not binding, and you can always override them.

AZMTH AI Features (described in Section 6) generate suggestions, summaries, drafts, or scores in response to actions you explicitly take. The outputs are advisory: they are starting points and data points, not decisions, and they do not produce legal or similarly significant effects on you. You remain in control — every action that has financial, contractual, distribution, or fan-facing consequences requires your separate, deliberate confirmation. See Terms § 8 for the full treatment of how AI Outputs may and may not be relied on.

16. Changes to this Policy

We'll update this Policy when material things change. Material changes take effect 30 days after we email the account owner and post the updated version. Non-material edits (typos, clarifications) take effect immediately on posting. We keep a public changelog of material changes alongside the document (see the version history below).

Your continued use of the Service after a change's effective date constitutes acceptance of the updated Policy. If you do not agree to a change, stop using the Service and close your account before the change takes effect. Keep your account email current so change notices reach you.

17. Contact

General privacy questions: privacy@azmth.app.
Security issues: security@azmth.app.
Legal: legal@azmth.app.

For fan data — if you are an end-fan trying to exercise rights over your information — contact the artist or label whose page you used. AZMTH cannot honor your request directly; their privacy notice on the collection form should explain how.

Version history

  • v1.0 · June 15, 2026

    Initial publication.