Privacy Policy
Effective Date: January 10, 2026
MSTRJK Entertainment Group, Co. ("Company," "we," "us," or "our") respects your privacy and is committed to protecting your personal information in accordance with applicable data protection laws, including the General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CPRA"), the Colorado Privacy Act ("CPA"), the Connecticut Data Privacy Act ("CTDPA"), the Oregon Consumer Privacy Act, the Texas Data Privacy and Security Act ("TDPSA"), the Virginia Consumer Data Protection Act ("VCDPA"), and other applicable state and federal privacy laws.
This Privacy Policy explains—in plain language—what personal information we collect, why we collect it, how we use and protect it, how long we retain it, who we share it with, and how you can exercise your rights when you visit mstrjk.com (the "Site"). By accessing or using the Site, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please discontinue use of the Site immediately.
1. Information We Collect
We collect only what is needed to run the Site, keep it secure, meet legal requirements, and honor the choices you make in the privacy banner. That includes:
- Voluntary submissions. Names, emails, and messages you provide in contact forms, bookings, or account settings.
- Account data. Login email, display details, and authentication/session identifiers necessary to keep you signed in.
- Device and connection details (only when you consent). Browser/OS, language, screen and viewport sizes, hardware concurrency, network type/downlink, do-not-track flag, and performance timing to understand speed and reliability. IP addresses are hashed with SHA-256 and stored without salt so we never persist a raw address.
- Interaction, behavioral, and conversion data (only when you opt into Functional or Marketing categories). Click targets, scroll depth milestones, navigation flows, UI engagement, and optional conversion names/values triggered through window.MJKAnalytics.trackConversion.
- Security and anti-abuse telemetry. TLS/request headers, rate-limit counters, and hashed IPs used strictly to defend the service from fraud and abuse. These are stored separately from analytics data and are not used for advertising or profiling.
- Cookies and local storage. Consent preferences, cart tokens, player gate status, newsletter dismissal, and admin sessions as described in our Cookies Policy.
2. Purpose of Data Collection
We process the above information to:
- Operate the Site, including the media player, store, and account tools.
- Measure and improve site performance, accessibility, and stability.
- Understand feature adoption, product funnels, and aggregated usage trends.
- Measure marketing/conversion effectiveness when you opt into that category.
- Respond to your inquiries, bookings, and support requests.
- Detect, investigate, and mitigate security or abuse incidents.
- Comply with applicable legal, tax, and regulatory requirements.
Analytics, performance, functional, and marketing telemetry are sent only to our first-party endpoint (/api/analytics/track) and stored in our U.S.-hosted Supabase Postgres environment. We do not sell or share personal data with ad networks. Only authorized team members may access the internal dashboard.
3. Security, Analytics & Anti-Abuse Policy
We hash all IP addresses before storage, preserve only essential request headers for diagnostics, and separate anti-abuse telemetry from consented analytics. Logs are retained solely to keep the service secure and reliable. When necessary, we may share narrow, non-identifiable log details with service providers assisting with an investigation.
4. Cookies & Tracking
We rely on first-party cookies and local storage to remember your preferences and, when you consent, to measure analytics, functional interactions, and marketing conversions. You can review or change your consent at any time via the "Manage Privacy Preferences" link in the footer or the banner itself. The categories are:
- Essential Operations (always on): Consent settings (mjk_privacy_consent), newsletter status (isSubscribed), music player gate (musicPlayerTermsAccepted), store cart (stripe_cart/stripe_cart_timestamp), and admin authentication (misterjk_admin_session).
- Analytics & Performance (opt-in): Creates the mjk_analytics_session cookie and logs device, browser, network, load-time, and Core Web Vitals data so we can benchmark site performance. Raw IPs are never stored—only hashed values appear in our database.
- Functional Interaction Tracking (opt-in): Uses the same session identifier to store click targets, scroll depth, element interactions, and navigation flows to inform UX research.
- Marketing & Conversions (opt-in): Enables goal/conversion logging (e.g., newsletter signups, purchases) with optional revenue values and labels passed through window.MJKAnalytics.trackConversion. Opt-outs immediately disable all non-essential tracking, including the "Do Not Sell/Share" control in the footer.
For the full inventory of cookies and storage items, including lifespan and purpose, please review our Cookies Policy.
5. User Rights (GDPR, CPRA/CCPA, CPA, TDPSA)
You may request access, correction, portability, or deletion of your personal data. Logged-in users can initiate permanent account deletion from the Profile page; once confirmed, we place the request in a 14-day queue. Processing may be paused only at your request or where required by applicable law. Users may submit such requests by contacting us at help@mstrjk.com using the email address associated with their account. If no intervention occurs, the account and associated personal data are permanently purged.
California, Colorado, Connecticut, Oregon, Texas, and Virginia residents can also select "Do Not Sell/Share My Personal Info" in the footer to disable all non-essential cookies immediately and contact us at privacy@mstrjk.com.
6. Age & Explicit Content
This Site is not directed to children under the age of 13. We do not knowingly collect personal information from anyone under 13 years old. Lyrics, music, and other creative works may contain mature or explicit content; by accessing the Site you acknowledge and accept this.
7. International Users & Data Transfers
The Site is operated from the United States. If you access the Site from another country, your personal information will be transferred to, processed in, and stored in the United States, which may have data protection laws different from those in your jurisdiction.
For users in the European Economic Area ("EEA"), United Kingdom, or Switzerland: We rely on your explicit consent and/or the necessity of processing to perform our contractual obligations to you as the legal basis for transferring your data to the United States. We implement appropriate safeguards to protect your personal information, including secure data transmission protocols (TLS 1.3), encryption at rest, access controls, and regular security audits. We do not participate in the EU-U.S. Data Privacy Framework but maintain data protection standards consistent with GDPR requirements.
We use third-party service providers to host and deliver our services. These providers may process and store personal data in the United States or other jurisdictions. Where required by law, international data transfers are conducted using approved transfer mechanisms, including Standard Contractual Clauses and other adequacy determinations or derogations under applicable data protection laws. We ensure that our service providers maintain data protection standards consistent with GDPR requirements and the laws applicable to your jurisdiction.
By using the Site, you acknowledge and accept this processing and transfer of your personal information. You have the right to withdraw your consent at any time by discontinuing use of the Site and requesting deletion of your data by contacting us at privacy@mstrjk.com.
8. Data Retention & Deletion
- Cookies & Local Storage: Consent preferences last 30 days, newsletter cookies 30 days, cart storage two hours, music player consent 365 days, and admin sessions until logout. Clearing your browser storage removes these items sooner.
- Analytics sessions, page views, events & conversions: Retained for up to 12 months for performance trending, then deleted or fully anonymized. IPs are stored only as unsalted SHA-256 hashes.
- Security logs: Kept only as long as needed to investigate and mitigate abuse.
- Contact/booking data: Retained as long as needed to respond to your request, comply with legal obligations, or maintain business records.
- Account deletion queue: Confirmed deletion requests enter a 14-day window. If you do not revoke the request during that window, we permanently delete the account and associated personal data.
9. Third-Party Services & Data Sharing
We do not sell your personal information to third parties. We do not share your personal information with advertising networks or data brokers. The following third-party service providers may process your data solely to help us operate the Site:
- Supabase (database hosting): Stores user accounts, analytics data, and account deletion requests on U.S.-based servers with encryption at rest and in transit.
- Netlify (hosting & CDN): Serves website content, handles edge functions, and processes scheduled tasks. May log IP addresses and request metadata for infrastructure security and DDoS protection.
- Stripe (payment processing): Processes payments for digital purchases. Stripe has its own privacy policy and PCI DSS Level 1 certification. We do not store full credit card numbers.
- Email service provider: Sends transactional emails (account verification, password resets, account deletion confirmations). Email addresses are transmitted securely and not used for marketing without separate consent.
These service providers are contractually obligated to use your information only for the purposes we specify and to maintain appropriate security measures. We may also disclose your information if required by law, court order, subpoena, or government regulation, or to protect our legal rights, prevent fraud, or ensure the safety and security of our users.
10. Legal Basis for Processing (GDPR)
For users in jurisdictions governed by GDPR, we process your personal information based on the following legal grounds:
- Consent: You have given clear, affirmative consent for us to process your personal information for analytics, functional tracking, and marketing purposes through our cookie consent banner.
- Contract Performance: Processing is necessary to perform our contract with you (providing account services, processing purchases, delivering content you request).
- Legal Obligations: We must process certain data to comply with legal obligations such as tax laws, data retention requirements, and responses to valid legal requests.
- Legitimate Interests (Article 6(1)(f) GDPR): We may process personal data where it is necessary for our legitimate interests in operating, securing, and improving the Site, including fraud and abuse prevention, account and platform safety, debugging, performance monitoring, and enforcing our terms. We use this basis only where the processing is proportionate, has minimal privacy impact, and is not overridden by your rights and interests. You may object to this processing in certain circumstances.
11. Data Security & Breach Notification
We implement industry-standard technical and organizational security measures to protect your personal information from unauthorized access, alteration, disclosure, or destruction. These measures include:
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for data at rest
- Bcrypt password hashing with unique salts (cost factor 12)
- SHA-256 hashing of IP addresses before storage (no raw IPs stored)
- HTTP-only, Secure, and SameSite cookie flags where applicable
- Regular security audits and penetration testing
- Access controls limiting personnel who can access personal data
- Rate limiting and anti-abuse monitoring
Despite these measures, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your personal information, we cannot guarantee absolute security.
Data Breach Notification: In the event of a data breach that compromises the security, confidentiality, or integrity of your personal information, we will notify affected users within 72 hours of becoming aware of the breach (as required by GDPR) via email to the address on file and/or a prominent notice on the Site. The notification will include the nature of the breach, the types of data affected, steps we have taken to mitigate the breach, and recommended actions you should take to protect yourself. We will also notify applicable regulatory authorities as required by law.
12. California-Specific Rights (CPRA/CCPA)
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to Know: You can request disclosure of the categories and specific pieces of personal information we have collected, the sources from which it was collected, the purposes for collection, and the categories of third parties with whom we share it.
- Right to Delete: You can request deletion of your personal information, subject to certain exceptions (e.g., legal obligations, fraud prevention).
- Right to Correct: You can request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Share: We do not sell personal information. The "Do Not Sell/Share My Personal Info" link in the footer allows you to disable all non-essential cookies and tracking.
- Right to Limit Use of Sensitive Personal Information: We do not use or disclose sensitive personal information for purposes other than those permitted by CPRA.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
To exercise these rights, contact us at privacy@mstrjk.com or use the account deletion feature in your Profile page. We will respond to verified requests within 45 days (or notify you if we need an additional 45 days). We may request additional information to verify your identity before processing your request.
13. Children's Privacy
The Site is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected personal information from a child under 13 without proper parental consent, we will take immediate steps to delete that information from our systems.
If you believe we have collected information from a child under 13, please contact us immediately at privacy@mstrjk.com. Parents and legal guardians have the right to review, request deletion of, and refuse further collection of their child's personal information by contacting us.
14. Automated Decision-Making & Profiling
We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you. Any analytics or behavioral data we collect is used solely for aggregated insights, performance optimization, and improving user experience—not for automated individual decision-making.
15. Do Not Track Signals
Some browsers support a "Do Not Track" (DNT) signal. Our Site respects DNT signals: if your browser sends a DNT signal, we will not load non-essential analytics, functional tracking, or marketing scripts unless you explicitly opt-in through our consent banner. Essential operations required for the Site to function (authentication, cart, consent preferences) will still operate.
16. Changes to this Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Site features. The "Effective Date" at the top reflects the latest revision. Material changes will be communicated through a prominent notice on the Site or via email to registered users at least 30 days before taking effect (where required by law).
Continued use of the Site after changes become effective constitutes acceptance of the updated policy. If you do not agree to the changes, you must discontinue use of the Site and may request deletion of your account and personal information.
17. Contact Information & Data Protection Officer
If you have questions, concerns, or wish to exercise your privacy rights, you may contact us at:
- Email: privacy@mstrjk.com
- General Inquiries: help@mstrjk.com
For users in the EU/EEA: You have the right to lodge a complaint with your local supervisory authority if you believe our processing of your personal information violates the GDPR.