AP

Privacy Policy

Last updated: 1 May 2026

This Privacy Policy describes how Starlight Group SA (Pty) Ltd, a private company registered in the Republic of South Africa (“we”, “us”, the “Company”), collects, uses, shares and protects your personal information when you use the AfroPublish website, mobile applications and related services (the “Platform”).

This Policy is issued in accordance with the Protection of Personal Information Act 4 of 2013 (“POPIA”) and the Electronic Communications and Transactions Act 25 of 2002. By using the Platform you confirm that you have read and understood this Policy.

// Contents

  1. Who we are
  2. Information we collect
  3. How we use information
  4. Lawful basis (POPIA)
  5. Sharing your information
  6. International transfers
  7. Retention
  8. Your rights
  9. Security
  10. Cookies & tracking
  11. Children
  12. Information Officer
  13. Complaints
  14. Changes to this Policy

1. Who we are

Starlight Group SA (Pty) Ltd is the responsible party (data controller) for personal information processed through the Platform. You can contact us at privacy@afropublish.com.

2. Information we collect

2.1 Information you give us

  • Account information — legal name, stage name, email address, password, country, language, profile photo and biography.
  • Identity & onboarding information — date of birth, government-issued identity numbers (where required by payment providers or DSPs), tax residency, and proof of address (where required for payouts).
  • Music & creative information — sound recordings, compositions, artwork, lyrics, metadata, ISRCs, UPCs, credits, splits, ownership and rights declarations.
  • Payment & payout information — bank account details, mobile-money details, billing address and tax information, collected and processed only when our payment integration is enabled and you actively configure payouts or subscribe to a paid plan.
  • Communications — messages you send us, support tickets, takedown notices, and survey or feedback responses.

2.2 Information we collect automatically

  • Device & log data — IP address, device type, browser, operating system, language, time zone, referral URL, and pages or screens viewed.
  • Usage data — uploads, plays, listens, clicks, searches, presaves, follow actions, and licence and download purchases.
  • Cookies & similar technologies — see section 10.

2.3 Information from third parties

  • Authentication providers — if you sign in with Google, Apple or another provider, we receive your name, email and profile photo.
  • DSPs and Distribution Partners — stream counts, royalty reports, takedown decisions and rejection reasons.
  • Payment providers — transaction status, partial card or account details for reconciliation, fraud signals.
  • Pre-save integrations — when you authorise Spotify or Apple Music presave, we receive limited account identifiers needed to add the saved release on release day.

3. How we use information

We use personal information to:

  • Create and operate your account and the Platform;
  • Deliver your music to DSPs through our Distribution Partner, generate ISRCs/UPCs, build pre-save links, and track delivery status;
  • Calculate and pay royalties, generate statements, and process licence purchases and payouts;
  • Verify your identity, prevent fraud, detect streaming manipulation, enforce our Acceptable Use policy, and comply with our anti-money laundering obligations;
  • Send transactional emails (release-status updates, royalty statements, payout notifications, security alerts) and, with your consent, marketing emails;
  • Provide customer support, investigate complaints and resolve disputes;
  • Improve, secure and develop the Platform, including through aggregated and anonymised analytics; and
  • Comply with legal, tax, regulatory and reporting obligations.

4. Lawful basis under POPIA

We process personal information on one or more of the following bases:

  • Contract — processing is necessary to deliver the Platform and the services you sign up for;
  • Legitimate interest — for fraud prevention, security, product improvement and direct marketing of similar services to existing customers (subject to your right to opt out);
  • Legal obligation — for tax, accounting, AML/CFT and regulatory compliance;
  • Consent — for cookies that are not strictly necessary, certain marketing communications, and pre-save integrations with DSPs.

5. Sharing your information

We do not sell your personal information. We share it only with the following categories of recipients, and only to the extent necessary for the purposes described above:

  • Distribution Partners and DSPs — to deliver your music, surface it to listeners, and report streams and royalties;
  • Service providers — cloud hosting and databases (Supabase), email delivery (Resend), payment processing (Paystack, when integrated), analytics, error monitoring, and customer support tooling;
  • Professional advisors — auditors, lawyers, accountants and tax advisors, under appropriate confidentiality obligations;
  • Authorities — where required by law, court order or to protect the rights, property or safety of our users, ourselves, or any third party;
  • Business transfers — in the event of a merger, acquisition, restructuring or sale of assets, in which case the recipient will be bound to honour this Policy.

6. International transfers

Some of our service providers and Distribution Partners are located outside the Republic of South Africa. Where we transfer personal information across borders, we do so in accordance with section 72 of POPIA — either to a recipient subject to a law providing substantially similar protection, on the basis of binding agreements, or with your consent. You may request information about the relevant safeguards by emailing privacy@afropublish.com.

7. Retention

We retain personal information for as long as we need it for the purposes described in this Policy, including:

  • Account and music catalogue data — for the duration of your account, plus a reasonable archival period;
  • Royalty, payout, tax and accounting records — for the period required by South African tax and company law (typically 5 years from the end of the financial year);
  • Anti-fraud records — for as long as needed to monitor repeat patterns and protect the Platform and our partners;
  • Backups — rolled forward in line with our backup retention schedule even after deletion from production systems.

Where personal information is no longer needed, we delete or anonymise it.

8. Your rights

Subject to POPIA, you have the right to:

  • Be notified about the personal information we hold about you and request access to it;
  • Correct or update inaccurate or incomplete information — most fields can be edited from your dashboard;
  • Request deletion of your information, subject to our retention obligations;
  • Object to direct marketing at any time, free of charge, by clicking the unsubscribe link in any marketing email or by emailing us;
  • Withdraw consent for processing that is based on consent (this does not affect the lawfulness of processing carried out before withdrawal); and
  • Submit a complaint to the Information Regulator (see section 13).

To exercise any of these rights, email privacy@afropublish.com or use the data export and deletion tools in your account settings. We may need to verify your identity before acting on a request.

9. Security

We use a combination of technical and organisational measures to protect personal information, including encryption in transit (TLS), encryption at rest where supported by our providers, role-based access controls, audit logs, segregation of production systems, and security training for our team.

No system is fully secure. We strongly recommend that you use a unique password for your AfroPublish account, enable two-factor authentication where available, and never share your credentials. If you suspect that your account has been compromised, contact us immediately at security@afropublish.com.

10. Cookies & tracking

The Platform uses cookies and similar technologies for essential functionality (signing you in, keeping you signed in, remembering your preferences) and for product analytics. Where required by law we request your consent before using non-essential cookies.

You can manage cookies through your browser settings, although disabling essential cookies will prevent the Platform from functioning correctly.

11. Children

The Platform is not intended for users under the age of 18. We do not knowingly collect personal information from children. If you believe a child has registered, please contact us so we can remove the account.

12. Information Officer

Our Information Officer can be contacted at privacy@afropublish.com for all matters relating to this Policy or the processing of your personal information.

13. Complaints

If you believe we have not handled your personal information in accordance with POPIA, please contact us first so we can try to resolve the issue. You also have the right to lodge a complaint with the Information Regulator (South Africa):

Information Regulator (South Africa)
Email: complaints.IR@justice.gov.za
Website: inforegulator.org.za

14. Changes to this Policy

We may update this Policy from time to time. Where the changes are material, we will notify you through the Platform or by email. The “Last updated” date at the top of this page indicates the latest version.

Privacy Policy | AfroPublish