privacy
this page covers what the radio collects, why, who else sees it, and how to get rid of it.
who runs the radio
missterspoonradio is run by spoon, the artist, as a sole trader in the united kingdom. contact: spoon@missterspoonradio.com.
what gets collected
only what's needed to make the radio work:
- email address — to sign you in via magic link, send you downloads of tracks you've bought, and (if you're opted in) the occasional message about the radio.
- stripe customer id and a card display fragment (brand + last four digits, e.g.
visa ending 4242) — so the change-card screen works without a round-trip to stripe. card numbers themselves never touch this database; stripe holds them.
- purchase history — track, amount, timestamp, permanent download token — so you can re-download anything you've bought.
- free credit count — referral credits earned or received.
- listen count (
total_listens) and the timestamp of your most recent tune-in (last_listen_at) — used internally to size aggregate listener stats.
- referral records — who referred whom, the bound email, the code's status — so the per-friend cap works and credits flow correctly.
- session record — a token in your browser cookie + the timestamp of your last activity, so you stay signed in and the radio knows whether to count you as currently listening.
nothing else is stored — no name, no country, no behavioural profile, no advertising identifier.
cookies
the radio sets exactly one cookie, named session, after you sign in. it's marked HttpOnly, Secure, and SameSite=Lax, lasts one year, and is used only to keep you signed in. it carries no advertising data, no third-party identifier, and is never read by anyone other than this site.
this cookie is strictly necessary under the privacy and electronic communications regulations (pecr) — the radio doesn't function without it — so no consent banner is shown. no other cookies, pixels, or trackers are loaded by missterspoonradio.com.
why this data is held — the lawful basis
- contract (uk gdpr art 6(1)(b)) — for running your account, processing purchases, delivering downloads, applying credits.
- legitimate interest (art 6(1)(f)) — for security, anti-piracy (one-active-session rule), and aggregate listener stats. these uses don't override your rights.
- soft opt-in / consent (pecr reg 22) — for the occasional email about the radio. you can withdraw consent at any time via the toggle on your account page or the unsubscribe link at the bottom of any email.
who else sees it
the radio depends on a small set of third-party services. each sees only the slice it needs to do its job; none combines this data with anything else:
- stripe (payments) — sees your email and the amount of any purchase. handles all card data directly. stripe's privacy policy.
- resend (email delivery) — sees the email addresses we send to.
- fly.io (hosting) — sees server request logs.
- cloudflare (dns + inbound email routing) — sees connection metadata for traffic to missterspoonradio.com.
- neon (database) — stores everything listed in the section above.
- cloudflare r2 (audio + apk storage) — stores the catalogue files and the android app build.
data isn't sold, traded, or shared with anyone else.
how long it's kept
for as long as your account exists. deleting your account (via the change-details screen on your account) removes your record and cascade-deletes the rows linked to it — sessions, purchases, email-change tokens. used referrals you sent are anonymised (the link to your account is severed) so the recipient's credit history stays consistent. account deletion also kills your permanent download links — the email links stop working immediately.
your rights
under uk gdpr you have the right to:
- access — ask for a copy of the data held about you.
- rectify — change your email via the change-details screen, or ask for any other correction by emailing spoon.
- erase — delete your account at any time from the change-details screen, or by email.
- object — opt out of marketing emails via your account page or the unsubscribe link in any email.
- complain — if you think the radio's mishandling your data, you can complain to the uk information commissioner's office at ico.org.uk/make-a-complaint. we'd rather you reach out directly first, but the path exists.
changes to this page
if the data the radio collects or the services it relies on change materially, this page will be updated. the date below tracks the most recent revision.
last updated: 13 may 2026.