Privacy Policy - Play258
Document: Privacy Policy
ID: PLAY258-PP
Version: 1.0.0
Effective date: 05-04-2026
Operator: VONEKA, headquartered in Maputo, Mozambique, NUIT: 400753504, hereinafter “Operator”.
General contact: info@voneka.co.mz | Support: suporte@voneka.co.mz
This Policy supplements the General Terms of Use and the audience annexes. For retention, erasure, and portability, see also 07-POLITICA-RETENCAO-DADOS.md.
1. Scope and principles
1.1. This Policy applies to processing of personal data in the Play258 ecosystem (web, app, APIs, dashboards, playout to the extent it collects or syncs personal data, integrations).
1.2. The Operator commits to principles of lawfulness, fairness, transparency, purpose limitation, minimization, accuracy, storage limitation, integrity and confidentiality, and accountability, under applicable legislation (including GDPR/LGPD-inspired rules where relevant).
2. Who is responsible for processing
2.1. VONEKA is, as a rule, controller for the operations described here.
2.2. Where the Operator processes data on behalf of a Radio station or Organization (e.g. sending messages to listeners on behalf of the station), the Operator may act as processor, under agreement with the client and law. In those cases, the client may be joint controller or independent controller depending on the facts — validate with counsel.
3. Categories of personal data
3.1. Identification and contact
Name, stage name, email, phone number, physical or billing address, role, employer entity.
3.2. Account and authentication data
Account identifiers, password hashes, session tokens, OTP logs, language preferences.
3.3. Payment data
Transaction identifiers, payment status, amounts; payment instrument data may be processed directly by the processor (tokenization), with minimization at the Operator.
3.4. Technical and usage data
IP address, device identifiers, browser/app type, API logs, timestamps of actions, technical errors, performance metrics.
3.5. Location data
Only when enabled (e.g. OS permissions) or derived from IP with precision allowed by product configuration.
3.6. Content and communications
Messages (SMS/WhatsApp/app), music requests, comments, uploaded audio files, TTS recordings where applicable, campaign content.
3.7. Broadcast and reporting data
Playback history aggregated or identifiable per configuration, “playout” reports, track and artist identifiers linked to events.
3.8. Marketing and preference data
Consents, opt-in/opt-out, campaign identifiers, lead source.
3.9. Legal compliance and security data
Anti-fraud logs, KYC checks when required, retention for disputes or authority responses.
4. Legal bases (reference framework)
Note: adjust per jurisdiction. Multiple-model template below.
| Purpose (summary) | Typical legal basis |
|---|---|
| Providing the Service, contract performance | Contract performance / pre-contractual measures |
| Authentication, security, anti-fraud | Legitimate interests / legal obligation |
| Invoicing and tax duties | Legal obligation |
| Transactional communications | Contract performance |
| Direct electronic marketing | Consent and/or legitimate interest per local law |
| Non-essential cookies | Consent (when required) |
| Aggregated product analysis | Legitimate interests or consent |
| Compliance with court orders | Legal obligation |
| Defense of rights in proceedings | Legitimate interests / judicial proceeding |
5. Processing purposes
5.1. Provide and improve the Service (accounts, queues, APIs, playout, reports).
5.2. Process payments and prevent fraud.
5.3. Communicate with the User (support, security notices, contractual updates).
5.4. Comply with laws (tax, accounting, authority responses).
5.5. Ensure security of the platform and traffic integrity.
5.6. Analytics to understand usage, with pseudonymization where possible.
5.7. Marketing, only with adequate legal basis.
5.8. Rights exercise and complaint handling.
6. Data sharing (recipients)
6.1. Service providers / subprocessors (hosting, transactional email, SMS/WhatsApp, payments, analytics), with data processing agreements when required.
6.2. Radio stations and Organizations, only as necessary for functionality (e.g. music request to a station; campaign report to an agency).
6.3. Public authorities, when legally mandatory or under valid order.
6.4. Business successors in merger or acquisition, with notice when required.
6.5. The Operator does not sell personal data to third-party lists for unrelated marketing, unless specifically disclosed with legal basis.
7. International transfers
7.1. If data are processed on servers outside the data subject’s country, the Operator will apply appropriate safeguards (standard clauses, adequacy decisions, or other mechanisms under applicable law).
7.2. Updated list of processing locations: https://play258.com/legal/privacidade#transferencias-internacionais.
8. Retention and disposal
8.1. Retention periods are in the Retention, Erasure, and Portability Policy.
8.2. After the period, data are erased or irreversibly anonymized, unless legally excepted.
9. Information security
9.1. Appropriate technical and organizational measures: access control, encryption in transit (HTTPS), secrets management, backups, audit logs, permission reviews.
9.2. Breach notification: when required, the Operator will notify authority and/or data subjects within legal deadlines.
10. Data subject rights
Under applicable law, the data subject may request:
- Access to data;
- Rectification of inaccurate data;
- Erasure (“right to be forgotten”), with legal exceptions;
- Restriction of processing;
- Objection to processing based on legitimate interest or marketing;
- Portability of data provided and generated by service use, where applicable;
- Withdrawal of consent without affecting prior lawfulness;
- Complaint to a supervisory authority.
Channel: dpo@voneka.co.mz or form https://play258.com/legal/privacidade#direitos-dos-titulares. Typical response time: 15 business days, extendable with justification.
11. Processing by user category (summary)
| Category | Specific notes |
|---|---|
| Artist | Stage identity, catalog, work metadata, royalty payment data where applicable. See ANEXO-A-ARTISTAS.md. |
| Radio station | Station data, internal users, broadcast logs, request settings. See ANEXO-B-RADIOS.md. |
| Listener | Phone/email for requests and notifications, request history, payment data via third party. See ANEXO-C-OUVINTES.md. |
| Organization | Campaign data, spot files, enterprise account users. See ANEXO-D-ORGANIZACOES.md. |
12. Minors
12.1. The Service does not target users under 18, unless specific products with parental consent.
12.2. If improper minor registration is detected, the Operator will erase data and close the Account, notifying guardians of obligations where applicable.
13. Cookies, analytics, and similar technologies
13.1. Full details in the Cookie Policy, including preference management and mobile app SDKs.
14. Automated decisions
14.1. The Operator may use automated rules for anti-fraud, queue prioritization, or recommendations. No decisions with significant legal effect are taken solely by automation without human intervention, unless legally or contractually provided and communicated.
15. Changes
15.1. Changes to this Policy follow the Changes, Versioning, and Notifications Policy.
16. Contact
VONEKA - Maputo, Mozambique - dpo@voneka.co.mz
Version 1.0.0 — subject to legal review and per-country legal basis adjustments.