Privacy Policy
Last updated: 23 May 2026 ยท Effective: 23 May 2026
๐ The short version
- No account needed to listen โ most visitors leave us nothing but an IP address that’s auto-deleted in 30 days.
- We never sell your data. Ever.
- You can delete your account and everything tied to it anytime, no questions asked.
Who we are
Radio Nations operates as a free online radio directory at radionations.com. For anything privacy-related, write to [email protected] with the subject “Privacy” (optional sub-tags: Access / Delete / Correct / Export / Other). We act as the data controller for the information described below.
What we collect
Browsing without an account
- IP address โ for security, abuse prevention, rate limiting. Hashed with a daily-rotating salt so we can’t trace you across days.
- Browser type and OS โ from the User-Agent header, used for compatibility decisions.
- Pages you visit โ server log, retained 30 days then deleted.
- Your consent choices โ stored locally in your browser as
lr_consent_v1, never on our servers.
When you create an account
- Email address, username, hashed password (bcrypt)
- Account creation date, last-login timestamp
- Your reviews, ratings, and favorites
We never collect your real name, postal address, date of birth, or payment details. The service is free.
When you contact us
Email addresses and message content are kept for 12 months after our last reply, then deleted.
โ What we never collect
- Precise geolocation
- Device sensors (camera, microphone, motion)
- Browser fingerprints
- Cross-site tracking pixels
- Third-party analytics by default
- Access to your files, contacts, or other apps
Legal basis (GDPR Article 6)
- Site operations + security: legitimate interest โ Art. 6(1)(f)
- Account creation + login: contract performance โ Art. 6(1)(b)
- Advertising cookies: explicit consent โ Art. 6(1)(a), only set after you accept
- Reviews and ratings you submit: contract performance + your consent at submission
Data sharing
| Recipient | Purpose | Data shared |
|---|---|---|
| Cloudflare (CDN + WAF) | Security, performance, bot protection | IP, request headers, cookies |
| Hosting provider | Server infrastructure | Server logs, database |
| Google AdSense (only if you accept ad cookies) | Personalized advertising | Cookies, ad identifiers |
| Email provider | Transactional + support email | Email address, message content |
| Audio stream servers | Playing the live audio | Your IP โ when you press Play, your browser connects directly to the broadcaster’s server |
We do not sell, rent, or otherwise commercialize your personal data with any third party.
Retention
| Data | Retained for |
|---|---|
| Access logs | 30 days |
| Account data | As long as your account exists |
| Reviews and ratings | Until you delete them or your account |
| Support email | 12 months after the last reply |
| Encrypted backups | 30-day rolling rotation |
Storage location
All primary data is stored in Frankfurt, Germany (EU). Encrypted backups are stored in the same region. We do not transfer your personal data outside the EU/EEA except where Cloudflare’s edge network terminates TLS in your local region โ Cloudflare’s Data Processing Addendum governs that processing.
Your rights
Under GDPR, UK GDPR, CCPA/CPRA, LGPD, Swiss FADP, India DPDPA, and similar laws, you have the right to:
- Access the personal data we hold about you
- Correct anything that’s wrong
- Delete your account and all linked data
- Restrict our processing
- Receive your data in a portable format (JSON export from your account settings)
- Object to processing based on legitimate interest
- Withdraw consent at any time (without affecting prior lawful processing)
- Lodge a complaint with your local regulator (see “Complaints” below)
Logged-in users can export or delete their data directly from Account โ Settings. For non-account requests, email [email protected] โ we respond within 30 days, often sooner.
Cookies and tracking
Cookies, localStorage, and similar technologies are described in our Cookie Policy.
Children’s privacy
Radio Nations is not directed at children. We don’t knowingly collect personal data from children under:
- 13 in the US, UK, and most other countries
- 14 in Spain, Italy
- 16 in Germany, Ireland, France, the Netherlands, and Norway
If you believe a child has created an account, email [email protected] and we’ll delete it immediately.
Security
- HTTPS-only with HSTS preload; minimum TLS 1.2 (TLS 1.3 by default)
- Passwords stored using bcrypt with per-user salt
- Restricted database access; least-privilege application credentials
- Servers hardened with fail2ban + automatic security updates
- Encrypted backups
- Two-factor authentication required for administrator accounts
We don’t claim our security is perfect โ no one’s is โ but we take it seriously and patch quickly.
Regional rights specifics
๐ช๐บ EU/EEA + ๐ฌ๐ง UK (GDPR + UK GDPR)
You have all rights listed under “Your rights” above. Complaints can be filed with your national Data Protection Authority. UK residents can contact the Information Commissioner’s Office (ICO).
๐จ๐ญ Switzerland (revised FADP, in force September 2023)
Same rights as EU GDPR. Complaints to the FDPIC.
๐บ๐ธ California, USA (CCPA + CPRA)
You have the right to know what we collect, the right to delete, the right to opt out of sale (we don’t sell), and the right to non-discrimination. Complaints to the California Privacy Protection Agency.
๐ง๐ท Brazil (LGPD)
Same rights as GDPR. Regulator: ANPD.
๐ฎ๐ณ India (DPDPA, 2023)
As a Data Principal, you have access, correction, erasure, and grievance rights. Email us to exercise them.
Changes to this policy
We may update this policy as the site evolves or as the law changes. We’ll always update the “Last updated” date above. For material changes, we’ll display an in-site notice at least 14 days before the change takes effect; logged-in users will also receive an email.
Complaints
If you think we’ve mishandled your data, please email [email protected] first โ we’d rather hear from you. You can also file a formal complaint with your regional regulator:
- EU / EEA: your national DPA
- UK: ICO
- Switzerland: FDPIC
- California: CPPA
- Brazil: ANPD
- India: Data Protection Board (via meity.gov.in)
โ๏ธ Contact
Response targets: 7 days for general questions, 30 days for formal access / deletion / portability requests.