Privacy Policy

This privacy policy describes how Blacksmith Holdings, Inc. (“we”, “us”, “our”) collects, uses, and shares information when you use the Vince Staples Fan Pass application at pass.vincestaples.co (the “Service”). The Service lets fans complete challenges, link third-party accounts, earn XP and rewards, and participate in chat-driven live streams.

Blacksmith Holdings, Inc. also operates the main artist site at vincestaples.co, which is governed by its own privacy policy. This policy is the authoritative document for the Fan Pass app because it discloses data flows (YouTube, Spotify, Discord, Klaviyo, Shopify) that the main-site policy does not cover.

For privacy questions, contact vincestaplesteam@gmail.com or write to Blacksmith Holdings, Inc., 630 Fifth Avenue, 20th Floor, New York, NY 10111.

We collect the following categories of information:

• Account information. Your email address and password (managed by Amazon Cognito), an optional display name you choose, and a unique fan identifier we generate.
• YouTube account data. When you choose to link your YouTube account, we request the https://www.googleapis.com/auth/youtube.readonly OAuth scope and store your YouTube channel ID, public display name, and a short-lived access token plus refresh token. We use this strictly to credit chat-driven achievements (matching live-chat comments to your fan account) and to display your channel on the leaderboard. We do not access your watch history, private playlists, or any other YouTube data.
• Spotify account data. When you choose to link Spotify, we store your Spotify user ID and short-lived access plus refresh tokens, used solely to verify song streams of the artist’s tracks.
• Discord account data. When you choose to link Discord, we store your Discord user ID and username, used to verify server membership and credit Discord-related achievements.
• Order data. When you place a Shopify order related to the artist, we receive the order details (including your email and what was purchased) via webhook so we can credit pre-order and merch achievements.
• Email subscriptions. If you opt in to the artist’s email list, your email is sent to Klaviyo for newsletter delivery. You can unsubscribe at any time via the link in any email.
• Activity data. Challenge progress, XP totals, currency balance, login streak, achievement unlocks, photo and text submissions you upload, referral codes and referrals attributed to you, and chat commands you send during live streams (matched to your account via your YouTube channel ID).
• Technical data. Standard server logs (IP address, user agent, request timestamps) used to operate, secure, and debug the Service.
• Cookies and session storage. We set a small number of cookies and use browser local storage to keep you signed in (Amazon Cognito session tokens) and to remember UI preferences. We do not use third-party advertising or cross-site tracking cookies.

We use the information we collect to:

• Create and manage your fan account.
• Verify completion of challenges and credit XP, currency, and achievements.
• Display you on leaderboards and credit your chat commands on live streams.
• Match Shopify orders and Klaviyo subscriptions to your fan account.
• Communicate with you about the Service (account notifications, support).
• Detect, investigate, and prevent fraud or abuse of the Service.

Our use of information received from YouTube APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We use your YouTube channel ID and public display name solely to credit chat-driven achievements on the Service and to identify your fan account in live-stream interactions. We do not use this data for advertising, analytics aggregation, machine learning model training, sale, or transfer to any third party other than the service providers strictly necessary to operate the Service (listed below).

Our use of YouTube APIs is also subject to the YouTube Terms of Service and the YouTube API Services Terms of Service. Google’s privacy practices are described in the Google Privacy Policy.

We do not sell your personal information. We share data only with the following service providers, who process it on our behalf to operate the Service:

• Amazon Web Services — application hosting, database, and file storage
• Amazon Cognito — account authentication
• Klaviyo — newsletter delivery (only if you opted in)
• Shopify — order data webhook (only when you place an order)

We may also disclose information when required by law, to enforce our terms, or to protect the rights, property, or safety of the Service, our users, or others.

We retain your account data and activity history only as long as necessary to provide the Service, comply with our legal obligations, resolve disputes, and enforce our agreements. When you delete your account or disconnect a third-party platform, we remove the corresponding tokens and identifiers within 30 days, except where retention is required by law.

Depending on where you live, you may have the right to:

• Access the personal information we hold about you.
• Correct inaccurate information.
• Delete your information (the “right to be forgotten”).
• Restrict or object to certain processing.
• Receive a copy of your data in a portable format.
• Opt out of marketing communications.

To exercise any of these rights, contact vincestaplesteam@gmail.com. We’ll respond within 30 days.

You can also act directly on your linked accounts at any time:

• Disconnect a linked account. You can disconnect your YouTube, Spotify, or Discord account at any time from your fan profile in the Service. Disconnecting revokes our access tokens and removes the corresponding identifier from your account.
• Revoke YouTube access via Google. You can also revoke our YouTube access at any time by visiting your Google Account permissions page.
• Delete your account. Contact us at vincestaplesteam@gmail.com to permanently delete your fan account and associated data.

We implement appropriate technical and organizational measures — including encryption in transit, restricted server access, and short-lived OAuth tokens — to protect your personal information. No system is perfectly secure, but we work to minimize risk and to notify you promptly of any incident that affects your data.

The Service is not directed to children under 13 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us so we can delete it.

We are based in the United States and our service providers process data primarily in the United States. If you access the Service from outside the U.S., your information will be transferred to and processed in the U.S., which may have different data-protection laws than your country.

We may update this policy from time to time. The “Last updated” date at the top of this page reflects the most recent change. Material changes will be communicated via the Service or by email.

For privacy questions, requests, or concerns:

• Email: vincestaplesteam@gmail.com
• Mail: Blacksmith Holdings, Inc., 630 Fifth Avenue, 20th Floor, New York, NY 10111