Privacy Policy

a) Account & Authentication
When you create an account, we store your email address and authentication credentials via Supabase Auth. This data is required to identify you, manage your account, and secure access to your analyses.
Legal basis: Art. 6(1)(b) GDPR — performance of a contract.

b) Uploaded Audio Files
When you submit a song for analysis, your audio file is temporarily stored on our servers for processing. The file passes through our analysis pipeline (tempo, key, genre, lyrics, instruments, virality, etc.) and the resulting analysis data is stored as a JSON report linked to your account.
Legal basis: Art. 6(1)(b) GDPR — performance of a contract.

c) Analysis Results
The results of each analysis (tempo, key, loudness, genre classification, lyrics transcription, instrument detection, virality prediction, etc.) are stored and linked to your account so you can access them at any time.
Legal basis: Art. 6(1)(b) GDPR — performance of a contract.

d) Credits & Payment Data
We track your credit balance (credits purchased and credits used). Payment transactions are processed by Polar. We do not store credit card numbers or full payment details on our servers — only the transaction reference, purchased credit amount, and timestamp received via webhook.
Legal basis: Art. 6(1)(b) GDPR — performance of a contract.

e) API Access Requests
If you request API access, we collect your email address and optionally your company name and intended use case. This data is used solely to evaluate your request and contact you about API access.
Legal basis: Art. 6(1)(a) GDPR — your consent.

f) Server Logs
Our hosting providers (Vercel for the landing page, our own server for the application) may collect technical data such as IP addresses, browser type, and access timestamps. This data is used for security and debugging purposes only.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in security and stability.

g) Anonymous Usage Statistics (Vercel Web Analytics)
We use Vercel Web Analytics to understand how visitors interact with our landing page (page views, referrer domain, country, device type, browser). This service is cookieless: no cookies are set, nothing is written to or read from your device, no cross-site tracking takes place, and no individual user profiles are created. By Vercel, IP addresses are processed only briefly server-side (hashed for bot detection) and are never stored.

Demo upload IP logging. One exception applies on our anonymous demo flow at /try: because there is no account behind the request, we briefly record the requesting IP address on the demo job record for the duration of the 1-hour auto-delete window so we can identify and rate-limit abuse (mass uploads, automated cost-amplification). The IP is hard-deleted together with the rest of the job after 1 hour and never returned to user-facing surfaces. Legal basis: Art. 6(1)(f) GDPR — legitimate interest in protecting the Service from abuse.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in measuring reach and improving our service. No consent banner is required because no information is stored on or read from your device (TTDSG § 25).

h) Email Communications
We send you transactional emails that are necessary to operate your account: signup confirmation, password reset, magic-link login, email-change confirmation, and account invitations. These are delivered via our email-infrastructure provider Resend (see section 5).
Optionally — and only if you explicitly opt in via your account Settings — we send notification emails when one of your songs is added to a curated Spotify playlist, weekly leaderboard updates, or product news. You can change these preferences at any time and unsubscribe with one click via the link in any such email.
Legal basis: Art. 6(1)(b) GDPR for transactional emails — performance of a contract. Art. 6(1)(a) GDPR for optional notifications and product updates — your consent.

j) ML Training Consent (Optional)
You can optionally allow us to use the anonymized results of your analyses (audio features, derived classifications, lyrics transcripts) to train and improve our internal AI models. This is strictly opt-in via your account Settings, can be withdrawn at any time, and applies retroactively when withdrawn (we stop using your past data for future training runs). The original audio file itself is never used for training and is deleted after analysis as described in section 6.
Legal basis: Art. 6(1)(a) GDPR — your consent. Withdrawable at any time under Art. 7(3) GDPR without affecting the lawfulness of prior processing.

k) Public Music-Industry Data for Model Calibration
To calibrate and improve our Virality Score model we continuously collect publicly available metadata about released music from third-party platforms. Specifically:

Spotify Web API (public catalog). Using application-level credentials (no user OAuth), we read public track metadata (title, artist name, ISRC, release date, album art URL), the daily popularity value (0–100) Spotify exposes for each track, and the Spotify-listed genre tags for each artist. We re-poll the same track periodically over time to build a popularity-over-time series — exactly the kind of public chart-tracking that services such as Chartmasters, Chartmetric or Soundcharts also perform on the same API endpoints. No personal data of the artists beyond what is already on their public Spotify catalog page is processed.

Public chart datasets. We additionally ingest publicly available historical chart datasets (e.g. weekly Spotify chart positions aggregated by independent researchers and published on Kaggle under permissive licences). These datasets do not contain personal data — they list tracks, artists and positions, all already in the public domain on Spotify Charts.

This data is used only for internal model calibration and as a comparison baseline for analyses you submit. It is not used for personalized advertising, profiling of individual artists, or any decision that produces legal or similarly significant effects under Art. 22 GDPR. It is never resold or republished in raw form.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in calibrating our analytics model against the public music-industry landscape, weighed against the practically nil impact on individual artists whose publicly released catalog metadata is processed at the same level of detail as on any public chart site.

l) In-app Support Messages
The Service includes an in-app inbox where you can send messages to our team (bug reports, feedback, questions) and where our team can reply to you. For each thread we store the subject, the message bodies, timestamps, sender role (you or admin), and per-side unread counters. Members of our team with administrator access can read every thread in order to provide support and to investigate misuse of the messaging channel. We do not use the content of these messages for any other purpose, do not sell or share it with third parties, and do not feed it into our analysis or training pipelines.

Where you contact support, where we need to investigate a technical issue with one of your analyses, or for periodic quality-assurance sampling, members of our team with administrator access may also open your individual analysis results read-only (audio features, scores, moments, lyrics evaluation, recommendations). Such cross-user accesses are recorded in our GDPR audit log (see section 6) with the timestamp, the admin's identifier, and the analysis that was viewed. Administrators cannot modify your data via this path and never download or share your audio outside what the Service requires to operate.
Legal basis: Art. 6(1)(b) GDPR — performance of a contract (handling your support request). Where the messages or analyses are accessed to investigate abuse of the Service or for quality assurance, Art. 6(1)(f) GDPR — our legitimate interest in keeping the Service safe and reliable.

During our pre-launch phase, the public leaderboard at app.songbrain.ai/leaderboard displays a curated selection of publicly available Spotify tracks together with placeholder Virality Scores and Best Moments. These scores are not the result of an actual Songbrain analysis — they exist solely so visitors can see how the leaderboard will look once the platform opens publicly.

What this means in practice:

• Track data shown— song title, artist name, album art, and Spotify track ID — is publicly available metadata fetched from Spotify's public catalog.
• Scores and moments shown alongside these tracks are generated as illustrative placeholders and do not represent any real analysis, endorsement, or evaluation of the track or artist.
• If you are an artist and would like your track removed from the demo leaderboard, email info [at] songbrain [dot] ai with the subject line "Pre-launch leaderboard removal" and we will remove it within 7 days.
• Once Songbrain launches publicly, the leaderboard will exclusively display tracks that have actually been analyzed by our pipeline, with real scores and moments.

Legal basis: Art. 6(1)(f) GDPR — legitimate interest in demonstrating the product to potential users prior to launch. No personal data of the artists shown is processed beyond what is publicly available via Spotify's public catalog API.

• We do not use tracking cookies, cross-site tracking, or advertising cookies (no Google Analytics, no Facebook Pixel). The cookieless usage statistics described in section 3(h) do not identify individual users.
• We do not build advertising profiles or share data with ad networks.
• We do not store your full payment details (handled entirely by Polar).
• We do not retain uploaded audio files longer than necessary for analysis.

We use the following third-party services to operate Songbrain. Each acts as a data processor on our behalf and only processes what is necessary for the listed purpose:

• Supabase Inc.(US, with EU-region data storage) — Authentication, user account management, encrypted profile storage. Data is stored in Supabase's EU region.
• Resend Inc. (US) — Email infrastructure. Delivers all transactional and opt-in notification emails on our behalf. Resend processes recipient address, subject, and message body to deliver the email.
• Anthropic PBC (US) — AI text-processing for genre interpretation, lyric analysis, and result enhancement. We send text-based metadata (track title, artist name where you provided one, lyric transcripts, classifier outputs). We do notsend raw audio files to Anthropic. Anthropic's API does not use submitted data to train its models.
• Google LLC(US, with EU/US data centres) — Gemini audio analyser. A compressed copy of your uploaded audio (MP3 preview, no filename, no artist info) is sent to Google's Gemini API for an independent audio-based classification (genre, sub-genre, instruments, vocal style, tempo, mood). This is part of the analysis service itself and runs on every upload. Google's paid API tier does notuse submitted audio to train its models, per Google's Generative AI Terms. Data is transmitted under Google Cloud's Standard Contractual Clauses and is not retained by Google after the response is returned. This is distinct from "Sign in with Google" below — different Google service, different legal entity contract, different data flow.
• Spotify AB (Sweden, parent in US) — Two distinct uses:
  (i) Playlist publication.When one of your songs qualifies for a curated playlist (subject to your account tier and your song's public availability on Spotify), we send the Spotify Track ID and target playlist ID. No personal data beyond what is already public on your Spotify artist page is transmitted.
  (ii) Public catalog reads for model calibration. We poll Spotify's public Web API (application credentials, no user OAuth) to read track metadata and the daily popularity value of publicly released tracks in order to calibrate our Virality Score model. See section 3(k) for the full description.
• Kaggle (Alphabet Inc., US) — One-shot ingestion of publicly published historical music-chart datasets (e.g. weekly Spotify chart positions aggregated by independent researchers under permissive licences). Used as historical baseline for model calibration. We read the dataset, we do not send your personal data to Kaggle; the only request we make is the authenticated dataset download.
• ACRCloud Limited (Hong Kong, with EU/US edge endpoints) — Audio fingerprinting to detect cover songs and prevent duplicate copyright matches. We send only an audio fingerprint (mathematical hash, not the full audio file). Used only when enabled in our pipeline.
• Apify Technologies s.r.o. (Czech Republic, EU) — TikTok trend scraping for our Virality Score. We do not send any personal data of yours; Apify fetches publicly available TikTok content for trend comparison.
• Replicate, Inc.(US, processing in US) — AI image generation (Flux.1-Schnell model) for the auto-generated album cover that appears alongside your analysis when ACRCloud finds no commercial match and you haven't pasted a Spotify URL. We send only a short text prompt assembled from your analysis metadata (primary genre, subgenre, mood and style descriptors) — never your audio file, your name, your email, or any personal identifier. The generated JPEG is fetched back over HTTPS, stored on our infrastructure, and replaced with the real Spotify cover the moment you paste a Spotify URL. Data is processed under Replicate's Standard Contractual Clauses. See Replicate's privacy policy.
• Cloudflare, Inc.(US, with EU edge presence) — DNS proxy and edge / WAF for api.songbrain.ai. Cloudflare processes HTTP request metadata (IP address, user-agent, request path, response status) for DDoS mitigation, bot filtering, and TLS termination at the edge. Data is processed under Cloudflare's EU Standard Contractual Clauses. See Cloudflare's privacy policy.
• Google LLC(US) — Optional "Sign in with Google" OAuth login. If you choose this method, we receive your email address, name, and profile picture from Google. You can revoke this access at any time via your Google Account settings.
• Polar (US) — Payment processing for credit purchases and subscriptions. We do not store credit card numbers or full payment details — Polar handles all payment data and sends us only a transaction reference, the purchased credit amount, and a timestamp via webhook.
• IONOS SE (Germany, EU) — Domain registration, DNS, and our outbound email domain. Inbound emails sent to addresses on our domain (e.g. hello [at] songbrain [dot] ai) are stored on IONOS mail servers in Germany.
• Vercel Inc. (US) — Hosting of the public landing page (songbrain.ai). The application itself (app.songbrain.ai) runs on our own infrastructure.
• Vercel Web Analytics (US, processing in EU) — Cookieless, anonymous reach measurement on the landing page (page views, referrer, country, device). No individual profiles, no cross-site tracking.

International Data Transfers
Where data is transferred outside the EU/EEA (in particular to the United States), it is protected either by the EU-US Data Privacy Framework (DPF) where the recipient is certified, by the EU Standard Contractual Clauses (SCCs) under Commission Implementing Decision (EU) 2021/914, or by equivalent safeguards under Art. 46 GDPR. We assess each provider individually and supplement transfer mechanisms with technical and organizational measures (encryption in transit, access controls, data minimization) where appropriate.

• Account data: Stored as long as your account is active. Deleted upon account deletion request.
• Anonymous demo uploads (/try): Visitors can run one analysis without signing up. The full job record — uploaded audio, working copies, separation stems, generated cover, and the analysis result — is hard-deleted from disk within 1 hour of analysis completion. Nothing is retained unless the visitor creates an account and explicitly claims the analysis during that window, at which point the standard logged-in retention rules below apply.
• Uploaded audio files: Automatically deleted within 24 hours of analysis completion. This includes the original upload, the resampled working copy used by the analysis pipeline, source separation stems (drums, bass, vocals, other), and any rendered audio exports. One exception: a small compressed playback preview (≈3 MB MP3) is kept for 30 days after analysis so that you and our support team can replay the result from your dashboard. The preview is deleted by a daily sweeper at the end of that 30-day window. Account deletion erases the preview immediately.
• Analysis results: Stored as long as your account is active.
• Payment records: Retained for the legally required period (10 years under German tax law, § 147 AO).
• API access requests: Stored until your request is processed or you request deletion.
• Server logs: Deleted after 30 days.
• Activity feed entries: The in-app timeline of your actions (uploads, refunds, genre corrections, playlist placements, etc.) is kept for 90 days and then auto-deleted by a daily sweeper. Account deletion erases the remaining entries immediately.
• In-app support messages: Threads in your inbox (bug reports, feedback, admin replies) are kept for 12 months after the last message in the thread, then auto-deleted by a daily sweeper. The clock resets every time either side replies — a still-active conversation will not vanish under you. Account deletion erases all of your threads and their messages immediately.
• Backups: Our production database is backed up daily. Backups are retained for 30 days and are then permanently overwritten. When you exercise your right to erasure (Art. 17 GDPR), we remove your data from the live system immediately; backups are not actively edited, but your data ages out of them within the 30-day window. Restores from backup re-apply pending erasure markers so previously deleted accounts are not resurrected.
• GDPR audit log (Art. 30): We retain a minimal record of privacy-impacting actions you take (data export, account deletion, consent changes) for 3 years from the action, as evidence of our compliance with your requests. This log contains only your user ID, the action type, timestamp, IP and user-agent — never the content of your data.

Under the General Data Protection Regulation, you have the following rights:

• Right of access (Art. 15) — Request a copy of all personal data we hold about you.
• Right to rectification (Art. 16) — Correct inaccurate or incomplete data.
• Right to erasure(Art. 17) — Request deletion of your personal data ("right to be forgotten").
• Right to restrict processing (Art. 18) — Limit how we use your data.
• Right to data portability (Art. 20) — Receive a copy of the personal data you have provided to us in a structured, machine-readable format (JSON). The export contains: account information, profile fields, notification preferences, credits ledger (balance, total purchased, refill timestamps), uploaded file metadata, consent records, release-platform links you entered, support messages you sent, genre-feedback inputs you submitted, and your activity log. This right does not extend to data derived or inferred by our analysis pipeline (e.g. virality score, genre classification, moments, lyrics evaluation, embeddings, model outputs): per EDPB guideline WP242 rev.01, inferred data is outside the scope of Art. 20, and the underlying models and feature engineering are protected as trade secrets under Recital 63 GDPR. Payment card details are processed by Polar and never reach our servers.
• Right to object (Art. 21) — Object to processing based on legitimate interest.
• Right to withdraw consent (Art. 7(3)) — Withdraw any previously given consent at any time.

To exercise any of these rights, contact us at info [at] songbrain [dot] ai. We will respond within 30 days.

Songbrain's analysis pipeline uses AI/machine-learning systems to produce the results you see (genre classification, virality score, best-moment detection, lyrics evaluation, instrument recognition). These outputs are generated by automated systems — not by human review — and are intended as guidance, not as definitive musical judgement.

What this means for you:

• All scores and classifications shown in the dashboard are algorithmically produced. They reflect what our models observe in the audio + lyrics + current trend data; they do not reflect commercial success guarantees.
• No decision Songbrain makes about you has legal or similarly significant effects in the sense of Art. 22 GDPR. Playlist routing, virality scoring and ordering are recommendations — you remain free to use, ignore or override any AI output.
• You can request human review of any specific result by contacting info [at] songbrain [dot] ai. We will look at the case and explain how the result came about (within the limits of trade-secret protection per Recital 63 GDPR — we can describe the input signals and the reasoning at a high level, but not the model internals).
• If you submit corrections via the genre-feedback widget, your input may be used (only with your separate ML training consent — see section 3(j)) to improve the models. You can withdraw that consent at any time in Settings.