Privacy Policy

Last updated: May 12, 2026 (rev. 3)

1. Controller & Contact
Leon Ulicnik
songbrain ai / Smoke-Oh Studios
Bahnhofstr. 27, 24837 Schleswig, Germany
Email: info [at] songbrain [dot] ai

2. Overview of Data Processing
We process personal data only to the extent necessary to provide and improve our service. We do not sell your data to third parties. Below is a summary of what we collect, why, and how long we keep it.

3. Data We Collect

a) Account & Authentication
When you create an account, we store your email address and authentication credentials via Supabase Auth. This data is required to identify you, manage your account, and secure access to your analyses.
Legal basis: Art. 6(1)(b) GDPR — performance of a contract.

b) Uploaded Audio Files
When you submit a song for analysis, your audio file is temporarily stored on our servers for processing. The file passes through our analysis pipeline (tempo, key, genre, lyrics, instruments, virality, etc.) and the resulting analysis data is stored as a JSON report linked to your account.
Legal basis: Art. 6(1)(b) GDPR — performance of a contract.

c) Analysis Results
The results of each analysis (tempo, key, loudness, genre classification, lyrics transcription, instrument detection, virality prediction, etc.) are stored and linked to your account so you can access them at any time.
Legal basis: Art. 6(1)(b) GDPR — performance of a contract.

d) Credits & Payment Data
We track your credit balance (credits purchased and credits used). Payment transactions are processed by LemonSqueezy. We do not store credit card numbers or full payment details on our servers — only the transaction reference, purchased credit amount, and timestamp received via webhook.
Legal basis: Art. 6(1)(b) GDPR — performance of a contract.

e) Waitlist
If you sign up for our Early Access waitlist, we collect your email address solely to notify you when Songbrain becomes available.
Legal basis: Art. 6(1)(a) GDPR — your consent.

f) API Access Requests
If you request API access, we collect your email address and optionally your company name and intended use case. This data is used solely to evaluate your request and contact you about API access.
Legal basis: Art. 6(1)(a) GDPR — your consent.

g) Server Logs
Our hosting providers (Vercel for the landing page, our own server for the application) may collect technical data such as IP addresses, browser type, and access timestamps. This data is used for security and debugging purposes only.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in security and stability.

h) Anonymous Usage Statistics (Vercel Web Analytics)
We use Vercel Web Analytics to understand how visitors interact with our landing page (page views, referrer domain, country, device type, browser). This service is cookieless: no cookies are set, nothing is written to or read from your device, no cross-site tracking takes place, and no individual user profiles are created. IP addresses are processed only briefly server-side (hashed for bot detection) and are never stored.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in measuring reach and improving our service. No consent banner is required because no information is stored on or read from your device (TTDSG § 25).

i) Email Communications
We send you transactional emails that are necessary to operate your account: signup confirmation, password reset, magic-link login, email-change confirmation, and account invitations. These are delivered via our email-infrastructure provider Resend (see section 5).
Optionally — and only if you explicitly opt in via your account Settings — we send notification emails when one of your songs is added to a curated Spotify playlist, weekly leaderboard updates, or product news. You can change these preferences at any time and unsubscribe with one click via the link in any such email.
Legal basis: Art. 6(1)(b) GDPR for transactional emails — performance of a contract. Art. 6(1)(a) GDPR for optional notifications and product updates — your consent.

j) ML Training Consent (Optional)
You can optionally allow us to use the anonymized results of your analyses (audio features, derived classifications, lyrics transcripts) to train and improve our internal AI models. This is strictly opt-in via your account Settings, can be withdrawn at any time, and applies retroactively when withdrawn (we stop using your past data for future training runs). The original audio file itself is never used for training and is deleted after analysis as described in section 6.
Legal basis: Art. 6(1)(a) GDPR — your consent. Withdrawable at any time under Art. 7(3) GDPR without affecting the lawfulness of prior processing.

3.5 Pre-Launch Demo Content (Leaderboard)

During our pre-launch phase, the public leaderboard at app.songbrain.ai/leaderboard displays a curated selection of publicly available Spotify tracks together with placeholder Virality Scores and Best Moments. These scores are not the result of an actual Songbrain analysis — they exist solely so visitors can see how the leaderboard will look once the platform opens publicly.

What this means in practice:

  • Track data shown — song title, artist name, album art, and Spotify track ID — is publicly available metadata fetched from Spotify's public catalog.
  • Scores and moments shown alongside these tracks are generated as illustrative placeholders and do not represent any real analysis, endorsement, or evaluation of the track or artist.
  • If you are an artist and would like your track removed from the demo leaderboard, email info [at] songbrain [dot] ai with the subject line "Pre-launch leaderboard removal" and we will remove it within 7 days.
  • Once Songbrain launches publicly, the leaderboard will exclusively display tracks that have actually been analyzed by our pipeline, with real scores and moments.

Legal basis: Art. 6(1)(f) GDPR — legitimate interest in demonstrating the product to potential users prior to launch. No personal data of the artists shown is processed beyond what is publicly available via Spotify's public catalog API.

4. Data We Do NOT Collect
  • We do not use tracking cookies, cross-site tracking, or advertising cookies (no Google Analytics, no Facebook Pixel). The cookieless usage statistics described in section 3(h) do not identify individual users.
  • We do not build advertising profiles or share data with ad networks.
  • We do not store your full payment details (handled entirely by LemonSqueezy).
  • We do not retain uploaded audio files longer than necessary for analysis.

5. Third-Party Services & Data Processors

We use the following third-party services to operate Songbrain. Each acts as a data processor on our behalf and only processes what is necessary for the listed purpose:

  • Supabase Inc. (US, with EU-region data storage) — Authentication, user account management, encrypted profile storage. Data is stored in Supabase's EU region.
  • Resend Inc. (US) — Email infrastructure. Delivers all transactional and opt-in notification emails on our behalf. Resend processes recipient address, subject, and message body to deliver the email.
  • Anthropic PBC (US) — AI text-processing for genre interpretation, lyric analysis, and result enhancement. We send text-based metadata (track title, artist name where you provided one, lyric transcripts, classifier outputs). We do not send raw audio files to Anthropic. Anthropic's API does not use submitted data to train its models.
  • Spotify AB (Sweden, parent in US) — Playlist publication. When one of your songs qualifies for a curated playlist (subject to your account tier and your song's public availability on Spotify), we send the Spotify Track ID and target playlist ID. No personal data beyond what is already public on your Spotify artist page is transmitted.
  • ACRCloud Limited (Hong Kong, with EU/US edge endpoints) — Audio fingerprinting to detect cover songs and prevent duplicate copyright matches. We send only an audio fingerprint (mathematical hash, not the full audio file). Used only when enabled in our pipeline.
  • Apify Technologies s.r.o. (Czech Republic, EU) — TikTok trend scraping for our Virality Score. We do not send any personal data of yours; Apify fetches publicly available TikTok content for trend comparison.
  • Google LLC (US) — Optional "Sign in with Google" OAuth login. If you choose this method, we receive your email address, name, and profile picture from Google. You can revoke this access at any time via your Google Account settings.
  • LemonSqueezy (US) — Payment processing for credit purchases. We do not store credit card numbers or full payment details — LemonSqueezy handles all payment data and sends us only a transaction reference, the purchased credit amount, and a timestamp via webhook.
  • IONOS SE (Germany, EU) — Domain registration, DNS, and our outbound email domain. Inbound emails sent to addresses on our domain (e.g. hello [at] songbrain [dot] ai) are stored on IONOS mail servers in Germany.
  • Vercel Inc. (US) — Hosting of the public landing page (songbrain.ai). The application itself (app.songbrain.ai) runs on our own infrastructure.
  • Vercel Web Analytics (US, processing in EU) — Cookieless, anonymous reach measurement on the landing page (page views, referrer, country, device). No individual profiles, no cross-site tracking.

International Data Transfers
Where data is transferred outside the EU/EEA (in particular to the United States), it is protected either by the EU-US Data Privacy Framework (DPF) where the recipient is certified, by the EU Standard Contractual Clauses (SCCs) under Commission Implementing Decision (EU) 2021/914, or by equivalent safeguards under Art. 46 GDPR. We assess each provider individually and supplement transfer mechanisms with technical and organizational measures (encryption in transit, access controls, data minimization) where appropriate.

6. Data Retention
  • Account data: Stored as long as your account is active. Deleted upon account deletion request.
  • Uploaded audio files: Automatically deleted within 24 hours of analysis completion. This includes the original upload, any resampled/normalized working copy, source separation stems (drums, bass, vocals, other) produced during analysis, and any rendered audio exports.
  • Analysis results: Stored as long as your account is active.
  • Payment records: Retained for the legally required period (10 years under German tax law, § 147 AO).
  • Waitlist emails: Stored until you unsubscribe or request deletion.
  • API access requests: Stored until your request is processed or you request deletion.
  • Server logs: Deleted after 30 days.
  • Backups: Our production database is backed up daily. Backups are retained for 30 days and are then permanently overwritten. When you exercise your right to erasure (Art. 17 GDPR), we remove your data from the live system immediately; backups are not actively edited, but your data ages out of them within the 30-day window. Restores from backup re-apply pending erasure markers so previously deleted accounts are not resurrected.
  • GDPR audit log (Art. 30): We retain a minimal record of privacy-impacting actions you take (data export, account deletion, consent changes) for 3 years from the action, as evidence of our compliance with your requests. This log contains only your user ID, the action type, timestamp, IP and user-agent — never the content of your data.

7. Your Rights (GDPR)

Under the General Data Protection Regulation, you have the following rights:

  • Right of access (Art. 15) — Request a copy of all personal data we hold about you.
  • Right to rectification (Art. 16) — Correct inaccurate or incomplete data.
  • Right to erasure (Art. 17) — Request deletion of your personal data ("right to be forgotten").
  • Right to restrict processing (Art. 18) — Limit how we use your data.
  • Right to data portability (Art. 20) — Receive a copy of the personal data you have provided to us in a structured, machine-readable format (JSON). The export contains: account information, profile fields, notification preferences, credits ledger (balance, total purchased, refill timestamps), uploaded file metadata, consent records, release-platform links you entered, support messages you sent, genre-feedback inputs you submitted, and your activity log. This right does not extend to data derived or inferred by our analysis pipeline (e.g. virality score, genre classification, moments, lyrics evaluation, embeddings, model outputs): per EDPB guideline WP242 rev.01, inferred data is outside the scope of Art. 20, and the underlying models and feature engineering are protected as trade secrets under Recital 63 GDPR. Payment card details are processed by LemonSqueezy and never reach our servers.
  • Right to object (Art. 21) — Object to processing based on legitimate interest.
  • Right to withdraw consent (Art. 7(3)) — Withdraw any previously given consent at any time.

To exercise any of these rights, contact us at info [at] songbrain [dot] ai. We will respond within 30 days.

8. How to Request Data Deletion
You can request complete deletion of your account and all associated data by sending an email to info [at] songbrain [dot] ai with the subject line "Data Deletion Request". We will delete all your personal data, analysis results, and account information within 30 days, except where retention is required by law (e.g., payment records under German tax regulations).

9. Cookies
This website does not use tracking cookies, advertising cookies, or analytics cookies. Only technically necessary cookies may be set by our hosting providers (Vercel, Supabase) to ensure functionality and security (e.g., session tokens for authentication). These are strictly necessary and do not require consent under GDPR.

10. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, or misuse. This includes encrypted data transmission (TLS/SSL), secure authentication via Supabase, and restricted access to our servers.

10.5 Automated Processing & AI Disclosure (EU AI Act Art. 50)

Songbrain's analysis pipeline uses AI/machine-learning systems to produce the results you see (genre classification, virality score, best-moment detection, lyrics evaluation, instrument recognition). These outputs are generated by automated systems — not by human review — and are intended as guidance, not as definitive musical judgement.

What this means for you:

  • All scores and classifications shown in the dashboard are algorithmically produced. They reflect what our models observe in the audio + lyrics + current trend data; they do not reflect commercial success guarantees.
  • No decision Songbrain makes about you has legal or similarly significant effects in the sense of Art. 22 GDPR. Playlist routing, virality scoring and ordering are recommendations — you remain free to use, ignore or override any AI output.
  • You can request human review of any specific result by contacting info [at] songbrain [dot] ai. We will look at the case and explain how the result came about (within the limits of trade-secret protection per Recital 63 GDPR — we can describe the input signals and the reasoning at a high level, but not the model internals).
  • If you submit corrections via the genre-feedback widget, your input may be used (only with your separate ML training consent — see section 3(j)) to improve the models. You can withdraw that consent at any time in Settings.

11. Right to Lodge a Complaint
If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority. The competent authority for us is:

Independent State Centre for Data Protection Schleswig-Holstein (Unabhängiges Landeszentrum für Datenschutz, ULD)
Holstenstraße 98, 24103 Kiel, Germany
Website: datenschutzzentrum.de

12. Changes to This Privacy Policy
We may update this privacy policy from time to time. The current version is always available on this page with the date of the last update shown at the top.