← Back to home

Privacy Policy

Last updated: March 28, 2026

1. Controller & Contact
Leon Ulicnik
songbrain ai / Smoke-Oh Studios
Bahnhofstr. 27, 24837 Schleswig, Germany
Email: info [at] songbrain [dot] ai

2. Overview of Data Processing
We process personal data only to the extent necessary to provide and improve our service. We do not sell your data to third parties. Below is a summary of what we collect, why, and how long we keep it.

3. Data We Collect

a) Account & Authentication
When you create an account, we store your email address and authentication credentials via Supabase Auth. This data is required to identify you, manage your account, and secure access to your analyses.
Legal basis: Art. 6(1)(b) GDPR — performance of a contract.

b) Uploaded Audio Files
When you submit a song for analysis, your audio file is temporarily stored on our servers for processing. The file passes through our analysis pipeline (tempo, key, genre, lyrics, instruments, virality, etc.) and the resulting analysis data is stored as a JSON report linked to your account.
Legal basis: Art. 6(1)(b) GDPR — performance of a contract.

c) Analysis Results
The results of each analysis (tempo, key, loudness, genre classification, lyrics transcription, instrument detection, virality prediction, etc.) are stored and linked to your account so you can access them at any time.
Legal basis: Art. 6(1)(b) GDPR — performance of a contract.

d) Credits & Payment Data
We track your credit balance (credits purchased and credits used). Payment transactions are processed by LemonSqueezy. We do not store credit card numbers or full payment details on our servers — only the transaction reference, purchased credit amount, and timestamp received via webhook.
Legal basis: Art. 6(1)(b) GDPR — performance of a contract.

e) Waitlist
If you sign up for our waitlist, we collect your email address solely to notify you when Songbrain becomes available.
Legal basis: Art. 6(1)(a) GDPR — your consent.

f) Server Logs
Our hosting providers (Vercel for the landing page, our own server for the application) may collect technical data such as IP addresses, browser type, and access timestamps. This data is used for security and debugging purposes only.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in security and stability.

4. Data We Do NOT Collect
  • We do not use tracking cookies or analytics tools (no Google Analytics, no Facebook Pixel).
  • We do not build advertising profiles or share data with ad networks.
  • We do not store your full payment details (handled entirely by LemonSqueezy).
  • We do not retain uploaded audio files longer than necessary for analysis.
5. Third-Party Services & Data Processors

We use the following third-party services:

  • Supabase (US/EU) — Authentication and user management.
  • LemonSqueezy (US) — Payment processing and credit purchases.
  • Vercel (US) — Hosting of the landing page.

These providers act as data processors on our behalf. Where data is transferred to the US, it is protected by EU Standard Contractual Clauses (SCCs) or equivalent safeguards.

6. Data Retention
  • Account data: Stored as long as your account is active. Deleted upon account deletion request.
  • Uploaded audio files: Automatically deleted after analysis is complete (cleanup worker runs based on TTL).
  • Analysis results: Stored as long as your account is active.
  • Payment records: Retained for the legally required period (10 years under German tax law, § 147 AO).
  • Waitlist emails: Stored until you unsubscribe or request deletion.
  • Server logs: Deleted after 30 days.
7. Your Rights (GDPR)

Under the General Data Protection Regulation, you have the following rights:

  • Right of access (Art. 15) — Request a copy of all personal data we hold about you.
  • Right to rectification (Art. 16) — Correct inaccurate or incomplete data.
  • Right to erasure(Art. 17) — Request deletion of your personal data ("right to be forgotten").
  • Right to restrict processing (Art. 18) — Limit how we use your data.
  • Right to data portability (Art. 20) — Receive your data in a machine-readable format.
  • Right to object (Art. 21) — Object to processing based on legitimate interest.
  • Right to withdraw consent (Art. 7(3)) — Withdraw any previously given consent at any time.

To exercise any of these rights, contact us at info [at] songbrain [dot] ai. We will respond within 30 days.

8. How to Request Data Deletion
You can request complete deletion of your account and all associated data by sending an email to info [at] songbrain [dot] aiwith the subject line "Data Deletion Request". We will delete all your personal data, analysis results, and account information within 30 days, except where retention is required by law (e.g., payment records under German tax regulations).

9. Cookies
This website does not use tracking cookies, advertising cookies, or analytics cookies. Only technically necessary cookies may be set by our hosting providers (Vercel, Supabase) to ensure functionality and security (e.g., session tokens for authentication). These are strictly necessary and do not require consent under GDPR.

10. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, or misuse. This includes encrypted data transmission (TLS/SSL), secure authentication via Supabase, and restricted access to our servers.

11. Right to Lodge a Complaint
If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority. The competent authority for us is:

Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD)
Holstenstraße 98, 24103 Kiel, Germany
Website: datenschutzzentrum.de

12. Changes to This Privacy Policy
We may update this privacy policy from time to time. The current version is always available on this page with the date of the last update shown at the top.