Privacy Policy

1. Data we collect

We collect:

• Account data: your email address, and — if you sign in with Google — your Google account identifier and basic profile (name, email) provided by Google.
• Content you submit: song lyrics, song titles, artist names, notes, audio-derived features, AI analyses and rewrites, chat messages, and the threads, folders, tags and album projects you organise them into.
• Usage and billing data: your credit balance and history, feature usage, AI token counts and estimated processing costs.
• Referral data: referral codes you generate or redeem.
• Technical data: IP address, device and browser information, and product-analytics events about how you use the Service.
• Cookies and similar technologies: see section 6.

Please don't submit special-category data (e.g. health, political or religious information) or other people's personal data in your lyrics unless you have the right to do so.

2. How we use your data and our legal bases

We process your data to:

• provide the Service — create your account, run analyses and rewrites, store and display your content (legal basis: performance of our contract with you);
• operate credits, referrals and, in future, payments (performance of contract);
• keep the Service secure, prevent fraud and abuse, and debug problems (legitimate interests, and legal obligation where applicable);
• understand and improve the Service through product analytics (your consent where required, otherwise our legitimate interest in improving the product);
• communicate with you about service-related matters such as sign-in links and important notices (performance of contract / legitimate interests);
• comply with legal obligations and establish, exercise or defend legal claims (legal obligation / legitimate interests).

3. AI processing of your content

To generate analyses, scores and rewrites, the lyrics and related details you submit are sent to our AI provider, Anthropic, which processes them on our behalf to return a result. We send this content only to provide the feature you requested. Under Anthropic's commercial API terms, your inputs and outputs are not used to train their models. We do not sell your content and do not use it to train our own models.

4. Who we share data with (sub-processors)

We share data with service providers who process it on our behalf, under contract, only to run the Service:

• Supabase — authentication and database hosting (EU region).
• Anthropic — AI processing of the lyrics and details you submit (United States; see section 8).
• Vercel — application hosting and delivery (EU region).
• PostHog — product analytics (EU hosting).
• Google — sign-in via Google OAuth, if you choose it.
• A payment provider (e.g. Stripe) — only if and when paid features launch, to process payments.

We may also disclose data if required by law, to enforce our Terms, or in connection with a merger, acquisition or sale of assets, in which case we will tell you. We do not sell your personal data.

5. Public sharing

If you enable a public share link for a thread, the content of that thread becomes accessible to anyone who has the link, without signing in. You control this and can disable the link at any time.

6. Cookies and analytics

We use cookies and similar technologies that are strictly necessary to sign you in and keep the Service working (for example, your authentication session and a referral cookie that remembers a referral code from a shared link). We also use PostHog analytics to understand how the Service is used and improve it. Where required by law, we ask for your consent before setting non-essential analytics cookies, and you can withdraw it at any time.

7. Data retention

We keep your account and content for as long as your account is active. If you ask us to delete your account, we delete or anonymise your personal data within a reasonable period, except where we must keep certain records to comply with the law (for example accounting records) or to establish, exercise or defend legal claims. Backups are retained for a limited period before being overwritten.

8. International transfers

Our hosting and database are located in the EU. Some sub-processors, such as Anthropic, may process data outside the European Economic Area, including in the United States. Where that happens, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses to protect your data. You can ask us for more information about these safeguards.

9. Your rights

Under the GDPR you have the right to access your data; to have it corrected or deleted; to restrict or object to certain processing; to data portability; and, where processing is based on consent, to withdraw that consent at any time without affecting prior processing. To exercise any of these rights, email hello@hitmaster.app. You also have the right to lodge a complaint with the French data-protection authority, the CNIL (www.cnil.fr), or your local supervisory authority.

10. Security

We use technical and organisational measures designed to protect your data, including encryption in transit, access controls and reputable infrastructure providers. No system is perfectly secure, but we work to protect your data and will notify you and the relevant authority of a personal-data breach where the law requires.

11. Children

The Service is not intended for children under 15. We do not knowingly collect personal data from children under that age. If you believe a child has provided us data without appropriate consent, contact us and we will delete it.

12. Changes to this Policy

We may update this Policy from time to time. If we make material changes, we will take reasonable steps to notify you. The "last updated" date above shows when this Policy was last revised.

13. Contact

For privacy questions or requests, contact us at hello@hitmaster.app, or write to [OPERATOR NAME], [REGISTERED ADDRESS].