Privacy Policy

1. Data Controller

The controller of your personal data is IT Consulting Anna Olearczyk (the "Controller"), operating the Heart Melody platform at heartmelody.ai.

Contact: contact@updates.heartmelody.ai

2. Legal Basis for Processing

We process personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable privacy laws. The legal bases for processing include:

• Performance of a contract (Art. 6(1)(b) GDPR) — processing is necessary to fulfill your Order for a personalized song.
• Legal obligation (Art. 6(1)(c) GDPR) — processing is necessary to comply with legal obligations such as tax and accounting requirements.
• Legitimate interest (Art. 6(1)(f) GDPR) — processing is necessary for our legitimate interests, such as improving the Service and protecting against fraud.
• Consent (Art. 6(1)(a) GDPR) — where you have given voluntary consent, such as for marketing communications.

3. Data We Collect

We collect the following categories of data when you use the Service:

3.1. Information you provide in the order form:

• Your name (as the sender/orderer)
• Your email address (optional)
• Recipient's name
• Your relationship with the recipient
• The occasion for the song
• Musical preferences (genre, voice, language)
• Personal memories and stories (content you provide)
• Photos (optional, if uploaded)

3.2. Data collected automatically:

• IP address
• Browser and device type
• Analytics data (via our analytics provider)

3.3. Payment data:

Payment card details are processed exclusively by Stripe, Inc. and are never stored on our servers. We receive only payment confirmation and a transaction identifier.

4. Purposes of Processing

We process your personal data for the following purposes:

• Order fulfillment — generating your personalized song based on the information you provide.
• Payment processing — processing your payment via Stripe.
• Communication — notifying you about your order status and responding to inquiries.
• Song delivery — sending an email notification when your song is ready (if an email address is provided).
• Legal compliance — maintaining accounting and tax records as required by law.
• Analytics — analyzing website traffic to improve the Service.

5. Categories of Recipients (Sub-processors)

Your personal data may be shared with the following categories of third-party service providers acting as data processors on our behalf:

• Stripe, Inc. (USA) — online payment processing. Stripe implements Standard Contractual Clauses approved by the European Commission to safeguard data transfers.
• AI music generation provider (USA) — generates the song based on the order content. Data shared is limited to the song prompt and does not include personally identifiable information.
• AI lyrics generation provider (USA) — generates the song lyrics. Only information necessary to compose the lyrics is shared.
• Transactional email provider (USA) — delivery of order-status notifications.
• Hosting, file storage and web analytics provider (USA) — application hosting and storage of shared files (e.g. photos, audio).
• Managed database provider (USA/EU) — order data storage.

Transfers of data to countries outside the European Economic Area (including the USA) are safeguarded by Standard Contractual Clauses approved by the European Commission (Art. 46(2)(c) GDPR) or by adequacy decisions (EU-U.S. Data Privacy Framework).

Upon request to our contact email, we will disclose the names of the specific providers used within each category.

6. Data Retention

• Order data — retained for 5 years from the date of order completion for tax and accounting purposes.
• Contact information — retained until the inquiry is resolved, and no longer than 2 years from the last contact.
• Analytics data — retained in accordance with our analytics provider's policies (anonymized data).
• Generated songs — retained on our servers for as long as necessary to deliver the service and allow download by the customer.

7. Your Rights

Under the GDPR and applicable privacy laws, you have the following rights regarding your personal data:

• Right of access (Art. 15 GDPR) — the right to obtain information about the personal data we process about you.
• Right to rectification (Art. 16 GDPR) — the right to request correction of inaccurate or incomplete data.
• Right to erasure (Art. 17 GDPR) — the right to request deletion of your data ("right to be forgotten"), subject to our legal obligations.
• Right to restriction of processing (Art. 18 GDPR) — the right to request restriction of processing in certain circumstances.
• Right to data portability (Art. 20 GDPR) — the right to receive your data in a structured, commonly used, machine-readable format.
• Right to object (Art. 21 GDPR) — the right to object to processing based on legitimate interests.
• Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before the withdrawal.

To exercise your rights, please contact us at: contact@updates.heartmelody.ai

8. Right to Lodge a Complaint

If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is:

If you are located in another EU/EEA country, you may also lodge a complaint with the supervisory authority in your country of residence.

9. Cookies

1. The Service uses cookies that are essential for the proper functioning of the website (session cookies, authentication cookies for the admin panel).
2. We use a privacy-friendly analytics provider that operates on anonymized data and does not rely on persistent tracking cookies.
3. Payment-related cookies set by Stripe, Inc. are subject to Stripe's own privacy policy.
4. You can manage your cookie settings through your browser preferences.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, destruction, or disclosure, including:

• Encryption of all communications via SSL/TLS (HTTPS).
• Secure storage of data in encrypted databases.
• Restricted access to personal data limited to authorized personnel only.
• Regular security reviews and updates.

11. Changes to This Privacy Policy

We reserve the right to update this Privacy Policy. Any changes will be communicated through the Service. Continued use of the Service after changes are posted constitutes acceptance of the updated policy.