Your privacy is important to us. This policy explains what data we collect, why we collect it, and how you can control it. We are committed to being transparent and protecting your personal information.
Quick Summary
- We never sell your personal data
- Payments are processed by Stripe - we never store card numbers
- You can request deletion of your account and data at any time from Settings
- We do not use advertising trackers or IDFA
- Public songs are visible to everyone; private songs are only visible to you
- We do not collect data from children under 13
1. Introduction
MUSICA ("we", "our", or "the platform") is an AI-powered Latin music generation platform, operated by an independent developer and available at app.musica.dev and as a mobile application.
By using the Service, you accept the data practices described in this Privacy Policy. If you do not agree with the terms of this Policy, please do not use the Service.
2. Data We Collect
Account Information:
- Name and display name
- Email address
- Profile photo (optional)
- Password (stored as a secure hash, never in plain text)
- OAuth authentication tokens (if you sign in with Google or Apple)
Usage Data:
- Songs generated, including lyrics and style prompts you submit
- Listening history and playback behavior
- Songs you like, share, or add to playlists
- Users you follow and social interactions (comments, likes)
- Generation settings and preferences
Payment Information:
Payment processing is handled by Stripe. We do not store your credit card number, CVV, or full card details. We receive and retain a Stripe customer ID, subscription status, and billing history for account management.
Device Data:
- Device push notification tokens (Firebase Cloud Messaging)
- IP address and general geographic location (country/city level)
- Browser type and version
- Operating system
Social Login:
If you register or sign in with Google or Apple, we receive basic profile information from those services, including your name and email, as permitted by your privacy settings on those platforms.
3. How We Use Your Data
We use the information we collect to:
- Provide the Service: Process AI music generation requests, manage your library, and deliver the core platform functionality.
- Personalize Your Experience: Generate song recommendations based on your listening and generation history.
- Process Payments: Manage subscriptions, process billing, and handle credit allocation.
- Communicate with You: Send account-related notifications, service updates, and transactional emails.
- Send Push Notifications: Inform you when your songs are ready or other relevant updates, if you have granted permission.
- Improve the Service: Analyze usage patterns to improve AI model quality, fix bugs, and develop new features.
- Ensure Security: Detect and prevent fraudulent activity, abuse, and unauthorized access.
- Comply with Legal Obligations: Respond to legal requests from authorities and fulfill our legal obligations.
4. Third-Party Services and Data Sharing
We do not sell your personal data. We share your information in a limited way with the following trusted service providers:
- Stripe: Payment processing and subscription management. Stripe directly handles your credit card data per their own privacy policies and PCI DSS compliance.
- Firebase Cloud Messaging (Google): Sending push notifications to your device. Only the device token necessary for notification delivery is shared.
- Amazon SES (Amazon Web Services): Sending transactional emails (welcome, song ready, payment confirmation, password reset, etc.). Your email address is shared.
- Cloudflare R2: Storage of generated audio files. Songs are stored securely on Cloudflare infrastructure.
- Google and Apple (OAuth): Social login authentication. We receive name and email per your privacy settings on those platforms.
- RunPod (AI Processing): AI music generation processing. Generation prompts and lyrics are sent for processing and audio generation. Servers are located in the United States.
We may also share information in these circumstances:
- Public Content: Songs and content you mark as public are visible to all users.
- Legal Requirements: We may disclose information when required by applicable law, subpoena, or court order.
- Business Transfers: In the event of a merger, acquisition, or asset sale, your information may be transferred as part of that transaction.
5. Data Storage and Processing
Your data is processed and stored in the following locations:
- Backend and database: Hetzner (Germany / European Union)
- AI processing: RunPod (United States)
- Audio storage: Cloudflare R2 (globally distributed)
- Emails: Amazon SES (United States, us-east-1 region)
- Payments: Stripe (United States)
By using the Service, you consent to the transfer of your information to these countries. We take steps to ensure that any international transfer complies with applicable data protection laws and that your data receives adequate protection.
6. Data Retention and Deletion
We retain your personal data while your account is active or as needed to provide the Service:
- Active account data is retained for the duration of your account.
- Upon deleting your account (available in Settings > Danger Zone), we will delete or anonymize your personal data within 30 days, except where law requires retention.
- Backups may persist up to 90 days after deletion.
- Aggregated and anonymized data (which cannot identify you) may be retained indefinitely for analytical purposes.
- Financial transaction records may be retained up to 7 years to comply with tax and accounting regulations.
7. Your Privacy Rights (GDPR / CCPA)
Depending on your location, you may have the following rights over your personal data under the GDPR, CCPA, or other applicable privacy laws:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate or incomplete data.
- Erasure: Request deletion of your personal data (the "right to be forgotten"). You can delete your account directly from Settings.
- Portability: Request your data in a structured, machine-readable format.
- Restriction: Request that we limit processing of your data in certain circumstances.
- Objection: Object to processing of your data based on legitimate interests.
- No Sale (CCPA): California residents have the right to opt out of the sale of personal information. We do not sell personal information.
GDPR - European Union Users: Our main server is located in Germany (Hetzner). AI generation data is transferred to the United States (RunPod) under standard contractual clauses. You can exercise your GDPR rights by contacting us at [email protected]. We will respond within 30 days.
CCPA - California Residents: You have the right to know what personal data we collect, request its deletion, and opt out of its sale. We do not sell personal data. To exercise your rights, contact us at [email protected].
8. Cookies and Tracking Technologies
We use cookies and similar technologies to operate the Service:
- Essential Cookies: Necessary for authentication, session management, and core functionality. Cannot be disabled without disrupting the Service.
- Preference Cookies: Remember your settings such as language and playback preferences.
We do not use advertising cookies, third-party trackers, tracking pixels, or IDFA (Identifier for Advertisers). We do not perform any advertising tracking.
9. Children's Privacy
The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If we discover that we have collected personal information from a child under 13 without parental consent, we will take steps to delete that information as soon as possible.
If you believe a child under 13 has provided us with personal information, please contact us at [email protected].
10. Security
We implement appropriate technical and organizational measures to protect your personal data:
- Data encryption in transit using TLS/HTTPS
- Secure password storage with hashing (never in plain text)
- Access controls limiting data access to authorized personnel only
- Secure payment processing through Stripe's PCI-compliant infrastructure
- JWT tokens with blocklist for revoked sessions
- SSRF protection and rate limiting on sensitive endpoints
No method of Internet transmission or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.
11. Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal requirements. We will notify you of significant changes by posting the new policy on this page and updating the "Last updated" date. For material changes, we may also send you an email notification or in-app notice. Your continued use of the Service after changes take effect constitutes your acceptance of the updated policy.
12. Contact
If you have any questions, concerns, or requests about this Privacy Policy or our data practices, contact us:
MUSICA
Support email: [email protected]
Website: musica.dev