GDPR compliance
SongCraft is built privacy-first. The General Data Protection Regulation (Regulation (EU) 2016/679) gives residents of the European Economic Area specific rights over their personal data. This page explains how we meet those obligations.
1. Your rights
- Access & portability — download all your data as JSON from your Privacy controls.
- Rectification — edit your profile and lyrics anytime.
- Erasure (right to be forgotten) — one-click account deletion from Privacy controls. Deletion is completed within 30 days.
- Restriction & objection — email privacy@songcraft.app.
- Withdraw consent — manage cookie consent via the banner footer.
- Lodge a complaint — with your local supervisory authority.
2. Lawful bases
We process personal data under: contract performance (running the studio you signed up for), legitimate interests (security, fraud prevention), and consent (analytics & marketing cookies, if accepted).
3. Data we collect
- Account: email, display name, OAuth profile (if you sign in with Google).
- Songs: lyrics, song maps, AI chat transcripts, Suno preset choices — stored under row-level security.
- Billing: payment provider IDs and amounts (we never see card numbers).
- Telemetry: minimal anonymous logs for security & uptime.
4. Data Processing Agreement (DPA)
Enterprise customers can request our DPA at privacy@songcraft.app. See our DPA summary.
5. International transfers
Our infrastructure runs in EU- and US-located data centres provided by Supabase and Cloudflare. Cross-border transfers rely on Standard Contractual Clauses (SCCs).
6. Sub-processors
- Supabase — database & auth (EU/US).
- Cloudflare — edge runtime & CDN (global).
- Lovable AI Gateway — proxied AI inference (Google & OpenAI).
- Razorpay / Paddle — payment processing.
7. Contact
For all GDPR matters: privacy@songcraft.app.
Last updated: June 2026