Privacy Policy
Last updated: 24 June 2026
The data controller is BrainyLab d.o.o., Tacenska cesta 26, 1210 Ljubljana-Šentvid, Slovenija (contact: blaz@brainylab.io). This policy explains what personal data we process in the my-bd-song service and what your rights are.
1. Data we process
- Song details: the birthday person's name, age, your relationship, traits, an inside joke/memory, the chosen language and genre, and (optionally) the sender's name.
- Email address: if you sign up to be notified when the song is ready.
- Payment data: processed by Stripe; we do not receive or store your card number.
- Technical data: IP address (for abuse prevention and operation) and basic access logs.
Please do not enter special categories of personal data (e.g. about health, religion, sexual orientation) into free-text fields (such as the inside joke or traits), as we have no legal basis to process them. IP addresses are stored short-term in the database for rate-limiting.
2. Purposes and legal bases
- Performance of a contract (Art. 6(1)(b) GDPR): creating and delivering the song, processing payment and support.
- Legitimate interest (Art. 6(1)(f)): abuse prevention, security and operation of the service; you may object to this processing (Art. 21, see section 7).
- Consent (Art. 6(1)(a)): sending the email notification when the song is ready (you may withdraw consent at any time).
- Legal obligation (Art. 6(1)(c)): retention of invoices and compliance with tax law.
3. Data about third parties (the birthday person)
When creating a song, the customer enters details about another person (the birthday person) and thereby warrants that they have a proper basis to provide that data.
Our legal basis for processing the birthday person's data is our legitimate interest (Art. 6(1)(f) GDPR) in creating the ordered song. We process this data only to create the song and keep it to the minimum necessary. The birthday person may exercise their rights (including erasure or objection) at blaz@brainylab.io.
4. Processors
We use trusted processors to run the service:
- Lyrics generation: Anthropic, OpenAI and/or Google (Gemini).
- Music generation: music-AI provider(s) and their resellers — Suno, reached through the third-party reseller sunoapi.org, which forwards data to Suno's infrastructure.
- Email delivery: Resend.
- Payments: Stripe.
- Hosting and storage: a server provider (Hetzner), a database (MongoDB) and object storage (S3-compatible).
5. International transfers
Some processors are located in the US or other countries outside the EU/EEA — including Anthropic, OpenAI, Stripe and Resend, and the music-provider chain (sunoapi.org/Suno). For these transfers we rely on appropriate safeguards: certification under the EU-US Data Privacy Framework where the recipient is certified, otherwise the European Commission's Standard Contractual Clauses (SCCs). You can request a copy of the safeguards at blaz@brainylab.io.
6. Retention
- Invoices and related data: in line with tax law (up to 10 years).
- Songs and entered parameters: deleted no later than 12 months after creation, or sooner on request.
- Email addresses for notifications: until the song is delivered, or at the latest after 12 months of inactivity, even without an explicit withdrawal.
- Technical logs and rate-limit records (IP address): kept for a short period only (up to 36 hours).
7. Your rights
You have the right to access, rectification, erasure, restriction of processing, data portability, objection, and to withdraw consent. Send requests to blaz@brainylab.io.
You also have the right to lodge a complaint with the supervisory authority: the Information Commissioner of the Republic of Slovenia (www.ip-rs.si).
8. Cookies
We use only strictly necessary cookies required to operate and secure the service (e.g. session, admin login). Our payment provider Stripe may set cookies for fraud prevention. We do not use tracking or advertising cookies.
9. Security
We apply appropriate technical and organizational measures to protect data (e.g. server access controls, encrypted connections, restricted access). No internet transmission is 100% secure, so absolute security cannot be guaranteed.
10. Changes to this policy
We may update this policy from time to time. The current version is always published on this page.