Privacy Policy

Last updated: April 29, 2026

The Short Version

  • Your lyrics belong to you. We never train AI on them and never sell or share them.
  • We collect the minimum data needed to run the service: your email, what you write (so we can save it), and basic usage signals.
  • Analytics cookies are off by default. You opt in via the cookie banner.
  • You can access, export, correct, or delete all your data at any time.
  • Questions: welcome@rhymeflux.com.

1. Who We Are

RhymeFlux ("we", "us", "our") is a songwriting application operated from Główna 16, 43-445 Leszna Górna, Poland. The website is rhymeflux.com; the app is app.rhymeflux.com. For privacy questions or to exercise any of the rights listed in this policy, contact us at welcome@rhymeflux.com.

This policy explains what personal data we collect, why, how long we keep it, who we share it with, and what rights you have. It applies to the marketing site and the app.

2. What We Collect

We collect only what we need to run the service:

  • Account data: your email address, hashed password, and account preferences. Created when you sign up.
  • Content you create: the lyrics, notes, and audio you save. Stored locally first; synced to our database only if you enable cloud sync.
  • Usage data: log-in timestamps, feature usage counts (e.g., AI requests this month), error logs. Used to operate the service and prevent abuse.
  • Payment data: we never see or store your card details. Paddle (our merchant of record) handles all card data and shares only your country, name, and the transaction outcome with us.
  • Communications: messages you send via the contact form or by email — including your name, email, and message content.
  • Cookies and similar: see our Cookie Policy for the full list. Analytics cookies require your consent.
  • Device and connection data: IP address, browser type, and operating system. Used for security and to render the site correctly. Not stored beyond standard server-log retention.

3. Why We Use It (Legal Basis)

Under the GDPR (Article 6), we must identify a legal basis for each use of your personal data. Here are ours:

  • Contract performance (Art. 6(1)(b)): account creation, login, storing your lyrics, processing payments, providing AI suggestions, sending service emails (account confirmations, password resets).
  • Legitimate interest (Art. 6(1)(f)): preventing fraud and abuse, securing accounts, maintaining server logs, debugging the app. We balance this against your rights and use only the minimum data needed.
  • Consent (Art. 6(1)(a)): analytics cookies, optional marketing emails. You can withdraw consent at any time without affecting prior processing.
  • Legal obligation (Art. 6(1)(c)): retaining tax records, responding to lawful requests from authorities.

4. How Your Lyrics Are Stored

RhymeFlux uses a local-first design. Your lyrics are saved directly to your device using your browser's IndexedDB storage. Your work exists on your computer first, not on our servers.

If you enable cloud sync, your content is encrypted in transit (TLS) and at rest, then stored in our database (Supabase). Only your authenticated account can decrypt and access this data. We do not read, scan, share, or sell your creative work, and we never use it to train AI models.

5. AI Features and AI-Generated Content

When you use the AI co-writer, we send up to the previous eight lines of your current song to Google's Gemini API to generate suggestions. This data is processed by Google solely to generate your suggestion and is not used by RhymeFlux to train any model. Per Google's terms for the paid Gemini API tier, your input is not used to improve their models either.

Transparency notice (EU AI Act, Article 50): any text returned by the AI co-writer is AI-generated content. It is offered as a creative starting point, not as a finished lyric. You decide whether and how to use it.

You can use RhymeFlux without the AI co-writer at any time.

6. How Long We Keep It

We keep your data only as long as we need it for the purpose it was collected, plus any time we're legally required to keep it (GDPR Art. 5(1)(e)).

  • Account data and content: kept while your account is active. Deleted within 30 days after you delete your account, except for data we must retain for legal reasons.
  • Server logs: 90 days, then deleted automatically.
  • Tax and transaction records: retained for at least 5 years to comply with Polish accounting law.
  • Contact-form messages: 12 months, then deleted unless we still need them to handle an open issue.
  • Analytics data (when consented): 14 months in Google Analytics, then automatically anonymized.
  • Backups: rolling backups are overwritten within 30 days of deletion.

7. Who Processes Your Data On Our Behalf

We use the following service providers ("processors") to run RhymeFlux. Each handles a specific task and is bound by GDPR-compliant data-processing agreements.

  • Supabase — authentication and cloud database (Singapore / US / EU regions).
  • Google (Gemini API) — AI suggestions (US).
  • Google Analytics 4 — site analytics, only when you consent (US). IPs are anonymized.
  • Google Fonts — serving the site's typeface (global CDN).
  • Vercel — hosting and edge delivery for both the marketing site and the app (US, with regional edge caches globally).
  • Vercel Web Analytics — privacy-friendly traffic measurement that does not use cookies and does not collect personal data.
  • Paddle.com Market Limited — merchant of record for payments, taxes, and refunds (UK / US).
  • Resend — sending transactional emails such as password resets, contact-form messages, and account notifications (US).
  • Namecheap Private Email — hosting our welcome@rhymeflux.com inbox.

We do not sell your personal data, and we do not share it with anyone for advertising purposes.

8. International Data Transfers

Some of our processors are based outside the European Economic Area, primarily in the United States. When personal data is transferred there, we rely on one or more of the following safeguards required by GDPR Chapter V:

  • The EU-US Data Privacy Framework adequacy decision (Commission Implementing Decision 2023/1795) for processors that are certified under it (Google, Vercel).
  • Standard Contractual Clauses approved by the European Commission for processors not covered by an adequacy decision.
  • Encryption in transit (TLS) and at rest for data we send to processors.

You can ask us for a copy of the safeguards in place by emailing welcome@rhymeflux.com.

9. Your Rights (GDPR)

Under the GDPR, you have the right to:

  • Access the personal data we hold about you (Art. 15).
  • Rectify data that's inaccurate or incomplete (Art. 16).
  • Erase your data — the "right to be forgotten" (Art. 17).
  • Restrict how we process your data (Art. 18).
  • Object to processing based on legitimate interest, including profiling (Art. 21).
  • Receive your data in a structured, machine-readable format and transfer it elsewhere — data portability (Art. 20).
  • Withdraw consent at any time, including for analytics cookies (Art. 7(3)).
  • Lodge a complaint with your supervisory authority (Art. 77). For Poland that is the President of the Personal Data Protection Office (UODO), uodo.gov.pl. EU residents in other countries may complain to their local data-protection authority.

To exercise any of these rights, email welcome@rhymeflux.com. We respond within 30 days.

10. If You Are in the United States

Many US states have passed comprehensive privacy laws (California's CPRA, Virginia's VCDPA, Colorado's CPA, and others). Whether or not you are entitled to additional rights depends on your state of residence, but the following apply broadly:

  • Right to know what personal information we collect about you and how we use it.
  • Right to delete personal information we hold.
  • Right to correct inaccurate personal information.
  • Right to opt out of "sale" or "share" for cross-context behavioral advertising. We do not sell or share your personal information for advertising in any state.
  • Right to limit use of sensitive personal information. We do not use sensitive personal information for any purpose beyond providing the service.
  • Right to non-discrimination for exercising your rights.

To exercise these rights, email welcome@rhymeflux.com with the subject "Privacy Request" and your account email. California residents may also designate an authorized agent.

11. Children's Privacy

RhymeFlux is not directed at children. You must be at least 16 years old to use the service in countries where the digital-consent age is 16, and at least 13 elsewhere. If we learn that we have collected data from someone under the applicable age without verified parental consent, we will delete it.

12. Security

We protect your data with industry-standard measures:

  • TLS encryption for all traffic between your device and our servers.
  • Encryption at rest for data stored in our database.
  • Passwords stored only as salted hashes (never plain text).
  • Role-based access controls and least-privilege principles for staff access.
  • Routine dependency and vulnerability scans.

No system is perfectly secure. If we ever discover a breach affecting your personal data, we will notify the appropriate supervisory authority within 72 hours and notify you without undue delay where required by law.

13. Changes to This Policy

We may update this policy as the service evolves or the law changes. The "Last updated" date at the top will reflect the most recent version. Material changes will be announced via email or an in-app notice with at least 14 days' advance notice when reasonably possible.

14. Contact

For any privacy questions, data requests, or to invoke any of the rights above, email us at welcome@rhymeflux.com.

Mailing Address: Główna 16, 43-445 Leszna Górna, Poland.

Polish supervisory authority: Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warsaw, Poland — uodo.gov.pl.