Akordly — Privacy Policy

Effective date: 2026-04-23
Last updated: 2026-04-23

This Privacy Policy explains what personal data we collect when you use Akordly (akordly.net), why we collect it, how we use it, who we share it with, and what rights you have. If anything's unclear, email privacy@akordly.net.

1. Who is responsible for your data

Akordly is operated by an individual based in Israel (the "operator", "we", "us"). For the purposes of the EU GDPR, the UK GDPR, and Israel's Privacy Protection Law, the operator is the data controller for your personal data. You can reach us at privacy@akordly.net for any privacy question or rights request.

  • Operator legal name: TODO(fill)
  • Postal address: TODO(fill)

2. What we collect and why

2.1 Account information

When you sign in with Google or email, Firebase Authentication gives us:

  • your email address,
  • a unique Firebase user ID,
  • your display name and profile photo (Google sign-in only, and only if your Google account shares them), and
  • a timestamp of when you created the account.

Purpose. To identify you, authenticate your requests, and scope your data so only you can access it.

Legal basis (GDPR / UK GDPR). Performance of a contract (Art. 6(1)(b)).

2.2 Content you upload or submit

When you upload an audio file or submit a YouTube URL, we receive:

  • the audio file or the audio we fetch from the URL, and
  • a cryptographic hash of the audio (used to detect duplicates and to enforce copyright blocks).

Purpose. To analyze the audio and return chords, sections, and (if you enable them) lyrics. To enforce our Copyright Policy via hash-based blocking.

Retention. Uploaded audio is deleted from our servers after processing succeeds, and in any case within 1 hour. Intermediate analysis artifacts, such as vocal stems produced during transcription, are deleted immediately after the response is assembled. YouTube-fetched audio is cached server-side for up to 48 hours (configurable) to support reprocessing and then automatically purged.

Legal basis. Performance of a contract (Art. 6(1)(b)).

2.3 Transcription results

The structured analysis output — chord timeline, sections, optional lyrics, BPM, key estimate, and associated metadata (source type, audio hash, timestamps) — is stored in Firestore, scoped to your account.

Purpose. So you can revisit songs you've previously analyzed.

Retention. Until you delete the song or your account.

Legal basis. Performance of a contract.

2.4 Local storage on your device

Audio you upload is saved in your browser's IndexedDB so you can play it back without re-uploading. This data never leaves your device through our collection — only your browser holds it. You can clear it anytime from the Settings page ("Clear my audio cache").

2.5 Consent records

When you accept the first-time lyric-reveal prompt, we record a timestamp (lyrics_consent_at) on your profile. When you tick the "I have the right to upload this audio" checkbox, we log the timestamp together with the audio hash.

Purpose. To demonstrate, if questioned, that you confirmed a specific consent before proceeding.

Legal basis. Legitimate interests (Art. 6(1)(f)) — operating a Service that handles user-uploaded media responsibly.

2.6 Usage and device data

We collect standard technical information when you use the Service:

  • IP address,
  • browser user agent, device type, and operating system,
  • pages visited within the Service and timestamps,
  • Firebase App Check attestation data (to confirm requests come from our real app), and
  • error logs and performance metrics.

Purpose. Security, abuse prevention, service operation, debugging, and basic usage analytics.

Retention. 90 days for detailed logs; aggregated metrics longer.

Legal basis. Legitimate interests (Art. 6(1)(f)) — keeping the Service secure and functional.

2.7 Billing information (Paid Plans)

If you subscribe to a Paid Plan, our payment processor handles your payment method. We receive:

  • subscription status,
  • the last four digits of your card or an equivalent identifier,
  • billing country, and
  • invoice records.

We never see or store your full payment card number or CVC.

Purpose. To bill you, send invoices, and comply with tax and accounting law.

Retention. As required by applicable tax law (typically 7 years in Israel; may differ in your country).

Legal basis. Performance of a contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)) for tax records.

2.8 Support communications

If you email us, we keep the message and our reply so we can follow up.

Retention. 2 years from the last message, unless a dispute requires longer retention.

Legal basis. Legitimate interests (Art. 6(1)(f)).

2.9 Product analytics (Google Analytics 4)

We use Google Analytics 4 to understand how the Service is used — which features people try, where they get stuck, and what we should improve. Our Analytics property's account location is Israel, so the contracting entity is Google Ireland Limited; Google LLC (US) acts as a sub-processor on Google's infrastructure.

When you have consented (see Section 9), Google Analytics collects on our behalf:

  • a random Analytics client identifier stored in first-party cookies (_ga, _ga_<container-id>),
  • pages viewed, events (for example, uploads, playback, errors) and session metadata,
  • approximate location (city/country) derived from your IP — GA4 truncates the IP before storage by default, and
  • browser/device type and language.

We do not enable Google Signals, Google-Ads linking, or any cross-site advertising features. Analytics is used to improve the Service, not to build advertising profiles.

Legal basis.

  • EEA / UK / Israel. Your prior consent (GDPR / UK GDPR Art. 6(1)(a); ePrivacy Directive Art. 5(3) / PECR reg. 6; Israeli Privacy Protection Law). The Analytics tag only loads after you accept it in our cookie banner, and you can withdraw consent at any time via "Cookie preferences" in the footer — withdrawing does not affect processing done with your prior consent.
  • Elsewhere. Legitimate interests (Art. 6(1)(f)) — measuring product usage to improve the Service. You can still opt out via "Cookie preferences".

Retention. Event-level data in GA4 is retained for 14 months and then deleted by Google. You can request earlier deletion by emailing privacy@akordly.net.

3. What we don't collect

  • We don't collect special-category data (health, biometric, religion, etc.) — don't upload any.
  • We don't use advertising cookies or advertising trackers.
  • We don't build behavioral profiles for marketing.
  • We don't sell or rent personal data to anyone, ever.
  • We don't train foundation models or sell data to AI companies for training.

4. Who we share data with

We share only what's necessary, with these categories of recipients.

Infrastructure and service providers (processors acting on our behalf):

  • Google LLC / Firebase — authentication, Firestore database, App Check. Our Firebase project is in the eur3 multi-region (Europe), so account data and transcriptions are stored on European infrastructure.
  • Google Ireland Limited / Google Analytics 4 — product analytics. Account location is Israel; Google Ireland Limited is the contracting entity, and Google LLC (US) operates as a sub-processor on Google's infrastructure. See Section 2.9 for what's collected and Section 5 for the transfer mechanism.
  • ElevenLabs (current lyrics ASR provider) — receives the isolated vocal stem for transcription during processing; no persistent storage by them on our account beyond what their terms permit.
  • Our hosting providers for compute that runs the chord model and the orchestration layer.
  • Our payment processor for Paid Plans (see Section 2.7).

Third-party platforms you interact with:

  • YouTube / Google LLC. When you submit a YouTube URL, our server fetches the audio from YouTube, and YouTube receives standard request metadata (our server's IP address, request headers). Your browser does not fetch the audio directly.

When required by law or legal process: we may disclose data to comply with valid legal obligations (court orders, subpoenas, regulatory requests), to protect our rights, to prevent fraud, or to respond to emergencies involving a risk of harm.

In a business transfer: if Akordly is sold, merged, or reorganized, personal data may be transferred to the successor, subject to this Privacy Policy.

5. International data transfers

Akordly is operated from Israel. Some of our processors and sub-processors (for example, ElevenLabs, and Google LLC as the Google Analytics sub-processor) are based in or route data through the United States.

  • EEA / UK residents. When personal data moves from the EEA or the UK to Israel, we rely on the European Commission's adequacy decision for Israel and the equivalent UK adequacy regulations. Transfers to US processors (ElevenLabs; Google LLC as the Google Analytics sub-processor) rely on Standard Contractual Clauses (SCCs) and the supplementary measures set out in each processor's data-processing addendum, together with Google LLC's EU–US Data Privacy Framework certification where applicable.
  • Other regions. Equivalent safeguards are used where local law requires them.

6. Retention

We keep personal data only as long as we need it for the purpose it was collected:

Data | Retention
Account profile | Until you delete your account
Transcriptions | Until you delete the song or your account
Uploaded audio (server-side) | Deleted on successful processing; maximum 1 hour on failure
YouTube-fetched audio cache | Up to 48 hours
Consent timestamps | Life of the account
Detailed usage logs | 90 days
Billing records | As required by tax law (typically 7 years)
Copyright takedown audit log | At least 2 years
Support emails | 2 years from last message

7. Your rights

Depending on where you live, you have some or all of the following rights over your personal data:

  • Access — a copy of what we have.
  • Rectification — correcting inaccurate data.
  • Erasure — deleting your data ("right to be forgotten").
  • Restriction — telling us to stop processing while a question is resolved.
  • Objection — to processing based on legitimate interests.
  • Portability — receiving your data in a structured, machine-readable format.
  • Withdraw consent — where we rely on consent, at any time, without affecting prior lawful processing.
  • Complain to a supervisory authority — in the EEA your local Data Protection Authority, in the UK the ICO, in Israel the Privacy Protection Authority (PPA).

California residents (CCPA / CPRA). You also have rights to know, delete, correct, and opt out of the "sale" or "sharing" of personal information. Akordly does not sell or share personal information as those terms are defined. You may exercise your rights by emailing privacy@akordly.net. We will not discriminate against you for exercising them.

Israeli residents. You have rights under the Privacy Protection Law, 5741-1981 and its regulations, including the right to review the data held about you and request corrections.

To exercise any right, email privacy@akordly.net. We'll verify your identity — usually by confirming the request from the email address on your account — and respond within 30 days, or faster where local law requires it.

8. Children

Akordly is not intended for anyone under 16. We do not knowingly collect personal data from users under 16. If you believe a child under 16 has provided us data, email privacy@akordly.net and we'll delete it.

9. Cookies and similar technologies

Strictly necessary (always active). These are required to run the Service and do not need consent under EU/UK/Israeli law.

  • Firebase session cookies and ID tokens — to keep you signed in.
  • Firebase App Check tokens — to confirm requests come from our real app.
  • A guest-session identifier — if you use Akordly without signing in, so your pre-signup transcriptions can be migrated when you create an account.
  • Cookie-preference cookie — remembers your banner choice so we don't keep asking.

Analytics (consent required in the EEA, UK, and Israel). These cookies only load after you accept them in our cookie banner, and you can change your mind at any time via the "Cookie preferences" link in the footer.

  • _ga and _ga_<container-id> — set by Google Analytics 4 as first-party cookies. They contain a random client identifier used to distinguish unique browsers across pages; typical expiry is 13 months. See Section 2.9 for what we do with this data.

We do not use advertising cookies, cross-site marketing trackers, Google Signals, or Google-Ads linking.

10. Security

We protect your data with:

  • TLS (HTTPS) for all data in transit,
  • Firebase Security Rules that enforce account-scoped access at the database layer,
  • Firebase App Check to prevent abuse of our backend by unofficial clients, and
  • industry-standard access controls on operator devices and infrastructure.

No system is perfectly secure. If we become aware of a breach affecting your personal data, we'll notify you and the relevant regulators as required by law.

11. Automated decision-making

We don't make decisions that produce legal or similarly significant effects about you by automated means. Our automated processing (chord and lyric estimation) produces suggestions for your personal use, not decisions about you.

12. Changes to this Policy

We may update this Privacy Policy. For material changes we'll notify you in-product or by email at least 14 days before they take effect. The "Last updated" date at the top always reflects the current version.

13. Contact

  • Privacy requests: privacy@akordly.net
  • General contact: hello@akordly.net
  • Postal address: TODO(fill)
© 2026 Akordly