Privacy Policy

Effective date: [EFFECTIVE_DATE]

Last updated: [EFFECTIVE_DATE]

1. Controller

The controller responsible for the processing of your personal data is:

[LEGAL_ENTITY_NAME], [LEGAL_FORM]
[POSTAL_ADDRESS]
[COUNTRY]
Email: [PRIVACY_EMAIL]

For privacy-related inquiries, please contact: [DPO_OR_PRIVACY_CONTACT]

2. Scope

This Privacy Policy explains how Stemify collects, uses, shares, and protects personal data in connection with the Stemify website (stemify.space) and the stem separation service (the “Service”). It applies to all users of the Service, including visitors, registered users, and subscribers.

This policy is drafted in compliance with the Swiss Federal Act on Data Protection (nFADP/nLPD, in force since 1 September 2023) and, to the extent applicable, the EU General Data Protection Regulation (GDPR). Where these frameworks differ, we apply the higher standard of protection.

3. Categories of Personal Data We Process

3.1. Account data

When you create an account, we collect: full name, email address, and a password (stored as a bcrypt hash — we never store your password in plain text).

3.2. Subscription and payment data

When you subscribe, PayPal processes your payment. Stemify does not collect, receive, or store your payment card details, bank account numbers, or other financial instruments. We receive from PayPal: your PayPal subscription ID, subscription status, and billing cycle dates. We store these identifiers to manage your subscription.

3.3. Uploaded audio files

When you use the Service, you upload audio files that are processed by our AI model. We store uploaded and processed audio files temporarily for a maximum of 24 hours, after which they are automatically and permanently deleted. Audio files may contain personal data (e.g., voice recordings). We process these files solely to deliver the stem separation service.

3.4. Technical and usage data

We automatically collect: IP address, browser type and version, operating system, referring URL, pages visited, timestamps, and authentication-related data. This data is collected through server logs and essential cookies (see Section 8).

3.5. Communication data

If you contact us via the contact form or email, we collect your name, email address, and message content.

4. Purposes and Legal Bases

We process your personal data for the following purposes:

PurposeLegal basis (GDPR)Legal basis (nFADP)
Account creation and managementPerformance of contract (Art. 6(1)(b))Contract performance
Processing audio files for stem separationPerformance of contract (Art. 6(1)(b))Contract performance
Subscription billing and managementPerformance of contract (Art. 6(1)(b))Contract performance
Sending service-related emails (verification, password reset, subscription confirmation)Performance of contract (Art. 6(1)(b))Contract performance
Security, fraud prevention, abuse detectionLegitimate interest (Art. 6(1)(f))Legitimate interest (no consent required under nFADP)
Responding to contact form inquiriesLegitimate interest (Art. 6(1)(f))Legitimate interest
Legal compliance (tax records, law enforcement requests)Legal obligation (Art. 6(1)(c))Legal obligation

5. Recipients and Processors

We share personal data only with the following categories of recipients, acting as data processors on our behalf or as independent controllers where indicated:

RecipientPurposeCountryRole
PayPal (Europe) S.à r.l. et Cie, S.C.A.Payment processingLuxembourg / USAIndependent controller
Brevo (Sendinblue)Transactional email deliveryFrance / EUProcessor
[HOSTING_PROVIDER]Infrastructure and hosting[HOSTING_COUNTRY]Processor

We do not sell, rent, or trade your personal data to third parties. We do not share personal data with advertisers or ad networks.

6. International Data Transfers

Your personal data may be transferred to and processed in countries outside of Switzerland and the EU/EEA, in particular:

  • PayPal: Data may be transferred to the United States. PayPal operates under the EU-US Data Privacy Framework (where applicable) and Standard Contractual Clauses (SCCs).
  • Brevo: Data is primarily processed within the EU. Where transfers to non-EEA countries occur, Brevo relies on SCCs.
  • [HOSTING_PROVIDER]: [DATA_TRANSFER_MECHANISM]

Under Swiss law (nFADP art. 16), we ensure that data transferred to countries without an adequate level of data protection is protected by appropriate safeguards, including Standard Contractual Clauses approved by the Swiss Federal Data Protection and Information Commissioner (FDPIC) or the European Commission.

7. Data Retention

Data categoryRetention period
Account data (name, email, password hash)Until account deletion
Uploaded and processed audio files24 hours, then permanently deleted
Subscription and payment identifiersDuration of subscription + 10 years (Swiss accounting obligation, CO art. 958f)
Server logs (IP, user agent)90 days
Contact form messages12 months, unless a longer retention is required for follow-up
Email verification and password reset tokens24 hours (tokens expire automatically)

8. Cookies and Similar Technologies

Stemify uses only strictly necessary cookies required for the Service to function. We do not use analytics cookies, advertising cookies, or any third-party tracking technologies.

Cookie namePurposeTypeDuration
access_tokenUser authenticationStrictly necessary, httpOnly, secure, first-party30 minutes
refresh_tokenSession renewalStrictly necessary, httpOnly, secure, first-party30 days

Because we use only strictly necessary cookies, no consent banner is required under the ePrivacy Directive (Directive 2002/58/EC, as amended) or Swiss telecommunications law (FMG art. 45c). When you are redirected to PayPal for payment, PayPal may set its own cookies subject to PayPal’s privacy and cookie policies.

For more details, see our Cookie Policy.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of all data in transit (HTTPS/TLS)
  • Password hashing with bcrypt (salted, adaptive cost factor)
  • Secure httpOnly authentication cookies (not accessible via JavaScript)
  • Automatic deletion of audio files after 24 hours
  • Rate limiting on authentication and API endpoints
  • Access controls and principle of least privilege for backend systems

No system is perfectly secure. While we take reasonable precautions, we cannot guarantee absolute security of your data.

10. Your Rights

Depending on your location and applicable law, you may have the following rights regarding your personal data:

Under Swiss law (nFADP):

  • Right of access: You may request information about what personal data we process about you.
  • Right to rectification: You may request correction of inaccurate data.
  • Right to deletion: You may request deletion of your data (you can also delete your account from your Settings page).
  • Right to data portability: You may request your data in a commonly used, machine-readable format.
  • Right to object: You may object to processing based on legitimate interest.

Additional rights under GDPR (for EU/EEA residents):

  • Right to restriction of processing: You may request limitation of processing in certain circumstances.
  • Right not to be subject to automated decision-making: We do not make decisions based solely on automated processing that produce legal effects concerning you. The stem separation process is automated but does not involve profiling or decisions with legal or similarly significant effects.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.

How to exercise your rights:

You can exercise many of these rights directly from your account Settings page (e.g., account deletion, data access). For other requests, contact us at [PRIVACY_EMAIL]. We will respond within 30 days. We may request identity verification before processing your request.

11. AI and Automated Processing

Stemify uses AI-based machine learning models (Demucs, developed by Meta Research) to perform audio stem separation. The processing is fully automated. However:

  • The AI processing does not involve profiling or automated decision-making with legal or similarly significant effects on you.
  • Your audio files are not used to train, retrain, or fine-tune any AI or machine-learning model.
  • Your audio files are not reviewed, listened to, or analyzed by humans (except in response to a valid legal request or copyright complaint).

12. Children and Minors

The Service is not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16 without verified parental consent, we will take steps to delete that information promptly.

13. Supervisory Authority

Switzerland: You have the right to lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC): www.edoeb.admin.ch

EU/EEA: If you are located in the EU or EEA, you also have the right to lodge a complaint with the supervisory authority in your country of habitual residence, place of work, or place of the alleged infringement.

14. Changes to This Policy

We may update this Privacy Policy from time to time. The updated version will be posted on this page with a revised “Last updated” date. For material changes, we will notify you by email or through a prominent notice on the Service. We encourage you to review this page periodically.

15. Contact

For any privacy-related questions or to exercise your data protection rights, contact:

[LEGAL_ENTITY_NAME]
[POSTAL_ADDRESS]
Email: [PRIVACY_EMAIL]