Privacy Policy
Effective Date: April 13, 2026
1. Introduction
This Privacy Policy describes how MusicMageX ("we," "us," "our") collects, uses, stores, and protects your information when you use the MusicMageX service ("the Service"). By using the Service, you consent to the practices described in this policy. This policy should be read in conjunction with our Terms of Service.
We are committed to protecting your privacy and processing your personal data in compliance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.
2. Information We Collect
2.1 Account Information
When you create an account, we collect your email address and display name. Passwords are cryptographically hashed using industry-standard algorithms (bcrypt with salt) before storage — we never store, access, log, or transmit your plaintext password.
2.2 Generated Content and Metadata
We store the audio files you generate through the Service, along with associated metadata including: text prompts, lyrics, musical parameters (BPM, key, time signature, instruments), generation seeds, inference settings, mastering preset selections, song titles, and generation timestamps. Audio files may be automatically archived (deleted) when your stored files exceed your plan's storage limit, but all metadata is retained indefinitely to allow regeneration. This data is stored to provide your song history, playback, regeneration, and download features.
2.3 Digital Provenance Watermark
Each generated audio file contains an inaudible ultrasonic watermark that encodes a unique generation identifier. This identifier links to your generation record in our system but does not contain any personal information — no name, email address, payment details, or other personally identifiable information is embedded in the audio itself. The watermark is used to verify content origin, protect creator rights, and resolve ownership disputes. It cannot be heard and does not affect audio quality. For full details, see Section 5 of our Terms of Service.
2.4 Usage Data
We collect basic usage information including monthly generation counts, daily generation counts, subscription tier status, credit balance, and session identifiers to operate the Service, enforce usage limits, and maintain account security.
2.5 Technical Data
Our servers automatically log standard connection information including IP addresses, request timestamps, HTTP method and path, response status codes, and user agent strings. This data is used for security monitoring, abuse prevention, and debugging. Technical logs are not correlated with user accounts for profiling purposes.
2.6 Cookie Data
We use only strictly necessary cookies as described in Section 4.
3. How We Use Your Information
We process your personal data for the following purposes and legal bases:
- Service delivery (contractual necessity): To provide, operate, and maintain the Service, your account, and generated content.
- Authentication (contractual necessity): To verify your identity and manage session security.
- Usage enforcement (contractual necessity): To enforce subscription tier limits, credit systems, and usage policies.
- Content storage (contractual necessity): To store and serve your generated audio, metadata, and song history.
- Payment processing (contractual necessity): To process payments through third-party payment processors. We do not store payment card details.
- Communication (contractual necessity/legitimate interest): To contact you about account issues, security alerts, Terms/Privacy updates, and service changes.
- Security (legitimate interest): To monitor for and prevent fraud, abuse, unauthorized access, and violations of our Terms of Service.
- Service improvement (legitimate interest): To fix bugs, improve audio quality, optimize performance, and develop new features. This may include analysis of anonymized, aggregated usage patterns.
- Legal compliance (legal obligation): To comply with applicable laws, regulations, and legal processes.
- Content administration (legitimate interest): Authorized administrators may review generated audio content for quality assurance, abuse prevention, DMCA compliance, and technical troubleshooting. Administrative access is limited to operational necessity.
4. Cookies and Tracking
We use only the following strictly necessary cookies:
- Session cookie (session_token): Authenticates your login session. Expires when you log out or after 24 hours of inactivity. Essential for the Service to function — without it, you cannot remain logged in.
- Cookie consent cookie (cookie_consent): Stores your cookie consent preference. Expires after 1 year. Required under the EU ePrivacy Directive to remember your consent choice.
- Theme preference (mmx_theme): Stores your light/dark theme preference in localStorage (not a cookie). Does not contain personal data.
We do not use: tracking cookies, advertising pixels, social media trackers, Google Analytics, Facebook Pixel, or any third-party analytics or advertising services. We do not engage in cross-site tracking, fingerprinting, or behavioral profiling.
5. Information We Do NOT Collect
- We do not accept or process user-uploaded audio files. All content is generated from text input.
- We do not sell, rent, trade, or share your personal information with third parties for their marketing, advertising, or commercial purposes.
- We do not use your generated content, prompts, lyrics, or any identifiable user data to train, fine-tune, or improve AI models. Service improvement uses only anonymized, aggregated data.
- We do not collect payment card numbers, bank account numbers, or financial account information directly — all payment processing is handled by PCI DSS-compliant third-party processors.
- We do not create advertising profiles, engage in behavioral targeting, or serve advertisements of any kind.
- We do not collect biometric data, precise geolocation, or sensitive personal information as defined under GDPR Article 9.
6. Data Storage, Security, and Location
Your data is stored on servers located in the European Union (Germany). We implement technical and organizational security measures to protect your information, including:
- Cryptographic password hashing (bcrypt with unique salt per user)
- Session-based authentication with secure, randomly generated tokens
- HTTPS/TLS encryption for all data in transit
- Access controls and principle of least privilege on stored data
- Regular automated backups with encrypted storage
- Rate limiting on authentication endpoints to prevent brute-force attacks
- Account lockout after repeated failed login attempts
However, no method of electronic transmission or storage is completely secure, and we cannot guarantee absolute security of your data. In the event of a data breach affecting your personal data, we will notify affected users and relevant supervisory authorities within 72 hours as required by GDPR Article 33.
7. Data Retention and Deletion
- Active accounts: Account information and generated content are retained for as long as your account remains active.
- Archived audio: When audio files are automatically archived due to storage limits, the audio file is deleted but all metadata is retained to allow regeneration.
- Account deletion: Upon account deletion request, we will permanently delete your personal information, audio files, and generation metadata within thirty (30) days. Anonymized, aggregated data that cannot be linked back to you may be retained for service improvement.
- Technical logs: Server logs containing IP addresses and request data are retained for up to ninety (90) days for security and debugging purposes, then automatically purged.
- Legal holds: Data may be retained beyond these periods where required by law, legal proceedings, or regulatory obligation.
- Backup retention: Deleted data may persist in encrypted backups for up to thirty (30) additional days before being permanently purged from all backup systems.
8. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Right of Access: Request a copy of the personal information we hold about you, including generated content and metadata.
- Right to Rectification: Request correction of inaccurate or incomplete personal information.
- Right to Erasure ("Right to be Forgotten"): Request deletion of your account and all associated personal data, subject to legal retention obligations.
- Right to Data Portability: Request export of your generated content and metadata in standard, machine-readable formats (JSON for metadata, original audio format for files).
- Right to Restrict Processing: Request that we restrict processing of your personal data in certain circumstances.
- Right to Object: Object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
- Right to Withdraw Consent: Withdraw your consent to data processing at any time. This does not affect the lawfulness of processing carried out before withdrawal.
- Right to Non-Discrimination: You will not be discriminated against for exercising your privacy rights.
To exercise any of these rights, contact us at privacy@musicmagex.com. We will verify your identity and respond to requests within thirty (30) days. If we need additional time (up to 60 additional days for complex requests), we will notify you of the extension and reason.
9. Third-Party Services
The Service integrates with the following categories of third-party services:
- Payment processors: For subscription billing and credit purchases. These processors are PCI DSS-compliant and have their own privacy policies. We share only the minimum information necessary to process transactions (email address, subscription tier, amount).
- GPU compute providers: For AI audio generation processing. Audio generation occurs on remote GPU servers. Generated audio passes through these servers during the generation process only and is not stored by the compute provider after delivery to our servers.
We do not integrate with social media platforms, advertising networks, or data brokers. We do not embed third-party tracking scripts on our Service.
10. Children's Privacy
The Service is not directed to children under the age of 13 (or 16 in the EU/EEA/UK). We do not knowingly collect personal information from children below these age thresholds. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@musicmagex.com and we will promptly investigate and delete such information. If we become aware that we have collected personal data from a child below the applicable minimum age without verifiable parental consent, we will take steps to delete that information.
11. Data Location and International Transfers
The Service is operated with primary servers located in the European Union (Germany). Your data is primarily stored and processed within the EU.
Audio generation may be processed on GPU servers located outside the EU (including the United States). In such cases, audio data is transmitted securely, processed for the duration of generation only, and not stored by the compute provider after delivery. The legal basis for such transfers is GDPR Article 49(1)(b) — processing necessary for the performance of a contract.
In the event that any personal data is transferred outside the European Economic Area (EEA) for other purposes, we will ensure that appropriate safeguards are in place in accordance with GDPR Article 46, such as Standard Contractual Clauses (SCCs) approved by the European Commission.
12. European Privacy Rights (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR) and equivalent legislation:
- Data Controller: MusicMageX is the data controller for personal data collected through the Service.
- Legal Basis for Processing: We process your personal data on the following legal bases: (a) performance of our contract with you (providing the Service, managing your account, processing payments) per GDPR Article 6(1)(b); (b) our legitimate interests (security monitoring, service improvement, fraud prevention) per GDPR Article 6(1)(f); (c) your consent (where specifically requested) per GDPR Article 6(1)(a); and (d) legal obligation per GDPR Article 6(1)(c).
- Right to Access: You have the right to obtain confirmation of whether we process your personal data and to receive a copy of that data (GDPR Article 15).
- Right to Rectification: You have the right to request correction of inaccurate personal data (GDPR Article 16).
- Right to Erasure: You have the right to request deletion of your personal data, subject to legal retention obligations (GDPR Article 17).
- Right to Restriction: You have the right to request restriction of processing in certain circumstances (GDPR Article 18).
- Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, machine-readable format (GDPR Article 20).
- Right to Object: You have the right to object to processing based on legitimate interests (GDPR Article 21).
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing (GDPR Article 7(3)).
- Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in your country of residence (GDPR Article 77). A list of EU supervisory authorities is available at edpb.europa.eu.
- Automated Decision-Making: We do not make automated decisions that produce legal or similarly significant effects based on your personal data (GDPR Article 22). AI-generated music output is a creative tool, not a decision about you.
To exercise any of these rights, contact us at privacy@musicmagex.com. We will respond within thirty (30) days, as required by GDPR Article 12(3).
13. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: You have the right to request information about the categories and specific pieces of personal information we have collected about you.
- Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.
- Right to Opt-Out of Sale: We do not sell your personal information. We do not share personal information for cross-context behavioral advertising.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
To exercise these rights, contact us at privacy@musicmagex.com.
14. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Article 33)
- Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34)
- Document the breach, its effects, and remedial actions taken
15. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated effective date. Material changes will be communicated via email to the address associated with your account at least fourteen (14) days before they take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy. If you do not agree to the updated policy, your remedy is to discontinue use of the Service and request account deletion.
16. Contact and Data Protection Inquiries
For privacy-related questions, data subject access requests, or concerns about our data practices, contact us at:
Privacy inquiries: privacy@musicmagex.com
General support: support@musicmagex.com
DMCA notices: dmca@musicmagex.com
We aim to resolve all privacy inquiries within thirty (30) days. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.