Privacy Policy
Last updated: May 18, 2026
TuneShed is a songwriting companion app for hobbyist musicians. This policy explains what data we collect, why, who we share it with, and the rights you have over it. We're committed to plain English here — if anything is unclear, email hello@tuneshed.co and we'll explain.
Who we are
The "data controller" responsible for your personal data under this policy is Christopher Sushil, operating TuneShed as a sole trader from Ireland. You can contact us at hello@tuneshed.co for any privacy matter.
What we collect
- Email address — when you join the waitlist or create an account.
- Audio recordings and uploaded tracks — when you record voice memos or upload audio files through the app.
- Song data you create — titles, section tags, lyric notes, AI session history.
- Technical data — IP address (for rate limiting and abuse prevention), device type, app version, error reports.
- Landing-page analytics — page views, session duration, geographic region, device type, referral source. Collected via Google Analytics and Meta Pixel on tuneshed.co only. The mobile app itself does not use any third-party analytics or advertising trackers.
How we use it, and our legal basis
Under data-protection law (including GDPR), we must rely on a specific "lawful basis" for each category of processing. Ours are:
- Email + account data → contract (necessary to provide the service you signed up for).
- Audio recordings + song data → contract (necessary to provide The Listener AI feedback you requested).
- Technical data (IP, device, errors) → legitimate interest in operating the service securely and preventing abuse.
- Landing-page analytics + Meta Pixel → consent, where required by local law. We will honor browser-level Do Not Track and Global Privacy Control signals where technically supported.
- Waitlist marketing emails → consent (you opted in by submitting the form; you can unsubscribe at any time).
Your uploaded content and copyright
You retain all rights to audio and other content you upload to TuneShed. By uploading content, you represent that you own or have the necessary rights to all material you upload — TuneShed is intended for original musical ideas and material you have rights to use.
If you believe content available through TuneShed infringes your copyright, please contact us at hello@tuneshed.co with the subject line "DMCA Notice" and include the information required by 17 U.S.C. § 512(c)(3). A full DMCA takedown procedure is described in our Terms of Service.
Audio you upload is processed by third-party AI services (see "Who we share it with" below). Do not upload material you do not have rights to share with these services.
AI processing of your audio
The Listener and our other AI features process your recordings and the metadata extracted from them (tempo, key, chord progression, etc.) to generate written responses. We use this data only to serve your request — outputs are returned to you and stored in your account.
The AI does not produce decisions with legal or similarly significant effects on you under GDPR Article 22. We do not use your voice for biometric identification or profiling. AI providers (OpenAI, Modal) do not use API inputs from this service to train their underlying models.
Who we share it with
We use a small number of trusted third-party services to run TuneShed. Each receives only the data needed to perform its function. All providers below process data outside the EU/UK (primarily in the United States); transfers rely on the providers' Standard Contractual Clauses or equivalent safeguards.
- Clerk (United States) — authentication. Receives your email address to send verification codes and manage your session.
- Railway (United States) — application hosting and PostgreSQL database. Stores your account, songs, recording metadata, and AI session history.
- Cloudflare R2 (global) — audio file storage. Holds your uploaded recordings, encrypted at rest.
- Modal (United States) — serverless GPU compute. Receives audio bytes only during stem-separation processing; outputs are returned to our backend and the audio is not retained on Modal.
- OpenAI (United States) — large-language-model inference for The Listener and other AI features. Receives song context and audio-derived features needed to generate responses. OpenAI does not use API inputs to train its models (per the OpenAI API data usage policy).
- Google Play Billing (via RevenueCat) — subscription processing and entitlement management on Android. Google receives payment information directly; we never see your card details. RevenueCat receives anonymized purchase events to manage your subscription status across devices.
- Mailchimp (United States) — waitlist email management.
- Google Analytics (landing page only) — aggregate web analytics. Sets first-party cookies on tuneshed.co. IP addresses are anonymized.
- Meta Pixel (landing page only) — ad campaign measurement. Shares browsing data with Meta Platforms, Inc.
We do not sell your personal information to advertisers or any third parties. The categories above are processors acting under our instructions, not buyers of your data.
International data transfers
Most of the providers above are based in the United States. If you access TuneShed from the European Economic Area, the United Kingdom, or Switzerland, your personal data will be transferred outside your jurisdiction to those providers. We rely on the providers' Standard Contractual Clauses (or equivalent adequacy mechanisms) as the legal basis for these transfers. You can request a summary of the relevant safeguards by emailing hello@tuneshed.co.
App permissions
The TuneShed mobile app requests the following permissions on your device. Each is used only for the stated purpose:
- Microphone — to record audio that you choose to send to The Listener for AI feedback.
- Storage / files — only to read audio files you explicitly select to upload.
- Notifications (optional) — to send reminders if you opt in. Push notifications are not currently implemented; this section will be updated when they are.
- Network access — to communicate with our backend.
The app does not access your contacts, location, calendar, photo library, or any other personal data on your device.
Security
- All data is encrypted in transit using TLS / HTTPS between the app, our backend, and our service providers.
- Your account session token is stored in your device's secure storage (Android Keystore / iOS Keychain) — never in plaintext.
- The database is encrypted at rest by our hosting provider; audio files are encrypted at rest in Cloudflare R2.
- We do not store passwords; authentication is delegated to Clerk, which uses email verification codes (OTP).
- Sensitive operations (analysis, deletion, payment) are rate-limited and require an authenticated session.
Data retention
We hold different categories of data for different periods:
- Account email + Clerk session — for as long as your account is active. Deleted within 30 days of account deletion.
- Audio recordings (R2 storage) — until you delete the recording from inside the app, or 30 days after account deletion.
- Songs and AI session history — until you delete them, or 30 days after account deletion.
- Technical logs (IP, errors) — up to 90 days, for security audit and abuse investigation.
- Database backups — up to 90 days, after which they are overwritten by our hosting provider.
- Waitlist email — until you unsubscribe.
Your rights
Depending on where you live, you have some or all of the following rights regarding your personal data:
- Access — request a copy of all data we hold about you.
- Correction — request that we correct inaccurate data.
- Deletion — request that we delete your account and all associated data.
- Portability — receive your data in a machine-readable format.
- Objection — object to processing based on legitimate interest.
- Withdraw consent — for any processing based on consent (e.g., unsubscribe from waitlist emails, disable analytics).
To exercise any of these rights, email hello@tuneshed.co from the address associated with your account, with the subject line "Privacy Request — [Access | Deletion | Correction | Portability]". We will action the request within 30 days.
If you are in the European Economic Area, the United Kingdom, or Switzerland and believe your privacy rights have been violated, you have the right to lodge a complaint with your local data protection authority. Our lead supervisory authority is the Data Protection Commission of Ireland. We would prefer to address your concern directly first — please contact us before escalating.
California residents
If you are a California resident, the California Consumer Privacy Act (CCPA) and Privacy Rights Act (CPRA) provide you with the following rights, in addition to those listed above:
- Right to know what categories of personal information we have collected about you.
- Right to delete personal information collected from you.
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing of your personal information. We do not sell personal information. The Meta Pixel on our landing page may be considered "sharing for cross-context behavioral advertising" under CPRA; you can opt out of this via your browser settings, by enabling Global Privacy Control (GPC), or by adjusting your Meta ad preferences.
- Right to limit use of sensitive personal information — we do not use sensitive personal information for purposes beyond providing the service.
- Right against discrimination for exercising any of these rights.
- Shine the Light (California Civil Code § 1798.83) — California residents may request information about disclosures of personal information to third parties for direct marketing. We do not disclose personal information to third parties for their direct marketing purposes.
Analytics and tracking
The TuneShed landing page (tuneshed.co) uses the following third-party tracking technologies. The mobile app itself does NOT use any third-party analytics or advertising trackers — only the marketing website does.
- Google Analytics — measures aggregate traffic patterns (page views, session duration, geographic region, device type). Sets first-party cookies and reports to Google. IP addresses are anonymized. You can opt out using the Google Analytics Opt-Out Browser Add-on. See Google's Privacy Policy for details.
- Meta Pixel (Facebook Pixel) — measures ad campaign performance and supports retargeting on Meta platforms. Shares browsing data with Meta Platforms, Inc. You can opt out via your Meta ad preferences, the DAA opt-out tool, or by enabling Global Privacy Control (GPC) in your browser. See Meta's Cookie Policy.
- Mailchimp — sets a cookie when you submit the waitlist form to prevent duplicate submissions.
The mobile app stores only your authentication session token in your device's secure storage. No analytics, no third-party tracking, no advertising IDs.
Children
TuneShed is not directed at children under 13 (United States, COPPA) or under 16 in the European Union (GDPR). We do not knowingly collect personal data from anyone in these age groups. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
Changes to this policy
If we make material changes to this policy, we will update the "Last updated" date at the top and notify waitlist members and active account holders by email before the changes take effect.
Contact
Questions about privacy, or want to exercise any of your rights? Email us at hello@tuneshed.co. We aim to respond within 7 days.