Privacy Policy

Effective date: March 15, 2026  ·  Last updated: March 15, 2026

1. Introduction

Welcome to Notevra ("we," "us," or "our"). Notevra, accessible at www.notevra.net, is an AI-powered personalized song gift service that transforms your feelings and memories into one-of-a-kind musical gifts. We are committed to protecting your personal information and your right to privacy.

This Privacy Policy explains what information we collect, how we use it, with whom we share it, and what choices you have. Please read it carefully. By using Notevra, you agree to the practices described in this policy. If you do not agree, please do not use our service.

This policy applies to all information collected through our website and any related services, sales, marketing, or events (collectively, the "Services").

2. Information We Collect

We collect information you provide directly, information generated by your use of the service, and information collected automatically.

Information You Provide

• Account information: When you create an account via email/password or Google OAuth, we collect your email address, display name, and (if using Google) your Google profile information.
• Quiz responses: To create your personalized song, we collect the information you enter during the song creation quiz — including the recipient's name, the occasion, the relationship between you and the recipient, the mood you want to capture, and any personal story details or memories you choose to share.
• Recipient information: If you choose to send a song via email, we collect the recipient's email address.
• Communications: If you contact us directly, we may receive your name, email address, the contents of your message, and any attachments you send.

Information Generated by Our Service

• Generated content: We store the AI-generated lyrics, song files (WAV and MP3 formats), and song metadata (title, occasion, mood, creation date) associated with your account.
• Song delivery records: We maintain records of when songs were created and delivered, and to which recipient email addresses.

Information Collected Automatically

• Usage data: We collect information about how you interact with our service, including pages visited, features used, links clicked, and time spent on pages.
• Device and browser information: We collect your IP address, browser type and version, operating system, device type, and referring URLs.
• Cookies and similar technologies: We use cookies to maintain your login session and remember your cookie consent preference. See Section 5 for details.

3. How We Use Your Information

We use the information we collect for the following purposes:

• Generate personalized songs: Your quiz responses are processed by our AI systems to create unique song lyrics and music tailored to your story.
• Deliver your songs: We use your account email and, when provided, the recipient's email address to deliver songs via email.
• Provide and maintain the service: We use your information to operate and maintain your account, provide technical support, and ensure service reliability.
• Improve our service: We analyze aggregated usage data to understand how our service is used, identify issues, and make improvements to the product experience.
• Communicate with you: We send transactional emails (song generation confirmations, song delivery notifications) and, where you have opted in, service updates. We do not send marketing emails without your explicit consent.
• Prevent abuse and ensure safety: We monitor for fraudulent activity, misuse of AI generation capabilities, and violations of our Terms of Service.
• Legal compliance: We process information as necessary to comply with applicable laws, regulations, and legal processes.

Legal bases for processing (GDPR): We process your personal data under one or more of the following legal bases: performance of a contract (providing the service you requested), legitimate interests (improving and securing our service), compliance with a legal obligation, and consent (for non-essential cookies).

4. Third-Party Services and Data Sharing

We do not sell your personal information to third parties. We share data only with the service providers necessary to operate Notevra. Each provider is contractually bound to protect your data and use it only for the purposes we specify.

Supabase

Purpose: Authentication and database storage.
Data processed: Account email addresses, hashed passwords (for email/password accounts), Google OAuth tokens, song metadata, and song delivery records.
Location: United States (us-west-2 region).
Supabase is SOC 2 Type II certified. Learn more at supabase.com/privacy.

Vercel

Purpose: Website hosting and serverless function execution.
Data processed: All web requests pass through Vercel's infrastructure. Vercel may collect IP addresses, request metadata, and performance telemetry as part of standard hosting operations.
Location: Vercel operates a globally distributed edge network.
Learn more at vercel.com/legal/privacy-policy.

Cloudflare R2

Purpose: Audio file storage.
Data processed: Generated song audio files (WAV and MP3). Files are stored under a unique identifier and are not linked to your name or email in the storage layer itself.
Location: United States.
Learn more at cloudflare.com/privacypolicy.

RunPod

Purpose: AI compute infrastructure for music generation.
Data processed: When a song is generated, we send song lyrics, musical tags (genre, mood, tempo), duration, and a unique song identifier to RunPod's serverless compute infrastructure. RunPod processes this data to generate the audio and returns the resulting audio files. No personal account information (email, name) is sent to RunPod.
Location: United States.
Learn more at runpod.io/privacy-policy.

Google Gemini (Google AI)

Purpose: AI text generation for song prompt engineering.
Data processed: Your quiz responses (occasion, mood, relationship description, personal story details) are sent to Google's Gemini AI API to generate song lyrics and creative prompts. We recommend not including highly sensitive personal information (financial details, health information, government ID numbers) in your quiz responses.
Location: Google operates globally distributed data centers.
Google's AI API data use policies apply. Learn more at ai.google.dev/gemini-api/terms.

Resend

Purpose: Transactional email delivery.
Data processed: When we send emails (song generation confirmations, song delivery to recipients), we transmit email addresses and email content through Resend's email delivery infrastructure.
Location: United States.
Learn more at resend.com/legal/privacy-policy.

Other Disclosures

We may also disclose your information: (a) to comply with applicable laws, regulations, legal process, or government requests; (b) to enforce our Terms of Service or protect our rights, privacy, safety, or property; (c) in connection with a merger, acquisition, or sale of assets, in which case we will notify affected users before their data is transferred and becomes subject to a different privacy policy; or (d) with your explicit consent.

5. Cookies and Tracking

We use cookies — small text files stored in your browser — to operate our service. Here is what we use:

Essential Cookies

• Authentication session cookies (Supabase): These cookies keep you signed in to your account across page visits. Without them, you would need to log in on every page. These are strictly necessary for the service to function and cannot be disabled while using your account.
• Cookie consent preference (localStorage): We store your cookie consent choice (accepted or declined) in your browser's localStorage so we do not show the consent banner on every visit.

Non-Essential Cookies

We do not currently use third-party advertising cookies, tracking pixels, or behavioral advertising tools. If we add non-essential analytics or tracking in the future, we will update this policy and request your consent via the cookie consent banner before setting any such cookies.

Managing Cookies

You can manage or delete cookies through your browser settings. Note that disabling essential cookies will affect your ability to use authenticated features. You can reset your cookie consent preference at any time by clearing your browser's localStorage data for notevra.net.

6. Data Retention

We retain your personal information for as long as necessary to provide the Services and for legitimate business and legal purposes:

• Account data: Retained for the lifetime of your account. When you delete your account, we delete your account data within 30 days, except where retention is required by law.
• Song files (audio): Audio files stored in Cloudflare R2 are retained for the lifetime of your account. Generated songs linked to anonymous sessions (no account) may be deleted after 30 days.
• Song metadata and quiz responses: Retained for the lifetime of your account. We do not retain quiz response content in its original form after the song is generated — responses are used solely to generate lyrics and are not stored independently long-term.
• Email addresses (recipient): Recipient email addresses are retained in our delivery records for up to 90 days for support and audit purposes, then deleted.
• Usage and log data: Server logs and analytics data are retained for up to 90 days.

7. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights regarding your personal data:

• Right to access: You can request a copy of the personal data we hold about you.
• Right to rectification: You can ask us to correct inaccurate or incomplete personal data.
• Right to erasure ("right to be forgotten"): You can request that we delete your personal data, subject to certain legal retention obligations.
• Right to restriction of processing: You can ask us to restrict how we process your data in certain circumstances.
• Right to data portability: You can request your personal data in a structured, machine-readable format.
• Right to object: You can object to our processing of your personal data based on legitimate interests.
• Right to withdraw consent: Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
• Right to lodge a complaint: You have the right to file a complaint with your local data protection authority.

To exercise any of these rights, please contact us at the address in Section 13. We will respond to your request within 30 days.

8. Your Rights Under CCPA (California Residents)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you additional rights:

• Right to know: You can request information about the categories and specific pieces of personal information we have collected about you, the sources of that information, our business purpose for collecting it, and the categories of third parties with whom we share it.
• Right to delete: You can request that we delete personal information we have collected from you, subject to certain exceptions.
• Right to correct: You can request that we correct inaccurate personal information we maintain about you.
• Right to opt out of sale or sharing: We do not sell your personal information and do not share it for cross-context behavioral advertising. There is nothing to opt out of.
• Right to limit use of sensitive personal information: We do not use sensitive personal information beyond what is necessary to provide our services.
• Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA rights.

To submit a CCPA request, contact us at the address in Section 13. We will verify your identity before processing your request and respond within 45 days (extendable by an additional 45 days when reasonably necessary).

Categories of personal information collected in the last 12 months: Identifiers (email address, IP address); commercial information (songs created, service usage); internet or other electronic network activity (browsing and interaction data); audio or electronic data (generated song files); inferences drawn from usage data to understand your preferences.

9. Children's Privacy

Notevra is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately. If we discover that we have collected personal information from a child under 13 without verified parental consent, we will take steps to delete that information promptly.

If you are between 13 and 18 years old, please review this policy with a parent or guardian before using our service.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction:

• All data is transmitted over encrypted HTTPS connections.
• Authentication is managed by Supabase, which implements industry-standard security practices including secure password hashing and OAuth 2.0 token handling.
• Audio files stored in Cloudflare R2 are accessible only via time-limited presigned URLs.
• Database access is restricted through row-level security policies that prevent unauthorized data access between user accounts.
• We limit access to personal data to employees and service providers who need it to operate and improve the service.

Despite these measures, no method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee the absolute security of your information. If you become aware of any security vulnerability or breach, please contact us immediately.

11. International Data Transfers

Notevra is operated from the United States, and our primary service providers (Supabase, Cloudflare, RunPod, Vercel) process data primarily in the United States. If you are accessing our service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country of residence.

For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) where required. Our service providers are contractually bound to protect your personal data in accordance with applicable privacy laws.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Update the "Last updated" date at the top of this policy.
• Send an email notification to registered users for significant changes.
• Display a notice on our website for a reasonable period after the change.

Your continued use of Notevra after we post changes to this policy constitutes your acceptance of the updated policy. If you disagree with the changes, you should discontinue use of the service and may request deletion of your account.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

Notevra
Website: www.notevra.net
Contact form: notevra.net/contact

We take all privacy inquiries seriously and will respond within 30 days. For GDPR-related requests, our response time is within 30 days from receipt of your request, extendable by two additional months where necessary given the complexity and number of requests.