Privacy Policy

1. Data Controller

The controller of your personal data is IT Consulting Wojciech Olearczyk (the "Controller"), operating the Heart Song platform at nutazserca.pl.

Contact: kontakt@nutazserca.pl

2. Legal Basis for Processing

We process personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable privacy laws. The legal bases for processing include:

• Performance of a contract (Art. 6(1)(b) GDPR) — processing is necessary to fulfill your Order for a personalized song.
• Legal obligation (Art. 6(1)(c) GDPR) — processing is necessary to comply with legal obligations such as tax and accounting requirements.
• Legitimate interest (Art. 6(1)(f) GDPR) — processing is necessary for our legitimate interests, such as improving the Service and protecting against fraud.
• Consent (Art. 6(1)(a) GDPR) — where you have given voluntary consent, such as for marketing communications.

3. Data We Collect

We collect the following categories of data when you use the Service:

3.1. Information you provide in the order form:

• Your name (as the sender/orderer)
• Your email address (optional)
• Recipient's name
• Your relationship with the recipient
• The occasion for the song
• Musical preferences (genre, voice, language)
• Personal memories and stories (content you provide)
• Photos (optional, if uploaded)

3.2. Data collected automatically:

• IP address
• Browser and device type
• Analytics data (via Vercel Analytics)

3.3. Payment data:

Payment card details are processed exclusively by Stripe, Inc. and are never stored on our servers. We receive only payment confirmation and a transaction identifier.

4. Purposes of Processing

We process your personal data for the following purposes:

• Order fulfillment — generating your personalized song based on the information you provide.
• Payment processing — processing your payment via Stripe.
• Communication — notifying you about your order status and responding to inquiries.
• Song delivery — sending an email notification when your song is ready (if an email address is provided).
• Legal compliance — maintaining accounting and tax records as required by law.
• Analytics — analyzing website traffic to improve the Service.

5. Data Recipients (Sub-processors)

Your personal data may be shared with the following third-party service providers who act as data processors on our behalf:

• Stripe, Inc. (USA) — online payment processing. Stripe implements Standard Contractual Clauses approved by the European Commission to safeguard data transfers.
• Suno, Inc. (USA) — AI-powered song generation. Data shared with Suno consists only of the song prompt content and does not include personally identifiable information.
• Anthropic, PBC (USA) — AI-powered lyric generation using the Claude language model. Only information necessary to create the song lyrics is shared.
• Resend, Inc. (USA) — transactional email delivery (order status notifications).
• Vercel, Inc. (USA) — application hosting, file storage (Vercel Blob), and web analytics (Vercel Analytics).
• Upstash, Inc. (USA/EU) — order data storage in a Redis database.

Transfers of data to countries outside the European Economic Area (including the USA) are safeguarded by Standard Contractual Clauses approved by the European Commission (Art. 46(2)(c) GDPR) or by adequacy decisions (EU-U.S. Data Privacy Framework).

6. Data Retention

• Order data — retained for 5 years from the date of order completion for tax and accounting purposes.
• Contact information — retained until the inquiry is resolved, and no longer than 2 years from the last contact.
• Analytics data — retained in accordance with Vercel Analytics policies (anonymized data).
• Generated songs — retained on our servers for as long as necessary to deliver the service and allow download by the customer.

7. Your Rights

Under the GDPR and applicable privacy laws, you have the following rights regarding your personal data:

• Right of access (Art. 15 GDPR) — the right to obtain information about the personal data we process about you.
• Right to rectification (Art. 16 GDPR) — the right to request correction of inaccurate or incomplete data.
• Right to erasure (Art. 17 GDPR) — the right to request deletion of your data ("right to be forgotten"), subject to our legal obligations.
• Right to restriction of processing (Art. 18 GDPR) — the right to request restriction of processing in certain circumstances.
• Right to data portability (Art. 20 GDPR) — the right to receive your data in a structured, commonly used, machine-readable format.
• Right to object (Art. 21 GDPR) — the right to object to processing based on legitimate interests.
• Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before the withdrawal.

To exercise your rights, please contact us at: kontakt@nutazserca.pl

8. Right to Lodge a Complaint

If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is:

If you are located in another EU/EEA country, you may also lodge a complaint with the supervisory authority in your country of residence.

9. Cookies

1. The Service uses cookies that are essential for the proper functioning of the website (session cookies, authentication cookies for the admin panel).
2. We use Vercel Analytics to collect anonymized analytics data. Vercel Analytics does not use cookies and operates on anonymized data.
3. Payment-related cookies set by Stripe, Inc. are subject to Stripe's own privacy policy.
4. You can manage your cookie settings through your browser preferences.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, destruction, or disclosure, including:

• Encryption of all communications via SSL/TLS (HTTPS).
• Secure storage of data in encrypted databases.
• Restricted access to personal data limited to authorized personnel only.
• Regular security reviews and updates.

11. Changes to This Privacy Policy

We reserve the right to update this Privacy Policy. Any changes will be communicated through the Service. Continued use of the Service after changes are posted constitutes acceptance of the updated policy.