Privacy Policy

Last updated: February 20, 2026

Introduction

Welcome to Orphea, your intelligent music analysis platform. We take the protection of your personal data very seriously and are committed to complying with the General Data Protection Regulation (GDPR) and all applicable privacy laws.

This privacy policy explains in detail how we collect, use, store, and protect your personal data when using our service. It applies to anyone accessing Orphea via the web, a mobile app, or any other means.

Orphea is a service under development. The publishing company is being registered. In the meantime, any questions about your data can be addressed through our support page.

Data Controller: Orphea (registration in progress — sole proprietorship)
Data protection contact: Support page

1. Data Collected

1.1 Identification Data

• Unique identifier (automatically generated upon account creation)
• Username (provided by your Spotify, SoundCloud, Tidal, or Deezer account)
• Email address (if connecting via Google, Email, or direct account creation)
• Profile picture (provided by the connection service, never stored locally)

1.2 OAuth Connection Data

• Access tokens for third-party services (Spotify, SoundCloud, Tidal, Deezer) — encrypted in transit
• Premium subscription status (Spotify, SoundCloud, Tidal) — only used to adapt the interface
• Third-party account identifiers (for service linking)
• Refresh tokens (to maintain sessions without frequent re-authentication)

1.3 Usage Data

• Listening history (tracks, artists, dates — synced from your music services)
• Music analyses performed (pipeline analysis results)
• Playlists viewed and created
• Service interactions (likes, shares, votes, comments)
• AI credit quotas used
• Interface preferences (language, theme, notifications)

1.4 Technical Data

• IP address (anonymized after 30 days)
• Browser type and operating system
• Screen resolution and display preferences
• Session cookies and preferences (detailed in section 7)
• Performance and error data (via Sentry, anonymized)

1.5 Payment Data

• Payments are entirely managed by Stripe — we NEVER store your card numbers
• Stripe customer identifier (to manage your subscription)
• Subscribed plan type and subscription status
• Billing history (retained for 10 years by legal obligation)

2. Legal Basis and Purposes of Processing

Consent (Art. 6.1.a GDPR)

Upon registration, you consent to the processing of your data for:

• Account creation and management
• Connection via third-party services (OAuth 2.1 + PKCE)
• Music analysis by artificial intelligence (OpenAI, Qwen)
• Sending account-related notifications

Contract Performance (Art. 6.1.b GDPR)

To provide our services, we need to process your data for:

• Access to your playlists and listening history
• Generation of personalized music analyses
• Subscription and credit quota management
• Technical support and assistance
• Community features (profiles, follows, arena)

Legitimate Interest (Art. 6.1.f GDPR)

To improve our service, we may process:

• Anonymized usage statistics
• Fraud and abuse prevention (rate limiting)
• Analysis algorithm improvements
• Error monitoring (Sentry — anonymized data)

3. Data Retention Period

Active account dataUntil deletion

Listening history and analysesUntil deletion

Technical logs (IP, browser)30 days (anonymized)

Billing data10 years (legal obligation)

Temporary OAuth cookies10 minutes

Session cookies30 days of inactivity

Deleted accountImmediate erasure

Billing data is retained for 10 years in accordance with French accounting and tax obligations (Commercial Code, art. L123-22).

4. Your GDPR Rights

Under the GDPR, you have the following rights regarding your personal data:

Right of Access (Art. 15)

You can request a copy of all data we hold about you. We will respond within 30 days.

Right to Rectification (Art. 16)

You can correct inaccurate or incomplete data via your profile or by contacting us.

Right to Erasure (Art. 17)

You can request the complete deletion of your account and all data. This action is irreversible.

Right to Portability (Art. 20)

You can retrieve your data in a structured and reusable format (JSON).

Right to Object (Art. 21)

You can object to the processing of your data for legitimate reasons.

Right to Restriction (Art. 18)

You can request the suspension of the processing of your data in certain cases.

Exercise Your Right to Erasure

You can permanently delete your account and all personal data directly from your settings.

Go to Deletion Settings

To exercise your rights, contact us via our support page. We will respond within 30 days.

5. Data Sharing and Transfer

5.1 Third-Party Services Used

• Supabase (DB Hosting): Database hosted in Europe (GDPR compliant)
• Vercel (Web Hosting): Hosting with European data centers, global Edge Network
• OpenAI (AI): Music analysis — anonymized data, no retention by OpenAI
• Sentry (Monitoring): Error tracking — data automatically anonymized
• Spotify / SoundCloud / Tidal / Deezer: OAuth connection and playlist access — minimal data
• Stripe (Payments): Subscription management — PCI DSS Level 1 certified
• Upstash Redis (Cache): Caching and votes — hosted in Europe
• PostHog (Analytics): Anonymized usage analytics — EU-hosted, open-source
• Resend (Emails): Transactional emails (welcome, notifications) — minimal data

Transfers Outside the EU: Some processors (OpenAI, Vercel, Sentry) may process data outside the EU. These transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission and security guarantees equivalent to the GDPR.

5.2 We NEVER Sell Your Data

Your personal data is never sold, rented, or shared for commercial purposes with third parties. It is only used to provide and improve our service.

6. Data Security

We implement technical and organizational security measures in accordance with industry best practices:

• HTTPS/TLS Encryption: All communications are encrypted in transit
• Secure Tokens: httpOnly, sameSite: lax, secure cookies in production
• CSRF Protection: Validation via state parameter + PKCE OAuth 2.1
• Security Headers: HSTS, X-Frame-Options: DENY, strict Content-Security-Policy (no unsafe-eval)
• Session Hashing: HMAC-SHA256 for session management
• Access Limitation: Principle of least privilege, Row Level Security (RLS) on all tables
• Rate Limiting: Abuse protection on all APIs
• Regular Audits: Quarterly security reviews (OWASP ASVS)

Breach Notification: In the event of a personal data breach, we commit to notifying the relevant authority (CNIL) within 72 hours and affected users without delay.

7. Cookie Usage

Strictly Necessary Cookies (cannot be disabled)

• orphea_session — User session (94 characters, HMAC-SHA256)
• *_access_token — OAuth tokens (Spotify, SoundCloud, Tidal, Deezer)
• *_refresh_token — Session renewal
• oauth_state — CSRF protection (temporary, 10 min)
• pkce_verifier — PKCE OAuth security (temporary, 10 min)

Preference Cookies

• Language and interface preferences
• Display theme
• Notification preferences

Retention: Session cookies expire after 30 days of inactivity. OAuth cookies are automatically renewed.

8. Protection of Minors

Orphea is not intended for children under 16 years of age. We do not knowingly collect personal data from minors under 16.

If we learn that personal data from a minor under 16 has been collected, we will delete it immediately. If you are a parent or guardian and believe your child has provided us with data, please contact us via support.

9. Changes to This Policy

We may update this privacy policy to reflect changes in our service or regulatory requirements. Any substantial changes will be notified to you by email or via an in-app notification at least 30 days before taking effect.

Version 2.1 — February 20, 2026

10. Contact and Complaints

For any questions about your personal data or to exercise your GDPR rights:

Support: Orphea Support Page

Address: (to be completed upon business registration)

Right to Complain: If you believe your rights are not being respected, you can file a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés) at www.cnil.fr

Want to delete your data?

Exercise your right to erasure directly from your settings

Manage My Personal Data

← Back to Home