Privacy Policy

Last updated: 1 June 2026 · Version 1.1

1. Who We Are

Chordict (www.chordict.com) is operated by Mehmet Akif VARDAR, a sole proprietor established in Türkiye. For the purposes of the General Data Protection Regulation (GDPR) and other applicable data-protection laws, Mehmet Akif VARDAR is the data controller.

Contact for all privacy matters: info@chordict.com

2. Data We Collect

We collect the following categories of personal data:

Category | Examples | How collected
Account identity | Email address, full name, display name, optional profile-picture URL (if set) | Provided by you
Profile preferences | Instruments you play and your skill level | Provided by you at signup
Audio content | Audio files you upload (up to 25 MB / 15 minutes) | Provided by you
Analysis results | Detected chords, transcribed lyrics, timestamps, aligned sections | Generated by our service from your audio
Feedback | Star ratings (1–5) and comments you submit on an analysis | Provided by you
Subscription & billing | Subscription status, billing-period dates (payment card data handled by Polar, not by us) | Generated by service / received from Polar
Technical data | IP address (rate-limiting, billing currency detection), authentication tokens, error logs containing user and analysis IDs | Collected automatically
Analytics (with consent) | Pages visited, session duration, browser type — anonymous identifiers only | Google Analytics 4 (only if you accept cookies)

We do not collect special-category data (health, biometric, political, etc.).

3. Why We Process Your Data

We process your data on the following legal bases:

  • Contract performance (Art. 6(1)(b) GDPR): Creating and maintaining your account, processing audio uploads, storing analysis results, managing your subscription, and sending OTP verification codes. Without this processing we cannot provide the service.
  • Legitimate interests (Art. 6(1)(f) GDPR): Protecting the service against abuse and bots (hCaptcha), maintaining error logs for debugging, enforcing rate limits to ensure fair use, and detecting billing currency from IP address. Our legitimate interests are proportionate and do not override your rights.
  • Consent (Art. 6(1)(a) GDPR): Operating Google Analytics to understand site usage and improve the product. You can withdraw this consent at any time via the cookie widget (🍪) at the bottom-left of every page.

4. Who We Share Your Data With

We do not sell your personal data. We share it only with the service providers (data processors) needed to operate Chordict, each bound by data-processing agreements.

Named processors

Processor | Purpose | Data shared
Polar (Merchant of Record) | Subscription billing, checkout, customer portal, VAT/tax | User identifier, IP address (currency detection), subscription state
Google Analytics 4 | Anonymous site analytics (consent-gated) | Page events, session identifiers — only if you accept cookies
hCaptcha (Intuition Machines) | Bot protection on login, signup, password reset, contact, and in-app feedback forms | IP address, interaction signals

Additional sub-processors (by category)

The following categories of processors handle data solely to deliver core features. We do not publicly name them to protect operational security, but will identify them on request sent to info@chordict.com.

  • Cloud database, authentication & file-storage provider: Stores all account data, analyses, audio files, and authentication state.
  • Transactional email provider: Delivers OTP verification codes, password-reset emails, contact-form and feedback relay, and subscription & account lifecycle notifications (trial started, subscription canceled, account deleted). Email address, recipient name, and the relevant message or subscription details are transmitted.
  • AI speech-to-text provider: Converts your uploaded audio file into a text transcript. The audio is transmitted for processing; we do not retain audio on this provider's systems beyond their standard processing window.
  • AI text-formatting provider: Receives the text transcript (no audio) to reformat it into labeled lyric sections.
  • Cloud audio-analysis service (EEA-based): Performs chord detection on your audio using a proprietary model hosted within the European Economic Area. Only a time-limited download link and a job identifier are transmitted; no permanent copy is retained.
  • User avatar image CDN: Delivers profile images linked by https URL. Only standard request headers are transmitted.
  • Cloud hosting & infrastructure provider: Runs the website and API servers and processes connection metadata (IP address, request logs, User-Agent) needed to deliver the service.

5. International Data Transfers

Some processors are located outside the European Economic Area (EEA). Where this is the case, we rely on the European Commission's Standard Contractual Clauses (SCCs) or other adequacy mechanisms provided by each processor's data-processing agreement to ensure an equivalent level of protection.

6. Data Retention

Data | Retained for
Account data (profile, analyses, audio, feedback) | While your account is active; deleted within 30 days of account deletion
Error logs | 90 days, then automatically purged
Email OTP codes | 10 minutes (auto-expire)
Analytics data (GA4) | Per Google's default (14 months for user-level data)

7. Your Rights

Depending on your location, you may have the following rights. To exercise any of them, email info@chordict.com or use the self-serve tools at Account Settings. We will respond within 30 days.

  • Access: Request a copy of the personal data we hold about you (self-serve JSON export available).
  • Rectification: Correct inaccurate profile data — email us and we'll update it for you.
  • Erasure: Delete your account and all associated data (self-serve account deletion available).
  • Portability: Receive your data in a structured, machine-readable format (self-serve JSON export available).
  • Restriction: Ask us to stop processing your data in certain circumstances.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw consent: Withdraw your analytics consent at any time via the 🍪 widget.
  • Lodge a complaint: EU/EEA/UK residents may lodge a complaint with their national supervisory authority. Turkish residents may contact the Personal Data Protection Authority (KVKK, www.kvkk.gov.tr).

California residents: We do not sell or share your personal information for cross-context behavioural advertising. You have the right to know, delete, and opt-out under the CCPA/CPRA.

8. Security

We protect your data using HTTPS encryption, JWT-based authentication, short-lived signed storage URLs, Content Security Policy with per-request nonces, magic-byte validation for uploaded files, and rate limiting on all sensitive endpoints. No method of transmission over the internet is 100% secure; we cannot guarantee absolute security.

9. Children

Chordict is not intended for users under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with data, please contact us at info@chordict.com so we can delete it.

10. Changes to This Policy

We may update this Privacy Policy at any time. Any changes take effect as soon as they are posted on this page, and the “Last updated” date at the top of this page always reflects the current version. Please review this page periodically to stay informed.

11. Contact

Questions or requests: info@chordict.com