Legal

Privacy Policy

Last updated: 8 April 2026

1. Who we are

SongFelt is a personalised music gifting service operated from the United Kingdom. This policy explains what personal data we collect, how we use it, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

For any privacy-related queries, contact us at hello@songfelt.com.

2. What data we collect

We collect the following categories of data when you use SongFelt:

Account and payment data

Your email address (collected at checkout via Stripe) and payment information. We never see or store your full card number — Stripe handles all payment processing.

Story inputs

The personal details you provide about the gift recipient — their name, personality, memories, relationship, and other story details. This is the core input to the song generation process and is stored in our database linked to your order.

Generated content

The lyrics and audio file generated for your order. These are stored in our secure file storage and linked to your unique reveal page.

Usage data

Standard web server logs including your IP address, browser type, and pages visited. This is used for security and to understand how the service is used. We use Vercel for hosting, which collects this data as part of standard infrastructure operation.

3. How we use your data

We use your data only for the following purposes:

  • To process your payment and fulfil your order
  • To generate your personalised song using your story inputs
  • To send you transactional emails (order confirmation, song ready notification) via Resend
  • To host your reveal page and make it accessible to you and your recipient
  • To respond to any support or refund requests you raise
  • To improve the service through anonymised usage analysis

Our lawful basis for processing is contract performance — we need your data to deliver the service you have paid for. Where we process data for service improvement, we rely on legitimate interests.

We do not use your data for marketing, profiling, or targeted advertising. We will never sell your data.

4. Who we share your data with

We share your data only with the third-party services necessary to operate SongFelt. Each is a data processor acting on our instructions:

Stripe

Payment processing

Processes your payment. Stripe is PCI-DSS compliant. Your card details go directly to Stripe and are never seen by us.

Privacy policy →

Supabase

Database and file storage

Stores your order details, story inputs, generated lyrics, and audio files. Data is stored in EU-region infrastructure.

Privacy policy →

Vercel

Website hosting

Hosts the SongFelt website and API. Standard infrastructure logs are retained for security purposes.

Privacy policy →

Anthropic

Lyrics generation

Your story inputs are sent to Anthropic's API to generate personalised lyrics. Anthropic processes this data in accordance with their API data usage policy.

Privacy policy →

udioapi.pro

Music generation

Your approved lyrics are sent to udioapi.pro to generate the audio track. Only the formatted lyrics are shared — no personal identifiers.

Privacy policy →

Resend

Transactional email

Sends order confirmation and song ready emails to your email address.

Privacy policy →

5. How long we keep your data

Your order data (story inputs, lyrics, and audio file) is retained for 12 months from your purchase date — long enough to ensure your reveal page remains accessible throughout the hosted period.

After 12 months, your order data and generated content are deleted. Your email address may be retained for up to 7 years for financial record-keeping obligations under UK law, after which it is permanently deleted.

6. Cookies

SongFelt uses only the minimum cookies necessary to operate the service. We do not use advertising, tracking, or analytics cookies.

Vercel (our hosting provider) may set functional cookies as part of standard web infrastructure operation. Stripe sets cookies during the checkout process to prevent fraud. Neither of these require your consent under UK law as they are strictly necessary for the service to function.

7. Your rights

Under UK GDPR, you have the following rights:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Ask us to correct inaccurate data
  • Erasure: Ask us to delete your data, subject to our legal retention obligations
  • Restriction: Ask us to limit how we use your data
  • Portability: Receive your data in a machine-readable format
  • Objection: Object to processing based on legitimate interests

To exercise any of these rights, email hello@songfelt.com. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO).

8. Security

We take reasonable technical and organisational measures to protect your data. This includes encrypted data storage, HTTPS across all pages, and access controls on our database. No method of transmission over the internet is completely secure, but we take every practical step to protect your information.

9. Changes to this policy

We may update this policy from time to time. Changes will be posted on this page with an updated date. For significant changes, we will notify active customers by email where we hold your address.

10. Contact

For any questions about this policy or how we handle your data, contact us at hello@songfelt.com.