Privacy Policy
Last updated: April 23, 2026
1. The short version
Chords.fm collects the minimum needed to let you sign in, charge you if you upgrade, and transcribe the audio you upload. We delete source audio after rendering. The one exception is guitar-tab uploads, which have an optional off-by-default checkbox letting you keep the audio to help us improve tab accuracy; you can delete any retained audio at any time from /account. We do not sell your data, we do not share your recordings with other users, and opted-in audio is used only to improve Chords.fm itself.
2. What we collect
- Account data — the email address used at sign-in, and (for Google sign-in) the basic profile fields Google returns (name, avatar URL). Stored in Supabase Auth.
- Audio you upload — the file itself, held in a private per-user bucket for the duration of the transcription job. Deleted after rendering (see §4). The one exception is a guitar-tab upload where you ticked the opt-in retention checkbox on the upload form, in which case we keep that file until you purge it from /account.
- Transcription output — the chord chart / tab JSON produced from your audio, plus the tab’s name, mode, and per-stage status. Retained in your library until you delete it or your account.
- Billing data — if you upgrade to Pro, Stripe stores your payment details on their infrastructure; Chords.fm stores only the Stripe customer ID and subscription status returned to us via webhook. We never see your card number.
- Operational logs — request paths, response codes, and pipeline stage timings, used for debugging. Logs may incidentally contain your user ID and tab ID but not audio content. Retained for up to 30 days.
We do not set advertising cookies. We do not run third-party trackers on the marketing pages or the app.
3. Why we collect it (legal bases)
- Contract performance (GDPR Art. 6(1)(b)) — transcribing the audio you upload, storing the resulting tab in your library, and keeping your account working.
- Legitimate interests (GDPR Art. 6(1)(f)) — operational logging for debugging and abuse prevention.
- Consent (GDPR Art. 6(1)(a)) — the per-upload rights confirmation, described in our Terms §3.
4. How long we keep it
- Source audio (default) — deleted from our servers as soon as the transcription finishes. In practice this is within minutes of upload.
- Source audio (guitar-tab opt-in) — if the upload was a guitar-tab transcription and you ticked the opt-in retention checkbox, the file is kept in its private per-user bucket until you purge it. You can see every retained file and delete any or all of it from /account. Closing your account also purges retained audio within 30 days. Chord-chart uploads have no retention option and are always deleted after rendering.
- Tabs — kept until you delete them or close your account. Deleted within 30 days of account closure.
- Account record — kept until you close your account. Deleted within 30 days of account closure, except where we are required to retain limited records (e.g. tax records for paid invoices).
- Billing records — Stripe retains invoice data per its own retention policy; we retain subscription status and Stripe customer ID for as long as your account is active, and thereafter only as required by law.
- Operational logs — up to 30 days.
5. Who we share it with
We do not sell personal data. We share it only with the processors needed to run the service:
- Supabase — authentication, database, and file storage. Audio and tabs are stored here.
- Our transcription worker host — the inference pipeline runs on a third-party compute provider. It receives a short-lived signed URL to your audio, produces the transcription, and does not retain the audio.
- Stripe — only if you upgrade to Pro. Receives your payment details directly; we never handle them.
- Vercel — the web application runtime (request routing and rendering).
We may also disclose information if legally required (lawful subpoena, court order) or to protect the rights, safety, or property of Chords.fm or its users.
6. Using your content to improve Chords.fm
We only use audio that you have explicitly opted in to retain — via the unchecked-by-default “Let Chords.fm use this audio to improve our guitar-tab results” checkbox, which appears on the upload form for guitar-tab uploads only — to evaluate and improve the guitar-tab software that powers the service. Chord-chart uploads have no retention option; their audio is deleted after rendering and is never used for improvement work.
If you are Pro and you correct a chord chart or a tab in the viewer (for example, fixing a missed chord or moving a note to the right string), we log the before-and-after values for that edit so we can study where our output systematically disagrees with an informed listener. Edit logs contain the corrected musical content only — no audio is attached, and nothing that identifies you outside your account.
We do not share your retained audio, your tabs, or your corrections with other users or with third parties, and we do not use them for anything that is used outside Chords.fm itself. You can revoke retention at any time from /account; revocation immediately purges the retained audio.
7. Your rights
Depending on where you live, you may have the right to access, correct, port, or delete the personal data we hold about you, to object to or restrict processing, and to withdraw consent. Specifically:
- Access / export — email us; we will send you the account data and tab content we hold for you within 30 days.
- Deletion — you can delete individual tabs from your library; for full account deletion, email us and we will remove everything within 30 days.
- California residents (CCPA) — you have the right to know, delete, correct, and opt out of the sale or sharing of personal information. We do not sell or share personal information as those terms are defined under CCPA.
- EU / UK / Swiss residents (GDPR / UK GDPR) — you have the rights listed above plus the right to lodge a complaint with your local data protection authority.
To exercise any of these rights, email privacy@chords.fm. We may ask you to verify the account before acting on the request.
8. International transfers
Chords.fm is operated from the United States. If you access the service from outside the US, your data will be transferred to and processed in the US. Our processors (Supabase, Stripe, Vercel, the transcription worker host) may also process data in other jurisdictions. Where required, we rely on Standard Contractual Clauses or equivalent safeguards.
9. Children
Chords.fm is not directed to children under 13, and we do not knowingly collect personal information from anyone under 13. If you believe a child has signed up, email us at the address in §10 and we will delete the account.
10. Contact
Privacy questions or requests? Email privacy@chords.fm.
11. Changes to this policy
We may update this Privacy Policy as the product evolves. Material changes will be reflected by updating the “Last updated” date above; we will also try to notify active users by email for significant changes.