AetherKeysAI Piano Studio

Legal

Privacy Policy

Last updated: May 25, 2026

1. Introduction

This Privacy Policy explains how AetherKeys ("AetherKeys", "we", "us", or "our") collects, uses, shares, and protects information in connection with the AetherKeys website, web application, and related services (collectively, the "Service"). It should be read together with our Terms of Service. By using the Service you agree to the practices described here.

2. Information We Collect

We collect only what we need to operate, secure, and improve the Service.

  • Account information. When you sign in through a third-party identity provider (e.g., Google, Discord), we receive a stable user identifier and limited profile fields exposed by that provider — typically your name, email address, and avatar URL. We do not receive or store your provider password.
  • User Content. Audio files and any metadata you upload, together with the transcription artifacts the Service generates from them (MIDI, stem stats, edits, library entries, and a SHA-256 hash of the source audio used for deduplication).
  • Billing information. Subscription tier, daily-allowance state, and purchase history required to operate paid features. Payment-card details are collected and stored by our payment processor (Stripe) — we do not see or store full card numbers. We retain a Stripe customer identifier and minimal transaction metadata returned by Stripe.
  • Authentication & session data. A signed session cookie issued by Auth.js (NextAuth) and a short-lived HS256 JWT used by our backend to identify you on API requests. The backend stores only your provider sub and fields needed to enforce quotas and ownership.
  • Operational logs. Standard server logs (timestamp, request path, response status, IP address, user-agent, error traces) generated automatically when you use the Service.

We do not use third-party analytics, advertising trackers, or cross-site profiling cookies. We do not knowingly collect information from children under 13.

3. How We Use Information

We use the information described above to:

  • Provide, operate, and maintain the Service — including running the transcription pipeline on User Content you upload, storing the resulting Outputs, and rendering them in the player;
  • Authenticate you, enforce per-user quotas and ownership, and keep your account secure;
  • Process payments, manage subscriptions, and reconcile token/credit balances;
  • Diagnose errors, monitor performance, prevent abuse, and improve the reliability of the transcription pipeline;
  • Communicate with you about account, billing, security, or service-related matters;
  • Comply with legal obligations and enforce our Terms of Service.

We do not sell your personal information, and we do not use your User Content to train third-party AI models.

4. Legal Bases (EEA / UK Users)

Where the GDPR or UK GDPR applies, our legal bases for processing are: performance of a contract (operating the Service you requested), our legitimate interests (security, abuse prevention, service improvement), compliance with legal obligations (recordkeeping, tax), and your consent where required (e.g., specific optional features).

5. Sharing & Disclosure

We share information only as needed to run the Service or as required by law:

  • Service providers. Trusted vendors who process data on our behalf under written agreements, including: identity providers (Google, Discord) for sign-in; Stripe for payment processing and the billing portal; cloud hosting and object-storage providers (e.g., Amazon Web Services) where the Service is deployed; and email delivery providers for transactional messages.
  • Legal & safety. When required by law, subpoena, or court order, or where we reasonably believe disclosure is necessary to protect the rights, property, or safety of AetherKeys, our users, or others.
  • Business transfers. In connection with a merger, acquisition, or sale of assets, in which case the recipient will be bound by privacy commitments at least as protective as those described here.

We do not sell or rent your personal information to advertisers or data brokers.

6. Cookies & Local Storage

The Service uses a small number of cookies and browser-storage entries that are strictly necessary to operate the site — primarily the session cookie issued by Auth.js, a CSRF token, and cookies set by Stripe during checkout. We do not set advertising or cross-site tracking cookies. Most browsers let you block or delete cookies, but doing so will prevent you from signing in or completing payments.

7. Data Retention

We retain your account record, library entries, and saved edits for as long as your account is active. Uploaded audio files and generated MIDI/Outputs are retained for as long as you keep them in your library. Operational logs are retained for a limited period (typically up to 90 days) for security and debugging purposes. Billing records are retained for the period required by applicable tax and accounting law. You may delete uploads from your library at any time; account deletion is available on request (see Section 9).

8. Security

We use industry-standard safeguards — including TLS in transit, access controls, scoped service credentials, and SHA-256 integrity hashing of uploaded audio — to protect information against unauthorized access, alteration, or disclosure. No system is perfectly secure, however, and we cannot guarantee absolute security. You are responsible for keeping your third-party identity-provider account secure.

9. Your Rights & Choices

Depending on where you live, you may have the right to access, correct, port, or delete the personal information we hold about you, to object to or restrict certain processing, and to withdraw consent where processing is based on consent. You may exercise these rights at any time by emailing aetherkeys.contact@gmail.com. We will respond within the timeframes required by applicable law. You also have the right to lodge a complaint with your local data-protection authority.

You can manage your subscription and download invoices through the Stripe customer portal linked from your account page, and you can delete individual uploads from your library at any time.

10. International Transfers

We are based in, and operate the Service from, the United States. If you access the Service from outside the United States, your information will be transferred to, processed, and stored in the United States and other jurisdictions where our service providers operate, which may have data-protection laws different from those in your country. Where required, we rely on appropriate transfer mechanisms (such as the European Commission's Standard Contractual Clauses) for international transfers.

11. Children

The Service is not directed to children under 13 (or the minimum age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.

12. Third-Party Links

The Service may link to third-party websites, services, or content (for example, identity-provider sign-in pages or Stripe-hosted checkout). This Privacy Policy does not apply to those third parties, and we are not responsible for their practices. We encourage you to review their privacy policies before providing information to them.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date above and, for material changes, provide additional notice where practicable. Your continued use of the Service after a change takes effect constitutes your acceptance of the revised Policy.

14. Contact

Questions, requests, or complaints about this Privacy Policy? Email aetherkeys.contact@gmail.com.

See also our Terms of Service.