Privacy Policy
Effective 2026-05-12
Charthand (“we”, “us”) is a transcription-prep tool that turns an audio recording into a printable lead-sheet PDF. This page describes what data we collect, why, how long we keep it, and the rights you have under the EU General Data Protection Regulation (GDPR).
1. Who we are
The data controller is Liro Music — Oscar Mattsson, Wergelandsgatan 26, 168 48 Stockholm, Sweden. You can reach us at privacy@charthand.com.
2. What we collect and why
- Email address. Used to send you a magic-link sign-in email and to identify your account. Legal basis: performance of the contract (Art. 6(1)(b) GDPR).
- Chord charts you create. The JSON output of the transcription pipeline (chords, sections, lyrics, tempo, key, time-signature, hits/stops), stored against your user ID so you can come back to it. Legal basis: performance of the contract.
- Audio files you upload. Held only for the duration of one analysis run. The file is deleted from disk immediately after the chart JSON is produced; we never persist the raw audio. Legal basis: performance of the contract.
- Session cookie. A single “strictly necessary” authentication cookie (authjs.session-token) that keeps you signed in. Legal basis: strictly necessary for the service you requested (ePrivacy Directive Art. 5(3)).
We do not use analytics, advertising, or third-party tracking SDKs. We do not profile you or sell your data.
3. How long we keep it
- Audio uploads: deleted within seconds of analysis completing. There is no scheduled retention.
- Charts and account data: retained until you delete them. Deleting your account erases all associated charts, sessions, and account records.
- Backups: our database host (see §5) keeps encrypted point-in-time backups for up to 14 days; backup copies of deleted rows are purged on the same rolling schedule.
4. Your rights
Under GDPR you have the right to:
- Access — see what we hold. Visit Account & privacy to see your data summary, or use the “Download my data” button to export it as JSON.
- Rectification — correct inaccurate data. Email privacy@charthand.com.
- Erasure — delete your account. Available from the Account & privacy page. The deletion is immediate and cascades to every chart and session.
- Portability — receive your data in a structured, machine-readable format (JSON), via the “Download my data” export.
- Objection / restriction — to the limited processing described above. Email us.
- Complain to a supervisory authority. In Sweden this is Integritetsskyddsmyndigheten (IMY).
5. Sub-processors
We use a small set of EU-region processors to deliver the service. We keep this list current as the architecture evolves.
- Fly.io — application hosting and Postgres database (region: Stockholm, arn). DPA in place.
- Resend — transactional email delivery for magic-link sign-in. DPA in place; EU data-residency option enabled.
- Modal — GPU inference for the transcription pipeline. We are confirming EU data residency and a DPA before using Modal for live user traffic. Until then, transcription runs on Fly.io machines.
6. International transfers
Where a processor operates outside the EEA we rely on the European Commission's Standard Contractual Clauses (SCCs) and supplementary measures. We keep your data in EU regions wherever the processor offers one.
7. Security
Connections to the site are encrypted with TLS. Passwords are not used — sign-in is via a single-use magic-link token that expires after a short window. The database is encrypted at rest by the hosting provider. Access to production systems is limited to the operator(s) of this service.
8. Changes to this policy
We will update the “Effective” date at the top of this page when the policy changes. For material changes we will notify signed-in users by email before the new policy takes effect.
9. Contact
Questions, requests, or complaints: privacy@charthand.com.