SmartGroove respects your privacy. This Privacy Policy explains what personal data we collect, why we collect it, how it is stored, who it is shared with, and your rights over it. SmartGroove is operated by Yahav Avraham as a sole proprietorship in Israel and acts as the data controller for purposes of the EU General Data Protection Regulation (GDPR) and analogous laws.
1. Data We Collect
1.1 Account data
When you create an account we collect your email address, display name, plan tier (Free / Pro / Studio / Beta), subscription status, and AI Credit balance. We do not collect payment-card data — that is handled entirely by LemonSqueezy (see §3 below).
1.2 Project files (audio, MIDI, plugin state)
Your audio recordings, MIDI clips, plugin states, and SmartGroove project files stay on your local disk. SmartGroove does not upload, mirror, back up, or otherwise transmit your project content to our servers or to any third party. EULA §4 (No Model Training; Operational Logging) expands on this commitment.
1.3 AI prompts and interaction logs
Text prompts you send to the in-app AI assistant, the corresponding model responses, tool calls invoked, and minimal request metadata (timestamp, plan tier, user identifier) are logged on our Supabase-hosted infrastructure for up to ninety (90) days, after which they are automatically deleted. We use these logs to tune our AI agent's behavior, debug the chat, generation, and tool-dispatch pipelines, detect abuse, and analyze aggregate usage patterns — not to train AI models. EULA §4 expands on this commitment.
To exercise your right to deletion of AI prompt logs before the 90-day automatic purge, email smartGrooveDev@gmail.com. Deletion requests are processed within thirty (30) days.
Prompts are also transmitted to the upstream model provider (currently Anthropic) under commercial API terms that prohibit Anthropic from using API inputs to train models. AI-generated audio output is not stored on our servers.
1.4 Microphone audio (speech-to-MIDI feature)
SmartGroove includes an optional speech-to-MIDI feature that uses a locally-installed model (whisper.cpp) to transcribe microphone input on your device. Microphone audio is processed entirely locally and is never transmitted to SmartGroove servers or any third party. You may grant or revoke microphone permission through your operating system's privacy settings.
1.5 Telemetry & crash reports
SmartGroove does not currently collect telemetry or crash reports. When we add crash reporting (planned for a later phase via Sentry), we will update this policy at least thirty (30) days before the feature ships, describe exactly what is captured, and provide an opt-out.
1.6 Server logs
Our Supabase-hosted edge functions log technical metadata for each request (timestamp, request size, response status, anonymized IP, plan tier) for rate-limiting, abuse detection, and debugging. Logs are retained for up to thirty (30) days and are not used for advertising or profiling.
2. How We Use Your Data
We use your data only to:
- Provide the Service and Software (authenticate you, gate paid features, debit AI Credits).
- Improve the SmartGroove AI agent and underlying system — via the prompt logs described in §1.3 above — without training AI models.
- Process subscription payments and tax compliance (via LemonSqueezy as Merchant of Record).
- Communicate with you about your account, billing, security incidents, and material changes to these policies.
- Respond to abuse reports and enforce our Acceptable Use Policy.
- Comply with legal obligations.
We do not use your data to train AI models, sell to advertisers, build behavioral profiles, or serve targeted advertising.
3. Third-Party Processors
SmartGroove relies on a small set of third-party processors. Each processor handles only the data necessary for its function:
- LemonSqueezy (Merchant of Record) — processes payments, collects and remits sales tax / VAT, sends billing notifications. Receives your email, billing address, payment-card data (which SmartGroove never sees), and subscription metadata.
- Supabase — hosts our account database and authentication. Stores your email, display name, hashed password (if using email/password sign-in), plan tier, AI Credit balance, and subscription identifiers. Supabase processes data in the EU (Frankfurt) region.
- Anthropic — receives AI text prompts via our proxy to generate model responses. Bound by commercial API terms that prohibit using API inputs to train models. Receives only the conversation prompt and minimal user-tier metadata.
- Cloudflare — provides DNS, CDN, and hosting for smartgroove.app. Receives standard web-request metadata (IP address, user-agent, request URL).
Each processor is contractually bound to use your data only for the purposes described above.
4. International Data Transfers
Our processors operate in several jurisdictions (United States, European Union, and others). Transfers from the EU/EEA are governed by Standard Contractual Clauses or equivalent safeguards adopted by each processor. SmartGroove itself, as an Israeli sole proprietorship, operates under Israel's GDPR-adequacy status as recognized by the European Commission.
5. Data Retention
- Account data: retained while your account is active; deleted within thirty (30) days after account closure, subject to any legal-hold obligation.
- AI prompt logs: up to ninety (90) days, then automatically deleted. See EULA §4 for the full retention & deletion regime.
- Server logs: up to thirty (30) days.
- Billing records: retained by LemonSqueezy per their policy and by SmartGroove for as long as tax law requires (up to seven years in Israel).
6. Your Rights (GDPR / CCPA)
You have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Delete your data (the "right to be forgotten"), subject to legal-retention exceptions.
- Port your data to another service in a structured, commonly-used format.
- Object to or restrict processing in certain circumstances.
- Withdraw consent at any time where processing is consent-based.
- Lodge a complaint with your local data-protection authority.
To exercise any of these rights, write to smartGrooveDev@gmail.com. We will respond within thirty (30) days. There is no charge for routine requests.
7. Children
SmartGroove is not intended for children under the age of sixteen (16) and we do not knowingly collect personal data from anyone under that age. If you believe a child under sixteen has provided us with personal data, please contact us and we will delete it.
8. Security
We use industry-standard safeguards to protect your data: TLS encryption in transit, encrypted storage at rest with our processors, scoped API keys, and principle-of-least-privilege access. No system is perfectly secure; in the event of a data breach affecting your personal data, we will notify you and the relevant data-protection authority within seventy-two (72) hours as required by GDPR.
9. Cookies
See our Cookie Policy for details on the cookies used by the marketing site and account portal.
10. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will provide at least thirty (30) days' notice via email or in-app notification before the changes take effect. The "Effective" date at the top of this document indicates the current version.
11. Contact
SmartGroove is operated by Yahav Avraham (Israel). For privacy questions or to exercise your data-subject rights, write to smartGrooveDev@gmail.com.