Privacy Policy
Last updated: 2026-04-28
WindTones is committed to handling your personal data with care and transparency. This policy explains what we collect, why, and what rights you have under the GDPR.
1. Introduction
This Privacy Policy describes how WindTones ("we", "our", or "the Service") collects and processes personal data when you visit or use the platform. It applies to all users, whether you browse as a visitor or register for an account.
We process personal data in accordance with Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR") and applicable Spanish data protection law.
2. Who is responsible for your data
The data controller for WindTones is WindTones, a hobbyist project with no registered legal entity. For all data-related enquiries, you can reach the responsible party at alvarezlamasivanroque@gmail.com.
3. What data we collect
When you create an account, we collect your email address, chosen username, and a hashed version of your password, managed by Supabase Auth. If you sign in with Google, we receive an OAuth token and the profile information (name, email) that Google shares with us based on the permissions you grant.
When you use the Service, we may store content you create: tunes you upload (including ABC notation and associated metadata such as title, source, and authorship notes), ratings you submit on song versions, and songs you mark as favourites.
We do not collect payment information, phone numbers, or physical addresses. We do not build advertising profiles.
4. Why we collect it and legal basis
Account credentials are processed on the legal basis of performance of a contract (Art. 6(1)(b) GDPR), as they are necessary to provide you with the registered-user features of the Service (upload, favourites, ratings).
Anonymous usage analytics (see Section 7) are processed on the basis of our legitimate interest (Art. 6(1)(f) GDPR) in understanding how the platform is used so we can improve it. These analytics do not identify individual users.
Where we rely on consent (Art. 6(1)(a) GDPR), for example for optional Google sign-in, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
5. Where data is stored
Account data and content are stored in Supabase, which operates a PostgreSQL database in an EU region (eu-west-1, Ireland). Supabase complies with GDPR and operates under standard contractual clauses where applicable.
The WindTones web application is deployed on Vercel, whose infrastructure spans a global CDN. Static assets and server-side functions may be cached and executed at edge locations outside the EU as part of normal CDN operation. Vercel complies with GDPR and provides appropriate data transfer safeguards.
6. Sub-processors
WindTones uses the following third-party services that may process personal data on our behalf:
- Supabase: database, authentication, and storage. EU region. Privacy: supabase.com/privacy
- Vercel: hosting and CDN. Privacy: vercel.com/legal/privacy-policy
- Vercel Analytics: anonymous web analytics built into the Vercel platform. No cookies set; no personal identifiers collected.
- Google OAuth: only if you choose to sign in with a Google account. Google's privacy policy applies to data shared during the authentication flow.
We do not use any advertising networks, social media tracking pixels, or other third-party analytics services.
8. Data retention
Personal data is retained for as long as your account remains active. If you delete your account, your personal information (email address, username, hashed password, OAuth tokens) will be permanently removed within a reasonable timeframe, typically within 30 days.
Tunes you have uploaded may be anonymised rather than deleted, in order to preserve the integrity of the public-domain catalog. Where moderation decisions require removal, the content will be fully deleted. Ratings and favourites associated with a deleted account are also deleted.
9. Your rights under GDPR
As a data subject under the GDPR, you have the following rights with respect to your personal data:
- Access: the right to obtain a copy of the personal data we hold about you.
- Rectification: the right to have inaccurate data corrected.
- Erasure: the right to request deletion of your personal data ("right to be forgotten").
- Data portability: the right to receive your data in a structured, machine-readable format.
- Objection: the right to object to processing based on legitimate interest.
- Withdrawal of consent: the right to withdraw consent at any time where processing is consent-based.
- Complaint: the right to lodge a complaint with the Agencia Española de Protección de Datos (AEPD) at aepd.es if you believe your rights have been infringed.
10. How to exercise your rights
To exercise any of the rights listed above, send an email to alvarezlamasivanroque@gmail.com with a description of your request. Please include the email address associated with your WindTones account so we can verify your identity.
We will respond to all valid requests within the timeframes required by the GDPR, in most cases within one month. If your request is complex or we receive a high volume of requests, we may extend this period by an additional two months, in which case we will notify you within the first month.
11. Changes to this policy
We may update this Privacy Policy from time to time. When material changes are made, registered users will be notified via an in-app notice or by email to the address associated with their account. The "Last updated" date at the top of this page reflects the most recent revision.
We encourage you to review this policy periodically. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.
12. Contact
For privacy-related questions or to exercise your data rights, contact us at alvarezlamasivanroque@gmail.com.