Privacy Policy
Important Notice for EU/EEA, California, and Canadian Users
This Privacy Policy complies with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA). You have enhanced rights regarding your personal data. See sections 7, 12, 15, and 16 for details.
1. Introduction
Code Takova Ltd. ("we", "us", or "our") operates EarTuna, a musical ear training platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
By using EarTuna, you consent to the data practices described in this policy. If you do not agree with this policy, please do not use the Service.
2. Information We Collect
2.1 Information You Provide
We collect information that you voluntarily provide when using our Service:
- Account Information: Email address, password (hashed), name
- Profile Information: Optional profile image uploads
- Payment Information: Processed by Stripe (we do not store credit card details)
2.2 OAuth Authentication Data
If you register using Google OAuth, we collect:
- Email address
- Profile name
- Profile picture URL
- OAuth provider identifier
2.3 Usage Data
We automatically collect information about your interaction with the Service:
- Training Progress: Drill attempts, scores, completion status, difficulty levels
- Settings: MIDI input preferences, audio output settings
- Session Data: Login timestamps, last activity
2.4 Technical Data
We may collect technical information automatically:
- Browser type and version
- Device type and operating system
- IP address (anonymized)
- Referring/exit pages
2.5 Local Storage
We use browser localStorage to store user preferences (MIDI settings, UI preferences) locally on your device. This data is not transmitted to our servers except when necessary to sync settings across sessions.
3. How We Use Your Information
We use collected information for the following purposes:
- Service Delivery: To provide, maintain, and improve the EarTuna platform
- Account Management: To create and manage your account, authenticate users
- Email Verification: To send verification emails and confirm account ownership
- Progress Tracking: To track and display your training progress and achievements
- Payment Processing: To process subscription payments via Stripe
- Communication: To send service-related notifications, updates, and support responses
- Analytics: To understand usage patterns and improve the Service
- Security: To detect and prevent fraud, abuse, and security incidents
- Legal Compliance: To comply with legal obligations and enforce our Terms of Service
4. Data Sharing and Disclosure
We do not sell your personal information. We may share your information in the following circumstances:
4.1 Third-Party Service Providers
- Stripe: Payment processing (subject to Stripe's privacy policy)
- Google: OAuth authentication (subject to Google's privacy policy)
- Email Service Providers: For sending verification and transactional emails
4.2 Legal Requirements
We may disclose your information if required to do so by law or in response to valid requests by public authorities.
4.3 Business Transfers
If Code Takova Ltd. is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.
5. Data Security
We implement appropriate technical and organizational security measures to protect your personal information:
- Passwords are hashed using bcrypt
- Data transmission is encrypted using HTTPS/TLS
- Database access is restricted and monitored
- Regular security audits and updates
However, no method of transmission over the Internet is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
6. Data Retention
We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required by law.
- Account Data: Retained while your account is active
- Training Progress: Retained while your account is active
- Deleted Accounts: Personal data is anonymized or deleted within 90 days of account deletion
- Payment Records: Retained for 7 years for tax and legal compliance purposes
- Verification Tokens: Automatically expire after 24 hours
7. Your Privacy Rights
7.1 Universal Rights
All users have the following rights:
- Right to Access: Request a copy of the personal data we hold about you
- Right to Correction: Update or correct inaccurate information
- Right to Deletion: Request deletion of your personal data (subject to legal obligations)
- Right to Portability: Receive your data in a structured, machine-readable format (JSON/CSV)
- Right to Withdraw Consent: Withdraw consent for data processing at any time
7.2 How to Exercise Your Rights
You can exercise your privacy rights by:
- Emailing us at contact@eartuna.com
- Using the data export tool in your account settings (coming soon)
- Contacting our Data Protection Officer at dpo@eartuna.com
7.3 Response Timeline
We will respond to your request within:
- GDPR (EU/EEA): 30 days (may be extended to 60 days for complex requests)
- CCPA (California): 45 days (may be extended to 90 days)
- PIPEDA (Canada): 30 days
- Other jurisdictions: 30 days
7.4 Identity Verification
To protect your privacy, we will verify your identity before fulfilling data requests. We may request additional information to confirm you are the account holder.
7.5 No Discrimination
We will not discriminate against you for exercising your privacy rights. You will not be denied service, charged different prices, or provided a different level of service quality.
8. Cookies and Tracking Technologies
We use cookies and similar tracking technologies:
- Essential Cookies: Required for authentication and basic functionality (NextAuth session cookies)
- Preference Cookies: Remember your settings and preferences (localStorage)
You can control cookies through your browser settings. Note that disabling essential cookies may prevent you from using certain features of the Service.
9. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws different from your jurisdiction. By using the Service, you consent to the transfer of your information to Bulgaria and other countries where we operate.
10. Children's Privacy
The Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you become aware that a child has provided us with personal information, please contact us immediately.
11. Third-Party Links
The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.
12. GDPR Compliance (EU/EEA Users)
12.1 Legal Basis for Processing
Under GDPR Article 6, we process your data based on:
- Consent (Article 6(1)(a)): Marketing communications, optional features
- Contract Performance (Article 6(1)(b)): Providing the Service, account management
- Legal Obligation (Article 6(1)(c)): Tax records, fraud prevention, legal compliance
- Legitimate Interests (Article 6(1)(f)): Service improvement, security, analytics
12.2 Additional GDPR Rights
- Right to Object (Article 21): Object to processing based on legitimate interests
- Right to Restriction (Article 18): Request limited processing of your data
- Right to Lodge Complaint: File a complaint with your local Data Protection Authority
- Right to Withdraw Consent: Withdraw consent at any time without affecting prior processing
- Right to Not Be Subject to Automated Decision-Making (Article 22): We do not use automated profiling or decision-making
12.3 Data Protection Officer
For GDPR-related inquiries, contact our Data Protection Officer at dpo@eartuna.com.
12.4 EU Representative
Code Takova Ltd. is registered in Bulgaria (EU member state). For EU-specific matters, contact us at the address provided in Section 14.
12.5 Supervisory Authority
You have the right to lodge a complaint with the Bulgarian Commission for Personal Data Protection or your local data protection authority.
13. CCPA Compliance (California Users)
13.1 California Consumer Privacy Rights
If you are a California resident, you have additional rights under the CCPA:
- Right to Know: Request disclosure of personal information collected, used, or shared
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out: Opt out of the sale of personal information (we do not sell your data)
- Right to Non-Discrimination: Not be discriminated against for exercising your rights
- Right to Correct: Request correction of inaccurate personal information
13.2 Categories of Personal Information Collected
We collect the following CCPA-defined categories of personal information:
- Identifiers: Name, email address, IP address, unique identifiers
- Commercial Information: Subscription records, payment history
- Internet Activity: Usage data, training progress, settings preferences
- Inferences: User preferences derived from activity (drill difficulty preferences)
13.3 Sale of Personal Information
We do not sell your personal information. We have not sold personal information in the preceding 12 months and do not have plans to do so.
13.4 Sharing for Business Purposes
We share information with service providers for business purposes only:
- Stripe (payment processing)
- Google (OAuth authentication)
- Email service providers (transactional emails)
13.5 Do Not Track
We do not currently respond to "Do Not Track" signals. We do not track users across third-party websites for advertising purposes.
13.6 Shine the Light Law
California Civil Code Section 1798.83 permits California residents to request information about disclosure of personal information to third parties for direct marketing. We do not share information for direct marketing.
14. PIPEDA Compliance (Canadian Users)
14.1 Canadian Privacy Rights
If you are a Canadian resident, under PIPEDA you have the right to:
- Access: Know what personal information we hold and how it's used
- Correction: Challenge accuracy and completeness of your information
- Withdrawal: Withdraw consent for data processing (subject to legal/contractual restrictions)
- Complaint: File a complaint with the Office of the Privacy Commissioner of Canada
14.2 Consent
We obtain your consent before collecting, using, or disclosing personal information, except where permitted by law. Consent may be express or implied depending on the sensitivity of the information and reasonable expectations.
14.3 Cross-Border Data Transfers
Your personal information may be processed and stored outside of Canada. When transferred, it is subject to the laws of the jurisdiction where it is held and may be accessible to law enforcement and national security authorities in that jurisdiction.
14.4 Privacy Commissioner Contact
Office of the Privacy Commissioner of Canada
Website: www.priv.gc.ca
Toll-free: 1-800-282-1376
15. Changes to This Privacy Policy
15.1 Notification of Changes
We may update this Privacy Policy from time to time. For material changes, we will notify you by:
- Email notification to your registered email address (at least 30 days before effective date)
- Prominent notice on the Service (banner or modal)
- Updating the version number and effective date at the top of this policy
15.2 Version History
Previous versions of this Privacy Policy are archived and available for review at /privacy/versions.
15.3 Material Changes
Material changes include but are not limited to:
- Changes to data collection practices
- New purposes for data use
- Sharing data with new third parties
- Changes to data retention periods
- Reduced user rights or protections
15.4 Continued Use
Continued use of the Service after the effective date of changes constitutes acceptance of the updated policy. If you do not agree to changes, you must discontinue use and may request account deletion.
16. Contact Us
16.1 General Inquiries
16.2 Privacy-Specific Contacts
Data Protection Officer: dpo@eartuna.com
GDPR Inquiries (EU): gdpr@eartuna.com
CCPA Inquiries (California): ccpa@eartuna.com
Data Requests: privacy@eartuna.com
16.3 Mailing Address
Code Takova Ltd.
Attn: Data Protection Officer
[Your Business Address]
Bulgaria
16.4 Response Time
We aim to respond to all privacy inquiries within 2-3 business days for initial acknowledgment, and within 30 days for full resolution (or as required by applicable law).