1. Who We Are
BeatRecap (“Service”, “we”, “us”) is operated by Pavle Kusovac, an individual based in Serbia. For the purposes of the EU General Data Protection Regulation (GDPR), Pavle Kusovac is the data controller.
Contact: pavlekusovac05@gmail.com
2. Data We Collect and Why
We collect only what is necessary to provide the Service.
| Data | When collected | Lawful basis (GDPR) |
|---|---|---|
| Email address, full name | Account creation | Contract performance |
| Password (hashed — never readable) | Account creation | Contract performance |
| Analysis results (filename, subgenre, scores, track duration) | Each time you analyze a track | Contract performance |
| Subscription plan and billing period | When you subscribe to a paid plan | Contract performance |
| Stripe customer & subscription IDs | On payment | Contract performance |
| Bug report content (category, description, page URL) | When you submit a bug report | Legitimate interest |
| IP address, request metadata | Every server request | Legitimate interest (security, abuse prevention) |
3. How We Use Your Data
- To create and manage your account and authenticate your sessions.
- To run mix analyses and store your results so you can review your history.
- To enforce monthly usage quotas and manage your subscription tier.
- To generate AI coaching feedback. Audio features (numeric measurements extracted from your track — not the audio itself) are sent to OpenRouter’s API to produce the coaching text you see on your results page.
- To process payments securely via Stripe.
- To investigate bug reports and improve the Service.
- To detect and prevent abuse, fraud, and unauthorized access.
4. Third-Party Service Providers
We rely on the following processors. Each operates under a Data Processing Agreement and its own privacy documentation.
| Provider | Purpose | Privacy policy |
|---|---|---|
| Supabase (Supabase, Inc.) | Authentication and database | supabase.com/privacy |
| Stripe (Stripe, Inc.) | Payment processing — paid users only | stripe.com/privacy |
| OpenRouter (OpenRouter, Inc.) | AI coaching generation | openrouter.ai/privacy |
| Google Fonts (Google LLC) | Font delivery via CDN | policies.google.com/privacy |
Note on Google Fonts: Fonts are loaded directly from Google’s servers. Google may receive your IP address as part of this request. If you prefer, you can disable web fonts in your browser.
Note on OpenRouter: Only extracted audio features (numeric measurements) are sent — never the original audio file or your personal account details. OpenRouter uses these features solely to generate the coaching response.
5. Data Retention
| Data type | Retention period |
|---|---|
| Account and profile data | Until you request account deletion |
| Analysis results | Until you delete them or request account deletion |
| Subscription and billing records | Until account deletion (or longer if required by law) |
| Audio files | Discarded within 1 hour of upload — never persisted |
| Bug reports | 12 months |
| Server access logs (IP, timestamps) | Up to 30 days |
When you soft-delete an analysis from your history, a deletion timestamp is recorded. The underlying data is removed when your account is deleted.
6. Your Rights Under GDPR
If you are located in the EU or EEA, you have the following rights:
- Access (Art. 15) — Request a copy of the personal data we hold about you.
- Rectification (Art. 16) — Ask us to correct inaccurate or incomplete data.
- Erasure (Art. 17) — Request deletion of your personal data (“right to be forgotten”).
- Restriction (Art. 18) — Ask us to limit how we process your data in certain circumstances.
- Portability (Art. 20) — Receive your data in a structured, machine-readable format.
- Object (Art. 21) — Object to processing based on legitimate interests.
To exercise any of these rights, email pavlekusovac05@gmail.com. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority (for example, the ICO in the UK, or the relevant DPA in your EU member state).
7. International Data Transfers
Your data is stored by Supabase and may be processed in the United States or other countries outside the EU/EEA. Supabase supports EU data residency and provides Standard Contractual Clauses (SCCs) for international transfers. Stripe and OpenRouter are US-based services; we rely on SCCs with each provider to ensure your data receives an equivalent level of protection to that required under GDPR.
8. Security
We take reasonable technical and organizational measures to protect your data: all data is transmitted over HTTPS, passwords are hashed and never stored in plaintext, and our database enforces row-level security so each user can only access their own records. However, no security measure can guarantee absolute protection — if you believe your account has been compromised, contact us immediately.
9. Children
BeatRecap is not directed at anyone under the age of 16. We do not knowingly collect personal data from minors. If you believe a minor has created an account, please contact us and we will delete it promptly.
10. Cookies and Local Storage
We use cookies only for authentication, set automatically by Supabase Auth when you sign in. These cookies are strictly necessary for the Service to function and cannot be opted out of while using the Service.
We also use your browser’s sessionStorage to cache your analysis results locally during your session. This data is cleared automatically when you close your browser tab.
We do not use any analytics, advertising, or tracking cookies.
11. Changes to This Policy
We may update this policy from time to time. When we do, we will update the “Last updated” date at the top. For material changes, we will notify you by email if you have an account. Continued use of the Service after changes are posted constitutes acceptance of the revised policy.
12. Contact
For any privacy questions, data requests, or complaints, contact us at:
Pavle Kusovac
pavlekusovac05@gmail.com
