Privacy Policy

Your music, your data, your control

We built FRELODY to help you learn songs — not to harvest your personal information. This policy explains what we collect, why, and how you stay in charge.

Effective date: 1 June 2026

1 About this policy

This Privacy Policy applies to the FRELODY website, web application, mobile applications, and all related services (collectively, the "Service"). It describes how FRELODY ("we", "us", or "our") collects, uses, shares, and protects your personal information when you use our music learning platform.

By creating an account or using the Service, you agree to the collection and use of information as described here. If you do not agree, please do not use the Service.

2 Information we collect

We collect information you provide directly, information generated when you use the Service, and limited information from third-party authentication providers.

Account data

When you register, we collect your email address, first and last name, and a password (stored only as a secure hash — we never see or store your plain-text password). You may optionally add a phone number.

Google sign-in

If you sign in with Google, we receive your name, email address, profile picture URL, and email verification status from Google. We do not access your Google contacts, calendar, Drive files, or any other Google service data.

Profile data

You may choose to add a bio, profile picture, cover photo, and address. These are entirely optional. Profile pictures are validated for format and size (max 5 MB) and stored securely.

Usage data

We record which songs you play, favourite, and rate, your playlists, your display preferences (theme, chord font, difficulty level), and song analysis requests. This powers personalisation features like your play history and recommendations.

Payment data

When you upgrade to a paid plan, payment is processed by PayPal or PesaPal. We store your order ID, transaction amount, currency, payment status, and billing period. We never receive or store your full card number, CVV, mobile money PIN, or PayPal password — those stay with the payment provider.

Session & device data

For security, we log your IP address, browser/device identifier, and login timestamps each time you sign in. We also track failed login attempts to protect your account from brute-force attacks.

3 How we use your information

We use your information only for the purposes listed below.

| Purpose | Data used | Legal basis |
|---|---|---|
| Provide the Service — account creation, authentication, song analysis, playlists | Account, profile, usage data | Contract performance |
| Process payments — subscription billing, order fulfilment, refunds | Payment, account data | Contract performance |
| Personalise your experience — theme, chord display, difficulty level, play history | Usage data, preferences | Legitimate interest |
| Secure your account — login monitoring, rate limiting, OTP verification | Session, device, email | Legitimate interest |
| Communicate with you — password resets, account notifications, support chat | Email, chat messages | Contract performance |
| Monitor service health — error tracking, performance metrics, uptime | Telemetry (anonymised request paths, response codes) | Legitimate interest |
| Improve the Service — understand usage patterns, fix bugs, develop features | Aggregated usage data | Legitimate interest |

We do not sell your personal data. We do not use your data for targeted advertising. We do not share your information with data brokers.

4 How we share your information

We share your information only in the limited circumstances described below. We never sell your data or share it for advertising purposes.

Payment processors

PayPal and PesaPal receive the minimum data needed to process your transaction — name, email, amount, and currency. They operate under their own privacy policies.

Authentication providers

If you use Google sign-in, Google processes the authentication exchange under its own privacy policy. We only receive the profile data described in Section 2.

Infrastructure & monitoring

We use OpenTelemetry for service monitoring. Telemetry data includes request paths and response codes but does not contain personally identifiable information. Health and metrics endpoints are excluded from tracing.

Your public content

If you create public playlists or share songs via share links, that content (playlist title, curator name, song list) is visible to anyone with the link or browsing the public library.

Legal requirements

We may disclose your information if required by law, regulation, legal process, or enforceable governmental request — and we will notify you where legally permitted.

5 Data security

We protect your data with industry-standard technical and organisational measures:

  • Encryption in transit — all connections use TLS/HTTPS
  • Password hashing — bcrypt via ASP.NET Core Identity (we never store plain-text passwords)
  • Token rotation — JWT access tokens expire after 7 days; refresh tokens rotate on each use and expire after 30 days
  • Rate limiting — automatic lockout after repeated failed login attempts to prevent brute-force attacks
  • Data Protection keys — persisted and rotated to protect authentication cookies and antiforgery tokens
  • OTP verification — time-limited one-time codes for sensitive operations like email verification
  • Audit logging — security events (logins, password resets, content changes) are logged with timestamps for accountability

While we work hard to protect your data, no method of transmission or storage is 100% secure. If you discover a vulnerability, please contact us at [email protected].

6 Data retention

We keep your data only as long as necessary for the purpose it was collected:

| Data type | Retention period |
|---|---|
| Account & profile data | Until you delete your account |
| Usage data (play history, favourites, ratings) | Until you delete your account or remove individual items |
| Payment records | 7 years (legal/tax compliance) |
| Login history & session data | 90 days, then automatically purged |
| OTP verification codes | Expire within minutes; purged after use |
| Chat & support messages | Until the session is archived or you request deletion |
| OCR images (uploaded sheet music) | Processed in memory only — never permanently stored |
| Telemetry & logs | 30 days |

When you delete your account, we remove your personal data from our active systems. Some data may persist in encrypted backups for a limited period before being overwritten.

7 Your rights & controls

Depending on your location, you may have the following rights regarding your personal data:

Access

Request a copy of the personal data we hold about you.

Rectification

Update or correct inaccurate data from your profile settings at any time.

Erasure

Request deletion of your account and associated personal data.

Portability

Request an export of your data in a machine-readable format.

Objection

Object to processing of your data based on legitimate interest.

Withdraw consent

Withdraw consent at any time where processing is based on your consent.

To exercise any of these rights, email us at [email protected]. We will respond within 30 days. You can also update your profile, manage your playlists, and delete individual items directly from your account settings.

8 Children's privacy

FRELODY is not directed at children under 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child under 13 has provided us with personal data, please contact us at [email protected] and we will promptly delete it.

9 International data transfers

FRELODY operates from servers that may be located in different countries. Your data may be transferred to and processed in countries other than your own. When we transfer data internationally, we ensure appropriate safeguards are in place, including:

  • Encryption of data in transit and at rest
  • Standard contractual clauses where applicable
  • Data processing agreements with third-party service providers

10 Cookies & local storage

FRELODY uses browser local storage and cookies only for essential functionality — never for advertising or third-party tracking.

| What | Purpose | Type |
|---|---|---|
| Authentication token | Keeps you signed in across page loads | Local storage (essential) |
| Refresh token | Renews your session without re-entering credentials | Local storage (essential) |
| Theme preference | Remembers your light/dark mode choice | Local storage (functional) |
| Sidebar state | Remembers whether the navigation sidebar is collapsed | Local storage (functional) |
| Antiforgery cookie | Protects form submissions from cross-site request forgery | Cookie (essential) |
| Data protection cookie | Secures authentication state across container restarts | Cookie (essential) |

We do not use analytics cookies, advertising cookies, or any third-party tracking pixels. You can clear local storage and cookies through your browser settings at any time — you will simply need to sign in again.

11 Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by posting the updated policy on this page and updating the "Effective date" at the top. For significant changes, we may also send you a notification via email or an in-app notice.

We encourage you to review this page periodically. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.

12 Contact us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, contact us at:

We aim to respond to all privacy-related inquiries within 30 days.
