This Privacy Policy explains how personal data of users ("User") of the Hifly service at hifly.app is processed. The data controller is Bulut Studio (operating the Hifly service). Payment collection is handled by Lemon Squeezy, Inc. as Merchant of Record.
This policy is prepared in accordance with the Turkish Personal Data Protection Law No. 6698 (KVKK) and, for users residing in the European Union, the General Data Protection Regulation (GDPR).
1. Summary
Hifly processes limited personal data to identify you, manage your account, store your generations, and improve the service. Your password and payment card details are not stored on Hifly servers. Your data is not shared with third parties for marketing; it is shared only with infrastructure providers necessary to operate the service.
You may exercise your data subject rights at any time via support@hifly.app.
2. Personal Data Collected
2.1. Identity and Contact
- Email address (at registration)
- Display name or username (if provided)
2.2. Account and Authentication
- Cryptographic hash (bcrypt) of your password - the password itself is never stored
- Session token (JWT)
- Account creation date, last login date
2.3. Service Usage
- Your generation prompts (Talk conversations, selected genre, mood, lyric guidance)
- Metadata of generated songs (id, date, duration, genre)
- CDN link to the song file (output)
- Like/Lyrics/Revise/Extend actions (usage analytics)
2.4. Plan and Payment
- Current plan (Free / Pro)
- Subscription status and period
- Customer identifier issued by the payment provider (Lemon Squeezy)
- Invoice identifier
Important: Card number, expiry date, and CVC code are never received by Hifly servers; this information is collected and processed directly by Lemon Squeezy on its PCI-DSS-compliant infrastructure. Lemon Squeezy acts as the Merchant of Record for these transactions; Hifly is operated by Bulut Studio.
2.5. Technical Data
- IP address (at login and during requests, for security)
- Browser type/version, operating system
- Screen resolution and viewport (mobile/desktop)
- Error logs (technical diagnostics on app crashes)
2.6. Cookies
See Section 5.
3. Methods of Collection
3.1. Directly: through the registration form, account management, and use of the service.
3.2. Automatically: technical data from browser requests (IP, user agent, screen dimensions), session cookies, error tracking logs.
3.3. Via third parties: data provided by the User to Lemon Squeezy during the payment flow (name, country, billing address) is transmitted to Hifly via Lemon Squeezy.
4. Processing Purposes and Legal Bases
| Purpose | Legal basis (KVKK / GDPR) |
|---|---|
| Account creation, authentication | Contract performance (KVKK 5/2-c, GDPR 6/1-b) |
| Service delivery (generation, revision, extension) | Contract performance |
| Payment collection and invoicing | Contract performance, legal obligation |
| Customer support | Contract performance, legitimate interest |
| Performance measurement, quality improvement | Legitimate interest |
| Security incident prevention, fraud detection | Legal obligation, legitimate interest |
| AI model improvement (anonymized) | Legitimate interest (anonymization required) |
| Marketing communication (only with consent) | Explicit consent (KVKK 5/1, GDPR 6/1-a) |
5. Cookies
5.1. Strictly Necessary
- hifly_token (session token): to remember that you are logged in.
5.2. Preferences
- UI settings such as theme and language.
5.3. Analytics
Hifly does not use third-party analytics tools (e.g. Google Analytics, Mixpanel). If such tools are added in the future, this policy will be updated and explicit consent will be obtained.
6. Third-Party Recipients
The following infrastructure providers receive data only as necessary to operate the service. They process data on behalf of Hifly:
| Service | Provider | Data transferred | Location |
|---|---|---|---|
| Database | Database infrastructure provider | All database content | EU / US |
| Web hosting + CDN | Web hosting and CDN provider | Request logs, IP | US |
| Backend server | Backend server provider | Request logs, IP | US |
| Audio file storage | Audio file storage provider | Generated audio files | Global |
| Payment processing (Merchant of Record) | Lemon Squeezy, Inc. | Card details, customer ID, billing address | US |
| Automated tax (sales tax/VAT) | Lemon Squeezy (MoR) | Transaction location, amount, tax rate | US / global |
| Email delivery | Email delivery provider | Email address, message content | EU (Frankfurt) |
| AI generation infrastructure | Our music generation infrastructure provider | Generation prompts | Global |
| AI language model | Our AI language model provider | Conversation text | US |
| Domain / email forwarding | Domain and email forwarding provider | Forwarding metadata | US |
Hifly works with these providers under data processing agreements compliant with KVKK and GDPR. User data may not be used for marketing or other purposes by these providers.
7. International Data Transfers
Most providers in Section 6 process data in US or EU data centers, which constitutes transfer outside the Republic of Turkey.
7.1. Under KVKK Art. 9, international transfer falls within the explicit consent the User provides at registration.
7.2. For EU and UK residents, adequate protection is provided under GDPR Art. 46. All Hifly infrastructure providers operate under the EU Commission Standard Contractual Clauses (SCCs).
8. Retention Periods
| Data type | Retention |
|---|---|
| Account and identity data | While the account is active |
| Generation metadata | While the account is active |
| Generated audio files | 30 days to indefinite, by plan |
| Payment metadata | 10 years (tax law) |
| Error and security logs | 365 days |
| After account deletion (soft delete) | 30 days, then permanent deletion |
9. Data Subject Rights
Under KVKK Art. 11 and GDPR Art. 15-22, you have the following rights: access, rectification, erasure (right to be forgotten), restriction of processing, data portability, objection, and objection to automated decision-making.
You may also withdraw consent at any time.
Submit requests to support@hifly.app. Requests are resolved within 30 days.
10. Children's Data
10.1. Hifly does not knowingly collect personal data from individuals under 13 years old.
10.2. Users aged 13-18 require parental or legal guardian consent to purchase a paid plan.
10.3. For EU residents under 16, parental consent is required under GDPR Art. 8.
11. Data Security
- TLS 1.2+ in transit
- At-rest encryption (managed by our database infrastructure provider)
- Passwords stored as bcrypt hashes
- Row Level Security (RLS): each User can access only their own data
- Brute-force protection: login attempts are rate-limited
- Leaked password check (HaveIBeenPwned integration)
- Regular security reviews
12. Updates
This Policy may be updated periodically. Users are notified of material changes by email at least 30 days in advance.
13. Contact and Complaints
13.1. Submit inquiries to support@hifly.app.
13.2. Turkish residents may complain to the Personal Data Protection Authority (https://kvkk.gov.tr).
13.3. EU residents may complain to their national data protection supervisory authority under GDPR.
Data Controller
- Email: support@hifly.app
- Operator: Bulut Studio (Hifly), hifly.app · Lemon Squeezy, Inc. (Merchant of Record)
- Brand: Bulut Studio
Questions and requests: support@hifly.app
Hifly © 2026 · Bulut Studio · An independent AI-powered music platform.