Hifly · Privacy

Privacy Policy

How we collect, use, and protect your data.

Effective date · June 19, 2026


This Privacy Policy explains how personal data of users ("User") of the Hifly service at hifly.app is processed. The data controller is Bulut Studio (operating the Hifly service). Payment collection is handled by Lemon Squeezy, Inc. as Merchant of Record.

This policy is prepared in accordance with the Turkish Personal Data Protection Law No. 6698 (KVKK) and, for users residing in the European Union, the General Data Protection Regulation (GDPR).

1. Summary

Hifly processes limited personal data to identify you, manage your account, store your generations, and improve the service. Your password and payment card details are not stored on Hifly servers. Your data is not shared with third parties for marketing; it is shared only with infrastructure providers necessary to operate the service.

You may exercise your data subject rights at any time via support@hifly.app.

2. Personal Data Collected

2.1. Identity and Contact

  • Email address (at registration)
  • Display name or username (if provided)

2.2. Account and Authentication

  • Cryptographic hash (bcrypt) of your password - the password itself is never stored
  • Session token (JWT)
  • Account creation date, last login date

2.3. Service Usage

  • Your generation prompts (Talk conversations, selected genre, mood, lyric guidance)
  • Metadata of generated songs (id, date, duration, genre)
  • CDN link to the song file (output)
  • Like/Lyrics/Revise/Extend actions (usage analytics)

2.4. Plan and Payment

  • Current plan (Free / Pro)
  • Subscription status and period
  • Customer identifier issued by the payment provider (Lemon Squeezy)
  • Invoice identifier

Important: Card number, expiry, CVC code are never received by Hifly servers; this information is collected and processed directly by Lemon Squeezy on its PCI-DSS-compliant infrastructure. Lemon Squeezy acts as the Merchant of Record for these transactions; Hifly is operated by Bulut Studio.

2.5. Technical Data

  • IP address (at login and during requests, for security)
  • Browser type/version, operating system
  • Screen resolution and viewport (mobile/desktop)
  • Error logs (technical diagnostics on app crashes)

2.6. Cookies

See Section 5.

3. Methods of Collection

3.1. Directly: through the registration form, account management, and use of the service.

3.2. Automatically: technical data from browser requests (IP, user agent, screen dimensions), session cookies, error tracking logs.

3.3. Via third parties: data provided by the User to Lemon Squeezy during the payment flow (name, country, billing address) is transmitted to Hifly via Lemon Squeezy.

PurposeLegal basis (KVKK / GDPR)
Account creation, authenticationContract performance (KVKK 5/2-c, GDPR 6/1-b)
Service delivery (generation, revision, extension)Contract performance
Payment collection and invoicingContract performance, legal obligation
Customer supportContract performance, legitimate interest
Performance measurement, quality improvementLegitimate interest
Security incident prevention, fraud detectionLegal obligation, legitimate interest
AI model improvement (anonymized)Legitimate interest (anonymization required)
Marketing communication (only with consent)Explicit consent (KVKK 5/1, GDPR 6/1-a)

5. Cookies

5.1. Strictly Necessary

  • hifly_token (session token): to remember that you are logged in.

5.2. Preferences

  • UI settings such as theme and language.

5.3. Analytics

Hifly does not use third-party analytics tools (e.g. Google Analytics, Mixpanel). If added in the future, this policy will be updated and explicit consent obtained.

6. Third-Party Recipients

The following infrastructure providers receive data only as necessary to operate the service. They process data on behalf of Hifly:

ServiceProviderData transferredLocation
DatabaseDatabase infrastructure providerAll database contentEU / US
Web hosting + CDNWeb hosting and CDN providerRequest logs, IPUS
Backend serverBackend server providerRequest logs, IPUS
Audio file storageAudio file storage providerGenerated audio filesGlobal
Payment processing (Merchant of Record)Lemon Squeezy, Inc.Card details, customer ID, billing addressUS
Automated tax (sales tax/VAT)Lemon Squeezy (MoR)Transaction location, amount, tax rateUS / global
Email deliveryEmail delivery providerEmail address, message contentEU (Frankfurt)
AI generation infrastructureOur music generation infrastructure providerGeneration promptsGlobal
AI language modelOur AI language model providerConversation textUS
Domain / email forwardingDomain and email forwarding providerForwarding metadataUS

Hifly works with these providers under data processing agreements compliant with KVKK and GDPR. User data may not be used for marketing or other purposes by these providers.

7. International Data Transfers

Most providers in Section 6 process data in US or EU data centers, which constitutes transfer outside the Republic of Turkey.

7.1. Under KVKK Art. 9, international transfer falls within the explicit consent the User provides at registration.

7.2. For EU and UK residents, adequate protection is provided under GDPR Art. 46. All Hifly infrastructure providers operate under the EU Commission Standard Contractual Clauses (SCCs).

8. Retention Periods

Data typeRetention
Account and identity dataWhile the account is active
Generation metadataWhile the account is active
Generated audio files30 days to indefinite, by plan
Payment metadata10 years (tax law)
Error and security logs365 days
After account deletion (soft delete)30 days, then permanent deletion

9. Data Subject Rights

Under KVKK Art. 11 and GDPR Art. 15-22, you have the right to: access, rectification, erasure (right to be forgotten), restriction of processing, data portability, objection, and to object to automated decision-making.

You may also withdraw consent at any time.

Submit requests to support@hifly.app. Requests are resolved within 30 days.

10. Children's Data

10.1. Hifly does not knowingly collect personal data from individuals under 13 years old.

10.2. Users aged 13-18 require parental or legal guardian consent to purchase a paid plan.

10.3. For EU residents under 16, parental consent is required under GDPR Art. 8.

11. Data Security

  • TLS 1.2+ in transit
  • At-rest encryption (managed by our database infrastructure provider)
  • Passwords stored as bcrypt hashes
  • Row Level Security (RLS): each User can access only their own data
  • Brute-force protection: login attempts are rate-limited
  • Leaked password check (HaveIBeenPwned integration)
  • Regular security reviews

12. Updates

This Policy may be updated periodically. Material changes are notified by email at least 30 days in advance.

13. Contact and Complaints

13.1. Submit inquiries to support@hifly.app.

13.2. Turkish residents may complain to the Personal Data Protection Authority (https://kvkk.gov.tr).

13.3. EU residents may complain to their national data protection supervisory authority under GDPR.

Data Controller

  • Email: support@hifly.app
  • Operator: Bulut Studio (Hifly), hifly.app · Lemon Squeezy, Inc. (Merchant of Record)
  • Brand: Bulut Studio

Questions and requests: support@hifly.app

Hifly © 2026 · Bulut Studio · An independent AI-powered music platform.