Privacy Policy

Last updated: 6 May 2026

This Privacy Policy describes how ChordExp ("ChordExp", "we", "us" or "our") collects, uses and protects the personal information of users ("you") who access chordexp.com or chordexp.app (collectively, the "Service").

We process personal data in compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and applicable national data protection laws.

1. Data Controller

The Data Controller is:

ChordExp
Email: privacy@chordexp.com
Website: https://chordexp.com

For any questions about this policy or your personal data, please contact us at the email address above.

2. Personal Data We Collect

2.1 Data you provide

When you create an account or use the Service, we collect:

• Registration data: email address, display name and, if you sign in with Google, basic Google profile information (name, email, profile photo).
• User content: songs, chords, lyrics, tags, BPM, key, photos attached to songs and setlists you add to the Service.
• Band data: band name, invited members (via email or invite link) and shared repertoire.
• Communications: messages sent to our support team or via contact forms.

2.2 Data collected automatically

When you use the Service, we automatically collect:

• Usage data: pages visited, features used, action timestamps, application errors.
• Technical data: IP address, browser type, operating system, screen size, browser language.
• Cookies and similar technologies: see Section 4 for details.

3. Purposes and Legal Bases

We process your personal data for the following purposes:

• Service delivery (legal basis: contract performance) — to create your account, authenticate you, and save and sync your songbook and setlists.
• Band collaboration (legal basis: contract performance) — to share repertoires and setlists with your band members.
• Service communications (legal basis: legitimate interest) — to send you account-related emails (registration confirmation, password reset, policy updates).
• Analytics and improvement (legal basis: legitimate interest / consent) — to understand how the Service is used and improve it. Analytics cookies are only placed with your consent.
• Legal obligations (legal basis: legal obligation) — to comply with applicable laws or respond to lawful requests from authorities.

4. Cookies and Similar Technologies

We use cookies and similar technologies (pixels, web beacons) to operate the Service and, with your consent, to analyse traffic.

4.1 Strictly necessary cookies

Essential for the Service to function. These do not require your consent and cannot be disabled.

• Authentication session — keeps you logged in.
• Cookie preference (chordexp_cookies) — stores your cookie consent choice.
• Language preference (chordexp_lang) — stores your selected language.

4.2 Analytics cookies (consent required)

Activated only if you accept all cookies. They allow us to analyse traffic in anonymous or aggregated form to improve the Service. You can withdraw your consent at any time by clearing your browser data.

4.3 Managing cookies

You can manage cookie preferences at any time via the banner displayed on your first visit. You can also configure your browser to block or delete cookies:

• Google Chrome
• Mozilla Firefox
• Apple Safari
• Microsoft Edge

Note that disabling certain cookies may affect the functionality of the Service.

5. Data Sharing

We do not sell your personal data to third parties. We may share your data in the following circumstances:

• Service providers: technical partners who support us in delivering the Service (hosting, databases, authentication). These parties act as Data Processors and are bound by agreements that ensure data protection.
• Band collaboration: content you share (songs, setlists) is visible to the band members you invite.
• Legal obligations: we may disclose your data if required by law, a court order, or to protect the rights of ChordExp and its users.
• Business transfer: in the event of a merger, acquisition or asset sale, your data may be transferred to the new entity, which will be bound by this policy.

6. International Data Transfers

Your data may be transferred to and stored on servers outside the European Economic Area (EEA). In such cases, we ensure adequate safeguards are in place as required by the GDPR, such as Standard Contractual Clauses approved by the European Commission.

7. Data Retention

We retain your personal data for as long as necessary for the purposes described in this policy:

• Account data and content: until you delete your account or as required by legal obligations.
• Usage data and logs: up to 24 months from collection.
• Backups: backup data is retained for a maximum of 90 days after account deletion.

You can request deletion of your account and all associated data at any time by contacting us at privacy@chordexp.com.

8. Your Rights (GDPR)

As a data subject, you have the following rights under the GDPR:

• Access (Art. 15): obtain confirmation that we are processing your data and receive a copy.
• Rectification (Art. 16): correct inaccurate or incomplete data.
• Erasure (Art. 17): request deletion of your data ("right to be forgotten").
• Restriction (Art. 18): restrict processing in certain circumstances.
• Portability (Art. 20): receive your data in a structured, machine-readable format.
• Objection (Art. 21): object to processing based on legitimate interest.
• Withdrawal of consent: withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise your rights, write to privacy@chordexp.com. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority.

9. Security

We implement appropriate technical and organisational measures to protect your data from unauthorised access, loss, destruction or accidental disclosure. These include HTTPS encryption for all transmissions, secure authentication and restricted staff access to data.

No system is completely secure. In the event of a data breach posing a risk to your rights, we will notify you promptly as required by the GDPR.

10. Minors

The Service is not intended for persons under the age of 16. We do not knowingly collect personal data from minors. If you believe a minor has provided data without parental consent, please contact us at privacy@chordexp.com and we will delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you by email or via a prominent notice in the Service before the changes take effect. The date of the last update is always shown at the top of this page.

Your continued use of the Service after the changes take effect constitutes your acceptance of the updated policy.

12. Contact Us

For any questions about this Privacy Policy or the processing of your personal data:

• Email: privacy@chordexp.com
• Website: https://chordexp.com