Privacy Policy
Last Updated: December 06, 2025
IMPORTANT: This Privacy Policy explains how Vento Digitale di Marco Forlani ("we", "us", "our", or "Company") collects, uses, stores, and protects your personal information when you use the TotalAnalyzer service (the "Service"). By using our Service, you consent to the data practices described in this policy.
1. Introduction and Scope
This Privacy Policy applies to all personal data processed by TotalAnalyzer in connection with your use of our Service. We are committed to protecting your privacy and complying with applicable data protection laws, including:
- General Data Protection Regulation (GDPR) - European Union
- UK GDPR - United Kingdom
- California Consumer Privacy Act (CCPA) - California, USA
- Personal Information Protection and Electronic Documents Act (PIPEDA) - Canada
- Other applicable national and international privacy regulations
1.1 Data Controller
The data controller responsible for your personal information is:
Vento Digitale di Marco Forlani
Location: Italy
Email: support@totalanalyzer.ai
Website: https://song.totalanalyzer.ai
2. What Personal Data We Collect
We collect and process the following categories of personal information when you use our Service:
2.1 Account Information
When you register for an account, we collect:
- Full Name - Used to personalize your experience and communications
- Email Address - Required for account creation, login, service communications, and support
- Country - Used for regional compliance, currency display, and service localization
- Password - Never stored in plaintext or in any reversible form; only a salted one-way hash (bcrypt, see Section 5.1) is kept for login verification
2.2 Technical and Usage Data
We automatically collect certain technical information when you use the Service:
- IP Address - Used for security, fraud prevention, and abuse detection
- Browser Fingerprint - Used to detect the creation of multiple accounts by the same person and to prevent abuse
- Device Information - Browser type, operating system, device identifiers
- Usage Data - Pages visited, features used, time spent on Service, interaction patterns
- Session Data - Login times, session duration, authentication tokens
2.3 Audio Files and Analysis Data
When you upload audio files for analysis:
- Audio Files - Temporarily stored for processing, then permanently deleted after analysis completion
- Song Metadata - Title, genre, duration, file size
- Analysis Results - AI-generated insights, scores, reports
- File Hashes - Used for duplicate detection (not reversible to original content)
2.4 Payment Information
We do not collect or store payment card details. All payment processing is handled by our third-party payment processor, Paddle. Paddle independently collects and processes:
- Payment card information
- Billing addresses
- Transaction details
- VAT/tax information
For details on how Paddle handles your payment data, please review Paddle's Privacy Policy.
2.5 Communications and Support
When you contact us for support or communicate with us:
- Email correspondence content
- Support ticket messages and attachments
- Feedback and survey responses
2.6 Data We Do NOT Collect
For clarity, we explicitly do not collect:
- Social security numbers or national identification numbers
- Payment card details (handled by Paddle)
- Biometric data
- Health or medical information
- Political opinions or religious beliefs
- Trade union membership
3. Why We Collect Your Data (Legal Bases and Purposes)
We collect and process your personal data for the following specific purposes, each based on a valid legal ground under GDPR:
3.1 Service Provision (Legal Basis: Contract Performance)
We process your data to provide the core Service to you:
- Creating and managing your user account
- Processing audio files and generating AI-powered analyses
- Storing and displaying your analysis results
- Managing credits and subscription features
- Enabling PDF export of analysis reports
- Authenticating your login sessions
Legal Basis: Processing is necessary for the performance of the contract between you and us (Terms and Conditions).
3.2 Customer Support (Legal Basis: Contract Performance & Legitimate Interest)
We use your contact information to:
- Respond to your support inquiries and technical issues
- Provide assistance with account or service problems
- Investigate and resolve complaints
- Communicate updates regarding your specific support requests
Legal Basis: Contract performance (providing support as part of the Service) and legitimate interest (maintaining high-quality customer service).
3.3 Service Communications (Legal Basis: Contract Performance & Legitimate Interest)
We send you essential service-related communications:
- Transactional Emails: Account verification, password resets, analysis completion notifications
- Platform Status Notifications: Critical system outages, maintenance windows, security incidents affecting your account
- Service Updates: Changes to Terms, Privacy Policy, or Service features that may affect your use
- Account Activity Alerts: Unusual login attempts, credit balance changes, important account events
Legal Basis: Contract performance (essential communications for service delivery) and legitimate interest (keeping you informed of critical service matters).
3.4 New Services and Feature Announcements (Legal Basis: Legitimate Interest)
We may notify you about:
- Introduction of new analysis features or capabilities
- Launch of new service tiers or offerings
- Significant improvements or enhancements to existing features
- Special promotions or credit offers (occasional and non-intrusive)
Legal Basis: Legitimate interest (informing existing customers about relevant service developments).
Opt-Out: You can opt out of non-essential marketing communications at any time by using the unsubscribe link in emails or contacting us at support@totalanalyzer.ai.
3.5 Security and Fraud Prevention (Legal Basis: Legitimate Interest & Legal Obligation)
We process certain data to:
- Detect and prevent fraudulent account creation
- Identify abuse of free trial or promotional credits
- Prevent unauthorized access to user accounts
- Monitor for suspicious activity patterns
- Protect against cyber attacks and security threats
- Comply with anti-money laundering and fraud prevention regulations
Legal Basis: Legitimate interest (protecting the Service, our users, and our business from fraud and security threats) and legal obligation (compliance with applicable laws).
3.6 Service Improvement and Analytics (Legal Basis: Legitimate Interest)
We analyze aggregated, anonymized usage data to:
- Understand how users interact with the Service
- Identify and fix technical issues or bugs
- Improve user interface and user experience
- Optimize system performance and reliability
- Develop new features based on user needs
Legal Basis: Legitimate interest (improving the Service quality and functionality).
Note: We use anonymized, aggregated data for analytics that cannot be traced back to individual users.
3.7 Legal Compliance (Legal Basis: Legal Obligation)
We may process your data to:
- Comply with EU and Italian data protection laws (GDPR)
- Respond to valid legal requests from law enforcement or regulatory authorities
- Comply with court orders, subpoenas, or legal processes
- Enforce our Terms and Conditions
- Protect our legal rights and interests
- Meet tax, accounting, and financial reporting obligations
Legal Basis: Legal obligation and legitimate interest (protecting legal rights and complying with law).
4. How Long We Retain Your Data
We retain your personal data for different periods depending on the type of data and the purpose for which it was collected:
4.1 Account Data
Retention Period: Until you request account deletion.
Your account information (name, email, country) and associated data (analysis history, credits, preferences) are retained for as long as your account remains active.
Upon Account Deletion Request:
- Personal identifying information is permanently deleted within 30 days
- Anonymized analytics data may be retained indefinitely
- Data required for legal or regulatory compliance may be retained as necessary (typically 7-10 years)
4.2 Audio Files
Retention Period: None; deleted immediately after analysis completion.
Uploaded audio files are permanently deleted from our servers immediately upon completion of the analysis process. We do not maintain archives or backups of your original audio files.
4.3 Analysis Results
Retention Period: Until account deletion.
Analysis reports and results are stored for as long as your account is active, allowing you to access them at any time. They are deleted when you request account deletion.
4.4 Payment and Transaction Records
Retention Period: 10 years (legal requirement).
Payment transaction records, invoices, and financial data are retained for accounting, tax, and legal compliance purposes as required by Italian and EU law.
4.5 Communications and Support Records
Retention Period: 3 years after last interaction.
Email correspondence, support tickets, and related communications are retained for up to 3 years to maintain service quality and resolve ongoing issues.
4.6 Security and Log Data
Retention Period: 12 months.
Security logs, access logs, and fraud prevention data are retained for 12 months for security monitoring and investigation purposes, then automatically deleted.
4.7 Backup Data
Deleted data may persist in system backups for up to 90 days before being permanently removed during routine backup rotation cycles.
5. How We Protect Your Data
We implement comprehensive technical and organizational security measures to protect your personal information from unauthorized access, loss, misuse, alteration, or destruction:
5.1 Encryption
- Data in Transit: All data transmitted between your browser and our servers is encrypted using industry-standard TLS (HTTPS)
- Passwords: User passwords are hashed using bcrypt, a salted, deliberately slow one-way password hashing function; the original password cannot be recovered from the stored hash
- Sensitive Data: Credit card information is never stored on our servers; payment processing is handled by PCI DSS-compliant Paddle
5.2 Access Controls
- Authentication: Multi-factor authentication available for account access
- Authorization: Role-based access controls limit data access to authorized personnel only
- Principle of Least Privilege: Staff members have access only to data necessary for their specific roles
- Account Security: Automated detection of suspicious login attempts and brute-force attacks
5.3 Infrastructure Security
- Server Location: Data is stored on secure servers located within the European Union
- Firewall Protection: Network-level firewalls protect against unauthorized access
- Regular Security Updates: Operating systems and software are kept up-to-date with security patches
- Intrusion Detection: Automated monitoring for suspicious activities and security threats
5.4 Data Backup and Recovery
- Regular Backups: Automated daily backups of critical data
- Backup Encryption: All backups are encrypted and stored securely
- Disaster Recovery: Documented procedures for data recovery in case of system failure
- Geographic Redundancy: Backups stored in multiple secure locations within the EU
5.5 Organizational Measures
- Staff Training: Regular security and privacy training for employees
- Confidentiality Agreements: All staff members sign confidentiality agreements
- Incident Response Plan: Documented procedures for responding to data breaches
- Third-Party Audits: Regular security assessments and vulnerability testing
- Data Minimization: We collect only the minimum data necessary for service provision
5.6 Security Best Practices
- Secure coding practices following OWASP guidelines
- Regular security audits and penetration testing
- Prompt patching of discovered vulnerabilities
- Secure development lifecycle (SDLC) processes
- Separation of production and development environments
Data Breach Notification: In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware of it, as required by GDPR Article 33, and, where the breach is likely to result in a high risk to you, notify you without undue delay as required by GDPR Article 34. See Section 11 for details.
6. Your Rights Under GDPR and Other Privacy Laws
You have the following rights regarding your personal data. These rights apply under GDPR (EU), UK GDPR, CCPA (California), and similar privacy regulations:
6.1 Right of Access (GDPR Art. 15)
You have the right to obtain confirmation as to whether we process your personal data and, if so, to access:
- The categories of personal data we hold about you
- The purposes of the processing
- The recipients or categories of recipients to whom data has been disclosed
- The envisaged period of data retention
- Information about the source of the data
How to Exercise: Email us at support@totalanalyzer.ai with subject "Data Access Request"
6.2 Right to Rectification (GDPR Art. 16)
You have the right to obtain correction of inaccurate personal data and completion of incomplete personal data concerning you.
How to Exercise: Update your information in your account settings, or contact us at support@totalanalyzer.ai
6.3 Right to Erasure / "Right to be Forgotten" (GDPR Art. 17)
You have the right to request deletion of your personal data when:
- The data is no longer necessary for the purposes for which it was collected
- You withdraw your consent (where processing was based on consent)
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
- Legal obligations require erasure
Exceptions: We may retain certain data when required by law (e.g., financial records for tax purposes).
How to Exercise: Email us at support@totalanalyzer.ai with subject "Account Deletion Request"
6.4 Right to Data Portability (GDPR Art. 20)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format (e.g., JSON, CSV) and to transmit that data to another controller.
Included Data: Account information, analysis history, metadata
Not Included: Analysis results generated by our proprietary AI systems (these are not "provided by you")
How to Exercise: Email us at support@totalanalyzer.ai with subject "Data Portability Request"
6.5 Right to Restriction of Processing (GDPR Art. 18)
You have the right to restrict processing of your personal data when:
- You contest the accuracy of the data (during verification period)
- Processing is unlawful but you prefer restriction over deletion
- We no longer need the data but you need it for legal claims
- You have objected to processing (pending verification of our legitimate grounds)
How to Exercise: Contact us at support@totalanalyzer.ai
6.6 Right to Object (GDPR Art. 21)
You have the right to object to processing of your personal data when:
- Processing is based on legitimate interests (you can object on grounds relating to your particular situation)
- Processing is for direct marketing purposes (absolute right to object)
How to Exercise: Use unsubscribe links in emails or contact us at support@totalanalyzer.ai
6.7 Right to Withdraw Consent (GDPR Art. 7)
Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before withdrawal.
How to Exercise: Contact us at support@totalanalyzer.ai
6.8 Right to Lodge a Complaint (GDPR Art. 77)
You have the right to lodge a complaint with your local data protection supervisory authority if you believe our processing of your personal data violates data protection law.
Italian Supervisory Authority:
Garante per la protezione dei dati personali
Piazza Venezia, 11 - 00187 Roma
Phone: +39 06.696771
Website: www.garanteprivacy.it
6.9 Response Times and Procedures
We will respond to all valid requests within:
- 1 month of receiving your request (GDPR requirement)
- Extended to 2 months for complex requests (we will inform you within 1 month)
Verification: For security purposes, we may request additional information to verify your identity before fulfilling your request.
No Fee: We do not charge a fee for exercising your rights, except in cases of manifestly unfounded or excessive requests.
7. Cookies and Tracking Technologies
7.1 What Are Cookies?
Cookies are small text files stored on your device (computer, tablet, smartphone) by your web browser when you visit websites. Cookies allow websites to remember your actions, preferences, and provide enhanced functionality.
How Cookies Work:
- When you visit a website, the server sends a cookie to your browser
- Your browser stores the cookie on your device
- On subsequent visits, your browser sends the cookie back to the server
- This allows the website to recognize you and remember your settings
7.2 Why Cookies Are Essential for Our Service
YOU MUST HAVE COOKIES ENABLED TO USE TOTALANALYZER. Our Service relies on essential cookies to function properly. Without cookies, we cannot:
- Keep You Logged In: Session cookies maintain your authenticated state as you navigate between pages
- Remember Your Preferences: Language selection, display settings, and user interface preferences
- Process Uploads: Cookies are required to handle file uploads and track analysis progress
- Maintain Security: Cross-site request forgery (CSRF) tokens stored in cookies ensure that state-changing requests (uploads, purchases, account changes) originate from our own pages and not from a third-party site
- Load Your Dashboard: Access to your account data and analysis results requires session management
If you disable cookies in your browser, TotalAnalyzer will not function correctly and you will be unable to use the Service. Most modern browsers have cookies enabled by default.
7.3 Types of Cookies We Use
| Cookie Type | Purpose | Duration | Required? |
|---|---|---|---|
| Session Cookies | Maintain your login session and authentication state | Session (deleted when browser closes) | ✅ Essential |
| Security Cookies | CSRF protection tokens to prevent unauthorized actions | Session | ✅ Essential |
| Preference Cookies | Remember language selection and user preferences | 1 year | ✅ Essential |
| Functionality Cookies | Remember your settings, enable feature functionality | 1 year | ✅ Essential |
7.4 Analytics and Anonymous Tracking
We use Matomo, a privacy-focused, self-hosted analytics platform to collect anonymized usage statistics:
What We Track (Anonymously):
- Pages visited and features used (without identifying individuals)
- Aggregated usage patterns and popular features
- General geographic region (country-level, not precise location)
- Browser and device type statistics
- Performance metrics (page load times)
Privacy Protections:
- ✅ IP addresses are anonymized (last 2 octets removed)
- ✅ Data is stored on our own servers (not sent to third parties like Google)
- ✅ No cross-site tracking or advertising cookies
- ✅ No data sharing with advertising networks
- ✅ Complies with GDPR and PECR without requiring consent banners
Legal Basis: Legitimate interest (improving Service quality through anonymized analytics that cannot identify individuals).
7.5 Third-Party Cookies
We do not use third-party advertising or tracking cookies. The only third-party cookies you may encounter are:
- Paddle (Payment Processor): When you visit our payment checkout pages, Paddle may set cookies for payment processing and fraud prevention. See Paddle's Privacy Policy
7.6 Managing Cookie Settings
Browser Controls: You can configure your browser to accept, reject, or delete cookies. However, blocking essential cookies will prevent you from using TotalAnalyzer.
Common browser cookie settings:
- Chrome: Settings → Privacy and security → Cookies and other site data
- Firefox: Settings → Privacy & Security → Cookies and Site Data
- Safari: Preferences → Privacy → Cookies and website data
- Edge: Settings → Cookies and site permissions → Cookies and site data
7.7 Do Not Track (DNT)
Our analytics system respects Do Not Track (DNT) browser signals. If you have DNT enabled, we will not track your visits using Matomo analytics. However, essential cookies required for Service functionality will still be used.
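The two analytics commitments above (Section 7.4: IPv4 addresses stored with their last two octets removed; Section 7.7: no tracking when the browser sends a Do Not Track signal) are concrete enough to check in code. The following is an added illustration written for this page, not TotalAnalyzer's or Matomo's own code. The IPv4 rule is taken from the policy text; the IPv6 prefix length, the function names and the sample requests are assumptions, and the addresses are from the documentation ranges, not real visitors.

```python
import ipaddress
from typing import Iterable, Mapping, Optional

# Added example (not the Service's code): an analytics gate that honours DNT
# and anonymises IP addresses before anything is stored.
IPV4_MASK_OCTETS = 2  # from the policy: "last 2 octets removed"
IPV6_KEEP_BITS = 48   # assumption: keep the site prefix, drop interface bits


def anonymize_ip(ip: str) -> str:
    """Return the address with its identifying low-order bits zeroed.

    IPv4 keeps the first (4 - IPV4_MASK_OCTETS) octets: 203.0.113.45 -> 203.0.0.0.
    IPv6 keeps the first IPV6_KEEP_BITS bits (an assumption, see above).
    """
    addr = ipaddress.ip_address(ip)
    keep_bits = (4 - IPV4_MASK_OCTETS) * 8 if addr.version == 4 else IPV6_KEEP_BITS
    network = ipaddress.ip_network(f"{addr}/{keep_bits}", strict=False)
    return str(network.network_address)


def is_anonymized(ip: str) -> bool:
    """Audit check for stored data: True if the host bits are already zero."""
    return anonymize_ip(ip) == str(ipaddress.ip_address(ip))


def dnt_enabled(headers: Mapping[str, str]) -> bool:
    """True when the browser sent 'DNT: 1'. Header names are case-insensitive."""
    return any(name.lower() == "dnt" and value.strip() == "1"
               for name, value in headers.items())


def analytics_record(headers: Mapping[str, str], remote_ip: str,
                     path: str) -> Optional[dict]:
    """Build the record the analytics store would keep, or None if DNT is set.

    The raw address never enters the record; only the anonymised form does.
    """
    if dnt_enabled(headers):
        return None
    return {"ip": anonymize_ip(remote_ip), "path": path}


def process_requests(requests: Iterable[tuple]) -> list:
    """Apply the gate to (headers, remote_ip, path) tuples; drop DNT visits."""
    records = (analytics_record(h, ip, p) for h, ip, p in requests)
    return [rec for rec in records if rec is not None]


# Constructed sample traffic (documentation-range addresses, not real visitors).
SAMPLE_REQUESTS = [
    ({"User-Agent": "Mozilla/5.0"}, "203.0.113.45", "/dashboard"),
    ({"DNT": "1", "User-Agent": "Mozilla/5.0"}, "198.51.100.7", "/analyze"),
    ({"dnt": "0"}, "2001:db8:85a3:8d3:1319:8a2e:370:7348", "/pricing"),
]

if __name__ == "__main__":
    for record in process_requests(SAMPLE_REQUESTS):
        print(record)
```

Running the block stores two of the three sample visits: the DNT visit is dropped entirely, and the remaining records carry only 203.0.0.0 and 2001:db8:85a3:: rather than the full addresses. A /16 IPv4 prefix still identifies a network operator and a rough region, which is what Section 7.4 means by "country-level, not precise location"; it does not single out a household. `is_anonymized` is the check to run over an existing analytics table if you need to confirm that no raw address was written before the masking was switched on.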
8. Data Sharing and Third-Party Services
We do not sell, rent, or trade your personal information to third parties for marketing purposes. We only share your data with third-party service providers as necessary to operate the Service:
8.1 Payment Processing - Paddle
Purpose: Processing payments, managing subscriptions, generating invoices
Data Shared: Email address, country, purchase amount
Data NOT Shared: Payment card details (handled directly by Paddle)
Privacy Policy: https://www.paddle.com/legal/privacy
Compliance: PCI DSS Level 1 certified
8.2 AI Service Providers
Purpose: Processing audio files and generating analysis results
Data Shared: Audio files (temporarily), song metadata
Data Protection: Processed via secure API connections, files deleted immediately after analysis
Note: AI providers do not have access to your personal account information
8.3 Email Service Provider
Purpose: Sending transactional emails (verification, password reset, notifications)
Data Shared: Email address, name (for personalization)
Usage: Strictly for service-related communications, not marketing
8.4 Cloud Infrastructure Provider
Purpose: Hosting servers and storing data
Location: European Union (GDPR-compliant data centers)
Security: Industry-standard encryption and access controls
8.5 Law Enforcement and Legal Requirements
We may disclose your personal information to government authorities, law enforcement, or other third parties when:
- Required by applicable law, regulation, or legal process
- Responding to valid subpoenas, court orders, or official requests
- Necessary to protect our rights, property, or safety, or that of our users or the public
- Detecting, preventing, or addressing fraud, security, or technical issues
- Enforcing our Terms and Conditions
8.6 Business Transfers
In the event of a merger, acquisition, reorganization, sale of assets, or bankruptcy, your personal data may be transferred to the acquiring entity. We will notify you via email and/or a prominent notice on our Service before your data is transferred and becomes subject to a different privacy policy.
8.7 Data Processing Agreements
All third-party service providers that process personal data on our behalf are required to:
- Comply with GDPR and applicable data protection laws
- Sign Data Processing Agreements (DPAs) with appropriate safeguards
- Implement appropriate technical and organizational security measures
- Only process data according to our documented instructions
- Delete or return data upon termination of services
9. International Data Transfers
Your personal data is primarily stored and processed within the European Union. Our servers and data centers are located in EU member states to ensure full GDPR compliance.
9.1 Transfers Outside the EU/EEA
In limited circumstances, your data may be transferred to service providers located outside the EU/EEA (e.g., certain AI service providers). When this occurs, we ensure adequate safeguards are in place:
- Standard Contractual Clauses (SCCs): EU-approved model contracts for international data transfers
- Adequacy Decisions: Transfers to countries deemed adequate by the European Commission
- Encryption in Transit and at Rest: All data transfers are encrypted
- Limited Scope: Only necessary data is transferred (e.g., audio files for analysis, not personal account details)
9.2 US-Based Services
Some AI providers may be located in the United States. For such transfers, we rely on:
- Standard Contractual Clauses approved by the European Commission
- Additional security measures (encryption, access controls, audit rights)
- Minimization of personal data transferred (audio files only, not identifying information)
10. Children's Privacy
TotalAnalyzer is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13.
Age Requirement: You must be at least 13 years old to use the Service. Users between 13 and 18 years old must have parental or guardian consent.
If We Discover Child Data: If we become aware that we have inadvertently collected personal information from a child under 13 without parental consent, we will take immediate steps to delete such information from our servers.
Parental Rights: If you are a parent or guardian and believe your child has provided us with personal information without your consent, please contact us at support@totalanalyzer.ai and we will delete the information.
11. Data Breach Notification
Despite our comprehensive security measures, no system is completely secure. In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
11.1 Notification to Supervisory Authority
We will notify the competent supervisory authority (Garante per la protezione dei dati personali) within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
11.2 Notification to Affected Users
If the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay via email. The notification will include:
- Description of the nature of the breach
- Categories and approximate number of affected users and data records
- Likely consequences of the breach
- Measures we have taken or propose to take to address the breach
- Contact information for further inquiries
- Recommended actions you should take to protect yourself
11.3 Incident Response
Upon discovering a breach, we will:
- Immediately contain and assess the breach
- Investigate the cause and extent of the breach
- Implement remediation measures to prevent recurrence
- Document the incident and response actions
- Review and update security measures as needed
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons.
12.1 Notification of Changes
When we make material changes to this Privacy Policy, we will:
- Update the "Last Updated" date at the top of this page
- Notify you via email if the changes significantly affect your rights
- Display a prominent notice on our Service
- Provide a reasonable notice period before the changes take effect
12.2 Your Acceptance
Your continued use of the Service after the effective date of the updated Privacy Policy constitutes your acceptance of the changes. If you do not agree with the updated Privacy Policy, you must discontinue use of the Service and may request deletion of your account.
12.3 Review Responsibility
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
13. Contact Information and Data Protection Officer
If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:
Data Controller:
Vento Digitale di Marco Forlani
Location: Italy
Email: support@totalanalyzer.ai
Website: https://song.totalanalyzer.ai
Subject Line for Privacy Requests:
- Data Access Request
- Data Deletion Request
- Data Portability Request
- Privacy Inquiry
Response Time: We will respond to all privacy-related inquiries within 1 month (extendable to 2 months for complex requests).
14. Additional Resources
For more information about data protection and your privacy rights:
- EU General Data Protection Regulation (GDPR): https://gdpr.eu/
- Italian Data Protection Authority: www.garanteprivacy.it
- European Data Protection Board: https://edpb.europa.eu/
- Your Rights Under GDPR: https://gdpr.eu/data-privacy/
By using TotalAnalyzer, you acknowledge that you have read, understood, and agree to this Privacy Policy.