1. Who We Are
Chordoo is operated by Louis-Frédéric Fortier ("we", "us", "our"). We are the data controller responsible for your personal data collected through www.chordoo.com (the "Service").
For any privacy-related questions, you can contact us at: loufi.officiel@gmail.com
2. Data We Collect
Account Data
When you create an account, we collect:
- Email address
- Display name (optional)
- Authentication provider (email or Google)
- Account creation date
Payment & Subscription Data
When you subscribe to Chordoo Pro, we store subscription metadata (status, billing period, subscription ID). Payment details (credit card numbers, billing address) are processed exclusively by our payment processor, LemonSqueezy (via Stripe), and are never stored on our servers.
User-Generated Content
Chord progressions you save are stored in your account. These include progression name, chord sequence, genre, key, mode, and creation date.
Analytics Data
We collect anonymized usage events (e.g., feature interactions, feedback ratings) through PostHog, which processes data on EU servers (eu.i.posthog.com). We do not track individual browsing behavior across other websites.
Local Storage
We use your browser's localStorage (not cookies) to remember preferences such as whether the feedback widget has been shown. This data stays on your device and is not transmitted to our servers.
3. Why We Process Your Data (Legal Basis)
Under the EU General Data Protection Regulation (GDPR), we process your data based on:
- Contractual necessity (Art. 6(1)(b) GDPR): To provide your account, store your progressions, and manage your subscription.
- Legitimate interest (Art. 6(1)(f) GDPR): To analyze usage patterns and improve the Service through anonymized analytics.
- Legal obligation (Art. 6(1)(c) GDPR): To comply with tax, accounting, or other legal requirements related to payments.
4. Third-Party Processors
We share your data with the following processors, each bound by data processing agreements:
| Provider | Purpose | Data Location |
|---|---|---|
| Google Firebase | Authentication & data storage | EU/US |
| LemonSqueezy / Stripe | Payment processing | US/Global |
| PostHog | Product analytics | EU |
| Google OAuth | Social login (optional) | US/Global |
Where data is transferred outside the EU/EEA, we rely on EU Standard Contractual Clauses (SCCs) or the provider's EU-US Data Privacy Framework certification to ensure adequate protection.
5. Data Retention
- Account data & progressions: Retained for the lifetime of your account. Deleted upon account deletion request.
- Subscription data: Retained for the lifetime of your account plus any legally required retention period for financial records.
- Analytics data: Retained per PostHog's default retention policies (typically 90 days for raw events).
- Local storage: Persists until you clear your browser data.
6. Your Rights (GDPR)
As an EU/EEA resident, you have the right to:
- Access your personal data and obtain a copy
- Rectify inaccurate or incomplete data
- Erase your personal data ("right to be forgotten")
- Restrict processing of your data
- Port your data to another service in a machine-readable format
- Object to processing based on legitimate interest
- Lodge a complaint with your local data protection authority
To exercise any of these rights, contact us at loufi.officiel@gmail.com. We will respond within 30 days.
7. Cookies & Tracking
Chordoo does not use tracking cookies. We use browser localStorage for essential functionality only (e.g., remembering whether the feedback widget has been displayed). This data is not shared with third parties.
Our analytics provider (PostHog) operates on EU servers and does not use cross-site tracking cookies.
8. Children's Privacy
Chordoo is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.
9. Security
We implement appropriate technical and organizational measures to protect your data, including:
- Encrypted connections (HTTPS/TLS) for all communications
- Encryption at rest for stored data (via Firebase)
- HMAC signature verification for payment webhooks
- Firebase Authentication with secure session management
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by updating the "Last updated" date at the top of this page. We encourage you to review this page periodically.