Privacy Policy

AceTagGen ("we," "us," or "our") is a music tag building service for SUNO AI, operated from Netivot, Israel. We are the data controller responsible for your personal data.

For privacy-related inquiries, contact us at: [email protected]

Our order process is conducted by our online reseller Paddle.com. Paddle.com is the Merchant of Record for all our orders. Paddle provides all customer service inquiries and handles returns. Please see Paddle's Privacy Policy and Checkout Buyer Terms.

We collect the following categories of personal data:

• Account information: Email address and display name when you sign up via email/password or Google OAuth. When you use Google OAuth, we receive only your email and display name — we do not access any other Google account data.
• Usage data: Pages visited, features used, tag selections, questionnaire choices, and session duration
• Chat logs: Messages you send in the AI Chat and Song Analyzer features, along with AI responses, for providing the service and enforcing usage limits
• Saved prompts: Style tags and lyrics you choose to save to your account
• Payment information: Processed and stored securely by Paddle (our Merchant of Record). We receive your Paddle customer ID, subscription status, and plan type. We never see or store your full card number, CVV, or banking details.
• Device data: Browser type, operating system, screen resolution, and IP address (for analytics and rate limiting)

• We do not collect or store any music files or audio
• We do not store your SUNO AI credentials or access your SUNO account
• We do not sell, rent, or trade your personal data to third parties
• We do not use your data for profiling or automated decision-making that produces legal effects

Under the General Data Protection Regulation (GDPR), we process your data on these legal bases:

• Contractual necessity: Processing your account data, saved prompts, and chat messages to provide the service you signed up for
• Legitimate interest: Analytics (Google Analytics) to improve the service, rate limiting to prevent abuse, and security monitoring
• Consent: Non-essential cookies and marketing communications (if any). You may withdraw consent at any time.
• Legal obligation: Retaining payment records as required by tax and financial regulations

AceTagGen uses third-party AI services to power certain features. Here is exactly what happens with your data:

• OpenAI (GPT-4.1-mini) — AI Chat: When you use the AI Chat, your messages are sent to OpenAI's API for processing. OpenAI does not use API data to train their models. OpenAI may retain API inputs for up to 30 days for abuse and safety monitoring, after which they are deleted. See OpenAI's API Data Usage Policy.
• OpenAI (GPT-4.1-mini) — Lyrics Generation: When you generate lyrics in the questionnaire, your genre/mood/structure selections are sent to OpenAI. Same data policies as the AI Chat above apply.

We do not send your email, name, or any personally identifiable information to AI providers — only the content of your musical queries and selections.

We use the following cookies and local storage:

You can disable cookies in your browser settings. Disabling authentication cookies will prevent you from logging in. To opt out of Google Analytics, install the Google Analytics Opt-out Browser Add-on.

Your data may be processed by the following third-party services:

• Paddle (UK/EU) — Payment processing, Merchant of Record. Privacy Policy
• Supabase (USA) — Database, authentication, user data storage. Privacy Policy
• Vercel (USA) — Website hosting. Privacy Policy
• Cloudflare (USA) — DNS and domain management. Privacy Policy
• OpenAI (USA) — AI Chat and Lyrics generation. Privacy Policy
• Google (USA) — Google Analytics, Google OAuth. Privacy Policy
• Freesound (Spain) — Instrument audio previews. Privacy Policy

AceTagGen is operated from Israel. Your data may be transferred to and processed in the United States (Supabase, Vercel, OpenAI, Google), the United Kingdom/European Union (Paddle), and Spain (Freesound).

These transfers are conducted using appropriate safeguards, including the service providers' adherence to Standard Contractual Clauses (SCCs), adequacy decisions where applicable, and their respective data protection commitments. Israel has been granted an adequacy decision by the European Commission, meaning transfers between the EU and Israel are permitted under GDPR.

We retain your data for the following periods:

• Account data (email, name, preferences): Kept while your account is active. Deleted within 30 days of account deletion.
• Saved prompts: Kept while your account is active. Deleted with your account.
• Chat logs: Retained for up to 12 months for service improvement and abuse prevention, then automatically deleted.
• Payment records: Retained for 7 years as required by tax and financial regulations. Paddle independently retains payment data per their policies.
• Analytics data: Google Analytics data is retained for 14 months (Google's default), then automatically aggregated and anonymized.
• Server logs: IP addresses in rate-limiting logs are kept in memory only and are not persisted to disk.

Depending on your location, you may have the following rights regarding your personal data:

• Access: Request a copy of all personal data we hold about you
• Rectification: Request correction of inaccurate data
• Deletion: Request deletion of your account and all associated data
• Export / Portability: Request your data in a machine-readable format
• Restriction: Request that we limit processing of your data
• Objection: Object to processing based on legitimate interest
• Withdraw consent: Where processing is based on consent, withdraw it at any time
• Opt out of analytics: Disable Google Analytics tracking

To exercise any of these rights, email us at [email protected]. We will respond within 30 days.

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you additional rights:

• Right to know: What personal information we collect, use, disclose, and sell
• Right to delete: Request deletion of your personal information
• Right to opt out: Opt out of the sale of your personal information
• Right to non-discrimination: We will not discriminate against you for exercising your rights

We do not sell personal information. We do not share personal information for cross-context behavioral advertising. To submit a CCPA request, email [email protected].

As a service operated from Israel, we comply with the Israeli Privacy Protection Law (PPL), 5741-1981, including Amendment 13 (effective 2025). In accordance with the law:

• We collect only the data necessary for providing the service
• We provide clear disclosure of what data is collected, why, and who it is shared with
• We obtain consent for data processing where required
• We maintain appropriate security measures to protect your data
• You may contact the Israel Privacy Protection Authority (PPA) to file a complaint regarding your data at www.gov.il/en/departments/the_privacy_protection_authority

AceTagGen is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at [email protected] and we will promptly delete that information.

Users between 13 and 18 may use AceTagGen with parental consent. Payment and subscription features require users to be at least 18 years old or have parental/guardian authorization.

We implement industry-standard security measures to protect your data, including:

• HTTPS encryption for all data in transit
• Supabase Row Level Security (RLS) for database access control
• Secure authentication via Supabase Auth (bcrypt-hashed passwords, OAuth tokens)
• API rate limiting to prevent abuse
• Webhook signature verification for payment events
• Environment-variable-based secret management (no hardcoded credentials)

In the unlikely event of a data breach that affects your personal information, we will:

• Notify affected users via email within 72 hours of becoming aware of the breach
• Report the breach to the relevant supervisory authorities as required by law (including the Israel PPA and EU DPAs where applicable)
• Describe the nature of the breach, the data affected, and the steps we are taking to mitigate it

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email (if you have an account) and update the "Last updated" date at the top of this page. Your continued use of AceTagGen after changes are posted constitutes acceptance of the updated policy.

If you have questions about this Privacy Policy, your data, or wish to exercise your rights: