Privacy Policy

1. Data Controller

Yuma Pellon Valdes, sole proprietorship registered in Norway (Org.nr. 930343870), is the data controller for personal data processed through the Cadencea Vault application, the Cadencea website (cadencea.app), and related cloud services (collectively, the “Service”).

• Contact email: privacy@cadencea.app
• Website: https://cadencea.app

2. What Personal Data We Collect

2.1 Data You Provide

• Account information: Email address, display name, and password (hashed) when you create an account
• Profile information: Any optional profile details you choose to add
• Support correspondence: Emails and messages you send to our support channels

2.2 Data Collected Automatically

• Usage data: Features used, session duration, and general interaction patterns with the application
• Error and crash reports: Technical information about application errors, collected via Sentry, including device type, operating system, and application version
• Authentication tokens: Session tokens for maintaining your login state, managed by Supabase
• IP address: Logged temporarily during authentication and API requests

2.3 Data We Do Not Collect

• We do not access, analyze, or listen to the contents of your audio files or project data
• We do not store payment card details — all payment processing is handled securely by Stripe
• We do not use cookies for advertising or third-party tracking

3. Why We Process Your Data (Legal Basis)

Under the General Data Protection Regulation (GDPR), we process your personal data based on the following legal grounds:

• Contract fulfillment (Art. 6(1)(b)): Processing your account information, authentication, cloud storage, and synchronization is necessary to provide the Service you signed up for
• Legitimate interest (Art. 6(1)(f)): Error tracking via Sentry and basic usage analytics help us maintain, improve, and secure the Service. We have assessed that this interest does not override your fundamental rights
• Consent (Art. 6(1)(a)): Marketing communications are only sent with your explicit consent, which you can withdraw at any time
• Legal obligation (Art. 6(1)(c)): We may retain certain data to comply with Norwegian tax, accounting, or other legal requirements

4. How We Use Your Data

We use personal data to:

• Provide, operate, and maintain the Service, including authentication, cloud sync, and sharing
• Process subscription payments and manage billing through Stripe
• Send essential communications about your account, service changes, and security notices
• Send marketing communications about product updates and new features (with your consent)
• Monitor and fix errors, crashes, and performance issues via Sentry
• Enforce our Terms of Service and protect against misuse

5. Third-Party Processors (Data Sharing)

We share personal data only with the following third-party service providers (“processors”) who process data on our behalf:

• Supabase (USA): Authentication and database hosting. Processes account data, email, and authentication tokens
• Backblaze B2 (USA): Cloud file storage. Stores your uploaded project files under your unique user ID
• Stripe (USA): Payment processing. Handles all payment card data directly; we receive only confirmation of payment status and subscription details
• Railway (USA): Cloud API hosting. Our backend server runs on Railway infrastructure
• Sentry (USA): Error and crash reporting. Receives technical error data, device information, and IP addresses for debugging purposes
• Vercel (USA): Website hosting for cadencea.app
• Cloudflare (USA): DNS, content delivery network (CDN), and email routing services

Several of our processors are based in the United States. Data transfers to the US are conducted in compliance with GDPR Chapter V, relying on the EU-U.S. Data Privacy Framework where available, or Standard Contractual Clauses (SCCs) approved by the European Commission.

We do not sell, rent, or trade your personal data to third parties for their own purposes.

6. Data Retention

• Account data: Retained for as long as your account is active. Upon account deletion, personal data is deleted within 30 days, except where retention is required by law
• Cloud-stored files: Retained for 30 days after account deletion or subscription cancellation, then permanently deleted
• Error logs (Sentry): Automatically deleted after 90 days
• Payment records: Retained as required by Norwegian bookkeeping law (bokføringsloven), typically 5 years
• Marketing consent records: Retained for as long as you are subscribed to marketing communications, plus a reasonable period for record-keeping

7. Your Rights Under GDPR

As a data subject, you have the following rights:

• Right of access (Art. 15): Request a copy of the personal data we hold about you
• Right to rectification (Art. 16): Request correction of inaccurate or incomplete data
• Right to erasure (Art. 17): Request deletion of your personal data (“right to be forgotten”)
• Right to data portability (Art. 20): Receive your data in a structured, machine-readable format
• Right to restrict processing (Art. 18): Request that we limit how we use your data
• Right to object (Art. 21): Object to processing based on legitimate interest
• Right to withdraw consent: Withdraw consent for marketing communications at any time

To exercise any of these rights, contact us at privacy@cadencea.app. We will respond within 30 days as required by GDPR.

If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet) at www.datatilsynet.no.

8. Cookies and Tracking Technologies

The Cadencea website uses the following cookies and similar technologies:

• Strictly necessary cookies: Authentication session cookies (Supabase) required for login functionality. These cannot be disabled as the Service cannot function without them
• Error tracking (Sentry): Collects technical data about application errors for debugging. This operates under our legitimate interest in maintaining a functional service

We do not use advertising cookies, social media tracking pixels, or third-party analytics platforms.

9. Marketing Communications

We may send you marketing emails about product updates, new features, and promotional content only if you have given explicit consent. You can unsubscribe at any time by clicking the unsubscribe link in any marketing email or by contacting privacy@cadencea.app. Unsubscribing from marketing emails does not affect essential service communications (e.g., billing confirmations, security alerts).

10. Children’s Privacy

The Service is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you become aware that a child under 13 has provided us with personal data, please contact us at privacy@cadencea.app and we will delete such data promptly.

11. Security

We implement reasonable technical and organizational measures to protect your personal data, including encrypted data transmission (HTTPS/TLS), secure password hashing, and access controls. However, no method of electronic storage or transmission is completely secure, and we cannot guarantee absolute security.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service at least 30 days before they take effect. The updated policy will be posted on our website with a revised effective date.

13. Contact

For any privacy-related questions, data requests, or concerns:

• Data Controller: Yuma Pellon Valdes (Org.nr. 930343870)
• Privacy inquiries: privacy@cadencea.app
• General support: support@cadencea.app
• Supervisory authority: Datatilsynet (Norwegian Data Protection Authority), www.datatilsynet.no

© 2026 Yuma Pellon Valdes (Org.nr. 930343870). All rights reserved.