Privacy Policy
Last updated: 3 June 2026
This Privacy Policy explains how Nuonda (“Nuonda”, “we”, “us”) collects, uses, shares, and protects personal data when you use the Nuonda website and the Forge, Stems, and Aura tools (together, the “Service”). It also describes the rights you have over your data.
Data controller: Nuonda. For any privacy question, to reach our registered contact, or to exercise your rights, email our data protection contact at dpo@nuonda.studio.
1. Our core commitment: we do not train on your music without consent
This is binding, not marketing. We will not use the audio you upload, or the outputs we generate from it, to train any model unless you give explicit, per-track, revocable opt-in consent. The default for every account is off. If we ever introduce a feature that uses user content for training, it will be opt-in with one-click withdrawal. See our manifesto commitment #1.
2. Data we collect
- Account data: email address and authentication identifiers (managed via Supabase). If you sign in with a third-party provider, we receive the basic profile that provider shares.
- Content you provide: audio files and other material you upload to Forge or Stems, and prompts/parameters you enter into Aura, plus the outputs generated for you (stems, one-shots, MIDI, loops, arrangements).
- Billing data: your subscription tier, credit balance, and transaction records. Card/payment details are handled by our payment processor (Lemon Squeezy) — we do not see or store your full card number.
- Support data: messages you send to our in-app support assistant or support tickets, including their contents.
- Technical data: data necessary to operate the Service securely (e.g. session cookies, IP address at the network layer, basic request logs).
3. How we use your data
- To provide the Service — process your uploads, generate outputs, store your library, and run your account.
- To process payments, manage subscriptions and credits, and prevent fraud and abuse.
- To provide support and respond to your requests.
- To keep the Service secure, debug problems, and meet legal obligations.
- To send service communications (e.g. billing receipts, security and account notices).
We practice data minimization: we collect only what we need to run the Service, and we do not sell your personal data.
4. Legal bases (GDPR)
If you are in the EEA or UK, we rely on the following legal bases:
- Performance of a contract — to deliver the Service you sign up for.
- Legitimate interests — to secure, maintain, and improve the Service (balanced against your rights).
- Consent — for anything optional, such as (if ever offered) using your content for model training. You may withdraw consent at any time.
- Legal obligation — to meet tax, accounting, and other legal duties.
5. How your uploads and outputs are handled
- Your uploads stay yours. We process them to deliver the result you asked for and to store your library so you can retrieve your work.
- Your outputs belong 100% to you — no royalty share and no usage carve-out (see our Terms and manifesto commitment #3).
- No training without consent (section 1).
- Audio is processed on our infrastructure and trusted compute providers (see section 7). For Aura generation, prompts are sent to GPU compute (RunPod) to produce your output.
6. Data retention
- We keep your account and content for as long as your account is open so your library remains available to you.
- If your account is inactive, we will email you before any deletion; today our practice is to reach out before removing content after 12 months of inactivity.
- You can delete your content, or request deletion of your account, at any time (section 8). Deleting your account is a separate, explicit step you take yourself — we will never delete your work without you asking.
- We retain billing and transaction records for as long as required by tax and accounting law.
7. Third-party processors
We share data with a small set of vendors who process it on our behalf, under contract, only to run the Service:
| Processor | Purpose |
|---|---|
| Supabase | Database, authentication, and file storage |
| Netlify | Website hosting and content delivery |
| Cloudflare | Network/CDN and secure access to compute backends |
| RunPod | GPU compute for Aura generation |
| Lemon Squeezy | Payment processing as our merchant of record |
| Anthropic | Support assistant — processes your support-chat messages to generate replies |
Some of these providers may process data outside your country, including in the United States. Where required, transfers are protected by appropriate safeguards such as Standard Contractual Clauses.
8. Your rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your data (“right to be forgotten”).
- Object to or restrict certain processing.
- Data portability — receive your data in a portable format.
- Withdraw consent at any time, where processing is based on consent.
To exercise any right, email dpo@nuonda.studio. We will respond within the time required by applicable law. You also have the right to lodge a complaint with your local data protection authority.
9. Your California privacy rights (CCPA / CPRA)
If you are a California resident, you have the right to know what personal information we collect and how we use it, the right to request deletion, the right to correct inaccurate information, and the right not to be discriminated against for exercising your rights.
We do not sell your personal information, and we do not “share” it for cross-context behavioral advertising as those terms are defined under California law. We do not use your music to train models without your consent. To exercise your California rights, contact dpo@nuonda.studio.
10. Cookies
We use only cookies that are strictly necessary to run the Service — primarily the authentication/session cookie that keeps you signed in. We do not use advertising or third-party tracking cookies. For details, see our Cookie Policy.
11. Children
The Service is not directed to children under 16 (or the minimum age required in your country). We do not knowingly collect data from children. If you believe a child has provided us data, contact dpo@nuonda.studio and we will delete it.
12. Security
We use appropriate technical and organizational measures to protect your data, including encrypted transport and access controls. No system is perfectly secure, but we work to protect your data and to notify you and regulators of incidents where the law requires.
13. Changes to this policy
We may update this policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, notify you. Your continued use of the Service after an update means you accept the revised policy.
14. Contact
Privacy and data protection: dpo@nuonda.studio. Copyright/DMCA matters: see our DMCA page.