Privacy Policy
1. Introduction
StemForge ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our website and beat generation platform ("Service"). Please read this policy carefully. By using the Service, you consent to the practices described here.
2. Information We Collect
2.1 Information You Provide
- Account information: When you register, we collect your name, email address, and password (stored as a hashed value — we never store plaintext passwords).
- Google OAuth: If you sign in with Google, we receive your Google profile name, email address, and profile photo URL from Google's API.
- Payment information: We process payments via Stripe. We do not store full credit card numbers on our servers — Stripe handles all payment data under their own PCI-compliant systems.
- Generation inputs: Prompts, lyrics, style descriptors, BPM values, and other inputs you provide to generate beats.
- Communications: If you contact us by email or through the platform, we retain your messages to respond and improve the Service.
2.2 Information Collected Automatically
- Session data: We use HttpOnly session cookies to maintain your authenticated session. Session tokens are stored securely in our Cloudflare D1 database.
- Usage data: We collect information about how you interact with the Service, including pages visited, features used, and generation history.
- Device & browser data: IP address, browser type, operating system, and referring URLs, collected via standard server logs.
2.3 Information from Third Parties
- Google: If you authenticate via Google OAuth, we receive the profile information described above, subject to your Google account privacy settings.
- Stripe: We receive transaction status, customer ID, and subscription information from Stripe to manage your billing.
3. How We Use Your Information
We use your information to:
- Create and manage your account and authenticate your identity
- Provide and improve the beat generation Service
- Process payments, manage subscriptions, and track generation usage
- Personalize your experience (profile photo, name, plan status)
- Send transactional emails (account creation, payment receipts, subscription changes)
- Detect and prevent fraud, abuse, and violations of our Terms of Service
- Comply with legal obligations and enforce our agreements
- Analyze usage patterns to improve platform performance and features
We do not sell your personal information to third parties. We do not use your prompts or generated beats to train AI models without your explicit consent.
4. Cookies & Tracking
4.1 Session Cookies
We use a single HttpOnly, Secure, SameSite session cookie (sf_session) to keep you logged in for up to 30 days. This cookie does not track you across other websites.
4.2 Local Storage
We use browser localStorage to save your theme preference (dark/light mode) locally on your device. No personal data is stored in localStorage.
4.3 Third-Party Services
Our Service integrates with third-party providers that may set their own cookies or tracking mechanisms:
- Stripe: For payment processing. Stripe Privacy Policy
- Google OAuth: For optional sign-in. Google Privacy Policy
- Cloudflare: For hosting and edge delivery. Cloudflare Privacy Policy
5. How We Share Your Information
We do not sell or rent your personal information. We share data only in these limited circumstances:
- Service providers: We share necessary data with Stripe (payments), Cloudflare (hosting), and our AI generation providers to operate the Service. These providers process data on our behalf under data processing agreements.
- Legal requirements: We may disclose your information if required by law, court order, or governmental authority, or to protect the rights, safety, or property of StemForge or others.
- Business transfers: If StemForge is acquired or merges with another entity, your information may be transferred as part of that transaction. We will notify you via email or a prominent notice before your data is subject to a different privacy policy.
6. Data Retention
We retain your account information and generation history for as long as your account is active or as needed to provide the Service. If you delete your account, we will delete or anonymize your personal data within 30 days, except where retention is required by law or for legitimate business purposes (e.g., financial records required for tax compliance).
Session tokens expire after 30 days of inactivity. Generation job data is retained to power your dashboard and project history.
7. Data Security
We take reasonable technical and organizational measures to protect your personal information:
- Passwords are hashed using PBKDF2 with SHA-256 and a unique salt per user — we cannot recover your plaintext password
- Session cookies are HttpOnly and Secure — they cannot be accessed by JavaScript and are only sent over HTTPS
- All data is stored on Cloudflare's infrastructure with enterprise-grade security
- Payment processing is fully handled by Stripe — we never touch raw card data
- API keys and secrets are stored as environment variables, never in source code
No system is 100% secure. In the event of a data breach affecting your rights, we will notify you as required by applicable law.
8. Your Rights & Choices
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate or incomplete data
- Deletion: Request deletion of your account and associated personal data ("right to be forgotten")
- Portability: Request your data in a portable format
- Objection: Object to certain types of processing (e.g., marketing)
- Restriction: Request restriction of processing in certain circumstances
To exercise any of these rights, email us at stemforgesupport@gmail.com. We will respond within 30 days. We may need to verify your identity before processing your request.
California residents (CCPA): You have the right to know what personal information we collect, to delete it, and to opt out of its sale. We do not sell personal information.
EEA/UK residents (GDPR): Our legal basis for processing your data includes contract performance (providing the Service), legitimate interests (fraud prevention, improving the Service), and legal compliance. You may also lodge a complaint with your local data protection authority.
9. Children's Privacy
The Service is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. If we discover we have collected data from a child under 13, we will delete it promptly. If you believe we have collected such data, please contact us at stemforgesupport@gmail.com.
10. International Data Transfers
StemForge operates primarily through Cloudflare's global edge network. Your data may be processed in data centers located in the United States and other countries. By using the Service, you consent to the transfer of your information to countries that may have different data protection laws than your country of residence. We take steps to ensure appropriate safeguards are in place for any such transfers.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last Updated" date at the top of this page and, for material changes, notify registered users by email. Your continued use of the Service after any changes constitutes acceptance of the revised policy.
12. Contact Us
If you have questions, concerns, or requests about this Privacy Policy or how we handle your data, please contact us:
- Email: stemforgesupport@gmail.com
- General: stemforgesupport@gmail.com
- Website: stemforge.studio