Privacy Policy

1. Introduction

1.1. This Privacy Policy (hereinafter referred to as "Policy") defines the procedures for collecting, using, storing, protecting, and deleting personal data of users of the songly.gift service (hereinafter referred to as "Service").

1.2. The Data Controller is: 3 Krolika LLP, BIN 251240001464, address: 010000, Kazakhstan, Astana, Taras Shevchenko Street 4/1, unit 17 (hereinafter referred to as "Operator").

1.3. Contact email address: support@songly.gift.

1.4. This Policy has been developed in accordance with the laws of the Republic of Kazakhstan, including the Law of the Republic of Kazakhstan dated May 21, 2013 No. 94-V "On Personal Data and Their Protection," and is designed to comply with international data protection standards, including the General Data Protection Regulation (GDPR) of the European Union and the California Consumer Privacy Act (CCPA).

1.5. By using the Service, the User confirms that they are at least 18 (eighteen) years of age. Persons under the age of 18 are not permitted to use the Service.

2. Data We Collect

2.1. For the Service to function, we collect and process the following categories of data:

2.1.1. Data Provided by the User:

  • Email address — for registration, authorization, and account recovery;
  • Username (login) — for identification within the system;
  • Password — stored exclusively in encrypted (hashed) form.

2.1.2. Content Uploaded by the User:

  • Photographs and images for processing or as references;
  • Audio files for processing;
  • Video files for processing;
  • Text data (descriptions, wishes, generation instructions).

Images uploaded by the User are automatically transformed (resolution reduction, re-encoding) before being used by AI models. After such transformation, the images do not contain biometric data — extracting unique biometric parameters for identification becomes impossible. Original images are not retained.

2.1.3. Automatically Generated Content:

  • Songs and music;
  • Images (portraits, greeting cards, invitations, logos, coats of arms, and other graphic materials);
  • Poems;
  • Texts (greetings, formal letters, marketing materials, and other text-based content);
  • Videos;
  • Chat history with AI assistants.

2.1.4. Technical Data:

  • Hash of the network address (SHA-256 with a private salt) — used for abuse protection and rate-limiting. The hash is irreversible; the original IP address is not stored or transferred;
  • Browser and device information (general technical request headers);
  • User settings and preferences;
  • Service usage data (statistics, logs).

2.1.5. Payment Information:

We DO NOT store payment data (card numbers, CVV, etc.). All payments are processed through third-party payment services certified to PCI DSS standards. We receive only confirmation of successful payment and a transaction identifier.

3. Purposes of Data Processing

3.1. The collected data is used exclusively for the following purposes:

  • User registration and authentication;
  • Ensuring account security;
  • Providing Service functions (content generation);
  • Processing payments and tracking energy points;
  • Content moderation and violation prevention;
  • Technical support and communication with Users;
  • Improving Service quality and AI algorithms;
  • Compliance with legal requirements;
  • Protecting the rights and legitimate interests of the Operator.

4. Legal Basis for Processing (GDPR)

4.1. For Users in the European Economic Area (EEA), the United Kingdom, and Switzerland, we process personal data based on the following legal grounds:

  • Contract Performance: Processing necessary for the performance of a contract with you (providing Service functions);
  • Legitimate Interests: Processing necessary for our legitimate interests, such as improving our services, preventing fraud, and ensuring security;
  • Consent: Where you have given explicit consent for specific processing activities;
  • Legal Obligation: Processing necessary for compliance with legal obligations.

5. Data Retention Periods

5.1. Account data (email, login, password): stored until the account is deleted by the User or by the Operator in accordance with the terms of use.

5.2. Inactive accounts: To implement the right to be forgotten, User accounts that have not been accessed for 1 (one) year are automatically deleted along with all associated data and content.

5.3. Uploaded content (photographs, audio, video for processing): stored for 7 (seven) calendar days for moderation and verification purposes, after which it is automatically deleted.

5.4. Generated content:

  • For Users without Prime status: generated content is automatically deleted 2-4 months after creation;
  • For Users with Prime status: content is stored until deleted by the User or until the Prime status expires (after which standard retention periods apply).

Upon deletion, content is marked as deleted (for recovery purposes) and completely removed after 7 (seven) calendar days.

5.5. AI assistant chat history:

  • Only the last 100 (one hundred) messages with each AI assistant are stored;
  • For Users without Prime status: message history is automatically deleted after 2-4 months;
  • For Users with Prime status: message history is stored until account deletion or until the Prime status expires.

5.6. Technical logs and network address hashes: stored for 12 (twelve) months for security and incident investigation purposes. The original IP addresses are not retained.

5.7. Transaction data: stored for the period required by applicable law (at least 5 years) for accounting and tax purposes.

6. Data Protection

6.1. The Operator takes necessary legal, organizational, and technical measures to protect personal data from unauthorized or accidental access, destruction, alteration, blocking, copying, distribution, and other unlawful actions.

6.2. Protection measures include:

  • Password encryption using modern cryptographic algorithms;
  • Use of secure connections (HTTPS/TLS);
  • Restricted access to personal data;
  • Regular data backups;
  • System security monitoring.

6.3. Important Notice: Despite the protective measures taken, the Operator cannot guarantee absolute data security during transmission over the Internet. The User uses the Service at their own risk.

7. Data Transfer to Third Parties

7.1. The Operator does not sell personal data. Data is transferred to a limited set of third parties only in the following cases:

  • Upon request of authorized government bodies in accordance with applicable law;
  • To payment operators — for payment processing (only the amount, order identifier, and email; payment credentials are submitted by the User directly to the payment provider and are not accessible to the Operator);
  • To technical contractors — for hosting infrastructure, storing files, and processing content-generation requests.

7.2. Processing of generation requests. To fulfill the generation requested by the User (songs, poems, greetings, images, videos), text prompts and pre-transformed images are transmitted to technical contractors. The transmitted requests are anonymized: email, username, account identifier, and other information that could identify you are not included. Each request is used solely for one-time delivery of the result.

7.3. International Transfers. Where the technical contractors performing such processing are located outside your country of residence, we rely on the lawful basis of contract performance (your generation request) and on appropriate safeguards (such as Standard Contractual Clauses with EU/EEA-based contractors where applicable). The Operator does not currently transfer User personal data internationally for any other purpose.

7.4. All third parties receiving access to data are required to maintain confidentiality and use data exclusively to perform their functions.

8. Use of Data for Generation

8.1. The Operator does not train or fine-tune its own AI models on User data. The Service uses third-party technical infrastructure to perform the generation requested by the User on a one-time basis (see Section 7.2).

8.2. Uploaded and generated content may be used by the Operator for:

  • Internal Service purposes (testing, debugging, improving generation algorithms and parameters);
  • Statistical analysis in anonymized form.

9. User Rights

9.1. The User has the right to:

  • Access their personal data and receive a copy;
  • Request correction or updating of inaccurate personal data;
  • Request deletion of their personal data ("right to be forgotten");
  • Restrict the processing of their personal data;
  • Object to the processing of their personal data;
  • Request data portability (receive data in a structured, commonly used format);
  • Withdraw consent to data processing at any time;
  • Delete their content through the Service interface;
  • Delete their account (all associated content will also be deleted);
  • Lodge a complaint with a supervisory authority.

9.2. Additional Rights for California Residents (CCPA):

If you are a California resident, you have the following additional rights:

  • Right to Know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you;
  • Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions;
  • Right to Opt-Out of Sale: We do not sell personal information. However, you have the right to opt out of any future sales;
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

To exercise your CCPA rights, please contact us at support@songly.gift.

9.3. To exercise your rights, the User may:

  • Use the personal account functionality to manage data and content;
  • Send a written request to the email address support@songly.gift.

9.4. Request Requirements. Send your request to support@songly.gift from the email address associated with your account — this serves as identity verification. The request should describe the nature of your request and the date. We may request additional information if necessary to confirm your identity, particularly for sensitive actions such as data deletion.

9.5. Request processing time — 30 (thirty) calendar days from receipt of the request, or within shorter timeframes where required by applicable law (e.g., 45 days under CCPA, one month under GDPR).

10. Account and Data Deletion

10.1. The User may delete their account at any time through the personal account settings.

10.2. Upon account deletion:

  • Personal data (email, login) is deleted;
  • All generated content is deleted;
  • AI assistant chat history is deleted;
  • Transaction data is retained in accordance with legal requirements.

10.3. Automatic deletion of inactive accounts: Accounts that have not been accessed for 1 (one) year are automatically deleted along with all associated data.

10.4. Account deletion is irreversible. Recovery of deleted data is not possible.

11. Cookies and Web Analytics

11.1. The Service uses essential cookies (for authentication and session maintenance) and the Yandex.Metrika counter (LLC Yandex, Russia) for visit counting. Metrika is configured in minimal mode: no click map, link tracking, accurate bounce, or WebVisor.

11.2. Third-party analytics services (Google Analytics and similar) are not used.

11.3. Cookie categories:

  • Essential cookies: required for authentication and session maintenance;
  • Functional cookies: remember your preferences and language settings;
  • Analytics cookies: set by Yandex.Metrika to count visits.

11.4. The User may disable cookie usage in browser settings, but this may affect Service functionality.

12. Prohibited Content and Moderation

12.1. The Operator reserves the right to review uploaded content for violations of law and Service rules.

12.2. If prohibited content is discovered (including materials containing child sexual abuse material, hate speech, calls for violence), the Operator has the right to:

  • Immediately block the User's account;
  • Transfer information to law enforcement authorities;
  • Retain necessary data for investigation.

13. Children's Privacy

13.1. The Service is not intended for persons under the age of 18. We do not knowingly collect personal data from children under 18.

13.2. If we become aware that we have collected personal data from a child under 18, we will take steps to delete such information as soon as possible.

13.3. If you believe that a child under 18 has provided us with personal data, please contact us at support@songly.gift.

14. Do Not Track Signals

14.1. Some browsers have a "Do Not Track" feature that signals to websites that you do not want your online activities tracked. The Service does not currently respond to "Do Not Track" signals as there is no industry standard for handling such signals.

15. Changes to the Policy

15.1. The Operator reserves the right to make changes to this Policy at any time.

15.2. Changes take effect from the moment the new version of the Policy is published on the Service website.

15.3. The User undertakes to independently monitor changes in the Policy. Continued use of the Service after changes are made constitutes acceptance of the new version of the Policy.

15.4. For material changes, we will make reasonable efforts to notify you by email or through a prominent notice on the Service.

16. Governing Law and Jurisdiction

16.1. This Policy and any disputes arising from or relating to it shall be governed by the laws of the Republic of Kazakhstan.

16.2. Any disputes shall be subject to the exclusive jurisdiction of the courts located in Astana, Republic of Kazakhstan.

16.3. Notwithstanding the foregoing, if you are located in the European Economic Area, United Kingdom, or Switzerland, nothing in this Policy affects your statutory rights under applicable data protection laws.

17. Additional Disclosures

17.1. Categories of Personal Information Collected (CCPA Disclosure):

In the past 12 months, we have collected the following categories of personal information:

  • Identifiers (email address, username, and an irreversible SHA-256 hash of the network address used for abuse protection — the original IP address is not retained);
  • Internet or other electronic network activity information (interactions with the Service, aggregated visit statistics via Yandex.Metrika);
  • Audio, electronic, visual, or similar information (content uploaded by the User; uploaded images are downscaled and re-encoded prior to processing — see Section 2.1.2);
  • Inferences drawn from the above (preferences such as preferred language).

17.2. Sources of Personal Information:

  • Directly from you when you provide it;
  • Automatically when you use the Service;
  • From third-party payment processors (transaction confirmation only).

17.3. Business or Commercial Purposes for Collection:

As described in Section 3 of this Policy.

17.4. Sale or Sharing of Personal Information:

We do not sell personal information. We do not share personal information for cross-context behavioral advertising.

3 Krolika LLP

BIN: 251240001464

Address: 010000, Kazakhstan, Astana, Taras Shevchenko Street 4/1, unit 17

Email: support@songly.gift

Last updated: April 30, 2026