Privacy Policy

1. Introduction and Controller Information

AIDJSets ("we," "us," "our") is an AI-powered DJ set creation platform operated by:

We are the controller within the meaning of Article 4(7) of the EU General Data Protection Regulation (GDPR) for the processing of your personal data through our services, unless otherwise stated in this policy.

This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website (aidjsets.com), desktop application, and related services.

2. Legal Bases for Data Processing

We process your personal data only when we have a valid legal basis under Article 6(1) GDPR:

• Contract performance (Art. 6(1)(b) GDPR): Processing necessary to provide our services, manage your account, and fulfill token purchases.
• Legitimate interests (Art. 6(1)(f) GDPR): Processing for error tracking, service improvement, security, and fraud prevention, where our interests do not override your rights.
• Consent (Art. 6(1)(a) GDPR): Processing based on your freely given consent, which you may withdraw at any time.
• Legal obligation (Art. 6(1)(c) GDPR): Processing required to comply with applicable laws, including tax and commercial record-keeping obligations.

3. Data We Collect

3.1 Account Data (Contract Performance)

When you create an account, we collect:

• First name and last name
• Email address
• Password (stored only in hashed form; we never have access to your plaintext password)

3.2 Profile Data (Contract Performance / Consent)

You may optionally provide:

• Location
• Profile avatar
• DJ software used
• Operating system platform
• Rekordbox version

3.3 Service Usage Data (Contract Performance)

When you use our services, we process:

• Token balance and purchase history
• Generated DJ sets and associated metadata
• Track metadata submitted for set generation (artist, title, BPM, key, genre)
• Playlist names and track selections
• Last login timestamp and last visited page
• Onboarding completion status
• Notification preferences

3.4 Technical Data (Legitimate Interests)

When you visit our website or use our desktop application, we automatically collect:

• IP address
• Browser type and version
• Operating system
• Device information
• Referrer URL
• Pages visited and interaction data
• Error reports and diagnostic data

3.5 Payment Data

Payment processing is handled entirely by Paddle.com Market Limited ("Paddle"), which acts as our Merchant of Record. We do not collect or store your credit card details, bank account information, or other payment credentials. See Section 5.1 for details on Paddle's data processing.

3.6 Rekordbox Data (Local Processing Only)

Our desktop application can read your local Rekordbox database to access playlist and track metadata. This data is processed entirely on your local device and is never uploaded to our servers. Only the track metadata you explicitly select for set generation is transmitted to our service.

4. How We Use Your Data

We use your personal data for the following purposes:

5. Third-Party Services

5.1 Paddle (Payment Processing)

Paddle.com Market Limited acts as our Merchant of Record for all purchases. When you purchase tokens, Paddle processes your payment as the legal seller. Paddle independently collects and processes your payment information (credit card, PayPal, etc.), name, email address, and billing information.

Paddle is an independent data controller for payment data, not our data processor. Paddle's processing of your data is governed by their own privacy policy.

Data we share with Paddle: email address, selected package type, token amount.

Paddle is based in the United Kingdom and may process data internationally. Appropriate safeguards are in place under their privacy framework.

5.2 Google Gemini (AI Set Generation)

We use Google's Gemini AI models to generate DJ set recommendations. When you request a set generation, we send track metadata (artist names, track titles, BPM, musical key, genre) to Google's Gemini API.

We do not send audio files, personal account data, or your Rekordbox database to Google.

Data processor: Google LLC (USA). Processing is covered by Google's Cloud Data Processing Addendum and EU Standard Contractual Clauses (SCCs) for international transfers.

Legal basis: Contract performance (necessary to provide the AI set generation service).

5.3 GlitchTip (Error Tracking — Self-Hosted)

We use GlitchTip (a Sentry-compatible error tracking tool) to monitor application errors and maintain service stability. GlitchTip is self-hosted on our own infrastructure.

Data collected: error stack traces, browser type, operating system, IP address, error context. Performance tracing is disabled.

Legal basis: Legitimate interests (maintaining service stability and resolving technical issues).

Since GlitchTip is self-hosted, your error tracking data does not leave our controlled infrastructure.

5.4 Umami (Website Analytics — Self-Hosted)

We use Umami for privacy-focused website analytics. Umami is self-hosted on our own infrastructure.

Umami is designed to be privacy-friendly: it does not use cookies, does not collect personally identifiable information, and does not track users across websites. Data collected includes page views, referrer, browser type, operating system, and device type — all processed without persistent user identifiers.

Legal basis: Legitimate interests (understanding website usage to improve our service).

5.5 Fider (Feedback — Self-Hosted)

We use Fider for collecting user feedback and feature requests. Fider is self-hosted on our own infrastructure.

When you submit feedback, we process the feedback title and description. No personal account data is automatically linked to feedback submissions through Fider.

Legal basis: Legitimate interests (improving our services based on user input).

5.6 Directus (Backend — Self-Hosted)

Our backend is powered by Directus, self-hosted on our own infrastructure. All user data, account information, generated sets, and content are stored in our self-hosted PostgreSQL database managed through Directus.

6. Cookies and Similar Technologies

6.1 Essential Cookies

We use the following technically necessary cookies:

6.2 No Tracking Cookies

We do not use advertising cookies, third-party tracking cookies, or social media cookies. Our analytics solution (Umami) is cookie-free.

6.3 Cookie Consent (TTDSG)

Under § 25 TTDSG (Telekommunikation-Telemedien-Datenschutz-Gesetz), consent is not required for cookies that are strictly necessary for providing the service you requested. Our cookies fall under this exemption as they are essential for authentication and basic functionality.

7. International Data Transfers

Most of your data is processed within the European Union/European Economic Area on our self-hosted infrastructure.

Data may be transferred outside the EU/EEA in the following cases:

• Google Gemini API (USA): Protected by EU Standard Contractual Clauses (SCCs) and Google's Data Processing Addendum.
• Paddle (UK): Protected by the UK-EU adequacy decision and Paddle's data protection framework.

We do not transfer data to countries without adequate data protection safeguards unless appropriate transfer mechanisms are in place as required by Chapter V GDPR.

8. Data Retention

We retain your personal data only as long as necessary for the purposes described in this policy:

After the retention period, data is permanently deleted or irreversibly anonymized.

9. Your Rights Under GDPR

Under the GDPR, you have the following rights regarding your personal data:

• Right of access (Art. 15 GDPR): Obtain confirmation whether we process your personal data and request a copy of it.
• Right to rectification (Art. 16 GDPR): Request correction of inaccurate personal data.
• Right to erasure (Art. 17 GDPR): Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
• Right to restriction of processing (Art. 18 GDPR): Request restriction of processing in certain circumstances.
• Right to data portability (Art. 20 GDPR): Receive your personal data in a structured, commonly used, machine-readable format.
• Right to object (Art. 21 GDPR): Object to processing based on legitimate interests. Where we process data for direct marketing, you have an absolute right to object at any time.
• Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at: [email protected]

We will respond to your request within one month of receipt, as required by Article 12(3) GDPR. This period may be extended by two further months for complex requests.

10. Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority. The competent authority for complaints in Germany is:

You may also contact the data protection authority of the German federal state in which you reside.

11. Data Protection Officer

Given the scale and nature of our data processing activities as a sole proprietor, we are not legally required to appoint a Data Protection Officer under Article 37 GDPR. For any data protection inquiries, please contact:

12. Security Measures

We implement appropriate technical and organizational measures to protect your personal data, including:

• Encrypted session management (sealed cookies)
• Password hashing (never stored in plaintext)
• HTTPS encryption for all data transmission
• Self-hosted infrastructure for core services (database, analytics, error tracking, feedback)
• Access controls and authentication for all backend systems
• Regular security updates and monitoring

13. Children's Privacy

Our services are not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If we learn that we have collected data from a child under 16, we will take steps to delete it promptly. If you believe a child has provided us with personal data, please contact us at [email protected].

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting the updated policy on our website with a new "Last Updated" date. For significant changes, we may also notify you via email.

We encourage you to review this policy periodically.

15. Contact

For any questions or concerns about this Privacy Policy or our data processing practices:

• Tobias Thiele
• Email: [email protected]
• Support: [email protected]