Privacy Policy

Last updated: June 25, 2026

Noema AI ("we," "our," or "us") respects your privacy. This Privacy Policy explains how we collect, use, and protect your information when you use the Noema AI mobile application and related services (the "App").

By using Noema AI, you agree to the collection and use of information in accordance with this policy.

1. Information We Collect

Account Information

When you create an account, we may collect:

  • Email address
  • Authentication credentials (such as encrypted passwords or Apple Sign-In tokens)
  • Account identifiers
  • Push tokens (APNs). We may collect device push notification tokens to support background updates and Live Activity-related functionality (where enabled).

Usage Data

We may collect information about how you use the app, including:

  • Music generation requests (such as moods or prompts)
  • Interaction with features
  • Listening habits (including time of day, session duration, skip rates, and station selections) to adapt context-aware stations
  • App performance data

Subscription Information

If you purchase a subscription:

  • Transaction and entitlement data are processed through Apple
  • Subscription status is managed through a third-party service (RevenueCat)
  • We do not receive your full payment details

Diagnostic, Performance, and Crash Data

To keep the app running reliably, we collect a limited set of technical diagnostic information through Datadog (performance monitoring and logging) and KSCrash (an open-source crash reporting library bundled with Datadog's SDK). This data may include:

  • App version, build number, and SDK versions
  • Device model, operating system version, and locale
  • Anonymous installation identifier (not tied to advertising IDs)
  • Network connection type (Wi-Fi/cellular)
  • Crash stack traces and the technical state of the app at the moment of a crash (e.g., thread state, memory pressure)
  • Performance traces of API calls (latency, error codes, endpoint paths — not request body contents)
  • Truncated IP address (used transiently for transport and not retained as a profile identifier)

This data is used solely for app performance monitoring, debugging, and reliability — not for advertising, profiling, or cross-app tracking. We do not enable Datadog's Real User Monitoring features that capture user-identifying behavioral analytics, and we do not link diagnostic data to your prompt content or generated tracks.

2. How We Use Your Information

We use your information to:

  • Create and manage your account
  • Generate music based on your selected mood or input
  • Adapt and personalize radio stations based on your listening habits
  • Provide core app functionality
  • Manage subscriptions and entitlements
  • Improve performance and user experience
  • Detect and prevent abuse or misuse

3. Sub-Processors (Named Third-Party Services)

To operate the Service, we engage a limited set of third-party providers ("sub-processors"). Each is bound by its own privacy policy and processes only the data necessary for its role. We do not sell your personal information to any of these providers; they act on our behalf or as independent controllers for clearly defined purposes.

Current Sub-Processor List

  • Apple Inc. (USA) — Sign in with Apple authentication, Apple in-app purchases (payment processing), and Apple Push Notification service (APNs) for delivering background updates and Live Activity notifications. Apple is an independent controller for payment data. See Apple Privacy Policy.
  • RevenueCat, Inc. (USA) — Subscription entitlement and lifecycle management. Receives Apple-issued anonymous identifiers tied to your subscription status; does not receive payment card data. See RevenueCat Privacy Policy.
  • Vercel Inc. (USA) — Backend hosting and serverless function execution for our API. May process IP addresses and request metadata transiently as part of standard hosting. See Vercel Privacy Policy.
  • Neon, Inc. (USA) — Managed PostgreSQL database hosting. Stores account records, subscription state, music generation request metadata, and the URLs of your generated tracks. See Neon Privacy Policy.
  • MusicGPT (third-party AI music generation provider) — Receives the cleaned/filtered text prompt produced by our backend and returns generated audio. MusicGPT hosts the generated audio files on its own infrastructure (e.g., Amazon S3 at lalals.s3.amazonaws.com); we store only the URL reference in our database. We currently use MusicGPT under their publicly published terms; a formal Data Processing Agreement (DPA) has not yet been executed. Review MusicGPT's own published terms of service and privacy policy for details on their processing.
  • Datadog, Inc. (USA) — Application performance monitoring, logging, and crash reporting (via the bundled KSCrash library). Receives the diagnostic data described in Section 1 ("Diagnostic, Performance, and Crash Data"). See Datadog Privacy Policy.
  • TikTok (ByteDance Ltd.) — Marketing, conversion tracking, and advertising services (via the TikTok Pixel on our marketing website). Processes visitor interactions (e.g., page views, button clicks, and beta registrations) to optimize our advertising campaigns and measure website performance. See TikTok Privacy Policy.

Changes to the Sub-Processor List

We will update this list when we add, remove, or replace a sub-processor and reflect the change in the "Last updated" date above. For EU/UK users, we will, where required by law, provide a reasonable opportunity to object to material changes; if you have concerns about a specific sub-processor, contact support@melodaistudio.com.

4. Music Generation Data Flow

To give you a transparent picture of how a music generation request is handled, here is the actual data flow when you tap "Generate":

  1. Submission. Your selected mood or prompt is sent from the app to our backend (hosted on Vercel) over an encrypted TLS connection.
  2. Prompt cleaning. Our backend filters and sanitizes the prompt to enforce the Terms of Use prohibitions (e.g., artist simulation, copyrighted-work mimicry, prohibited content). The original raw prompt is not retained on our servers after this step; we keep only the cleaned/filtered version that is actually forwarded to the AI provider.
  3. Forwarding to MusicGPT. The cleaned prompt is transmitted to MusicGPT, which generates the audio file and returns a URL pointing to the audio (hosted on MusicGPT's infrastructure, e.g., lalals.s3.amazonaws.com).
  4. Storage on our side. We store the returned URL and associated metadata (title, mood, timestamp, your user ID) in our Neon Postgres database so the track can appear in your in-app library and be streamed back to you on demand. We do not store the audio file itself — when you play a track, the app streams it directly from MusicGPT's URL.
  5. Playback. Listening events (start, skip, completion, station selection) are recorded to power station personalization and paid subscription (Pro/Plus) feature limits.

What This Means in Practice

  • We retain the cleaned prompt, not your original raw text, for abuse review and quality monitoring.
  • We retain a URL reference to your generated tracks, not the audio bytes; the audio file lives on MusicGPT's infrastructure.
  • If MusicGPT removes or invalidates an audio URL on its side, the track may become unplayable from your library; we cannot retrieve the file independently.

AI Model Training

We do not use your prompts, listening history, or generated tracks to train, fine-tune, or refine our own AI models — we do not operate generative AI models in-house. Whether MusicGPT uses prompts or outputs to train its own models is governed by their published terms; please review them. If our practice changes, we will update this policy and provide notice and an opt-out where required by law.

We do not use your prompts or generated tracks to identify you personally beyond linking them to your account for the purpose of providing the Service.

5. Data Storage and Security

We take a defense-in-depth approach to securing your information. Concrete measures include:

  • Encryption in transit. All connections between the iOS app, our backend, and our sub-processors use TLS 1.2 or higher.
  • Encryption at rest. Our Neon Postgres database encrypts data at rest using AES-256. Apple, RevenueCat, Vercel, and Datadog likewise encrypt customer data at rest under their published security standards.
  • Authentication. User authentication uses Sign in with Apple and short-lived signed tokens. Passwords (where used) are hashed with a modern algorithm and never stored in plaintext.
  • Secret management. API keys, database credentials, and other secrets are stored as encrypted environment variables in Vercel and are never embedded in client code.
  • Access controls. Production database and infrastructure access is limited to authorized personnel under the principle of least privilege, with multi-factor authentication required for administrative access.
  • Abuse and rate limiting. Backend endpoints enforce per-user rate limits and prompt-filtering logic to mitigate abuse, scraping, and prompt-injection attacks.
  • Monitoring. Application logs and performance traces are sent to Datadog for security and reliability monitoring; we review error and anomaly signals on an ongoing basis.

Despite these measures, no method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee absolute security, but we work continuously to evaluate and improve our practices.

6. Data Retention and Deletion Schedule

In accordance with applicable children's privacy laws (including COPPA) and consumer privacy regulations, we maintain a strict written data retention schedule. We collect and retain personal information only for the specific purposes and business needs outlined below, and delete or pseudonymize it once those needs are met.

Data Category Purpose & Business Need Retention Period & Deletion Action
Account Credentials & Identifiers To create, authenticate, and manage your account; enable secure user logins. Retained for the life of your account. Upon account deletion, identifiers are immediately scrubbed, passwords and tokens are purged, and your email is replaced with a non-recoverable sentinel value (e.g., deleted+id@deleted.local).
Account Tombstones To preserve database integrity, credit ledgers, and subscription tax histories. Retained indefinitely. Contains no personal identifiers; uses only your internal account ID and a sentinel email value. Cannot be used to re-identify or contact you.
Cleaned/Filtered Prompts To run quality checks, prevent safety violations (e.g., artist-simulation attempts), and monitor for platform abuse. Retained for up to 90 days following submission, then permanently deleted. Original raw prompts are processed transiently and discarded immediately; only filtered prompts are saved.
Biometric Data & Voiceprints N/A (We do not knowingly collect, process, or extract voiceprints or biometric templates). We do not collect or generate biometric data. If you submit any audio containing human voice (such as vocal prompts), it is processed transiently by our upstream AI provider to generate output, is never analyzed for biometric extraction, and is not stored or retained by Noema.
Generated-Track URLs & Metadata To populate your in-app music library and stream generated tracks to you on demand. Retained for the life of your library or until you delete individual tracks. Upon account deletion, metadata is pseudonymized and linked to the tombstoned account ID to prevent database orphans; the actual audio files continue to be hosted by MusicGPT under their own policies.
Subscription & Transaction Records To manage subscriptions, confirm Pro/Plus plan entitlements, and comply with tax and audit laws. Retained for up to 7 years from the date of the transaction to satisfy U.S. federal and state tax recordkeeping requirements.
Listening Events To personalize radio stations based on your habits and enforce daily play/skip limitations. Retained in active profiles for up to 24 months, then aggregated or deleted. Upon account deletion, all active listening history is immediately purged. Aggregated data is pseudonymized and contains no personal identifiers.
Diagnostic & Crash Data To monitor app performance, debug code crashes, and maintain service reliability. Automatically purged from our monitoring platform (Datadog) after 15 days (for logs) and 30 days (for crash reports).
Push Tokens (APNs) To send background updates and support active Live Activities. Retained only while active. Deleted immediately upon account deletion, user logout, or app uninstallation.
Database Backups For disaster recovery and business continuity purposes. Retained for up to 35 days, then automatically overwritten. Deleted account records will persist in backups for a maximum of 35 days.

You may request the deletion of your account and associated personal data at any time by contacting us at support@melodaistudio.com. See Section 7 for details on how we verify and process deletion requests.

7. Your Privacy Rights

The rights available to you depend on where you live. The sections below summarize the rights we extend to all users and the additional rights specific to California (CCPA) and the EU/UK (GDPR).

Rights We Extend to All Users

  • Access. Request a copy of the personal information we hold about you.
  • Correction. Ask us to fix inaccurate or incomplete data.
  • Deletion. Ask us to delete your account and associated data.
  • Portability. Request an export of your account data and library metadata in a structured, machine-readable format.
  • Withdrawal of consent. Where we rely on your consent, withdraw it at any time without affecting prior processing.

California Residents (CCPA / CPRA)

In addition to the rights above, California residents may exercise the rights described in Section 13 of our Terms of Use, including the right to know, the right to delete, the right to correct, the right to limit use of sensitive personal information, and the right to non-discrimination. We do not sell personal information and we do not share it for cross-context behavioral advertising.

EU, UK, and Swiss Residents (GDPR / UK GDPR)

In addition to the rights above, residents of the EU, UK, and Switzerland have the rights set out in Articles 15–22 of the GDPR (and the UK equivalent), including access, rectification, erasure, restriction, portability, objection (including to processing based on legitimate interests), and not being subject to automated decisions producing legal effects. You also have the right to lodge a complaint with your local supervisory authority. See Section 8 ("Legal Basis for Processing") for the lawful bases we rely on.

How to Make a Request

Deletion requests can also be initiated from inside the Noema AI iOS app at Account → Delete Account. The in-app flow runs the same deletion procedure described in Section 6 and does not require email correspondence; we still honor email-based deletion requests for users who prefer that channel or who have lost access to their account.

Submit any request by emailing support@melodaistudio.com with one of these subject lines so we can route it correctly: "Access Request", "Deletion Request", "Correction Request", "Portability Request", "CCPA Request", or "GDPR Request".

Identity Verification

To protect your data, we will verify your identity before fulfilling a request. For most requests, we verify by confirming control of the email address associated with your account; for sensitive requests (deletion, large export), we may ask you to confirm an in-app prompt or provide additional account details. We will not request more information than is reasonably necessary.

Response Times

  • General / CCPA requests: within 45 days of receipt, extendable once by an additional 45 days where reasonably necessary, with notice.
  • GDPR / UK GDPR requests: within one month of receipt, extendable by up to two additional months where the request is complex, with notice.

Requests are free of charge. We may decline manifestly unfounded or excessive requests, or charge a reasonable administrative fee, to the extent permitted by law; in such cases, we will explain our reasoning.

Authorized Agents

You may designate an authorized agent to submit a request on your behalf. We may require the agent to provide written permission and may verify the agent's identity in addition to yours.

8. Legal Basis for Processing (GDPR)

If you are in the EU, UK, or Switzerland, we rely on the following lawful bases under Article 6 GDPR for each category of personal data we process:

  • Account information (email, identifiers, auth tokens) — Contract (Art. 6(1)(b)): necessary to create your account and provide the Service you requested.
  • Music generation prompts and library metadataContract (Art. 6(1)(b)): necessary to deliver the generation and library features.
  • Listening events used for personalizationLegitimate interests (Art. 6(1)(f)): our interest in providing an adaptive, mood-aware listening experience, balanced against your reasonable expectations.
  • Subscription and transaction recordsContract (Art. 6(1)(b)) for service delivery and Legal obligation (Art. 6(1)(c)) for tax recordkeeping.
  • Diagnostic, performance, and crash data (Datadog/KSCrash) — Legitimate interests (Art. 6(1)(f)): our interest in keeping the app reliable and secure, balanced against your reasonable expectations and minimized to non-identifying technical signals.
  • Push notification tokensContract (Art. 6(1)(b)) for service notifications; Consent (Art. 6(1)(a)) where local law requires for promotional notifications.
  • Abuse prevention, fraud detection, security monitoringLegitimate interests (Art. 6(1)(f)) and, where applicable, Legal obligation (Art. 6(1)(c)).
  • Responses to legal requests, dispute resolutionLegal obligation (Art. 6(1)(c)) and Legitimate interests (Art. 6(1)(f)).

We do not process special categories of personal data (Art. 9 GDPR) and we do not make decisions about you that produce legal or similarly significant effects on the basis of automated processing alone (Art. 22).

9. International Data Transfers

Noema Studio LLC is based in the United States, and most of our sub-processors are also located in the United States. If you access the Service from outside the United States, your information will be transferred to, and processed in, the United States or other countries where our sub-processors operate.

For users in the EU, UK, or Switzerland, transfers to the United States and other third countries are made under one or more of the following safeguards, depending on the sub-processor:

  • The European Commission's Standard Contractual Clauses (2021/914), including the UK Addendum where applicable;
  • Adherence to the EU-U.S. Data Privacy Framework and the UK Extension where the sub-processor is certified;
  • Other recognized transfer mechanisms permitted under the GDPR.

Some upstream providers — currently including MusicGPT, which we use under their publicly published terms — may not yet offer a formal transfer mechanism such as SCCs. We disclose this transparently and work to formalize one. EU/UK users who wish to understand the transfer safeguards applicable to a specific sub-processor may contact us at support@melodaistudio.com.

10. Data Breach Notification

We maintain processes to detect, contain, and respond to security incidents involving personal data. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify affected users without undue delay, and where required by Article 34 GDPR within 72 hours of becoming aware;
  • Notify the relevant EU/UK supervisory authority within 72 hours where required by Article 33 GDPR;
  • Provide notification under U.S. state breach-notification statutes within the timelines required by the applicable state;
  • Describe the nature of the incident, the categories and approximate number of records affected, the likely consequences, and the measures we are taking to address it and to mitigate possible adverse effects.

11. Cookies, Tracking & Analytics

iOS App

The Noema AI iOS app does not use browser cookies. It does not present an App Tracking Transparency (ATT) prompt because we do not track you across other apps or websites and we do not use advertising identifiers (IDFA). The diagnostic data described in Section 1 is collected via Datadog/KSCrash strictly for performance and crash monitoring — not for advertising, profiling, or cross-app tracking.

Marketing Website

This marketing website uses cookies and tracking technologies (specifically the TikTok Pixel provided by ByteDance Ltd.) to measure visitor interaction, improve performance, and optimize our advertising campaigns. The TikTok Pixel allows us to track actions (such as joining the beta program or contacting support) taken by users who visit our website after viewing or clicking a TikTok ad. This information helps us measure the effectiveness of our advertisements and optimize our marketing campaigns.

You can manage your cookie preferences in your browser settings. To learn more about TikTok’s privacy practices and how you can opt out of targeted advertising, please refer to TikTok’s Privacy Policy.

12. Social Sharing to Third-Party Platforms (Instagram & Others)

The Noema AI iOS app lets you share a track from your Library as a branded image (and, in a future update, a short video). Sharing is entirely optional and user-initiated — it happens only when you tap a share control and choose a destination. The app never shares your content automatically, and no part of the core experience requires it.

How the Share Card Is Created (On Your Device)

When you choose to share a track, the app assembles a vertical "story card" entirely on your device using Apple's on-device image rendering. The card combines information already present in the app — the track's title, mood, creation date, cover art, your display name, and a "Made with Noema AI" watermark — into a single image. This image generation involves no third party and transmits nothing to Meta or anyone else. Up to this point, your data is used purely internally to build the picture.

What Happens When You Share to Instagram

If you select Share to Instagram, the app hands the finished image to the Instagram app already installed on your device (using Apple's standard pasteboard hand-off) and opens Instagram's own Story composer. At that point:

  • The rendered image — containing the track title, mood, date, your display name, and the cover art shown on the card — is passed to Instagram and is transmitted to Meta's servers if and when you complete the post inside Instagram.
  • An application identifier (a Facebook App ID supplied as source_application) tells Instagram that Noema AI initiated the share. This identifies our app to Meta; it does not transmit your account details, email, listening history, prompts, or any other personal data.
  • Once content reaches Instagram, it is governed by Meta's own Privacy Policy and terms, and Meta acts as an independent controller of what you post. We have no control over, and are not responsible for, how Meta subsequently handles content you choose to share. See the Instagram / Meta Privacy Policy.

We do not embed Meta's SDK, and the Instagram share does not enable any Meta tracking, advertising, or analytics inside the app. The only thing that ever leaves the app for Meta is the image you explicitly choose to post, plus the application identifier described above. Because this is a one-time, user-directed hand-off rather than ongoing processing carried out on our behalf, Meta is not listed as a sub-processor in Section 3.

Other Ways to Share

Instagram is only one optional destination. You can also export a track to your device's Files, use the iOS system share sheet to send it through any app you choose, or share a link to the track. These options do not involve Meta and route your content only to the destination you select. If Instagram is not installed, the Instagram option falls back to the standard iOS system share sheet, where you choose the destination yourself; we do not receive data about where you ultimately send the content.

13. Children's Privacy

The Service is not intended for children under 13, or under 16 if you reside in a jurisdiction that sets a higher age of digital consent (including certain EU/EEA Member States under GDPR Art. 8). We do not knowingly collect personal information from children below the applicable age.

  • The Noema AI iOS app is published with an age rating in the App Store. Parents and guardians can use Apple's Family Sharing and Screen Time controls to prevent download and in-app purchases by minors.
  • By accepting the Terms of Use and using the Service, you represent that you meet the applicable minimum age. (See Section 16 of our Terms of Use for the full age-verification disclosure.)
  • If you are a parent or guardian and believe your child has provided us with personal information without your consent, contact support@melodaistudio.com with the subject line "Child Data Removal". We will verify the request and delete the information promptly.
  • We comply with the U.S. Children's Online Privacy Protection Act (COPPA) and Article 8 of the GDPR. If we learn we have collected personal information from a child below the applicable age without verified parental consent, we will delete it without undue delay.

14. Changes to This Policy

We may update this Privacy Policy from time to time.

When we do, we will update the "Last updated" date at the top of this page. For material changes — for example, the addition of a new sub-processor that processes new categories of personal data, or a change in our lawful basis for processing — we will use reasonable efforts to provide additional notice through the app or by email before the change takes effect.

Continued use of the app after the effective date of an update means you accept the updated policy.

15. Contact Us

If you have any questions about this Privacy Policy or wish to exercise any of the rights described in Section 7, contact us at:

Email: support@melodaistudio.com

Company: Noema Studio LLC (d/b/a Noema AI)

Mailing address: 1600 SW Dash Point Rd, STE B PMB 2015, Federal Way, WA 98023, USA

Data Protection Officer / EU Representative: Noema Studio LLC has not appointed a Data Protection Officer under GDPR Art. 37 or an EU Representative under GDPR Art. 27 at this time, because our current processing activities do not meet the thresholds requiring either appointment (we are not a public authority, we do not engage in large-scale processing of special-category data, and our core activities do not involve regular and systematic monitoring of data subjects on a large scale; we are based in the United States and do not actively market the Service to users in the EU/UK). We monitor this position and will appoint and disclose a DPO or EU Representative if our activities change. EU and UK users may contact us directly using the email above for any privacy matter, including the exercise of GDPR rights.