Legal

Privacy Policy

Effective May 16, 2026

This policy describes what data GhostMidi collects, how we use it, who we share it with, and your rights. We don't sell your data, ever.

What we collect

If you use the Service anonymously (no account):

  • Your project state, stored entirely in your browser's localStorage. We never see it on our servers.
  • A daily generation counter, also in localStorage.
  • Standard server access logs (IP address, browser type, request paths) — same as any website. Used only for debugging and abuse prevention.

If you create an account, we additionally collect:

  • Your email address (for sign-in + transactional emails).
  • A hashed password (we never see your plaintext password — Supabase handles auth).
  • Your plan (Free or Pro) and Stripe customer ID (for billing).
  • A per-day count of generations you've run (for rate-limit enforcement).

If you upgrade to Pro, we additionally collect:

  • The project states you save to the cloud — your MIDI notes, track configurations, project names. Stored in our database in a way only you can read.

What we don't collect

  • We don't use third-party analytics SDKs (Google Analytics, Mixpanel, etc.).
  • We don't use advertising trackers or sell data to ad networks.
  • We don't fingerprint your device, scan your other tabs, or track you across sites.
  • We don't store your credit card data — Stripe handles all payment information directly.

How we use what we collect

  • To operate the Service (auth, billing, generating music, saving your projects).
  • To enforce rate limits and prevent abuse.
  • To send transactional email (account confirmation, payment receipts, password resets).
  • To debug issues you report.

We do notread your project content, your prompts, or your generated MIDI for any other purpose. We don't train models on your data.

Who we share data with (subprocessors)

  • Anthropic — receives the prompts you submit + project context (other tracks' notes) so it can generate MIDI. Their privacy policy applies to that interaction.
  • Supabase — hosts our database (your account data, your cloud-saved projects).
  • Stripe — handles all billing. Receives your email, payment method, and billing address directly when you upgrade.
  • Vercel — hosts the Service. Standard web hosting logs apply.
  • Namecheap — handles email forwarding for support and feedback addresses.

We don't share your data with anyone else. If we were ever legally compelled to (subpoena, court order), we'd notify you unless prohibited.

Cookies and local storage

We use the minimum cookies necessary:

  • An authentication session cookie (only if you're signed in).
  • Your browser's localStorage for anonymous-mode project state and usage counter.

We don't use tracking cookies or marketing pixels. You can clear cookies/localStorage any time via your browser settings — anonymous work will be deleted; account data is preserved.

Your rights

  • Access: email support@ghostmidi.comand we'll provide a copy of the data we hold about you.
  • Deletion: email us to delete your account. Active subscriptions will be cancelled. Project data, generation history, and account record will be removed within 30 days.
  • Portability: cloud-saved projects can be exported as .mid files at any time from the app.
  • Correction: update your email by emailing support; rename your projects directly in the app.

Data retention

We retain account data and cloud-saved projects as long as your account is active. After account deletion, data is removed within 30 days. Server logs are retained for 30 days for debugging and abuse prevention, then deleted.

Children

The Service isn't directed at children under 13 and we don't knowingly collect data from them. If you believe a child has created an account, email us and we'll delete it.

Changes

Material changes to this policy will be announced via email to account holders. Minor changes will be reflected in the “Effective” date at the top.

Contact

Privacy questions or requests: support@ghostmidi.com.