Privacy Policy
This policy explains what information Mugical collects, how we use it, who we share it with, and the choices you have.
Last updated: April 4, 2026
1. Information We Collect
We collect only the information needed to operate the service and maintain your account:
Account information:
- Email address and display name (required for account creation).
- Hashed password (we never store or transmit your password in plaintext — it is one-way hashed using bcrypt).
- If you sign in with Google: your email, name, and Google account identifier. We request only the "openid email profile" scopes and do not access Gmail, Drive, Calendar, or any other Google service.
Billing information:
- Stripe customer ID and subscription status. We do NOT receive, store, or have access to your full credit card number, CVV, or bank details — all payment data is handled directly by Stripe under their PCI-DSS Level 1 certification.
- Purchase history and credit balance.
Service usage:
- Lyrics generation inputs (genre, mood, inspiration text, custom style notes) and outputs (generated lyrics).
- Model selection, tier, and credit-deduction records.
- IP address and request metadata, used solely for rate-limiting, abuse prevention, and security auditing.
- Basic error and performance telemetry (timestamps, error codes, response times).
2. How We Use Your Information
- To provide the lyrics generation service and store your saved lyrics library.
- To authenticate you and secure your account.
- To process payments, track credit balances, and manage subscriptions.
- To enforce rate limits, detect abuse, and prevent fraud.
- To send transactional emails (receipts, account notifications, password resets). We do not send marketing emails without your explicit opt-in.
- To improve model routing, quality, and reliability using aggregated and anonymised usage patterns.
- To comply with legal obligations and respond to lawful requests from authorities.
3. Third-Party Service Providers
We use a small number of reputable third-party services to operate Mugical. Each processes only the minimum data required for its specific function:
- Stripe (payments): Processes credit card transactions and subscriptions. Governed by Stripe's privacy policy at stripe.com/privacy.
- Google (OAuth authentication): If you choose Google sign-in, Google receives the authentication request. Governed by policies.google.com/privacy.
- OpenRouter (AI inference): When you generate lyrics, your prompt inputs (genre, mood, inspiration text, custom style notes) are transmitted to OpenRouter and routed to the model you selected. OpenRouter is our LLM gateway provider. Governed by openrouter.ai/terms.
- Hostinger (hosting): Our servers and database run on Hostinger VPS infrastructure.
We do not sell, rent, or trade your personal information to advertisers, data brokers, or any other third parties.
4. Data Retention
- Account data is retained for the lifetime of your account plus a short period after deletion (up to 30 days) for backup, recovery, and fraud-prevention purposes.
- Generated lyrics and saved library entries are retained as long as your account is active. You can delete individual entries at any time from your library.
- Generation logs (prompts, outputs, metadata) are retained for up to 24 months for quality, debugging, and training purposes, in anonymised or pseudonymised form where feasible.
- Billing records are retained for at least 7 years as required by tax and accounting regulations.
5. Your Rights
Depending on your jurisdiction (including the EU/UK under GDPR and California under CCPA/CPRA), you have the following rights regarding your personal data:
- Access: Request a copy of the personal information we hold about you.
- Correction: Ask us to correct inaccurate or incomplete information.
- Deletion: Request that we delete your account and associated personal data, subject to legal retention requirements.
- Portability: Request an export of your data in a machine-readable format.
- Objection: Object to certain processing activities, including the use of your data for training purposes.
- Withdraw consent: Where processing is based on consent, you may withdraw it at any time.
- Lodge a complaint: You have the right to complain to your local data protection authority.
To exercise any of these rights, contact us at the email address at the bottom of this page. We will respond within 30 days.
6. Security
We take reasonable measures to protect your information, including:
- TLS encryption for all traffic between your browser and our servers.
- Bcrypt password hashing with industry-standard cost factors.
- Per-user data scoping — users cannot access other users' lyrics, library entries, or account data.
- Rate limiting and abuse detection at the API layer.
- Regular security patches and dependency updates.
- Encrypted database backups with limited retention.
No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
7. Cookies & Similar Technologies
Mugical uses only essential cookies and local storage required to operate the service:
- Authentication tokens (JWT) stored in your browser to keep you signed in.
- Session state for the lyrics generator and saved library.
- Stripe's payment session cookies, set during checkout only.
We do not use advertising cookies, tracking pixels, or third-party analytics that profile users across sites.
8. International Data Transfers
Mugical is operated from the United States. If you access the service from outside the US, your information will be transferred to, stored, and processed in the US and potentially in other jurisdictions where our service providers operate.
Where required, we rely on Standard Contractual Clauses or equivalent transfer mechanisms to protect personal data in accordance with applicable data protection laws.
9. Children's Privacy
Mugical is not intended for use by children under 13 (or under 16 in the EU/EEA). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.
10. Changes to This Policy
We may update this privacy policy from time to time. Material changes will be communicated via email or an in-app notice at least 14 days before they take effect. The "Last updated" date at the top of this page always reflects the most recent revision.
Privacy questions or data requests? privacy@mugical.ai