Legal

Privacy Policy

Last updated: April 2026

Contents

1. Data Controller 2. Data We Collect 3. Audio Files 4. Legal Basis 5. Third-Party Processors 6. Cookies & Local Storage 7. Data Retention 8. International Transfers 9. Your Rights (GDPR)10. Children 11. Security 12. Changes 13. Contact

This Privacy Policy explains how 44Stems (“we”, “us”, “our”) collects, uses, and protects your personal data when you use our Service at 44stems.com. We are committed to protecting your privacy and complying with applicable data protection laws, including the GDPR.

1. Data Controller

The data controller for personal data processed through 44Stems is 44Stems, operating from France. For privacy-related inquiries, contact us at hello@44stems.com.

2. Data We Collect

We collect the following categories of personal data:

Account data: email address, authentication provider (Google, Apple), display name.
Usage data: processing history (filenames, durations, timestamps), subscription plan, credit usage.
Payment data: subscription status, billing period. Payment card details are handled exclusively by Stripe and are never stored by 44Stems.
Technical data: IP address, browser type, operating system, referrer URL, and basic analytics (page views, feature usage).

3. Audio Files

Audio files you upload are processed solely to deliver the stem separation you requested. They are stored temporarily in your private workspace in Cloudflare R2 object storage.

Your audio files are never used to train, fine-tune, or improve AI models— ours or any third party's. Your music stays yours.

You can delete your files at any time from your account. We retain audio files for up to 30 days after processing to allow you to re-download stems. After this period, or when you delete them manually, files are permanently removed.

4. Legal Basis (GDPR)

Contract performance (Art. 6(1)(b)): Processing your audio files, managing your account, billing.
Legitimate interest (Art. 6(1)(f)): Service analytics, fraud prevention, improving reliability.
Consent (Art. 6(1)(a)): Non-essential cookies, if applicable.
Legal obligation (Art. 6(1)(c)): Compliance with applicable laws (tax records, DMCA).

5. Third-Party Processors

We use the following sub-processors to operate the Service:

SupabaseAuthentication and databaseUS / EU

Cloudflare R2Audio file storageUS

Modal LabsGPU processing (AI inference)US

StripePayment processing and subscriptionsUS / EU

GoogleOAuth authenticationUS / EU

VercelWeb hosting and CDNUS / EU

Each processor is bound by data processing agreements and applicable law.

6. Cookies & Local Storage

We use a minimal set of cookies and browser storage:

Supabase auth session cookie: Required for authentication. Expires with your session or after 7 days.
LocalStorage (44stems-preferences): Saves your UI preferences (theme, quality settings) locally. Never sent to our servers.

We do not currently use third-party tracking or advertising cookies.

7. Data Retention

Audio files: Retained for up to 30 days after processing, then permanently deleted.
Account data: Retained while your account is active. Deleted within 30 days of account deletion request.
Billing records: Retained for 7 years as required by French accounting law.
Technical logs: Retained for up to 90 days for security and debugging purposes.

8. International Transfers

Some of our processors (Modal, Cloudflare, Supabase, Stripe, Vercel) operate in the United States. Transfers to the US are covered by Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework where applicable.

Audio processing via Modal runs in US-based data centers. If regional data residency is important to your use case, contact us to discuss options.

9. Your Rights (GDPR)

If you are in the EU or UK, you have the following rights:

Access: Request a copy of the personal data we hold about you.
Rectification: Correct inaccurate or incomplete data.
Erasure: Request deletion of your data (“right to be forgotten”).
Portability: Receive your data in a structured, machine-readable format.
Restriction: Request that we restrict processing of your data in certain circumstances.
Objection: Object to processing based on legitimate interest.
Withdraw consent: Where processing is based on consent, withdraw it at any time.

To exercise any of these rights, email us at hello@44stems.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

10. Children

The Service is not directed to children under 13 (under 16 in the EU/UK). We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us at hello@44stems.com and we will delete it promptly.

11. Security

We implement technical and organizational measures to protect your data, including:

Encryption in transit (TLS/HTTPS) for all data transfers.
Encryption at rest for files stored in Cloudflare R2.
Workspace isolation — each user's files are stored in a private, scoped bucket path inaccessible to other users.
Row-level security in Supabase — database queries are scoped to authenticated user IDs.

No method of transmission or storage is 100% secure. If you discover a security vulnerability, please disclose it responsibly at hello@44stems.com.

12. Changes

We may update this Privacy Policy from time to time. For material changes, we will notify you via email or a prominent notice on the Service at least 30 days before changes take effect. The “last updated” date at the top reflects the most recent revision.

13. Contact

For privacy questions, data requests, or concerns, contact us at hello@44stems.com.

This document was last updated in April 2026 and is based on GDPR best practices. It is not legal advice.