Privacy Policy

Last updated: April 23, 2026

Perfect Song ("we", "us") provides a custom-song writing service at adoru.app. This policy explains what personal data we collect, why we collect it, how we share it with third-party processors, and the rights you have over your data under the EU General Data Protection Regulation (GDPR), the French Loi Informatique et Libertés, the California Consumer Privacy Act (CCPA/CPRA), and other applicable privacy laws.

1. Who is the data controller

Perfect Song, contactable at hello@adoru.app, is the data controller for personal data processed through this site. For privacy questions, access/deletion requests, or complaints, write to that address and we will respond within 30 days.

2. What data we collect

• Order data you give us via the quiz: name, email, phone (optional), country, the recipient's name and occasion, your memories/story, song preferences (genre, voice, special requests). Used to write your song and to email the finished MP3.
• Payment data is handled by Stripe. We never see or store your card number. Stripe returns to us: order ID, amount, currency, billing email, payment status.
• Device & usage data when you visit the site: IP address (pseudonymised via a salted hash before storage), user-agent string, referring URL, pages viewed, quiz steps completed, timestamps.
• Advertising identifiers set by Meta Pixel (_fbp, _fbc cookies) only after you accept the consent banner. Not set if you reject.

3. Why we process it (legal basis)

• To deliver your song and process payment — contractual necessity (Art. 6(1)(b) GDPR).
• Order support, fraud prevention, dispute handling — legitimate interest (Art. 6(1)(f) GDPR).
• Ad performance measurement and retargeting via Meta Pixel + Conversions API — your consent (Art. 6(1)(a) GDPR). You can withdraw consent at any time by deleting our cookies or writing to us.

4. Who we share data with

• Meta Platforms, Inc. (Facebook/Instagram) — hashed email, hashed phone, hashed first/last name, hashed two-letter country code, IP address, user-agent, _fbp/_fbc, external order reference, purchase event + amount. Sent both from your browser (Meta Pixel) and from our server (Meta Conversions API) with identical event IDs so Meta can deduplicate. Purpose: ad campaign attribution and optimization. See Meta's privacy policy.
• Stripe, Inc. — payment card data goes directly to Stripe; we receive only confirmation and metadata. See Stripe's privacy policy.
• Supabase Inc. — hosts our events log and serverless functions. Data is stored in the eu-central-1 region (Frankfurt, Germany). Standard Contractual Clauses are in place for any EU-to-US transfers. See Supabase's privacy policy.
• Vercel Inc. — hosts the static website. Access logs may be generated by the CDN. See Vercel's privacy policy.
• Google LLC — we record paid orders in a Google Sheet (Apps Script) for internal fulfilment. See Google's privacy policy.

We do not sell your personal information. We do not share your data for cross-context behavioural advertising with anyone other than Meta, and Meta only with your consent.

5. Data source declaration for retargeting (Meta)

Audience data used for Meta retargeting and custom audiences originates from: (a) people who visited this website and accepted the analytics consent, and (b) people who placed a paid order on this website. No third-party, scraped, or purchased audience data is used.

6. International transfers

Your data may be transferred to and processed in the United States by Meta, Stripe, Vercel, and Google. These transfers are protected by Standard Contractual Clauses (Art. 46 GDPR) and, where applicable, the EU-U.S. Data Privacy Framework.

7. How long we keep it

• Order records (incl. your story/brief, email) — 7 years, to comply with tax and accounting obligations.
• Event log (pixel/CAPI events) — 13 months rolling, then deleted.
• Cookies set by Meta Pixel — up to 90 days (per Meta's policy).

8. Your rights

Under GDPR (EU/UK) and equivalent laws, you can:

• Access a copy of your personal data.
• Correct inaccurate data.
• Delete your data ("right to be forgotten"), subject to our legal retention obligations.
• Restrict or object to processing.
• Receive your data in a portable format.
• Withdraw consent for analytics/advertising at any time.
• Lodge a complaint with your supervisory authority — in France, the CNIL; in the EU generally, your national Data Protection Authority.

To exercise any right, email hello@adoru.app from the address on your order. We verify identity before disclosing or deleting data.

9. Cookies & consent

We use strictly-necessary cookies to run the site (these cannot be disabled). Analytics/advertising cookies (Meta Pixel _fbp, _fbc) are only set after you click Accept on the consent banner. You can change your choice by clearing ps_consent_v1 from your browser storage — the banner will reappear on next visit.

10. Children

The site is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has given us data, email us and we will delete it.

11. Changes

We may update this policy. Material changes will be announced on the homepage for at least 14 days before they take effect.

Perfect Song · hello@adoru.app · Terms of Service · Home