Privacy Policy

Last Updated: 4/1/2026

1. Overview

EVA is an AI-powered music discovery service. This Privacy Policy explains how EVA collects, uses, and protects your personal information.

2. Information We Collect

EVA collects the following information:

  • Email Address: Collected via Google OAuth login
  • Name and Profile Photo: From your Google account
  • IP Address: For security and audit logs
  • User-Agent: Browser and device information
  • Timezone: For service improvement and fingerprinting
  • Music Preferences: Liked songs, search history, saved playlists
  • YouTube OAuth Tokens: When using playlist export feature

3. Purpose of Collection

  • Provide personalized music recommendations
  • Prevent service abuse and enhance security
  • Improve service quality and analytics
  • Provide user support

4. Third-Party Services

Collected data is shared with the following third-party services:

  • Supabase (USA): Database and authentication
  • Google Gemini (USA): AI music recommendation engine
  • Sentry (USA): Error tracking and monitoring (anonymized session ID, browser info, error messages, anonymized IP address)
  • Upstash (USA/EU): Redis caching and rate limiting
  • YouTube (USA): Playlist export (optional feature)

⚠️ All international data transfers are based on Standard Contractual Clauses (SCC).

5. Retention Period

  • Account Data: Retained until account deletion
  • Audit Logs: Automatically deleted after 1 year
  • Inactive Accounts: Notified after 2 years of inactivity, then deleted

6. Your Rights (GDPR)

You have the following rights:

  • Right to Access: View your personal information
  • Right to Rectification: Request correction of inaccurate data
  • Right to Erasure: Permanently delete account and data
  • Right to Data Portability: Download your data in JSON format
  • Right to Restriction: Request suspension of specific processing

Exercise your rights on the Privacy Settings page.

7. Data Security

  • HTTPS encryption for data transmission
  • Supabase Row Level Security (RLS) enforcement
  • Encrypted OAuth token storage
  • Regular security audits

8. Cookies

EVA uses the following cookies:

  • Supabase Authentication Cookie (Required): Maintains login session
  • Purpose: User authentication state management
  • Expiration: 1 week

Since login is required, no separate Cookie Consent Banner is provided.

9. Children's Privacy

EVA does not knowingly collect personal information from children under 13. If we become aware of such collection, the account will be immediately deleted.

10. Changes to Privacy Policy

This policy may be updated as needed, and changes will be posted on this page. For significant changes, we will notify you via email.

11. Contact

For privacy-related inquiries, please contact:

[email protected]