# Study Singalong — Privacy Policy

**Effective date:** 25 April 2026
**Last updated:** 25 April 2026
**Controller:** Froggy Eye Ltd, United Kingdom.
**Contact:** info@froggyeye.com

---

## At a glance

Study Singalong turns your study notes into AI-generated songs. To do that we process a small amount of your data — enough to create your account, write lyrics from your notes, generate music, let you pay, and keep the service running. We don't sell your data, we don't show ads, and we don't track you for advertising across the internet.

The key things you should know:

- We store your account (email + age band) and the songs you make.
- Your notes and lyrics are sent to our processors (OpenAI and Mureka) to generate the lyrics and music. They're instructed not to train on your content.
- You can delete your account and all associated data from inside the app at any time.
- Minors (13+) — we explicitly do not serve users in countries whose digital-consent age is 16 until we ship a parental-consent flow. See §10.
- If you're based in the UK or EU, you have full UK/EU GDPR rights (§9).

---

## 1. Who we are

The controller of your personal data is **Froggy Eye Ltd** ("we", "us", "Froggy Eye"), a company registered in England & Wales. Our contact details are in §14.

Study Singalong ("the app") is a mobile application for iOS and Android that lets students turn revision notes into AI-generated songs. We act as the data controller for the information described in this policy.

## 2. What information we collect

### 2.1 Information you give us

- **Account:** email address, password (stored only as a secure hash, and only if you sign up with email), date of birth (used to derive an age bracket; the raw date is not stored beyond the age check).
- **Social sign-in:** if you choose **Sign in with Apple** or **Sign in with Google**, we receive an identity token from Apple or Google that contains your email address (or Apple's private relay email, if you choose it) and, on first sign-up with Apple, your name if you consent to share it. We don't receive passwords, OAuth refresh tokens to your third-party account, or anything else from those providers.
- **Revision notes and lyrics:** the text, photos, PDFs, and Word documents you add on the Capture screen, plus the AI-generated lyrics derived from them.
- **Songs:** the MP3 audio files generated for you, along with the prompt and lyrics used to produce them.
- **Support messages:** if you email us we keep the message, your email address, and anything you chose to tell us.
- **Report submissions:** if you tap "Report" on a song, we keep the report reason, any notes you wrote, and the song id.

### 2.2 Information collected automatically

- **Technical data:** device type, operating system version, app version, crash reports, approximate region (derived from network at request time — we do not store GPS location).
- **Usage data:** which screens you visit, how many songs you've generated, when your free-tier cycle resets. We use this for product improvement and quota enforcement.

### 2.3 Information from third parties

- **Purchase confirmations** from Apple App Store and Google Play when you buy a subscription or a song pack (transaction id, product id, purchase date, whether you're still subscribed). We do **not** receive your card number or full billing address.

### 2.4 What we do NOT collect

- We do **not** read your contacts, call logs, messages, location history, microphone beyond active recording if you use voice dictation (feature not yet live), photos you didn't explicitly select, or any accounts outside Study Singalong.
- We do **not** run behavioural advertising trackers, third-party analytics SDKs, or social-media pixel SDKs.
- We do **not** perform OCR on your photos remotely — image-to-text extraction runs entirely on your device using Apple / Google ML Kit. Only the resulting text leaves your device.

## 3. How we use your information

| Purpose | Data used |
|---|---|
| Creating and securing your account | Email, password hash, age band |
| Writing lyrics from your notes | Notes, subject, genre, selected song length |
| Generating music | Lyrics, genre/style prompt |
| Storing and playing your songs | MP3 files, lyric timing data, subject/genre metadata |
| Enforcing the free-tier quota | Entitlement tier, free-songs-used-this-cycle counter |
| Processing subscriptions | Platform receipts from Apple / Google |
| Safety moderation | Notes, generated lyrics, generated audio metadata |
| Keeping the service reliable | Device and usage data, crash reports |
| Responding to reports of inappropriate content | Report reason, song id, reporter user id |
| Complying with legal obligations (tax, records) | Purchase records |

## 4. Legal basis for processing (UK / EU GDPR)

- **Performance of a contract** (Art. 6(1)(b)): to create your account and deliver the song-generation service you asked for.
- **Legitimate interests** (Art. 6(1)(f)): keeping the app reliable, detecting abuse, preventing fraud, moderating content to keep the service safe for a teen audience. You can object to processing on this basis — see §9.
- **Consent** (Art. 6(1)(a)): for optional features that require explicit opt-in (e.g. future email newsletters — not yet live). You can withdraw consent at any time.
- **Compliance with a legal obligation** (Art. 6(1)(c)): retaining purchase and tax records for the period required by UK law.

## 5. How long we keep it

- **Account and profile data:** as long as your account exists. On deletion (in-app Settings → Delete account), we remove your profile, songs, attachments, and moderation events within 30 days, except where we're legally required to retain purchase/tax records.
- **Songs and audio files:** kept while your account exists. Signed URLs expire 30 minutes after issue for security.
- **Moderation events:** retained for up to 24 months to help us improve safety detection and respond to repeat issues. Anonymised after that.
- **Crash and usage logs:** retained for up to 90 days.
- **Purchase and tax records:** retained for 7 years to meet UK HMRC requirements.

## 6. Who we share your information with

We use a small number of specialist service providers ("processors") to run the app. Each is contractually bound not to use your data for their own purposes.

| Provider | Role | Where they process data |
|---|---|---|
| **Supabase Inc.** (our backend — hosts the database, authentication, storage, and edge functions) | Storage of your account, songs, purchases, and content | EU / Frankfurt region |
| **OpenAI, L.L.C.** (lyric generation via `gpt-4o-mini` + content moderation) | Processes the text of your notes + generated lyrics to produce songs and enforce safety rules. Instructed not to train on API inputs. | United States |
| **SKYWORK AI PTE. LTD.** (Mureka — music generation) | Processes your lyrics + style prompt to produce the audio file. Contractual term: does not train on your content. | Singapore |
| **Apple Inc. / Google LLC** (App Store / Google Play) | Receipt verification for subscriptions and one-off purchases | United States / Ireland |
| **Apple Inc.** (Sign in with Apple) | If you sign in with Apple, we receive an identity token from Apple together with your Apple ID email (or a private relay address you choose) and, only on first sign-up, your name if you consent to share it. We don't receive your password or any other Apple account data. | United States / Ireland |
| **Google LLC** (Google Sign-In) | If you sign in with Google, we receive an identity token from Google together with your Google account email and display name. We request only the `openid`, `email`, and `profile` scopes; we don't see your Drive, contacts, calendar, or anything else. | United States / Ireland |

We do **not** sell your personal data to anyone, and we do **not** share it with advertisers or data brokers.

We may share data where legally compelled (court order, law enforcement request with valid legal basis) or where necessary to protect the safety of users or the public.

## 7. International transfers

Some of our processors are based outside the UK. When we transfer personal data internationally we rely on one of the UK/EU-approved transfer mechanisms:

- **UK International Data Transfer Agreement ("IDTA")** or the **EU Standard Contractual Clauses ("SCCs")** with our sub-processors.
- Where available, transfers to jurisdictions the UK/EU has deemed **adequate**.

You can ask for a copy of the specific safeguards in place for any transfer at the contact address in §14.

## 8. AI content generation

Study Singalong uses AI to write lyrics and generate audio. A few things you should know specifically about that:

- **Accuracy:** AI-generated lyrics may occasionally contain mistakes, hallucinations, or oversimplifications. You should always verify important facts against your original notes or a trusted source — we aim for memorisability, not encyclopedic accuracy.
- **Uniqueness:** because of how generative AI works, two students with similar notes may receive lyrics or music with similar elements. Ownership of the output is assigned to you (under our Terms of Service), but the same or similar content may appear in other users' songs.
- **Safety:** every note input and every generated lyric is passed through an automated moderation check before it reaches the music model or your device. Content that fails the check is blocked and logged.
- **Training:** neither OpenAI (API tier) nor Mureka trains their models on your content. We ourselves do not train any model on your content.
- **Reporting:** if you encounter AI output that's inappropriate, inaccurate, or broken, tap the flag icon on the player screen. Reports are reviewed and factored into our moderation rules.

## 9. Your rights

Under UK GDPR (and EU GDPR where applicable), you have the right to:

- **Access** the personal data we hold about you.
- **Rectify** inaccurate personal data.
- **Erase** your personal data ("right to be forgotten") — the easiest way is **Settings → Delete account** in the app, which removes your account within 30 days.
- **Restrict** processing.
- **Port** your data to another service (we will provide a structured export on request).
- **Object** to processing based on legitimate interests (§4).
- **Withdraw consent** where we relied on it.
- **Complain** to a supervisory authority. The UK authority is the **Information Commissioner's Office** (ico.org.uk, 0303 123 1113). Residents of EU/EEA countries can contact their local data-protection authority.

To exercise any right other than "Delete account", email **info@froggyeye.com**. We will respond within 30 days.

## 10. Children and minors

Study Singalong is designed for students aged **13 and over**. We do not knowingly collect personal data from anyone under 13. If you believe a child under 13 has created an account, please contact us at **info@froggyeye.com** and we will delete the account within 7 days.

For launch (v1.0) we do **not** serve users in countries whose digital-consent age is 16 under the EU GDPR (for example Germany, Austria, Ireland, Netherlands, Poland) until we ship a verified parental-consent flow. These territories are excluded from the App Store and Google Play listings for the current version.

We follow the principles of the UK ICO's **Age-Appropriate Design Code** ("Children's Code"):

- High-privacy defaults
- Minimal data collection
- No profiling for advertising
- Clear, plain-English privacy information
- Transparency about who we share data with and why
- Easy-to-use deletion and access tools

We do not serve behavioural advertising to any user regardless of age.

## 11. Security

We take reasonable and appropriate technical and organisational measures to protect your data, including:

- All traffic over TLS 1.2+.
- Authentication tokens stored in the iOS Keychain / Android EncryptedSharedPreferences — never in plain preferences or cloud backup.
- Service-role credentials stored server-side in Supabase Vault.
- Row-level security on every database table so users can only read their own data.
- Input moderation on generated content.
- Rate limiting on all AI endpoints to prevent abuse.
- On-device OCR — your photos aren't uploaded for text extraction.
- Regular dependency audits.

No system is perfectly secure. If we ever suffer a personal-data breach that's likely to result in a high risk to your rights, we'll notify you and the ICO within the timelines required by law.

## 12. Cookies and similar technologies

Study Singalong is a native mobile app and does not use cookies. We do not use web-view tracking or advertising SDKs. Our app uses a secure, non-advertising identifier (your Supabase user id) only for authentication.

## 13. Links to other services

The app links out to Apple App Store, Google Play, and our own web pages (Terms, Support). Once you follow one of those links their own privacy policies apply, not ours.

## 14. Contact us

**Froggy Eye Ltd** — United Kingdom

- **General / privacy:** info@froggyeye.com
- **Support:** info@froggyeye.com
- **Data subject access requests:** info@froggyeye.com

If you're not satisfied with our response, you can complain to the **Information Commissioner's Office** at ico.org.uk or by phoning 0303 123 1113.

## 15. Changes to this policy

We may update this policy from time to time. If we make material changes we'll notify you in-app at least 14 days before the change takes effect. The current version and effective date are always shown at the top of this page.

---

_This policy is provided in plain English and is non-exhaustive. If you have questions about any part of it, please contact info@froggyeye.com._