Skip to main content
LrcSong

Privacy Policy

Last updated: 23 April 2026.

This Privacy Policy explains how LrcSong ("we", "us", "our") collects, uses, stores and shares information when you use lrcsong.com("Service"). By using the Service you agree to this policy. If you do not agree, please do not use the Service.

Operator / data controller: LrcSong. Contact for privacy matters: support@lrcsong.com.

1. Information we collect

(a) Account data

  • Email address (required to create an account).
  • A salted bcrypt hash of your password. We never store or see the plaintext.
  • Optional display name and avatar URL.
  • Credit balance, subscription plan, and lifetime credit usage.
  • Email verification state and password-reset tokens.

(b) Usage data

  • Records of AI jobs you run: job type, status, duration, error messages, and credits consumed. These are retained for up to 7 days before automatic deletion.
  • Webhook event receipts from Stripe (for idempotency and audit).
  • Server access logs (IP address, user-agent, request path, timestamp). Retained up to 30 days for abuse detection and debugging.

(c) Uploaded files

  • Audio, video, image, and subtitle files you upload are written to a short-lived temporary directory for processing and deleted immediately once the response is returned or the background job completes.
  • For in-browser tools (subtitle converters, viewers, validators, lyrics cleaner, CUE splitter), files never leave your browser — no server upload happens.

(d) Payment data

  • We do not see or store card numbers. Payments are processed directly by Stripe; we store only your Stripe customer/subscription identifiers and subscription status.

2. Legal basis for processing (EU / UK users)

  • Contract — to create your account, deliver the Service, process payments.
  • Legitimate interests — to prevent fraud, debug failures, and secure the platform (rate limiting, abuse detection, access logs).
  • Consent — for optional features (e.g., marketing emails, if ever introduced). Withdrawable at any time.
  • Legal obligation — to retain invoices and tax records where law requires.

3. Self-hosted AI — what does NOT leave our server

Our AI transcription engine and the LrcSong AI Assistant run on our own infrastructure. Your audio, text, and prompts are notforwarded to any third-party AI provider in the default deployment. Operators can optionally enable a cloud-AI fallback for specific endpoints; this is off in the public deployment.

4. Third-party processors

  • Stripe (payments) — processes your card, email, billing address. See Stripe's privacy policy.
  • SMTP relay (e.g., Gmail, Postmark — operator-configurable) — delivers transactional emails (verification, password reset).
  • YouTube — if you paste a YouTube URL, yt-dlp fetches the public video from YouTube on our behalf. YouTube receives our server's IP address; it does not receive your account email.
  • Let's Encrypt — issues the TLS certificate for the site.
  • Google Fonts — loads the Inter web font. Google receives your IP address when the font is fetched. No cookies are set.

We do not use analytics, advertising pixels, or tracking cookies. No data is sold.

5. Cookies & similar technologies

We set one cookie:

  • lrcsong_refresh — HTTP-only, Secure, SameSite=Lax, scoped to /auth. Holds the signed refresh token that keeps you logged in between visits. Expires in 30 days or when you log out.

We also use browser localStorage to cache your current access token and user profile so the UI doesn't refetch on every page reload. Clearing site data signs you out.

6. Data retention

  • Account records (email, password hash, credits, subscription) — kept while your account is active. Hard-deleted on account deletion via ON DELETE CASCADE.
  • Job records — 7 days, then auto-swept.
  • Uploaded files — minutes to hours (only while the job runs), then deleted.
  • Stripe webhook receipts — 90 days for reconciliation and audit.
  • Server logs — up to 30 days.
  • Invoices & tax records — retained for the period required by applicable law (typically 7 years).

7. Your rights

You have the following rights over your personal data, subject to applicable law (GDPR / UK GDPR / CCPA and equivalents):

  • Access — request a copy of the data we hold about you.
  • Rectification — correct inaccurate data (edit your profile directly, or email us).
  • Erasure — delete your account at any time from Account → Delete Account, or email us. All rows tied to your user ID are hard-deleted.
  • Portability — export your job history as JSON (from the Job History page) or on request.
  • Restriction / Objection — ask us to stop specific processing where you have grounds.
  • Withdraw consent — for any consent-based processing, at any time.
  • Complaint — you may lodge a complaint with your local data-protection authority.

To exercise any of these rights email support@lrcsong.com. We respond within 30 days.

8. Security

The Service is served over TLS 1.2+ (via Let's Encrypt) with HSTS enabled. Passwords are hashed with bcrypt. Access tokens are short-lived (15 min) and the refresh cookie is HTTP-only + Secure + SameSite=Lax. Admin endpoints require an is_admin flag. Rate limits protect login, registration, and password reset from brute-force abuse. We still recommend you use a strong, unique password and a password manager. No system is perfectly secure; if you believe you've found a vulnerability, email support@lrcsong.com.

9. Children

The Service is not directed to children under 13 (or the age of digital consent in your jurisdiction, whichever is higher). We do not knowingly collect personal data from children. If you believe a child has registered, email us and we will delete the account.

10. International transfers

Our servers are hosted on Microsoft Azure. Depending on your location, your data may be processed outside your country of residence. Where we use sub-processors (Stripe, SMTP providers), data transfers rely on standard contractual clauses or other lawful mechanisms published by those providers.

11. Changes to this policy

If we change this policy in any material way we will post the updated version here and update the "Last updated" date above. Continued use of the Service after a change constitutes acceptance.

12. Contact

Questions, requests, or complaints — email support@lrcsong.com.

We use cookies for auth and, optionally, privacy-friendly analytics. You can accept, decline, or read our privacy policy.

Install LrcSong
Add to your home screen for offline tools and faster startup.