Privacy

Privacy Policy

Last updated: March 9, 2026

At Celestial Interactive, we are committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use MandoScribe. As a business based in Japan, we comply with the Act on the Protection of Personal Information (APPI), in addition to the General Data Protection Regulation (GDPR) and other applicable data protection laws.

1. Data Controller

Contact Information

Celestial Interactive (Sole Proprietorship) Owner: Alexander Adam Laurence Address: 〒220-0072 Kanagawa-ken, Yokohama-shi, Nishi-ku, 1-4-3 Asamacho, Wizard Building 402 Email: legal@mandoscribe.com

2. Personal Data We Collect

We collect the following types of personal data:

Account Information

  • Email address
  • Name (if provided)
  • Profile picture (if using OAuth)
  • Authentication credentials

Usage Data

  • Songs and musical content you create
  • Feature usage patterns
  • Device information and IP address
  • Browser type and version

Payment Information

Payment details are collected and processed by Lemon Squeezy, our Merchant of Record. We do not store your full credit card information on our servers. We may receive limited billing-related identifiers and transaction metadata from Lemon Squeezy, such as customer, subscription, order, status, and similar payment administration references.

Beta Service Data

  • Debug logs and error reports
  • Performance metrics
  • Feedback you provide directly
  • Operating system and browser information included only when you choose to submit a bug report

3. How We Use Your Data

We process your personal data for the following purposes:

Authentication & Service Delivery

Provider: Supabase (USA/EU) Purpose: Account creation, login, and storing your songs securely. Legal Basis: Contract performance (Art. 6(1)(b) GDPR)

Public Sharing & Search Visibility

Purpose: Enabling public links and Song Library pages to be publicly accessible and discoverable. Data Covered: Public share links, Song Library uploads, song title/artist metadata, and preview images shown for those public pages. Search Engines: Public links and library songs may be crawled and may appear in search engine results (for example, Google). Once indexed, third-party caching and re-indexing timelines are controlled by those search engines. Legal Basis: Contract performance (Art. 6(1)(b) GDPR) and Legitimate Interest (Art. 6(1)(f) GDPR) for service discoverability.

AI-Powered Features

Provider: Google Gemini API (USA) Purpose: Generating lyric suggestions and chord recommendations. Data Sent: Lyric context and chord progressions (anonymized). Legal Basis: Contract performance (Art. 6(1)(b) GDPR) Note: We do not use your User Content to train our own AI models. Data sent to Google Gemini is used solely for generating suggestions.

Email Delivery

Provider: Third-Party SMTP Providers Purpose: Sending transactional emails (e.g., password resets) and contact form messages. Legal Basis: Legitimate Interest (Art. 6(1)(f) GDPR)

Bug Reports & Diagnostics (Optional)

Purpose: Investigating and resolving bug reports you voluntarily submit. Data Covered: The bug report details you enter, the relevant score snapshot, and your operating system and browser information. Scope Limitation: We record this diagnostic information only if you choose to submit a bug report, and we use it only for diagnostic and support purposes. Legal Basis: Legitimate Interest (Art. 6(1)(f) GDPR)

Payment Processing

Provider: Lemon Squeezy (USA) Purpose: Processing subscription payments, handling taxes and invoicing. Legal Basis: Contract performance (Art. 6(1)(b) GDPR)

Fraud Prevention, Abuse Detection & Account Enforcement

Purpose: Protecting the Service, preventing fraud and abuse, detecting prohibited multi-account activity, investigating suspected violations of our Terms, and enforcing account suspensions, terminations, and bans. Data Covered: Account information, device information, IP address, browser and technical signals, usage patterns, and limited billing-related identifiers or transaction metadata supplied by Lemon Squeezy. Legal Basis: Legitimate Interest (Art. 6(1)(f) GDPR) in securing the Service, preventing abuse, and enforcing our contractual terms; and, where applicable, compliance with legal obligations (Art. 6(1)(c) GDPR).

Analytics (Optional)

Provider: PostHog (EU) Purpose: Understanding how users interact with our service to improve it. Legal Basis: Consent (Art. 6(1)(a) GDPR) — Only activated if you accept analytics cookies.

4. Data Retention

We retain your personal data for as long as your account is active or as needed to provide you with our services. If you delete your account, we will delete your personal data within 30 days, except where we are required to retain it for legal or regulatory purposes. We may also retain limited records reasonably necessary to investigate or document fraud, abuse, chargebacks, security incidents, prohibited multi-account activity, or account bans, and to protect the Service or defend legal claims, for as long as reasonably necessary for those purposes and as permitted by applicable law.

5. International Data Transfers

Your data may be transferred to and processed in countries outside Japan, including the United States and European Union. We ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the EU Commission
  • Use of service providers with adequate data protection certifications
  • Data Processing Agreements with all third-party processors

6. Your Privacy Rights (Global)

We believe privacy is a fundamental right. Regardless of where you live (EU/EEA, California, Japan, or elsewhere), we extend the following rights to all our users. For users in Japan, these rights align with the APPI:

Right of Access

Request a copy of your personal data.

Right to Rectification

Request correction of inaccurate data.

Right to Erasure ("Right to be Forgotten")

Request deletion of your account and all associated personal data. Contact us at legal@mandoscribe.com to exercise this right.

Right to Data Portability

Request your data in a machine-readable format.

Right to Object

Object to processing based on legitimate interests.

Right to Withdraw Consent

Withdraw consent at any time (e.g., for analytics).

Right to Non-Discrimination

We will not discriminate against you for exercising your privacy rights.

Notice to California Residents (CCPA/CPRA)

In addition to the rights above, California law requires us to make specific disclosures:

  • We do NOT sell your personal information. We have not sold personal data in the past 12 months.
  • We do NOT share your personal information for cross-context behavioral advertising.
  • We limit the use of sensitive personal information to what is necessary to perform the services.

7. Cookies

We use the following types of cookies:

  • Essential Cookies: Required for authentication and core functionality.
  • Analytics Cookies: Used only with your consent to understand usage patterns.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption in transit (TLS/HTTPS) and at rest
  • Row Level Security (RLS) on our database
  • Regular security reviews and updates
  • Access controls and authentication requirements
  • Fraud, abuse, and account-security monitoring controls

9. Children's Privacy

MandoScribe is not intended for children under 16 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on our website. Your continued use of the service after such changes constitutes acceptance of the updated policy.

Contact Us

For any privacy-related questions or to exercise your data rights, please contact us:

Celestial Interactive

Owner: Alexander Adam Laurence

Address: 〒220-0072 Kanagawa-ken, Yokohama-shi, Nishi-ku, 1-4-3 Asamacho, Wizard Building 402

Email: legal@mandoscribe.com

You also have the right to lodge a complaint with a supervisory authority if you believe your data protection rights have been violated.

Note on Legal Correspondence: Legal letters sent to the above address may take up to 1 month to be forwarded to us. Please also consider delivery time from your country to Japan. We recommend setting a 3 month response window for legal correspondence (2-3 weeks for international delivery, 1 month for forwarding, and 1 month for reply and response delivery). We apologise for any inconvenience this may cause due to our small sole proprietor company setup in Japan.