Privacy Policy
Last Updated: 04 September 2025
1. Introduction
Welcome to Music Linguist. We are committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you visit and use our website, https://musiclinguist.com (our "Service").
This policy will also inform you about your privacy rights and how the law protects you.
2. Who We Are (Data Controller)
For the purpose of the UK General Data Protection Regulation (UK GDPR), the data controller is:
- Name: George Burgess, trading as Music Linguist
- Location: Birmingham, UK
- Contact Email: For any data protection queries, please email us at george@musiclinguist.co.uk.
3. What Personal Data We Collect
We collect data to operate our Service effectively and provide you with the best experience.
a) Data You Provide to Us:
- Contact Data: Your email address when you create an account or contact us.
- Account Data: Your password (which is stored in a hashed, unreadable format) and any user preferences you set.
- User-Generated Content: Any notes, answers to questions, lyrics, or other text you create and save within our Service.
- Communications: Any feedback or information you provide when you communicate with us.
b) Data We Collect Automatically:
- Technical Data: Your IP address, device type, operating system, browser type and version, and general geographic location (country).
- Usage Data: Information about how you interact with our Service, such as the pages you visit, the features you use, and the time you spend on the site. We use Vercel Analytics and Hotjar for this purpose.
- Usage Logs: We collect detailed interaction data including navigation actions, searches, button clicks, song selections, and feature usage to improve our Service and understand user behaviour patterns.
4. How We Use Your Data & Our Lawful Basis
We only use your personal data when the law allows us to. Below, we have set out the purposes for which we use your data and the lawful basis we rely on for each.
Purpose / Activity | Data Types Used | Lawful Basis for Processing |
---|---|---|
To register you as a new user and manage your account. | Contact, Account | Performance of a Contract with you. |
To provide the core Service, including saving and processing your User-Generated Content. | User-Generated Content, Account | Performance of a Contract with you. |
To process payments for the Service. | Contact (passed to our payment processor) | Performance of a Contract with you. |
To manage our relationship with you, including sending essential transactional emails (e.g., password resets, billing notifications). | Contact, Account | Legitimate Interest (to keep our records updated and manage your use of the service). |
To send you marketing newsletters and promotional offers. | Contact | Consent. You can withdraw consent at any time by clicking the "unsubscribe" link in any marketing email. |
To analyse website usage to improve our Service, troubleshoot issues, and enhance user experience. | Technical, Usage | Legitimate Interest (for us to develop our products/services and grow our business). |
To track detailed user interactions, navigation patterns, and feature usage to improve Service functionality and user experience. | Usage Logs | Legitimate Interest (to understand user behaviour and improve our products/services). |
To comply with our legal and regulatory obligations. | Transactional records (held by our payment processor) | Legal Obligation. |
5. Who We Share Your Personal Data With
We do not sell your personal data. We may share your data with trusted third-party service providers (known as "data processors") who help us operate our Service:
- Hosting & Database: Vercel (USA) and Supabase (UK) provide the cloud infrastructure to host our website and your data.
- Payment Processing: Paddle (UK/Ireland) securely handles all payment card information and processing. We do not store your full payment card details.
- Analytics: Vercel Analytics (USA) and Hotjar (Malta) help us understand how our users interact with the site.
6. International Data Transfers
Some of our service providers are based outside the UK. We ensure all international transfers comply with UK GDPR requirements through appropriate safeguards:
Service Provider | Location | Transfer Mechanism | Safeguards |
---|---|---|---|
Vercel (Hosting) | USA | UK Extension to EU-U.S. Data Privacy Framework | Certified under adequacy decision, contractual clauses |
Supabase (Database) | UK/EU | UK Adequacy Decision for EEA | EU data centres, GDPR compliance |
Hotjar (Analytics) | Malta (EEA) | UK Adequacy Decision for EEA | EU-based, GDPR compliance |
Paddle (Payments) | UK/Ireland | UK Adequacy Decision for EEA | UK/EU entity, GDPR compliance |
These adequacy decisions mean the UK government has determined these countries/regions provide adequate protection for personal data. Where adequacy decisions don't apply, we use Standard Contractual Clauses approved by the UK government or other appropriate safeguards.
7. Data Security
We have implemented appropriate technical and organisational security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way. These measures include:
- SSL/TLS encryption for all data in transit
- Encrypted storage of sensitive data at rest
- Access controls and authentication requirements
- Regular security monitoring and updates
- Secure backup and disaster recovery procedures
Data Breach Notification
In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:
- Report to ICO: Notify the Information Commissioner's Office within 72 hours of becoming aware of the breach, as required by UK GDPR Article 33.
- Notify Affected Users: If the breach is likely to result in high risk to your rights and freedoms, we will notify you directly without undue delay, providing clear information about the nature of the breach and steps you can take to protect yourself.
- Containment: Take immediate steps to contain the breach and prevent further unauthorised access.
- Investigation: Conduct a thorough investigation to understand the cause and scope of the breach.
- Remediation: Implement measures to prevent similar breaches in the future.
Our breach notification procedures comply with ICO guidance and UK GDPR requirements. We maintain detailed incident response plans and regularly test our security measures.
8. Data Retention
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, in accordance with our data retention schedule:
Data Category | Retention Period | Legal Basis for Retention |
---|---|---|
Account Data (email, password) | Duration of account + 24 months | Contract performance, legitimate interests |
User-Generated Content | Until account deletion or user request | Contract performance |
Analytics Data (Vercel, Hotjar) | 12 months from collection | Legitimate interests |
Payment Records | 7 years (via Paddle) | Legal obligation (UK tax law) |
Marketing Communications | Until consent withdrawn + 30 days | Consent |
Support Communications | 3 years from last contact | Legitimate interests |
Usage Logs (interaction tracking) | 12 months from collection | Legitimate interests |
9. Your Data Protection Rights
Under UK data protection law, you have the following rights:
- Right of Access (Article 15): To request a copy of the personal data we hold about you, along with information about how we process it.
- Right to Rectification (Article 16): To ask us to correct inaccurate or incomplete personal data.
- Right to Erasure (Article 17): To request deletion of your personal data in certain circumstances.
- Right to Restrict Processing (Article 18): To ask us to suspend processing of your personal data in certain circumstances.
- Right to Data Portability (Article 20): To request transfer of your data to you or another organisation in a structured format.
- Right to Object (Article 21): To object to processing based on legitimate interests or for direct marketing purposes.
- Right to Withdraw Consent: Where processing is based on consent, you can withdraw it at any time.
How to Exercise Your Rights
- Account Settings: You can update your personal information, download your personal data, or delete your account directly through your account settings.
- Data Export: Use the "Download My Data" button in your account settings to export all your personal data in JSON format.
- Email Requests: For other requests or if you need assistance, email us at george@musiclinguist.co.uk with "Data Protection Request" in the subject line.
- Identity Verification: We may require proof of identity before processing your request to protect your data security.
- Response Time: We will respond to your request within one month. For complex requests, we may extend this by two additional months.
- Fees: Requests are normally free, but we may charge a reasonable fee for excessive or repeated requests.
Right to Complain
If you believe we have not handled your personal data in accordance with UK data protection law, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk/make-a-complaint
- Phone: 0303 123 1113
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
10. User-Generated Content
Our Service allows you to create and store your own content, such as lyrics. We advise you not to include any sensitive personal information (e.g., relating to your health, religion, or political beliefs) in this content.
11. Children's Data Protection
We take the protection of children's personal data seriously and comply with UK GDPR requirements for processing children's data:
- Age Restrictions: Our Service is not intended for children under 13 years of age. We do not knowingly collect, process, or store personal data from children under 13.
- Verification: We do not have reliable age verification mechanisms; therefore, we prohibit registration by children under 13 to ensure GDPR compliance.
- Parental Rights: If you are a parent or guardian and believe your child under 13 has provided us with personal data, please contact us immediately at george@musiclinguist.co.uk.
- Data Deletion: If we become aware that we have collected personal data from a child under 13 without parental consent, we will take steps to delete that information as quickly as possible.
- Teens (13-17): For users aged 13-17, we require parental consent and supervision as outlined in our Terms and Conditions.
12. Cookies and Tracking Technologies
Our website uses cookies and similar tracking technologies to enhance your experience and analyse usage patterns. Here's what we use:
Cookie Type | Purpose | Legal Basis | Duration |
---|---|---|---|
Essential Cookies | Authentication, security, basic functionality | Legitimate Interest (necessary for service) | Session/Account duration |
Analytics Cookies (Vercel) | Website performance and usage analytics | Consent required | Up to 12 months |
Analytics Cookies (Hotjar) | User behaviour analysis, heatmaps | Consent required | Up to 12 months |
Cookie Consent
We obtain your consent before placing non-essential cookies. You can:
- Manage your cookie preferences through our cookie banner when you first visit
- Withdraw consent at any time by contacting us at george@musiclinguist.co.uk
- Control cookies through your browser settings (note this may affect website functionality)
For detailed information about all cookies we use, please see our Cookie Policy.
13. Data Protection Impact Assessments (DPIA)
When we introduce new processing activities that may pose high risk to your rights and freedoms, we conduct Data Protection Impact Assessments as required by UK GDPR Article 35. This ensures we identify and mitigate privacy risks before implementation.
14. Automated Decision-Making and Profiling
We do not use your personal data for automated decision-making or profiling that would have legal or similarly significant effects on you. Any AI functionality in our service is used to provide guidance and feedback, not to make decisions about you.
15. Data Portability
You have the right to receive your personal data in a structured, commonly used, machine-readable format. You can export your data through your account settings or by contacting us.
What Data You Can Export
- Account Information: Email address, account creation date, language preferences
- User-Generated Content: All notes, vocabulary entries, and text content you've created
- Learning Progress: Song completion status, chat histories with AI, practice statistics
- Vocabulary Data: Saved words with translation attempts and success rates
- Notes: Personal notes on songs, sections, and lyrics
- Streak Data: Learning streak information and activity history
What Data Cannot Be Exported
- Anonymous Analytics: Usage data from Vercel Analytics and Hotjar is anonymised and cannot be linked to your specific account
- Technical Data: Server logs, IP addresses, and device information used for analytics are not personally identifiable
- Security Data: Password hashes and authentication tokens are not exported, for security reasons
- Usage Logs: Detailed interaction logs are used for service improvement and are not exported as they contain sensitive behavioural patterns
Your exported data is provided in JSON format, making it easy to import into other systems or analyse with standard tools.
16. Changes to This Policy
We may update this policy to reflect changes in our processing activities, legal requirements, or service improvements. When we make material changes:
- We will post the updated policy on this page with a new "Last Updated" date
- For significant changes affecting your rights, we will notify you by email
- We will provide a summary of changes where appropriate
- Your continued use of the Service after changes constitutes acceptance of the updated policy
17. Contact Information
For any questions about this Privacy Policy, your personal data, or to exercise your rights, please contact us:
- Email: george@musiclinguist.co.uk
- Subject Line: Use "Data Protection Query" for a faster response
- Response Time: We aim to respond within 72 hours for urgent matters, or within one month for formal requests