Privacy Policy

Effective as of 25/11/2025

1. Overview

Hummify ("we", "us", or "our") is operated by HUMMIFY LTD, a company registered in England and Wales (company number 16826424) with a registered office at 82a James Carter Road, Mildenhall, England, IP28 7DE. We act as the data controller for the personal information associated with your account and use of the Hummify platform, website, and related services (together, the "Service").

This Privacy Policy explains how we collect, use, store, and share your personal data and describes the choices and rights available to you under UK GDPR, EU GDPR, and other applicable laws.

2. Information we collect

The specific data we collect depends on how you use the Service. We may collect the following categories of information:

  • Contact data: Name and email address.
  • Account and profile data: User ID, avatar or profile image URL, organisation/workspace membership, and basic account configuration.
  • Google OAuth data: Name, email address, and profile image URL received when you choose to sign in with Google. This data is used only to authenticate you, populate your profile, and maintain your account. We do not share any personal data back to Google.
  • Communication data: Messages, support requests, feedback, and other communications you send to us, including email correspondence.
  • Collaboration and comment data: Comments, timestamps, markers on waveforms or files, references to projects or versions, and other collaboration metadata associated with your use of the Service.
  • User-generated content: Audio files, derived media (e.g. encoded or processed versions), associated metadata, version history, playlists, stacks, project structures, and related workspace content you upload or create.
  • Usage data: Pages you visit, UI elements you interact with, features used, time spent in the application, navigation flows, and basic aggregated usage statistics.
  • Technical data: IP address, approximate location derived from IP, browser type and version, device type, operating system, screen resolution, language preferences, referrer URLs, diagnostic logs, and error reports.
  • Billing and payment data: Limited billing metadata such as Stripe customer ID, subscription status, pricing plan and invoices. Payment card details are processed directly by Stripe or another payment processor and are not stored by us.
  • Cookie, preference, and consent data: Authentication cookies, CloudFront delivery cookies, security tokens, local storage or similar mechanisms used to remember your settings (including analytics consent), and, where you have consented, identifiers related to analytics and session replay.

3. Sources of personal data

We collect personal data from the following sources:

  • Directly from you: When you register, log in, upload content, create projects or comments, configure workspaces, or contact us.
  • OAuth providers: Basic profile information provided by Google when you use Google sign-in.
  • Automatic collection: Through server logs, cookies, local storage, analytics tools, and similar technologies when you access or interact with the Service.
  • Service providers: Information we receive from providers such as hosting, analytics, payment processing, and security vendors, where they act on our behalf.

Hummify's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

4. How we use your data

We use personal data for the following purposes:

  • Providing and operating the Service: Authentication, maintaining user sessions, enabling file uploads, transcoding and streaming media, managing projects, shares, and collaboration features.
  • Collaboration and communication: Displaying names, avatars, comments, and activity to authorised users within shared projects and workspaces.
  • Account administration: Managing your subscription, billing, account configuration, and plan entitlements.
  • Support and troubleshooting: Responding to support requests, diagnosing issues, improving stability, and reproducing bugs (including through masked session replay where enabled).
  • Analytics and product improvement: Understanding how features are used, improving performance and usability, prioritising roadmap work, and developing new functionality.
  • Security, fraud prevention, and abuse detection: Protecting user accounts and content, enforcing access control, preventing unauthorised access, and detecting misuse.
  • Legal and compliance: Maintaining records required for accounting, tax, and regulatory purposes, and complying with legal obligations and law enforcement requests.

5. No sensitive data

We do not intentionally collect special-category personal data (such as information about health, racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data, or sexual orientation). You should not upload or share such information through the Service. If you believe special-category data has been provided, please contact us so that we can review and, where appropriate, remove it.

6. Legal bases for processing

We process personal data only where we have a valid legal basis to do so under UK GDPR/EU GDPR. Depending on the context, this may include:

  • Contractual necessity: We process data that is strictly necessary to create and maintain your account, provide access to the Service, store and stream your content, and enable collaboration features you use.
  • Legitimate interests: We process certain data to secure and maintain the Service, understand high-level usage patterns, prevent fraud and abuse, and improve performance and reliability. Where we rely on legitimate interests, we balance those interests against your rights and expectations.
  • Consent: For optional analytics and session replay (for example, PostHog product analytics and session replay, and Vercel Web Analytics where enabled), we rely on your consent. These technologies will only run after you have provided consent through our cookie banner or in-product controls. You can withdraw your consent at any time.
  • Legal obligation: We may process and retain data where necessary to comply with legal obligations, such as accounting and tax record-keeping requirements.

The processing purposes and legal bases can be summarised as:

  • Service operation: Contractual necessity.
  • Security and access control: Legitimate interests and, in some cases, legal obligation.
  • Analytics and diagnostics: Legitimate interests for basic aggregated metrics that do not track individuals, and consent for optional analytics and session replay.
  • Billing and compliance: Legal obligation.

7. Data storage and retention

We store most data in the eu-west-2 AWS region (London) or in other regions that provide a comparable level of protection. We retain personal data only for as long as necessary for the purposes described in this policy, or as required by law.

In general:

  • Account and profile data: Retained for as long as your account is active. If your account is closed, we normally delete or anonymise account data within a reasonable period, unless we need to retain it for legal or operational reasons (for example, to resolve disputes or comply with obligations).
  • User-generated content and project data: Retained while your account or workspace remains active, unless you or a workspace owner delete the relevant content.
  • Deleted assets: When you delete an asset, it is moved into a deletion queue and is permanently removed from our systems after approximately 30 days, subject to backup and logging constraints.
  • Comments and collaboration data: Retained alongside associated projects and content unless deleted by you or as part of workspace or account deletion.
  • Analytics and session replay data: PostHog analytics and masked session replay data are typically retained for up to 30 days, after which they are deleted or aggregated.
  • Technical logs: Server and application logs are retained for limited periods for security and operational purposes and then deleted or aggregated.
  • Billing and financial records: Retained for 6 years or as required by UK tax and accounting laws.

When data is no longer required, we delete it or irreversibly anonymise it.

8. Sharing your information

We share personal data only where necessary and in line with this policy:

  • Service providers (processors): We use third-party vendors for hosting, storage, databases, analytics, email delivery, logging, monitoring, payment processing, and security. These providers process personal data only on our behalf and under contracts that require appropriate safeguards.
  • Professional advisers: We may share limited data with legal, financial, and technical advisers to obtain professional advice and support.
  • Authorities and legal requests: We may disclose information to law enforcement or other authorities where required by law, court order, or legal process, or to protect our rights or the rights of others.
  • Business transfers: If we undergo a merger, acquisition, restructuring, or sale of assets, personal data may be transferred as part of that transaction, subject to continued protection consistent with this policy.

We do not sell personal data.

A list of key subprocessors is available on request by contacting contact@hummify.app.

9. International transfers

Some of our service providers may process data outside the UK or EEA. Where personal data is transferred to a country that does not have an adequacy decision from the UK or EU, we use appropriate safeguards, such as the UK Addendum to the EU Standard Contractual Clauses or other approved transfer mechanisms.

You can contact us for more information about the safeguards we use for international transfers.

10. Security of your information

We implement technical and organisational measures designed to protect personal data, including:

  • Encryption in transit for web and media delivery.
  • Access controls and role-based permissions for staff and system components.
  • Segregation of environments (e.g. staging vs production) and controlled access to infrastructure.
  • Secure media delivery using AWS CloudFront, signed URLs/cookies, and token-based access.
  • Logging, monitoring, and alerts for unusual activity.

No system can be fully secure, but we aim to reduce risk and continuously improve our security measures.

11. Your rights and choices

If you are in the UK or EEA, or in a jurisdiction with similar laws, you may have the following rights in relation to your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Erasure: Request deletion of your personal data, subject to legal and contractual requirements.
  • Restriction: Request that we restrict the processing of your data in certain circumstances.
  • Objection: Object to processing based on legitimate interests, on grounds relating to your particular situation.
  • Data portability: Request a copy of your data in a structured, commonly used, machine-readable format, where technically feasible and where the processing is based on consent or contract.
  • Withdraw consent: Where we rely on your consent, you can withdraw it at any time. This will not affect the lawfulness of processing before withdrawal.

To exercise these rights, contact us at contact@hummify.app. We may need to verify your identity before responding.

You also have the right to lodge a complaint with your local data protection authority (see section 16).

12. Children's access

The Service is intended for users aged 18 and over. We do not knowingly collect or process personal data from children. If you believe a child has provided us with personal data, please contact us so we can review and, where appropriate, delete that data.

13. Third-party services and integrations

The Service may integrate with third-party services such as Google OAuth (for sign-in), Stripe (for payments), hosting and infrastructure providers (such as AWS and Vercel), and analytics providers (such as PostHog and Vercel Web Analytics). These services process data in line with their own privacy policies.

Where these providers act as our processors, we remain responsible for how personal data is used. Where you separately interact with third parties (for example, visiting their websites or using their products), those activities are governed by the third party's own terms and privacy policy.

14. Cookies and similar technologies

We use cookies and similar technologies for several purposes, including:

  • Authenticating you and maintaining your session.
  • Delivering media securely via AWS CloudFront and related CDN mechanisms.
  • Remembering your preferences and cookie/analytics choices.
  • With your consent, measuring how the Service is used and capturing masked session replay to improve performance and UX.

Some of these technologies are strictly necessary for the Service to function and are set on the basis of contractual necessity and legitimate interests. Optional analytics and session replay are used only with your consent. For detailed information on the specific cookies and technologies we use, their purposes, and how you can manage your choices, please see our Cookie Policy.

15. Changes to this policy

We may update this Privacy Policy from time to time, for example to reflect changes in the Service, our processing activities, or applicable law. When we make material changes, we will notify you through the Service or by other appropriate means. The effective date at the top of this page shows when this policy was last updated.

16. Contact information

Controller: HUMMIFY LTD

82a James Carter Road, Mildenhall, England, IP28 7DE

Company number: 16826424

Email: contact@hummify.app

For questions about this Privacy Policy or how we process personal data, contact us using the details above.

17. Regional information for UK and EU users

If you are located in the UK or EEA, you have the rights described in section 11. You also have the right to lodge a complaint with a supervisory authority, in particular in the country where you live or work, or where you believe a violation has occurred.

Controller vs processor: For account, billing, analytics, and authentication data, Hummify generally acts as a data controller. For user-generated content (including files, comments, collaboration data, and project content) that you or your organisation upload to the Service, we typically act as a data processor on behalf of the relevant account holder.

Automated decision-making: We do not use automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you.