PRIVACY NOTICE
Privacy & data protection at PersonalHits.
This page explains how we collect, use, share, store and protect your information when you use PersonalHits.
Last updated: October 27, 2025
For legal purposes, the full Privacy Notice is currently available in English only.
This Privacy Notice explains how information about you is collected, used, shared, stored, and secured by PersonalHits (“PersonalHits,” “we,” “our,” or “us”) when you use personalhits.com and related applications, products, and services (collectively, the “Services”), or when you otherwise interact with us. It also explains your choices regarding your information.
By using the Services, you consent to the practices described in this Privacy Policy.
We may update this Privacy Policy from time to time. If changes are material, we will notify you through the Services or by email.
Quick index
- What information we collect
- How we use your information (legal bases)
- Cookies and similar technologies
- How we share your information
- International transfers
- How we store and secure your information
- How long we retain your information
- Your choices (marketing opt-out, access, correction, deletion)
- Payment processing (Stripe)
- Rights of U.S. residents
- Rights of EEA/UK residents (GDPR)
- Rights of Türkiye residents (KVKK)
- Children’s privacy
- Changes to this Privacy Notice
- Contact
- Annex A – Data Processing Addendum (DPA)
- Annex B – Sub-Processor List
What Information We Collect
We collect information you provide, information generated automatically by your use of the Services, and information from third parties. Broadly, we collect Contact Information, User Account Information, User Activity Information, and Content.
1) Information You Provide
- Contact Information: name, surname, email address, country/region, billing contact details, and (if you choose to provide later) date of birth.
- User Account Information: account identifiers (e.g., username), password, package/credit purchase history and account settings. (Note: we do not use auto-renewing subscriptions.)
- Content: text you submit for creating a custom song and/or visual materials (e.g., dedications, prompts, names), any uploads, and related metadata. Please avoid sensitive personal information (e.g., health, religion, political opinions). If you include it voluntarily, we process it solely to deliver the requested Service, as permitted by law.
- Support/communications: information you provide when contacting us (support tickets, emails, chat).
*Payment data (e.g., card numbers) is collected and processed directly by Stripe. See Payment Processing.
2) Information Collected Automatically
We collect User Activity Information such as pages viewed, actions taken (e.g., creating a song brief, generating visuals), access times, IP address, device/browser type, OS, referring/exit pages, and approximate location (via IP). We log media generation events and feature usage. We use cookies and similar technologies (see Cookies).
3) Information From Other Sources
We may receive Contact Information from partners (e.g., analytics/communication tools) and login providers if you use third-party sign-in (e.g., Google). We may also receive information from publicly available sources where lawful.
How We Use Your Information (and Legal Bases)
Under GDPR/KVKK, our legal bases include contract, legitimate interests, consent, and legal obligation:
- Provide the Services (contract): create/manage accounts, authenticate login, configure features, generate and deliver custom songs and visual materials, provide support.
- Communicate with you (legitimate interests / contract): service messages (security alerts, updates, purchase confirmations) and responses to inquiries.
- Marketing & personalization (legitimate interests / consent where required): send news, offers, and updates; measure engagement. You can opt out anytime (see Your Choices).
- Security & fraud prevention (legitimate interests / legal obligation): monitor usage, detect/prevent suspicious or illegal activity, protect the Services and our users.
- Legal & compliance (legal obligation / legitimate interests): comply with laws, enforce terms, exercise/defend legal claims.
- Improve the Services (legitimate interests / consent where required): analyze usage to enhance features and UX. We do not use your Content to train public models in a way that identifies you.
- Special category data: We do not seek it. Please avoid including it; if you do, we process it only to fulfill your request and as permitted by law.
Cookies and Similar Technologies
We use cookies, pixels, and SDKs to operate the site, remember preferences, perform analytics, and (where permitted) for marketing.
- Necessary: core functionality (e.g., login, checkout).
- Functional: remember preferences (e.g., language).
- Analytics: understand usage and improve Services.
- Advertising/Targeting: deliver and measure campaigns.
You can change preferences anytime. We currently do not respond to “Do Not Track.” Where Global Privacy Control (GPC) or similar signals are legally required, we honor them in those jurisdictions.
How We Share Your Information
We do not sell your personal information.
With other users/recipients by your action
- Gifting & public sharing features: If you choose to gift a song/visual, create a public link, download/share a preview, or post on social platforms (e.g., using a share button), your Content and selected profile details (e.g., display name) may become visible to recipients and/or the public according to your settings.
- Recipient data: If you provide recipient details (e.g., their name, email, or delivery address where applicable), you confirm you have permission to share that information with us for the purpose of delivering the gift. We process such recipient data solely to deliver gifts and related communications.
- Social media: When you use social share features, the social network’s processing is governed by its own privacy policy.
Service providers (processors)
We use vendors for hosting, infrastructure, security, analytics, customer support, email/SMS delivery, payments (Stripe), and similar services. They process data under our instructions and must protect it appropriately. See Annex B – Sub-Processor List.
With your consent/direction
For example, testimonials or referrals, or third-party logins.
Legal and safety
To comply with law, enforce terms, or protect rights, users, or the public.
Business transfers
In a merger, acquisition, financing, or sale of assets, subject to appropriate safeguards.
International Transfers
We operate globally. Where we transfer EEA/UK personal data to countries without an adequacy decision, we rely on appropriate safeguards such as EU/UK Standard Contractual Clauses (SCCs) plus additional measures as needed. For Türkiye personal data under KVKK, we use adequate safeguards and, where required, obtain explicit consent or rely on PDPL-compliant mechanisms.
How We Store and Secure Your Information
We implement technical and organizational measures (e.g., encryption in transit, access controls, least privilege, monitoring). No system is 100% secure. You are responsible for safeguarding your password and logging out after sessions.
How Long We Retain Your Information
We retain personal data only as long as necessary for the purposes described, including:
- while your account is active and for a reasonable period thereafter;
- as required by law (e.g., tax/accounting records);
- as needed to enforce terms and protect rights.
We may retain de-identified or aggregated data for lawful business purposes.
Your Choices (Marketing Opt-Out, Access, Correction, Deletion)
- Marketing opt-out: Unsubscribe anytime via the email link or by contacting us. Transactional/service messages will continue.
- Access/Update/Delete: Request access, correction, or deletion by contacting us (see Contact). In some cases, we must retain certain data (e.g., to complete transactions, meet legal obligations, prevent fraud).
Payment Processing (Stripe)
Payments are processed by Stripe. You provide payment details directly to Stripe. We do not store your full card details. Stripe may act as an independent controller/processor depending on the activity. See Stripe’s own private documentation for details.
Rights of U.S. Residents
Residents of U.S. states with comprehensive privacy laws (e.g., CA, CO, CT, VA, UT) may have rights to know/access, correct, delete, and (where applicable) opt-out of certain processing. We do not “sell” or “share” personal information as defined by these laws, nor do we knowingly sell/share personal information of consumers under 16. Submit requests via Contact. We verify requests as required and do not discriminate for exercising rights.
Rights of EEA/UK Residents (GDPR)
If you are in the EEA/UK, PersonalHits is the data controller (unless stated otherwise). Subject to conditions/exemptions, you have the right to access, rectify, erase, restrict, object (including to direct marketing), portability, and withdraw consent where processing is based on consent. You may lodge a complaint with your local DPA (or the UK ICO). Please contact us first so we can help.
Rights of Türkiye Residents (KVKK)
For data subjects in Türkiye, we process personal data per KVKK No. 6698 and secondary legislation.
Your KVKK rights include (subject to legal conditions):
- to learn whether your personal data is processed;
- to request information regarding processing;
- to learn the purpose of processing and whether it is used accordingly;
- to know third parties to whom data is transferred domestically or abroad;
- to request correction if data is incomplete or inaccurate;
- to request deletion/destruction within KVKK conditions;
- to request notification of correction/deletion to third parties;
- to object to results arising from exclusively automated processing;
- to claim compensation for damages due to unlawful processing.
Application method: You can submit KVKK applications to us via the Contact details below. We will respond within statutory time limits. For international transfers under KVKK, we use appropriate safeguards and, where required, obtain explicit consent.
Children’s Privacy
You must be at least 13 years old to use the Services. If you are under 18, you may only use the Services with the consent and supervision of a parent or legal guardian. We do not knowingly collect personal information from children under 13. If we learn that a child under 13 has provided personal information, we will take steps to delete such information promptly.
Changes to this Privacy Notice
We may update this Notice from time to time. We will post changes here with the updated “Last Modified” date. If changes are material, we may provide additional notice (e.g., on our homepage or via email). If you disagree with the updated Notice, you should stop using the Services.
Contact
For questions, requests (including GDPR/KVKK/US state law requests), or complaints, contact us at:
Email: contact@personalhits.com
(You can also reach support via the same address. Please specify your country of residence to help route your request.)
Annex A – Data Processing Addendum (DPA)
Purpose. This DPA forms part of the agreement between PersonalHits and a business customer (the “Customer”) where PersonalHits processes personal data on behalf of Customer (e.g., corporate gifting or managed accounts). For consumer/end-user relationships in which PersonalHits determines purposes/means, PersonalHits acts as controller, and this DPA does not apply.
Roles. Customer is controller; PersonalHits is processor (EEA/UK GDPR) and/or data processor (KVKK). For U.S. state laws, PersonalHits acts as processor/service provider.
Processing Details.
- Subject matter: Provision of the Services per the main agreement.
- Duration: During the agreement term and retention period.
- Nature/Purpose: Hosting, generation, and delivery of custom songs and visual materials and related support.
- Categories of data subjects: Customer’s users, gift recipients, and others whose data Customer submits.
- Categories of personal data: Contact data, account identifiers, usage logs, and any data Customer uploads (avoid special categories where possible).
- Special categories: Not intended; if included by Customer, processed only as necessary and lawful.
Processor Obligations. PersonalHits shall:
(a) process personal data only on documented instructions from Customer;
(b) ensure confidentiality;
(c) implement appropriate technical/organizational measures (TOMs);
(d) assist Customer with data subject requests, security, DPIAs, and consultations as reasonably necessary;
(e) delete or return personal data at termination (unless law requires storage);
(f) make available information necessary to demonstrate compliance and allow reasonable audits (subject to confidentiality and scheduling);
(g) promptly notify Customer of personal data breaches affecting Customer data.
Sub-processing. Customer authorizes PersonalHits to engage sub-processors listed in Annex B and replacements/additions with prior notice. PersonalHits will impose data protection terms no less protective than this DPA on all sub-processors.
International Transfers. For EEA/UK personal data, the EU/UK SCCs (controller-to-processor, Module 2) are incorporated by reference, including relevant Annexes. For KVKK transfers, PersonalHits will use PDPL-compliant mechanisms and, where required, obtain explicit consent.
Liability & Precedence. This DPA prevails over conflicting terms in the main agreement concerning data protection. Each party remains responsible for its own compliance obligations.
(Signature blocks may be added offline if needed.)
Annex B – Sub-Processor List
Current sub-processors (last updated: September 26, 2025)
- Stripe, Inc. / Stripe Payments – Payment processing and billing operations; global infrastructure.
Data processed: payer identifiers, transaction metadata, fraud signals.
Location: EU/US and other regions (per Stripe infrastructure).
Safeguards: PCI DSS; SCCs where applicable.
- Suno – Music generation via API.
Data processed: prompts and minimal context needed to generate music; technical logs.
Location: as disclosed by provider; SCCs/adequacy or equivalent safeguards where applicable.
- Google (Gemini) – Lyrics and visual generation via API.
Data processed: prompts and minimal context needed to generate lyrics/visuals; technical logs.
Location: as disclosed by provider; SCCs/adequacy or equivalent safeguards where applicable.
Categories of additional sub-processors we may use (subject to update/notice):
- Cloud hosting & infrastructure (compute, storage, CDN).
- Email/notification delivery (transactional emails, optional marketing).
- Analytics/monitoring (product analytics, error monitoring).
- Customer support tools (ticketing, live chat).
- Logging/security services (WAF, bot mitigation, security monitoring).
We will update this Annex when we add or replace a sub-processor and will provide customers with a method to subscribe to updates (e.g., a changelog or email notice). Objections may be raised per the DPA.