Avelir Music

AI Music Competition

best with sound

Legal

Privacy Policy

Last updated: May 27, 2026

Avelir ("we", "us", or "our") is committed to protecting your personal data. This Privacy Policy explains what data we collect, how we use it, and your rights under the General Data Protection Regulation (GDPR), Romanian Law No. 190/2018 implementing the GDPR, and, where applicable, the California Consumer Privacy Act (CCPA).

The data controller is Avelir, reachable at AvelirCS@outlook.com.

1. Data We Collect

We collect and process the following categories of personal data:

  • Account data: email address, username, display name, password (hashed — never stored in plain text).
  • Profile data: avatar image, biography, and any other information you voluntarily add to your profile.
  • Submission data: music track titles, audio URLs, platform links, and metadata associated with your submissions.
  • Activity data: votes cast, shares logged, contest participation history.
  • Technical data: IP address, browser type, device information, and usage logs collected automatically when you access the Service.
  • Communications: any messages you send to us via email.

2. How We Use Your Data

We process your personal data for the following purposes and on the following legal bases:

  • To provide the Service (legal basis: contract performance) — creating and managing your account, processing contest entries and votes, displaying leaderboards.
  • To administer contests and award prizes (legal basis: contract performance) — identifying winners, contacting prize recipients.
  • To maintain platform security (legal basis: legitimate interest) — detecting and preventing fraud, vote manipulation, and abuse; enforcing bans.
  • To comply with legal obligations (legal basis: legal obligation) — responding to lawful requests from authorities, maintaining required records.
  • To improve the Service (legal basis: legitimate interest) — analysing aggregated, anonymised usage data to improve features and performance.
  • To send transactional emails (legal basis: contract performance) — account verification, password reset, prize notifications. We do not send marketing emails without your explicit consent.

3. Cookies and Tracking

We use only strictly necessary cookies and local storage tokens required for authentication (session tokens) and basic platform functionality. We do not use advertising cookies, tracking pixels, or third-party analytics cookies. No consent banner is required for strictly necessary cookies under Article 5(3) of the ePrivacy Directive; however, you are informed of this use here.

If we introduce non-essential cookies in the future, we will update this policy and implement a consent mechanism before deploying them.

4. Data Sharing and Third Parties

We do not sell your personal data. We share data only in the following circumstances:

  • Supabase (infrastructure provider): Our database, authentication, and file storage are hosted on Supabase, Inc. (USA). Supabase acts as a data processor on our behalf under a Data Processing Agreement. Data may be stored on servers in the European Economic Area or the United States. Where transferred outside the EEA, Supabase relies on Standard Contractual Clauses approved by the European Commission.
  • Legal obligations: We may disclose your data to law enforcement or regulatory authorities when required by applicable law or a valid court order.
  • Business transfers: In the event of a merger, acquisition, or sale of all or substantially all assets, your data may be transferred as part of that transaction. You will be notified in advance.

5. Data Retention

  • Account data: retained for the duration of your account. If you delete your account, we will delete or anonymise your personal data within 30 days, except where retention is required by law.
  • Submission and contest data: winner records and contest history are retained for a minimum of 3 years for legal and auditing purposes.
  • Security logs: retained for up to 12 months.
  • Backups: data in encrypted backups may persist for up to 90 days after deletion before being permanently purged.

6. Your Rights (GDPR)

If you are located in the EU/EEA or Romania, you have the following rights:

  • Right of access: request a copy of the personal data we hold about you.
  • Right to rectification: request correction of inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten"): request deletion of your personal data, subject to legal retention obligations.
  • Right to restriction of processing: request that we limit how we use your data in certain circumstances.
  • Right to data portability: receive your data in a structured, machine-readable format.
  • Right to object: object to processing based on legitimate interests.
  • Right to withdraw consent: where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at AvelirCS@outlook.com. We will respond within 30 days.

7. Your Rights (California — CCPA)

If you are a California resident, you have the right to:

  • Know what personal information we collect, use, disclose, and sell.
  • Delete your personal information (subject to certain exceptions).
  • Opt out of the sale of your personal information. We do not sell personal information.
  • Non-discrimination for exercising your CCPA rights.

To submit a CCPA request, email AvelirCS@outlook.com with "CCPA Request" in the subject line.

8. Data Security

  • All data is transmitted over encrypted HTTPS connections (TLS 1.2+).
  • Passwords are hashed using bcrypt and are never stored in plain text.
  • Access to production data is restricted to authorised personnel only.
  • We use row-level security policies on our database to ensure users can only access their own data.
  • Avatar images and uploaded files are stored in access-controlled cloud storage.
  • We conduct periodic security reviews of our infrastructure and dependencies.

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where required, affected users without undue delay — in compliance with GDPR Article 33 and 34.

9. Children's Privacy

The Service is not directed to children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe we have inadvertently collected data from a child under 13, contact us at AvelirCS@outlook.com and we will promptly delete it.

10. International Data Transfers

Your data may be processed in countries outside the European Economic Area, including the United States. In such cases, we ensure adequate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, to protect your data to a standard equivalent to EU law.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by posting a prominent notice on the platform at least 14 days before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.

12. Contact and Data Protection Inquiries

For any questions, requests, or concerns about this Privacy Policy or the processing of your personal data, contact:

Avelir — Data Controller

Email: AvelirCS@outlook.com

Terms and ConditionsBack to Avelir