GDPR Compliance
Last Updated: February 6, 2026
1. Introduction
Foundational Creations ("Company," "we," "us," or "our") is committed to protecting the privacy and personal data of all individuals, particularly users residing in the European Union ("EU"), European Economic Area ("EEA"), and the United Kingdom ("UK"). This GDPR Compliance page provides comprehensive information about how we comply with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), and related data protection legislation.
This document supplements our Privacy Policy and provides additional details specifically relevant to individuals whose personal data is subject to GDPR protections. In the event of any conflict between this document and our Privacy Policy regarding GDPR-specific matters, this document shall prevail.
We recognize the importance of data protection and privacy as fundamental rights. Our commitment extends beyond mere legal compliance; we strive to embody the principles of privacy by design and privacy by default throughout our operations, product development, and service delivery. We continuously review and update our data protection practices to ensure they meet the highest standards of compliance and reflect evolving best practices in the field of data privacy.
LoveVerse is an AI-powered platform that generates personalized songs, lyrics, and music based on user stories and inputs. This processing involves the use of personal data in connection with artificial intelligence services provided by third parties such as OpenAI, Anthropic, and ElevenLabs, as well as cloud infrastructure services from Google Cloud and Cloudflare R2. We are transparent about how personal data flows through our systems and the safeguards we have implemented at every stage.
2. Data Controller Information
Foundational Creations is the data controller responsible for your personal data collected and processed through the LoveVerse application (available on web, iOS, and Android), the website located at loveverse.cc, and all related services, features, and functionality (collectively, the "Service"). As the data controller, we determine the purposes and means of processing your personal data and are accountable for ensuring compliance with all applicable data protection laws.
Foundational Creations
Registered in India
Data Protection Inquiries: support@loveverse.cc
General Inquiries: hello@loveverse.cc
Website: https://loveverse.cc
Although Foundational Creations is registered in India, we are fully committed to complying with the GDPR and UK GDPR with respect to the personal data of individuals in the EU, EEA, and UK. We have implemented comprehensive data protection measures, policies, and procedures to ensure that the personal data of European data subjects is processed in accordance with the requirements of the GDPR, regardless of where the processing takes place.
If you have any questions or concerns about how we process your personal data, or if you wish to exercise any of your rights under the GDPR, please contact our data protection team at support@loveverse.cc. We are committed to responding to all data protection inquiries promptly and thoroughly.
3. Legal Basis for Processing
We process your personal data only when we have a valid legal basis to do so, as required by Article 6 of the GDPR. The specific legal basis depends on the type of data being processed and the purpose of the processing. Below we detail each legal basis we rely upon, the specific processing activities associated with each basis, and the safeguards we have implemented.
3.1 Performance of a Contract (Article 6(1)(b))
We process certain personal data because it is necessary for the performance of a contract to which you are a party (our Terms of Service), or in order to take steps at your request prior to entering into a contract. The following processing activities are carried out under this legal basis:
- Account creation, registration, and authentication, including processing data received from Google Sign-In and Apple Sign-In identity providers
- Processing and storing your personal stories, memories, and descriptions that you submit for AI-powered song generation
- Generating personalized songs, lyrics, music, and vocal performances using AI models including those provided by OpenAI, Anthropic, and ElevenLabs
- Payment processing and transaction management through Razorpay and other payment processors
- Delivering generated content to you, including storing and serving audio files via Google Cloud and Cloudflare R2
- Managing your account preferences, song library, and content history
- Providing customer support and resolving technical issues related to the Service
- Sending transactional communications such as purchase confirmations, account notifications, and service updates
3.2 Legitimate Interests (Article 6(1)(f))
We process certain personal data where it is necessary for our legitimate interests or the legitimate interests of a third party, provided that such interests are not overridden by your fundamental rights and freedoms. We have conducted a Legitimate Interest Assessment ("LIA") for each of the following processing activities to ensure our interests do not override your rights:
- Service improvement, optimization, and enhancement based on aggregated usage patterns and user behavior analytics
- Fraud prevention, abuse detection, and security monitoring to protect our Service, users, and business operations
- Performance monitoring, error tracking, and debugging to ensure the reliability and stability of the Service
- Internal analytics and business intelligence to understand feature adoption, user engagement, and service performance
- Ensuring network and information security, including preventing unauthorized access, malicious code distribution, and denial of service attacks
- Maintaining and enforcing our Terms of Service and other policies to protect our rights and the rights of other users
- Communicating important service updates, security alerts, and changes to our policies that may affect your use of the Service
You have the right to object to processing based on legitimate interests at any time. If you do so, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or where we need to process the data for the establishment, exercise, or defense of legal claims. To exercise your right to object, please contact us at support@loveverse.cc.
3.3 Consent (Article 6(1)(a))
For certain processing activities, we rely on your freely given, specific, informed, and unambiguous consent. Where consent is the legal basis, you have the right to withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. Processing activities based on consent include:
- Marketing and promotional email communications about new features, offers, and updates
- Placement and use of non-essential cookies, including analytics and marketing cookies, as described in our Cookie Policy
- Optional analytics and usage tracking beyond what is strictly necessary for service provision
- Newsletter subscriptions and periodic content updates
- Participation in surveys, feedback programs, and user research initiatives
- Processing of special categories of data, if any, that may be inferred from the personal stories you voluntarily provide for song generation
To withdraw your consent, you may use the unsubscribe link in marketing emails, adjust your cookie preferences through our consent banner, modify your account settings, or contact us directly at support@loveverse.cc. Withdrawal of consent will not affect the lawfulness of processing carried out prior to the withdrawal.
3.4 Legal Obligation (Article 6(1)(c))
We process certain personal data where it is necessary for compliance with a legal obligation to which we are subject. This includes:
- Tax reporting, financial record-keeping, and accounting obligations under Indian tax law and applicable international tax treaties
- Responding to lawful requests from law enforcement agencies, regulatory authorities, and courts of competent jurisdiction
- Compliance with court orders, subpoenas, and other legal process requirements
- Maintaining records as required by the Information Technology Act, 2000 (India) and its associated rules and regulations
- Compliance with anti-money laundering ("AML") and know-your-customer ("KYC") requirements where applicable to our payment processing activities
- Reporting obligations related to data breaches, as required by applicable data protection laws
3.5 Vital Interests (Article 6(1)(d))
In rare and exceptional circumstances, we may process personal data where it is necessary to protect the vital interests of you or another natural person. This may include situations involving the protection of life, health emergencies, or the prevention of serious harm. We do not anticipate relying on this legal basis in the ordinary course of our operations, but we reserve the right to do so in genuinely exceptional circumstances.
3.6 Public Interest (Article 6(1)(e))
We do not currently rely on the public interest legal basis for any of our processing activities. Should this change in the future, we will update this document accordingly and notify affected data subjects.
4. Categories of Personal Data Processed
We process the following categories of personal data, depending on how you interact with the Service:
- Identity Data: Full name, display name, username, and profile identifiers received from Google or Apple Sign-In authentication providers
- Contact Data: Email address associated with your Google or Apple account
- Profile Data: Profile photograph, account preferences, language settings, and notification preferences
- Content Data: Personal stories, memories, descriptions, and prompts you provide for song generation; photographs and images you upload for video collages
- Transaction Data: Purchase history, credit balances, payment amounts, transaction identifiers, and payment method details (processed through Razorpay)
- Technical Data: IP address, browser type and version, device type, operating system, unique device identifiers, time zone settings, and browser plug-in types and versions
- Usage Data: Information about how you use the Service, including features accessed, pages viewed, interaction patterns, session duration, navigation paths, and error logs
- Communication Data: Messages, feedback, support requests, and correspondence you send to us
- Generated Content Data: AI-generated songs, lyrics, music, vocals, and videos produced through the Service on your behalf
We do not intentionally collect or process special categories of personal data (also known as sensitive data) as defined in Article 9 of the GDPR, including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation. However, we acknowledge that the personal stories and memories you voluntarily provide for song generation may incidentally contain such information. Where this occurs, your explicit consent to the processing of such data is deemed to have been given by virtue of your voluntary submission of the content.
5. Data Subject Rights
Under the GDPR and UK GDPR, you have comprehensive rights regarding your personal data. We are committed to facilitating the exercise of these rights and have implemented processes and procedures to ensure that you can exercise them effectively. Below is a detailed explanation of each right.
5.1 Right of Access (Article 15)
You have the right to obtain confirmation as to whether or not we are processing your personal data, and where we are, to access that personal data and obtain a copy. You are also entitled to receive the following supplementary information:
- The purposes of the processing
- The categories of personal data concerned
- The recipients or categories of recipients to whom the personal data has been or will be disclosed
- The envisaged period for which the personal data will be stored, or the criteria used to determine that period
- The existence of your rights to rectification, erasure, restriction, and objection
- The right to lodge a complaint with a supervisory authority
- Where the personal data is not collected from you, any available information as to its source
- The existence of automated decision-making, including profiling, and meaningful information about the logic involved
- Where personal data is transferred to a third country, information about the appropriate safeguards in place
We will provide a copy of your personal data free of charge. For any further copies requested, we may charge a reasonable fee based on administrative costs. We will provide the information in a commonly used electronic form unless you request otherwise.
5.2 Right to Rectification (Article 16)
You have the right to obtain the rectification of inaccurate personal data concerning you without undue delay. Taking into account the purposes of the processing, you also have the right to have incomplete personal data completed, including by means of providing a supplementary statement. If we have disclosed your inaccurate or incomplete personal data to third parties, we will inform those third parties of the rectification where possible and where it would not involve disproportionate effort.
5.3 Right to Erasure ("Right to be Forgotten") (Article 17)
You have the right to obtain the erasure of your personal data without undue delay where one of the following grounds applies:
- The personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed
- You withdraw your consent on which the processing is based (under Article 6(1)(a) or Article 9(2)(a)) and there is no other legal basis for the processing
- You object to processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or you object to processing pursuant to Article 21(2) (direct marketing)
- The personal data has been unlawfully processed
- The personal data must be erased for compliance with a legal obligation under EU or member state law
- The personal data was collected in relation to the offer of information society services referred to in Article 8(1) (children's data)
Please note that the right to erasure is not absolute. We may retain certain personal data where processing is necessary: (a) for exercising the right of freedom of expression and information; (b) for compliance with a legal obligation; (c) for reasons of public interest in the area of public health; (d) for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes; or (e) for the establishment, exercise, or defense of legal claims.
When you request account deletion, we will erase your personal data from our active systems and instruct our processors (including Google Cloud, Cloudflare R2, and our AI service providers) to delete your data. Some data may persist in encrypted backups for up to 30 days following deletion before being permanently removed.
5.4 Right to Restriction of Processing (Article 18)
You have the right to obtain restriction of processing where one of the following applies:
- You contest the accuracy of the personal data, for a period enabling us to verify the accuracy of the data
- The processing is unlawful and you oppose the erasure of the personal data and request restriction of its use instead
- We no longer need the personal data for the purposes of processing, but you require it for the establishment, exercise, or defense of legal claims
- You have objected to processing pursuant to Article 21(1) pending the verification of whether our legitimate grounds override yours
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with your consent, or for the establishment, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest. We will inform you before the restriction of processing is lifted.
5.5 Right to Data Portability (Article 20)
You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format (such as JSON or CSV). You also have the right to transmit that data to another controller without hindrance from us, where:
- The processing is based on consent (Article 6(1)(a) or Article 9(2)(a)) or on a contract (Article 6(1)(b)); and
- The processing is carried out by automated means
Where technically feasible, you have the right to have the personal data transmitted directly from us to another controller. This right does not adversely affect the rights and freedoms of others. The data we can provide under this right includes your account information, generated content metadata, and story content you have provided.
5.6 Right to Object (Article 21)
You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data which is based on Article 6(1)(e) (public interest) or Article 6(1)(f) (legitimate interests), including profiling based on those provisions. When you object, we shall no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.
Where personal data is processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, including profiling to the extent that it is related to such direct marketing. Where you object to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes. This right is absolute and we will comply with your objection without requiring any justification from you.
5.7 Right Not to be Subject to Automated Decision-Making (Article 22)
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This right does not apply if the decision:
- Is necessary for entering into, or performance of, a contract between you and us
- Is authorized by EU or member state law to which we are subject, which also lays down suitable measures to safeguard your rights, freedoms, and legitimate interests
- Is based on your explicit consent
Our AI-powered song generation constitutes automated processing but does not produce legal effects or similarly significantly affect you within the meaning of Article 22. The AI processing is used solely for creative content generation at your request. We do not use automated decision-making for purposes such as credit scoring, employment decisions, or other determinations that could produce legal or similarly significant effects. However, if you have any concerns about automated processing in connection with the Service, please contact us and we will review your specific situation.
5.8 Right to Lodge a Complaint with a Supervisory Authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, your place of work, or the place of the alleged infringement, if you consider that the processing of your personal data infringes the GDPR. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint, including the possibility of a judicial remedy pursuant to Article 78.
While we encourage you to contact us first so we can address your concerns directly, you always have the right to approach the relevant supervisory authority. A list of EU data protection authorities can be found on the European Data Protection Board website at https://edpb.europa.eu.
5.9 Right to an Effective Judicial Remedy
Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority, you have the right to an effective judicial remedy where you consider that your rights under the GDPR have been infringed as a result of the processing of your personal data in non-compliance with the GDPR.
6. Exercising Your Rights
To exercise any of the rights described above, please submit your request to our data protection team using the following contact information:
Email: support@loveverse.cc
Subject Line: GDPR Request - [Your Right] (e.g., "GDPR Request - Right of Access")
Website: https://loveverse.cc
6.1 Response Timeline
We will respond to your request in accordance with the following timelines:
- Acknowledgment: Within 3 business days of receiving your request
- Standard Requests: Within 30 calendar days of receiving your request
- Complex or Numerous Requests: We may extend the response period by up to an additional 60 calendar days (90 days total), in which case we will inform you of the extension and the reasons for it within the initial 30-day period
6.2 Identity Verification
To protect your privacy and security, we may need to verify your identity before processing your request. We may ask you to provide information that allows us to reasonably verify that you are the person about whom we collected personal data or an authorized representative. The verification steps may include confirming your email address, account details, or providing additional identification documentation. We will not use personal data collected for verification purposes for any other purpose.
6.3 No Fee Usually Required
You will not have to pay a fee to exercise any of your GDPR rights. However, if your request is clearly unfounded, repetitive, or excessive, we may charge a reasonable fee based on administrative costs, or refuse to comply with the request. If we decide to charge a fee or refuse to act on your request, we will notify you and explain our reasons.
6.4 Third-Party Requests
If you are submitting a request on behalf of another data subject (as an authorized agent or representative), we will require written authorization from the data subject confirming that you are authorized to act on their behalf, along with verification of both your identity and the identity of the data subject.
7. International Data Transfers
As Foundational Creations is registered in India, your personal data is transferred to and processed in India and potentially other countries outside the EU/EEA that may not provide the same level of data protection as your country of residence. We ensure that all international transfers of personal data are made in compliance with the GDPR, using appropriate safeguards to protect your personal data.
7.1 Transfer Mechanisms
We rely on the following mechanisms to ensure lawful international transfers of personal data:
- Standard Contractual Clauses (SCCs): We use the EU Commission-approved Standard Contractual Clauses (adopted pursuant to Commission Implementing Decision (EU) 2021/914) with our service providers and sub-processors located outside the EU/EEA. These clauses provide contractual guarantees that personal data will be protected to the standard required by EU law.
- Data Processing Agreements (DPAs): We have entered into comprehensive Data Processing Agreements compliant with Article 28 of the GDPR with all processors and sub-processors that handle personal data on our behalf. These agreements specify the subject matter, duration, nature, and purpose of processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller.
- Supplementary Measures: In addition to SCCs and DPAs, we implement supplementary technical, organizational, and contractual measures as recommended by the European Data Protection Board (EDPB) to ensure that the level of protection guaranteed by the GDPR is not undermined by the transfer to a third country.
- Transfer Impact Assessments (TIAs): We conduct Transfer Impact Assessments for all international transfers to evaluate the laws and practices of the recipient country and determine whether supplementary measures are necessary to ensure an essentially equivalent level of protection.
7.2 Third-Country Recipients
Your personal data may be transferred to the following countries and service providers:
- United States: OpenAI (text generation), Anthropic (text generation), ElevenLabs (vocal synthesis), Cloudflare (CDN and R2 storage) - with SCCs and supplementary technical measures including encryption
- India: Foundational Creations (data controller), Razorpay (payment processing) - with DPAs in place
- Multiple Locations: Google Cloud Platform (cloud infrastructure and storage) - with SCCs and Google's GDPR compliance measures
- Countries with EU Adequacy Decisions: We may transfer data to countries that the European Commission has determined provide an adequate level of data protection
7.3 Technical Safeguards for Transfers
All international data transfers are protected by the following technical measures:
- End-to-end encryption using TLS 1.3 for data in transit
- AES-256 encryption for data at rest in all storage systems
- Pseudonymization and anonymization where possible and appropriate
- Access controls and authentication mechanisms at every point of the transfer chain
- Regular security assessments of all international data transfer pathways
8. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required or permitted by applicable law. Our retention periods are determined based on the nature of the data, the purposes of processing, applicable legal requirements, and our legitimate business needs. Below is a detailed overview of our retention periods:
- Account Data (identity, contact, profile): Retained for the duration of your account, plus 30 days after account deletion to allow for backup removal and data integrity processes. After this period, data is permanently and irreversibly deleted.
- Generated Content (songs, lyrics, music, videos): Retained for the duration of your account or as needed to provide the Service. Upon account deletion, generated content is deleted within 30 days.
- Story Content and User Inputs: Processed in real-time for song generation purposes. Raw story content is not permanently stored after the generation process is complete. Generated outputs are retained as described above.
- Transaction and Payment Data: Retained for 7 years as required by applicable Indian tax and financial regulations, or as otherwise required by law. Limited payment details are held by Razorpay under their own retention policies.
- Analytics and Usage Data: Identifiable usage data is retained for up to 26 months. Aggregated and anonymized analytics data that cannot be linked back to individual data subjects may be retained indefinitely for statistical purposes.
- Communication Data: Support correspondence is retained for up to 3 years after your last interaction for quality assurance, training, and dispute resolution purposes.
- Cookie Data: Varies by cookie type; see our Cookie Policy for specific retention periods for each cookie category.
- Legal and Compliance Records: Retained as required by applicable law, which may be up to 10 years depending on the nature of the record and the applicable legal requirement.
Upon expiration of the applicable retention period, personal data is securely deleted or anonymized using industry-standard methods. Where anonymization is used, the resulting data cannot be linked back to any identified or identifiable natural person and is therefore no longer considered personal data under the GDPR.
9. Data Protection Measures
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by Article 32 of the GDPR. These measures are designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.
9.1 Technical Measures
- TLS 1.3 encryption for all data in transit between clients, servers, and third-party services
- AES-256 encryption for all data at rest across our storage systems, including Google Cloud and Cloudflare R2
- Regular security assessments, vulnerability scanning, and penetration testing conducted by qualified security professionals
- Intrusion detection and prevention systems (IDS/IPS) with real-time monitoring and alerting
- Secure software development lifecycle (SSDLC) following OWASP guidelines and best practices
- Multi-factor authentication (MFA) for all administrative access to systems containing personal data
- Network segmentation and firewalls to isolate systems containing personal data
- Automated backup systems with encrypted backup storage and regular restoration testing
- Rate limiting, DDoS protection, and bot mitigation through Cloudflare
- Database encryption, parameterized queries, and input validation to prevent injection attacks
9.2 Organizational Measures
- Data protection awareness training for all team members with access to personal data
- Strict access control policies based on the principle of least privilege, ensuring that personnel only have access to personal data necessary for their specific role
- Documented incident response procedures with defined roles, responsibilities, and escalation paths
- Comprehensive vendor due diligence and ongoing management processes for all processors and sub-processors
- Regular review and updating of data protection policies, procedures, and practices
- Confidentiality agreements and data protection clauses in employment contracts for all personnel
- Regular audits of data processing activities and access logs
- Data minimization practices ensuring that we collect and process only the personal data strictly necessary for each specific purpose
- Privacy by design and privacy by default principles integrated into product development and system design processes
10. Data Breach Notification
We have implemented comprehensive procedures for detecting, reporting, and investigating personal data breaches in compliance with Articles 33 and 34 of the GDPR.
10.1 Notification to Supervisory Authorities
In the event of a personal data breach, we will notify the relevant supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of the breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where notification is not made within 72 hours, it shall be accompanied by reasons for the delay. The notification shall include:
- A description of the nature of the personal data breach, including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned
- The name and contact details of our data protection team
- A description of the likely consequences of the personal data breach
- A description of the measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects
10.2 Notification to Data Subjects
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, we shall communicate the personal data breach to the affected data subjects without undue delay. The communication shall describe in clear and plain language the nature of the personal data breach and contain at least the information required by Article 34 of the GDPR. We will make this communication via email, in-app notification, or other appropriate means to ensure effective communication.
10.3 Internal Breach Documentation
We document all personal data breaches, regardless of whether they meet the threshold for notification, comprising the facts relating to the personal data breach, its effects, and the remedial action taken. This documentation enables supervisory authorities to verify compliance with the GDPR and serves as an internal record for continuous improvement of our security measures.
10.4 Processor Breach Notification
Our Data Processing Agreements require all processors to notify us without undue delay after becoming aware of a personal data breach. This enables us to meet our obligations to supervisory authorities and affected data subjects within the required timeframes.
11. Children's Data
Our Service is not directed at children under 16 years of age in the EU/EEA (or such lower age as may be set by individual member states under Article 8 of the GDPR, but not below 13 years). We do not knowingly collect, process, or store personal data from children under the applicable age threshold without verifiable parental or guardian consent.
We have implemented the following measures to protect children's data:
- Our Terms of Service clearly state the minimum age requirements for using the Service
- Our authentication process through Google Sign-In and Apple Sign-In provides a layer of age verification based on the account holder's profile
- We regularly review our user base and take action if we identify accounts that may belong to individuals below the minimum age threshold
- If we become aware that we have collected personal data from a child below the applicable age threshold without proper parental consent, we will take immediate steps to delete that data and terminate the associated account
If you are a parent or guardian and believe that your child has provided us with personal data without your consent, please contact us immediately at support@loveverse.cc so that we can take appropriate action. We will make reasonable efforts to delete such data from our systems within a reasonable timeframe.
12. Data Protection Impact Assessments (DPIAs)
In accordance with Article 35 of the GDPR, we conduct Data Protection Impact Assessments for processing operations that are likely to result in a high risk to the rights and freedoms of natural persons, taking into account the nature, scope, context, and purposes of the processing.
12.1 When We Conduct DPIAs
We carry out DPIAs in the following circumstances:
- Before implementing any new processing activity that involves a systematic and extensive evaluation of personal aspects relating to natural persons, based on automated processing, including profiling
- Before processing special categories of data on a large scale
- Before systematic monitoring of publicly accessible areas on a large scale
- When introducing new AI models or significantly changing existing AI processing systems
- When implementing new data processing technologies or approaches
- When making significant changes to how we share data with third-party processors
- When processing activities appear on the relevant supervisory authority's list of processing operations requiring a DPIA
12.2 DPIA Process
Our DPIA process includes:
- A systematic description of the envisaged processing operations, the purposes of processing, and the legitimate interests pursued by the controller
- An assessment of the necessity and proportionality of the processing operations in relation to the purposes
- An assessment of the risks to the rights and freedoms of data subjects
- The measures envisaged to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data and demonstrate compliance with the GDPR
12.3 AI Processing DPIAs
Given that our Service relies heavily on AI processing through third-party services (OpenAI, Anthropic, ElevenLabs), we have conducted specific DPIAs for these processing activities. These assessments evaluate the risks associated with transmitting user content to AI processors, the safeguards in place to protect personal data during AI processing, and the measures taken to ensure that AI-generated outputs do not inadvertently expose personal data. We regularly review and update these DPIAs as our AI processing activities evolve.
13. Records of Processing Activities
We maintain comprehensive records of all processing activities carried out under our responsibility, as required by Article 30 of the GDPR. These records are maintained in writing (including electronic form) and are made available to the relevant supervisory authority upon request.
13.1 Controller Records
Our records of processing activities include the following information:
- The name and contact details of the controller (Foundational Creations) and our data protection team
- The purposes of each processing activity
- A description of the categories of data subjects and the categories of personal data processed
- The categories of recipients to whom the personal data has been or will be disclosed, including recipients in third countries or international organizations
- Details of transfers of personal data to a third country or international organization, including the identification of the third country or international organization and the documentation of suitable safeguards
- Where possible, the envisaged time limits for erasure of the different categories of data
- Where possible, a general description of the technical and organizational security measures referred to in Article 32(1)
13.2 Processor Records
Where we act as a processor (if applicable), we maintain records containing the name and contact details of each controller on behalf of which we act, the categories of processing carried out on behalf of each controller, details of transfers to third countries, and a general description of our technical and organizational security measures.
13.3 Regular Review
We review and update our records of processing activities on a regular basis, and whenever there is a material change to our processing operations. This ensures that our records accurately reflect our current data processing practices and support our ongoing compliance with the GDPR.
14. Data Processors and Sub-Processors
We engage various third-party service providers ("Processors") to process personal data on our behalf. All Processors are bound by Data Processing Agreements that comply with Article 28 of the GDPR and include obligations regarding data protection, security, confidentiality, and cooperation with our compliance efforts.
14.1 List of Key Processors
- Google Cloud Platform: Cloud infrastructure, hosting, computing, and storage services. Processes account data, generated content, and usage data. Location: Multiple global data centers.
- Cloudflare (including R2 Storage): Content delivery network (CDN), DDoS protection, edge computing, and object storage for media files. Processes technical data and generated content. Location: Global edge network.
- OpenAI: AI text generation for creating lyrics, stories, and text-based content. Processes story content and user inputs. Location: United States.
- Anthropic: AI text generation for creating lyrics, stories, and text-based content. Processes story content and user inputs. Location: United States.
- ElevenLabs: AI vocal synthesis for generating singing and spoken vocals. Processes generated lyrics and voice parameters. Location: United States.
- Razorpay: Payment processing for web-based transactions. Processes transaction data and limited payment information. Location: India.
- Google (Authentication): Google Sign-In for user authentication. Processes identity and contact data. Location: United States/Global.
- Apple (Authentication): Apple Sign-In for user authentication. Processes identity and contact data. Location: United States/Global.
- Pexels: Stock photography provider for background images used in the Service. Limited or no personal data processing. Location: Global.
14.2 Sub-Processor Management
We maintain an up-to-date list of sub-processors and will inform data subjects of any intended changes concerning the addition or replacement of sub-processors, giving data subjects the opportunity to object to such changes. We conduct due diligence on all sub-processors before engagement and monitor their compliance on an ongoing basis.
15. Privacy by Design and by Default
In accordance with Article 25 of the GDPR, we implement data protection by design and by default throughout our product development and service delivery processes.
15.1 Privacy by Design
We integrate data protection considerations into every stage of our product development lifecycle, including:
- Conducting privacy reviews during the design phase of new features and systems
- Implementing data minimization principles, ensuring that we only collect and process the minimum amount of personal data necessary for each specific purpose
- Building security controls and privacy safeguards into the architecture of our systems from the ground up, rather than adding them as an afterthought
- Considering the privacy implications of all technology choices, including the selection of third-party services and AI models
- Regularly reviewing and updating our privacy engineering practices in light of evolving technologies and regulatory requirements
15.2 Privacy by Default
We ensure that, by default, only personal data which is necessary for each specific purpose is processed. This applies to the amount of personal data collected, the extent of their processing, the period of their storage, and their accessibility. Specifically:
- Default privacy settings are configured to the most privacy-protective option
- Marketing communications are opt-in, not opt-out
- Non-essential cookies are not placed until the user provides explicit consent
- Personal data is not made publicly accessible by default without an affirmative action from the data subject
- Data sharing with third parties is limited to what is strictly necessary for service provision
16. Cookies and Tracking Technologies
We use cookies and similar tracking technologies on our website and Service. For comprehensive information about the cookies we use, their purposes, retention periods, and how to manage your cookie preferences, please refer to our dedicated Cookie Policy.
Under the GDPR, non-essential cookies require your explicit consent before being placed on your device. We use a cookie consent banner that allows you to accept or reject different categories of cookies. Essential cookies that are strictly necessary for the operation of the Service do not require consent but are disclosed in our Cookie Policy for transparency.
17. Changes to This GDPR Information
We may update this GDPR Compliance page from time to time to reflect changes in our data processing practices, applicable laws, or regulatory guidance. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page
- Post the updated document on our website
- Send an email notification to affected data subjects for significant changes that impact their rights
- Where required, obtain fresh consent for any new processing activities that rely on consent as their legal basis
We encourage you to review this page periodically to stay informed about how we protect your personal data and comply with the GDPR. Your continued use of the Service after changes are posted constitutes your acknowledgment of the updated practices, though it does not constitute consent where consent is required as a separate legal basis.
18. Contact Information
For all GDPR-related inquiries, requests to exercise your data subject rights, or concerns about our data protection practices, please contact us:
Foundational Creations
Registered in India
Data Protection Email: support@loveverse.cc
General Inquiries: hello@loveverse.cc
Website: https://loveverse.cc
We are committed to working with you and, where applicable, relevant supervisory authorities to resolve any concerns about our data protection practices. We aim to respond to all GDPR-related inquiries within 30 calendar days and will keep you informed of the progress and outcome of your request.
If you are not satisfied with our response, you have the right to lodge a complaint with a data protection supervisory authority in the EU member state where you habitually reside, where you work, or where the alleged infringement took place.