Privacy Policy
Last updated: 21 May 2026 · Effective: 21 May 2026
This Privacy Policy explains how ANNA POLOVNIKOVA PR NOVI SAD("GiveThemChills", "we", "us") collects, uses and protects your personal data when you visit givethemchills.comand use our AI-generated song service (the "Service"). We comply with the EU General Data Protection Regulation (GDPR), the UK GDPR and Data Protection Act 2018, the California Consumer Privacy Act / CPRA, and the Serbian Personal Data Protection Law (ZZPL).
1. Data controller
ANNA POLOVNIKOVA PR NOVI SAD
Registration number (MB): 68295203 · Tax number (PIB): 115346500
Kralja Aleksandra 12, floor 1, apt. 30, 21102 Novi Sad, Serbia
Email: [email protected]
For data-protection matters originating in the EU you may also contact us at the same address; we will respond within 30 days as required by GDPR Art. 12(3).
2. What data we collect
- Account & contact — email address you provide when you start a song or pay; optional display name.
- Song brief — the recipient name, occasion, relationship, style and any free-form details you submit so the AI can generate lyrics and music for you. These may include personal data about a third party (the gift recipient); by submitting them you confirm you have a lawful basis to do so.
- Generated content — the lyrics, audio previews and final tracks produced for your order.
- Payment metadata — order ID, amount, currency, country, payment status. Card and bank-account data are processed by FastSpring (see §4) and never reach our servers.
- Technical — IP address, browser, device fingerprint, language, referrer, error logs. Used for fraud prevention and reliability.
- Cookies / local storage — see our Cookie Policy.
3. Purposes & legal bases
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Generate the song you requested, deliver it, and provide post-purchase support | Performance of a contract — Art. 6(1)(b) |
| Process payments and issue invoices/receipts (via FastSpring as Merchant of Record) | Performance of a contract — Art. 6(1)(b); Legal obligation — Art. 6(1)(c) |
| Prevent abuse, fraud, and service disruption | Legitimate interest — Art. 6(1)(f) |
| Comply with accounting, tax and consumer-protection laws | Legal obligation — Art. 6(1)(c) |
| Send transactional emails (order confirmations, delivery links, refund updates) | Performance of a contract — Art. 6(1)(b) |
| Send marketing emails (only if you opt in) | Consent — Art. 6(1)(a) · You may withdraw consent at any time |
4. Recipients & sub-processors
We share the minimum data necessary with the following processors:
| Processor | Purpose | Location |
|---|---|---|
| Bright Market, LLC d/b/a FastSpring | Merchant of Record — payment processing, tax remittance, invoicing, refunds, chargebacks (global) | Santa Barbara, California, United States |
| Suno, Inc. | AI music generation | United States |
| OpenRouter, Inc. | LLM gateway for lyrics generation | United States |
| Railway Corp. | Application hosting, managed Postgres database, file storage | United States (us-east region) |
| Cloudflare, Inc. | DNS resolution and security | Global edge network |
We do not sell your personal data and we do not disclose it for cross-context behavioral advertising as defined by the CCPA/CPRA.
5. International transfers
Some processors above are located outside the EU/EEA and the UK. Where required we rely on the European Commission's Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum, and we carry out a transfer impact assessment in line with the EDPB Recommendations 01/2020.
6. Retention
- Order records (incl. brief, generated lyrics, audio files): 24 months from delivery, then deleted or anonymized.
- Payment metadata (for accounting): 10 years, as required by Serbian Law on Accounting (Art. 14).
- Server access logs: 90 days.
- Email-marketing consent records: until withdrawn, plus 3 years for proof of consent.
7. Your rights
Subject to the conditions in applicable law, you have the right to:
- Access a copy of your personal data (GDPR Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase your data ("right to be forgotten", Art. 17)
- Restrict processing (Art. 18)
- Portability — receive your data in a machine-readable format (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
- Withdraw consent at any time without affecting prior lawful processing
- Lodge a complaint with your supervisory authority. In Serbia, this is the Commissioner for Information of Public Importance and Personal Data Protection (poverenik.rs).
To exercise any right, email [email protected]. We respond within 30 days (extendable by 60 days for complex requests, per GDPR Art. 12(3)).
8. California residents (CCPA / CPRA)
If you reside in California you also have the right to:
- Know what categories of personal information we collect and the purposes
- Request a copy or deletion of your personal information
- Correct inaccurate information
- Opt out of any "sale" or "sharing" of personal information (we do neither)
- Limit use of sensitive personal information (we do not use sensitive PI for any secondary purpose)
- Non-discrimination for exercising any of the above
You may submit requests via [email protected]. We verify identity using the email associated with your order. Authorized agents must provide written permission and proof of identity.
9. Children
The Service is not directed to children. We do not knowingly collect personal data from anyone under 16 (or under 13 in the United States, per COPPA). If you believe a child has provided us their data, contact us and we will delete it.
10. Security
We use HTTPS/TLS for all traffic, encrypted Postgres-managed storage, scoped API tokens for sub-processors, and least-privilege access controls. No system is perfectly secure; if a breach affects you, we will notify you and the relevant authority within 72 hours as required by GDPR Art. 33–34.
11. AI processing & automated decisions
Your brief is sent to large language models and music-generation models (see §4) to produce your song. No legal or similarly significant decision about you is made by these models — they only generate creative output you have ordered. You always have a human contact (us) for any concern.
12. Changes
We may update this Policy. Material changes are announced at least 14 days before they take effect via email (for active customers) and a notice at the top of this page.
13. Contact
Questions, requests, complaints: [email protected]