amma
App

Privacy Policy — AMMA Music

Last updated: 1 May 2026

Operator: Intallaga Tech and its owner (together, “we,” “us,” “our”).

Not legal advice: This Policy explains how we aim to handle information in connection with AMMA Music. It is not legal advice. Privacy obligations depend on your users’ locations (e.g. GDPR, UK GDPR, CPRA). Have counsel review entity details, lawful bases, DPA wording, subprocessors list, international transfers (SCCs), and minors’ policies.

1. Scope

This Privacy Policy describes how we collect, use, disclose, and retain personal information when you use our websites, applications, and backend services (“AMMA Music,” “Services”).

Some features use external systems that produce audio or related assets. Those external systems impose their own privacy notices; we do not control their practices.

2. Categories of information we may collect

Depending on how you use the Services, we may collect:

(a) Account and authentication data. Name, username, email, password hashes, session identifiers, OAuth subject identifiers (if used), billing customer IDs (via payment processors).

(b) User content. Prompts, lyrics, titles, uploads, waveform or audio files you store with us, cover art, publishing metadata (e.g. visibility flags, disclosures), posts or comments where applicable.

(c) Generation configuration. We may store which generation options you selected, prompt routing configuration, and related metadata needed to create and troubleshoot songs.

(d) Usage, device, and integrity data. Log data, IP address, coarse location from IP, user agent, timestamps, diagnostic events, feature usage, approximate performance metrics, account status, block status, and moderation signals.

(e) Payment data for our fees. Song-credit purchases are typically processed by a PCI-DSS-aligned processor (for example Stripe); we generally receive tokens and payment status rather than full card numbers.

(f) Support and integrity. Messages you send to support, fraud signals, reports, admin review notes, moderation notices, removed or restored content status, blocked accounts, blocked email or IP records, and related records tied to lawful enforcement of our Terms.

We generally do not request government ID or precise geolocation for core features unless you voluntarily provide them during KYC for payouts (if launched later).

3. How we use information

We process personal information to:

  • Provide, operate, secure, troubleshoot, and improve the Services

  • Authenticate accounts and prevent fraud or abuse

  • Host, synchronize, transcoding, CDN delivery, backups, caching

  • Moderate compliance with Terms (including copyright/IP reports)

  • Review reports, investigate abuse, remove or restore comments and posts, dismiss groups, block or unblock accounts, email addresses, IP addresses, or other access points, and notify affected users

  • Bill song-credit purchases owed to Intallaga Tech (credit-pack revenue from users is retained solely by Intallaga Tech and its owner, subject only to applicable taxes and payment-processor fees—not distributed to other users as royalties)

  • If deployed: calculate and settle participant shares pursuant to MonetizationTerms / checkout disclosures

  • Comply with law, lawful requests, and enforce contracts

  • Analyze aggregated or de-identified analytics where permitted

4. Legal bases (GDPR / UK illustrative)

Depending on context:

BasisTypical use
ContractProvide Services you request; deliver paid plans
Legitimate interestsSecurity, anti-abuse, product improvement analytics, notifying you about material incidents
ConsentOptional marketing emails, strictly necessary cookies banners where required
Legal obligationTax invoicing retention, lawful court orders

You may withdraw consent for non-essential communications where withdrawal does not undermine contract performance.

5. Sharing and subprocessors

We may disclose information to:

  • Infrastructure providers (cloud hosting, database, CDN, observability — e.g. AWS/Azure/GCP — list exact subprocessors in an annex after counsel signing DPAs).

  • Payment processors.

  • Email / transactional messaging vendors.

  • Analytics (privacy-configured).

  • Music Generation Providers, only as strictly necessary to route requests when you supplied credentials, or when we orchestrate integrations on your behalf under product design — limited to payloads required for inference and billing attribution.

We do not sell personal information as “sale” defined in U.S. state laws, except where we disclose to payment processors, integrations you enable, or under merger disclosures as customary — update this sentence per counsel for CPRA “share/sell” definitions.

International transfers outside your country use appropriate safeguards (e.g., Standard Contractual Clauses) where required — implement explicitly.

6. AI / automated moderation

Moderation MAY use statistical models before human review outputs are surfaced. Automated decisions MAY affect availability of publish or monetization. European users — provide meaningful human review avenue where required Art 22 GDPR thresholds are met (counsel determines).

7. Retention

  • Account data: life of account + short post-deletion window for restore.

  • Your Content: until you delete, or statutory hold; backups may linger encrypted typically ≤ 90 days (tune realistically).

  • Logs/security: rotating windows (e.g., 30–365 days tiered).

  • Billing/tax logs: statutory periods (often 7–10 years jurisdiction-dependent).

8. Security

We implement commercially reasonable technical and organizational safeguards (encryption in transit, e.g. TLS 1.2 or higher; access controls; least-privilege segmentation). No system is flawless — breaches will be communicated per law.

9. Your rights

Subject to verifying identity and exemptions:

  • Access, rectification, deletion

  • Restrict or object processing (where applicable)

  • Portability (structured machine-readable subset)

  • Withdraw marketing consent

  • lodge complaint with supervisory authority

Respond within statutory timelines.

10. Children’s privacy

AMMA Music is not directed to children under the minimum age required by applicable law. In Australia, children under 13 may not use the Services. Other places may require a higher age or parental consent, and that local rule controls. We do not knowingly collect minors’ personal data improperly. If we learn that an account violates applicable age restrictions, we may delete, block, or restrict it without notice where needed to protect the child, comply with law, or protect the Services. Parents or guardians may contact us at hi@intallaga.com for removal requests.

11. California residents (supplement sketch)

Residents of CA may include rights to know/access/delete/opt-out limited sale-share (CPRA-era nuances). Identify whether you Honor GPC browsers. Provide financial incentive disclosures if differential pricing exists.

12. Cookies

We classify cookies into Necessary, Functional, and Analytics where applicable. Where required by law, we seek appropriate consent before using non-essential cookies.

13. Changes

We revise this Policy materially by posting update + notifying where needed. The latest policy text is hosted at: https://www.amma.live/legal/privacy. Earlier dated versions may be requested from hi@intallaga.com.

14. Contact

Privacy requests: hi@intallaga.com