Privacy Policy — MelodyCrafters

This Privacy Policy explains how Kirusa Inc. (“Kirusa,” “we,” “us,” or “our”), a U.S. corporation, collects, uses, shares, and protects personal information when you visit or use https://melodycrafters.com/ (the “Site”) and when you place a paid request for a custom song and/or video (the “Services”). We are committed to complying with global data protection laws, including the GDPR (EU/EEA), DPDP Act, 2023 (India), CCPA/CPRA (California), and applicable African data protection laws (e.g., Senegal Law No. 2008-12; Ghana Data Protection Act, 2012; Burkina Faso Law No. 010-2004/AN; Côte d’Ivoire Law No. 2013-450), as well as other relevant local laws in Mali, Togo, Malawi, Zambia, Lesotho, Eswatini, and Benin. By visiting the Site or using the Services, you consent to the collection, use, disclosure, processing, and storage of your information as described in this Policy or as otherwise required or permitted by applicable law. 1. What Data We Collect Depending on how you use the Site and Services, we may collect: ● Device & Usage Data. Device type, browser, operating system, IP address, general location (derived from IP), pages viewed, time on page, referring/exit pages, clickstream, and interactions with the Site. We may collect this via cookies, web beacons, pixels, and analytics tools (e.g., Google Analytics, Microsoft Clarity). ● Account Data. Name, email address, password, phone number (optional), and—if you act for an organisation—company name and role. ● Order & Billing Data. Purchase details, billing address, and limited payment metadata required by our payment processor(s). We do not store full payment card numbers; payments are handled by compliant third-party processors (e.g., Razorpay in supported regions, or other region-appropriate gateways). ● Identity Verification Data (enterprise/corporate only). Government ID (e.g., passport, driver’s license) or business documents (e.g., tax ID, incorporation certificate, VAT, PAN (India), EIN (USA)) to verify identity, prevent fraud, and meet AML/KYC and sanctions screening requirements. ● User Content (your creative inputs). Stories, prompts, reference materials, voice samples/recordings, images, and other materials you submit so we can craft your custom song and/or video. We do not directly view or access User Content except as reasonably necessary to provide the Services, ensure safety/compliance, or meet legal obligations. ● Communications. Messages you send to us (e.g., support requests, feedback), and our communications with you (e.g., delivery emails, service notices). Links on our Site may take you to third-party websites. Their privacy practices are their own; please review their policies. 2. How We Collect Data We collect data through various methods: ● Directly from you. When you create an account, place an order, submit User Content, complete verification, or contact support. ● Automatically. When you browse or interact with the Site, we use cookies, pixels, and analytics to collect Device & Usage Data. ● From service providers. For example, payment status from payment processors, basic analytics from measurement partners. ● Compliance checks (enterprise/corporate only). Identity and document verification for AML/KYC, sanctions screening, and fraud prevention. 3. How We Use Data We use your information to: ● Provide the Services. Process User Content to craft your custom song/video and deliver up to four (4) iterations per purchase. ● Process Orders. Handle one-time payments, send confirmations/receipts, and manage invoices and taxes. ● Verify Identity (as applicable). Authenticate enterprise/corporate users and comply with AML/KYC and sanctions screening requirements (e.g., ECOWAS rules, U.S. Patriot Act, India’s PMLA/KYC norms). ● Communicate. Send service messages (order status, delivery, policy updates) and respond to your inquiries. Where required, notices may be provided in English or French (e.g., Senegal, Côte d’Ivoire, Mali, Benin, Togo). ● Safety & Compliance. Monitor for and prevent harmful or illegal content (e.g., terrorism, hate speech, child exploitation) and comply with legal requests under applicable laws (e.g., GDPR Art. 6, DPDP Act Sec. 8, African frameworks). ● Improve & Secure the Site. Use de-identified or aggregated information to troubleshoot, analyse performance, improve features, and enhance security. ● Marketing (optional). Provide offers or updates. Where required, we obtain consent or provide a clear opt-out (e.g., GDPR Art. 21; DPDP Act Sec. 7). Model training. We do not use your User Content to train our models without your explicit opt-in. De-identified or aggregated insights may be used to improve operations and security, but will not identify you. 4. How We Share Data We share information only as needed and with safeguards: ● Service Providers. Payment processors (e.g., Razorpay, where supported), cloud hosting, analytics, verification, and customer support partners. Contracts bind them and must protect your data and act only on our instructions, consistent with GDPR Art. 28, DPDP Act obligations, and relevant African laws. ● Legal & Safety. To courts, regulators, law enforcement, or other authorities when required by law or to protect rights, safety, and security (e.g., GDPR Art. 6(1)(c); DPDP Act Sec. 8; Côte d’Ivoire 2013-450; Senegal 2008-12). ● Business Transfers. If we undergo a reorganisation, merger, sale, or similar event, your data may be transferred subject to confidentiality and applicable law. We do not sell personal data. We also do not “share” personal data for cross-context behavioural advertising within the meaning of California law unless you have consented or such sharing is permitted by law and you have not opted out. We do not train models on your User Content without your opt-in. 5. Behavioural Advertising & Analytics We may use Device & Usage Data to tailor content and measure performance. You can opt out of interest-based advertising via: ● Network Advertising Initiative: http://www.networkadvertising.org/understanding-online-advertising/how-does-it-work ● Digital Advertising Alliance: http://optout.aboutads.info/ ● Google Ads: https://www.google.com/settings/ads/anonymous ● Facebook: https://www.facebook.com/settings/?tab=ads Opting out does not stop all ads, only targeted ones. For Google's privacy practices, see https://www.google.com/policies/privacy/. To opt out of Google Analytics, visit https://tools.google.com/dlpage/gaoptout. 6. Cookies & Similar Technologies We use cookies, pixels, and similar tools to operate the Site, remember preferences, analyse traffic, and support security. You can manage cookies through your browser settings and (where provided) our cookie controls. If you block cookies, parts of the Site may not work correctly. 7. “Do Not Track” We currently do not change our data collection practices in response to browser “Do Not Track” signals. We do honour advertising opt-outs as described above and comply with applicable consent and objection rights under GDPR, DPDP Act, CCPA/CPRA, and relevant African laws. 8. Government ID & Enterprise Verification For enterprise/corporate transactions in Relevant Jurisdictions (e.g., Senegal, DRC, Ghana, Mali, Burkina Faso, Togo, Malawi, Zambia, Lesotho, Eswatini, Côte d’Ivoire, Benin, India, USA), we may collect and process government-issued ID and business documents solely to: ● Prevent fraud and verify identity; ● Meet AML/KYC and sanctions screening requirements (e.g., U.S. Patriot Act, India’s PMLA/KYC norms, ECOWAS AML frameworks, African financial crime laws such as Ghana’s Anti-Money Laundering Act, 2008); and ● Respond to lawful requests from authorities, consistent with GDPR Art. 6(1)(c), DPDP Act Sec. 8, and local laws (e.g., Senegal 2008-12). Verification data is encrypted, access-controlled, and retained only as long as necessary for verification or legal obligations, then deleted or archived in accordance with applicable laws. 9. Your Privacy Rights Your rights vary by region, but may include: ● Access. Ask for a copy of the personal data we hold about you. ● Correction. Ask us to fix inaccurate or incomplete data. ● Deletion. Ask us to delete your data, subject to legal retention obligations (e.g., AML/tax). ● Restriction. Ask us to limit specific processing (including withdrawing consent for SPDI where applicable). ● Objection. Object to processing for particular purposes (e.g., direct marketing). ● Portability. Receive your data in a structured, machine-readable format where technically feasible. EU/EEA/UK: GDPR Arts. 15–22. India: DPDP Act (notably Sections 6–11). Africa: e.g., Ghana DPA 2012 (Secs. 28–35); Senegal 2008-12; Côte d’Ivoire 2013-450. California: CCPA/CPRA (Cal. Civ. Code §1798.100 et seq.). To exercise your rights, email support-melodycrafts@kirusa.com. We may need to verify your identity before acting on your request and may deny requests where an exemption applies (we’ll explain why, if so). 10. Data Retention We keep personal data only as long as necessary for the purposes described here or as required by law: ● Orders & Billing: kept to meet tax, accounting, and AML/KYC obligations (for example, certain jurisdictions require 5–7 years). ● User Content & Deliverables: kept for the life of your account and to provide the Services (e.g., delivery and up to four (4) iterations), unless you request deletion and we have no legal reason to retain it. ● Verification Data: retained only for the period required to verify or comply with law and then securely deleted or archived. When data is no longer needed, we delete it or irreversibly de-identify it. 11. Account & Data Deletion To delete your account or request deletion of specific data, email support-melodycrafts@kirusa.com. We typically begin processing within 14 days. If you do not cancel your request within that window, we aim to complete deletion within 30 days, subject to lawful retention needs (e.g., AML/tax). This aligns with GDPR “right to erasure” (Art. 17), the DPDP Act, and applicable African laws. 12. Security We use industry-standard technical and organisational measures (encryption in transit/at rest where appropriate, secure cloud infrastructure, access controls, logging, least-privilege access) consistent with GDPR Art. 32, the DPDP Act, and relevant African laws. No system is perfect; connectivity and infrastructure constraints in some regions may affect security or availability. Please keep your credentials secure and maintain backups of your User Content and deliverables. If a security incident materially affects your data, we will notify you and/or regulators as required by law and guide you on steps you can take. 13. International Transfers We may process data in the United States and in other cloud regions (e.g., EU or Africa). Where required, we use appropriate safeguards—such as Standard Contractual Clauses (SCCs) or similar mechanisms—to protect personal data transferred across borders (e.g., GDPR Art. 46; DPDP Act Sec. 16; Senegal cross-border rules under Law No. 2008-12). By using the Site, you consent to these transfers subject to such safeguards. 14. Children’s Privacy The Site is intended for adults (18+) and is not directed to children under 13. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 13 (or under the age of consent in your country), we will delete it promptly. 15. Changes to This Policy We may update this Policy to reflect changes in our practices or the law. The “Last Updated” date shows the latest version. Material changes will be announced by email or Site notice where legally required. The use of information is governed by the Policy in effect at the time we collected it, unless the law requires otherwise. 16. Contact Us Email: support-melodycrafts@kirusa.com Address: Kirusa Inc., 85 Swenson Circle, Berkeley Heights, NJ 07922, USA Please include a detailed description of your question or complaint. We aim to acknowledge and address grievances within two working days or within the timeframe required by applicable law. If you are not satisfied, you may contact your local data protection authority (e.g., CNIL (France), ICO (UK), Senegal’s CDP, Ghana’s Data Protection Commission, or the competent authority in India under the DPDP Act once established). Notes ● We intentionally do not name specific creative tools used to generate songs/videos. ● We align with the Terms of Service: no model training on your User Content without opt-in and full commercial rights in your Generated Content, subject to others’ rights and the law.