Privacy Policy
Effective date: 9 April 2026
Responsible party (Verantwortlicher): Sofilab GmbH, Akademiestr. 3, 80799 Munich, Germany
Commercial register: HRB233361, Munich District Court
Represented by: Mathis Nitschke
Contact: hello@corpus.music
1. Overview
This Privacy Policy explains how we collect, use, and protect personal data when you use the CORPUS platform at https://app.corpus.music (“Platform”). We process personal data in accordance with the EU General Data Protection Regulation (GDPR/DSGVO) and the German Federal Data Protection Act (BDSG).
2. What Data We Collect
2.1 Account data
When you create an account, we collect:
- First name, last name
- Email address
- Password (stored only in hashed form)
If you register via Google or Apple login, we receive your name and email address from the respective provider. We do not receive or store your Google or Apple password.
2.2 Profile data (optional)
You may choose to provide:
- Display name / artist name
- Profile picture
- Short bio
- Website or social media links
- Collecting society membership and name
2.3 Uploaded content
When you upload music files, we store:
- The audio file itself
- Metadata generated by our analysis systems (e.g., genre, mood, quality assessment, novelty estimation)
- File metadata (upload date, file format, file size)
2.4 Usage and analytics data
We collect usage data through the tools described in Section 5 (Matomo, Sentry). The scope of data collection depends on your consent choices.
3. How We Use Your Data
| Data | Purpose | Legal basis |
|---|---|---|
| Account data (name, email, password) | Account creation and authentication | Art. 6(1)(b) DSGVO — contract performance |
| Profile data | Display on your public profile if you choose to use community features | Art. 6(1)(a) DSGVO — consent (voluntary) |
| Uploaded audio files | Storage and analysis to provide Platform functionality (metadata extraction, quality assessment, novelty estimation) | Art. 6(1)(b) DSGVO — contract performance |
| Compressed audio excerpts sent to Aurismatic | Cover detection — identifying whether an upload reproduces a known copyrighted work | Art. 6(1)(b) DSGVO — contract performance; Art. 6(1)(f) DSGVO — legitimate interest in catalog integrity |
| Email address | Operational notifications (e.g., upload status, account information) | Art. 6(1)(b) DSGVO — contract performance |
| Email address | Newsletter | Art. 6(1)(a) DSGVO — consent; you can unsubscribe at any time |
| Usage data (Matomo) | Understanding how the Platform is used | Art. 6(1)(a) DSGVO — consent |
| Error and performance data (Sentry) | Error monitoring, performance tracing, session replay | Art. 6(1)(a) DSGVO — consent |
4. Who Receives Your Data
4.1 Hosting: Hetzner Online GmbH
All Platform data is stored on servers operated by Hetzner Online GmbH, located in Germany. Hetzner acts as our processor (Auftragsverarbeiter) under Art. 28 DSGVO.
4.2 Cover detection: Aurismatic (Germany)
For cover detection, we transmit audio data to Aurismatic in a heavily compressed form that makes unauthorized use of the music impossible. Aurismatic acts as our processor under Art. 28 DSGVO. Aurismatic uses Google Cloud infrastructure.
4.3 Authentication: Google / Apple
If you register via Google or Apple login, your authentication data is processed by the respective provider under their own privacy policies. We receive only your name and email address.
4.4 Analytics: Matomo (self-hosted)
Matomo runs on our own servers. No data is transmitted to third parties. See Section 5.1.
4.5 Error monitoring and performance: Sentry
Sentry (Functional Software, Inc., USA) processes error, performance, and session replay data on our behalf. Data is sent to Sentry's EU ingestion endpoint (*.ingest.de.sentry.io). The data transfer is governed by EU Standard Contractual Clauses (Art. 46(2)(c) DSGVO).
4.6 Email: EmailJS
Emails like collaboration invitations and bug/issue reports are sent via EmailJS (api.emailjs.com) directly from your browser (client-side). EmailJS processes the recipient email address and message content for delivery. No tracking cookies are set.
4.7 Payment Processing
Payment processing is not currently active. When a payment provider is integrated, payment data will be processed by that provider. Any payment provider iframes may set cookies for fraud detection and session management, treated as strictly necessary for payment processing.
4.8 Real-time features: Supabase
Real-time functionality uses Supabase WebSocket connections (*.supabase.co). No cookies are set (persistSession: false). Supabase acts as a processor for real-time data transmission only.
4.9 No other third-party sharing
We do not sell, rent, or otherwise share your personal data with third parties for their own purposes. We do not use your data for advertising.
5. Cookies and Tracking Technologies
5.1 Strictly necessary cookies (no consent required)
These cookies are essential for the Platform to function. They cannot be disabled.
| Cookie | Purpose |
|---|---|
| corpus_access_token | Authentication |
| corpus_refresh_token | Session continuity |
| corpus_oauth_state | Login security (PKCE) |
| corpus_oauth_verifier | Login security (PKCE) |
| corpus_return_to | Post-login redirect |
Legal basis: §25(2) TDDDG — strictly necessary for the service requested by the user.
5.2 Functional cookies (no consent required)
These cookies store your interface preferences. They contain no personal data and are not transmitted to third parties.
| Cookie | Purpose |
|---|---|
| sidebar_state | Sidebar open/closed |
Legal basis: §25(2) TDDDG — strictly necessary for functionality explicitly requested by the user.
5.3 Analytics and performance (consent required)
These tools are only activated if you consent via the cookie banner.
Matomo (self-hosted)
- Sets first-party cookies (_pk_id.*, _pk_ses.*) for visitor identification and cross-session analysis
- All data stays on our servers — no third-party transfer
- If you decline consent, no Matomo cookies are set
Sentry
- Error monitoring, browser performance tracing, and session replay
- May store identifiers in the browser
- Data sent to Sentry's EU endpoint (*.ingest.de.sentry.io)
5.4 Local storage
The Platform uses browser local storage for:
- corpus-query-cache — offline data caching
- UI state (sidebar, panels, tabs) — layout preferences
Local storage data is not transmitted to any server and remains on your device.
5.5 Cookie consent banner
On your first visit, you will see a cookie consent banner that allows you to accept or decline non-essential cookies:
- Analytics / Performance (Matomo, Sentry)
You can change your consent preferences at any time via the cookie settings.
6. Uploaded Content — Special Provisions
6.1 Uploaded audio files are stored exclusively on our servers at Hetzner in Germany.
6.2 The only exception is cover detection: for this purpose, a heavily compressed version of the audio is transmitted to Aurismatic (see Section 4.2). This compressed form does not allow playback or reproduction of the original recording.
6.3 Visitor uploads are not included in the CORPUS dataset and are not used for AI model training. They are processed solely to provide you with analysis results within the Platform.
6.4 You can delete your uploads at any time via the Platform. Deleted files are removed from our servers within 30 days.
7. Your Rights
Under the DSGVO, you have the following rights:
- Access (Art. 15) — Request information about what personal data we hold about you.
- Rectification (Art. 16) — Request correction of inaccurate data.
- Erasure (Art. 17) — Request deletion of your data, subject to legal retention obligations.
- Restriction of processing (Art. 18) — Request that we restrict processing in certain circumstances.
- Data portability (Art. 20) — Request your data in a structured, machine-readable format.
- Objection (Art. 21) — Object to processing based on legitimate interest at any time.
- Withdrawal of consent (Art. 7(3)) — Withdraw consent at any time (e.g., for newsletter, analytics, session recording) without affecting the lawfulness of prior processing.
To exercise these rights, contact: hello@corpus.music
Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority. The competent authority for Sofilab GmbH is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18, 91522 Ansbach, Germany
https://www.lda.bayern.de
8. Data Retention
| Data | Retention period |
|---|---|
| Account data | Duration of account + 30 days after deletion |
| Profile data | Duration of account + 30 days after deletion |
| Uploaded audio files | Until deleted by User, or 30 days after account deletion |
| Analysis metadata | Same as uploaded audio files |
| Matomo data | Anonymized, retained for up to 26 months |
| Sentry data | Retained for up to 90 days |
Longer retention applies where required by law (e.g., §147 AO, §257 HGB — up to 10 years for tax-relevant records).
9. Data Security
We implement technical and organizational measures to protect your data, including encrypted data transmission (TLS), encrypted storage, access controls, and regular security reviews. Our primary infrastructure is hosted within Germany (Hetzner).
10. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be communicated via the Platform or email. The current version is always available on the Platform.
11. Language
This Privacy Policy is provided in English. A German translation may be made available at a later date. In the event of any discrepancy, the English version shall prevail.