Who We Are

Cue ("Cue", "we", "us", "our") is an AI-powered music production assistant operated as a sole proprietorship based in Sweden. Cue is accessible at startcue.io and related subdomains.

For GDPR purposes, Cue acts as the data controller for the personal data described in this policy.

Contact: For all privacy-related inquiries, reach us at legal@startcue.io.

What Data We Collect

We collect data in two ways: data you provide directly, and data collected automatically when you use the service. The amount of data we hold depends on whether you use Cue anonymously or create an account.

2.1 Data You Provide

• Session context: Genre, DAW, BPM, and musical key, entered voluntarily through the context controls. Stored locally in your browser (localStorage) and, if you are signed in, included in the saved session record.
• Chat messages: The text of your questions and the AI-generated responses. For anonymous users these are processed in real time and not stored on our servers. For signed-in users, the full conversation is saved to your account (see Section 2.5).
• Email address: If you choose to create an account, you provide an email address. This is used solely to authenticate you via a one-time passcode (OTP) and to bind your saved sessions to your identity. We do not send marketing email to this address without separate consent.

2.2 Data Collected Automatically

When you consent to analytics, we collect the following through PostHog:

Event	What it captures	Purpose
session_start	Session number, session ID, timestamp	Retention measurement
session_end	Session duration (seconds), message count	Engagement measurement
message_sent	Genre, DAW, BPM, key, message count, types of visualizations generated	Understanding usage patterns
visualizer_rendered	Visualizer type (EQ, Compressor, Reverb, etc.)	Feature usage analysis
feedback_given	Thumbs up or down on a response	Response quality measurement
landing_view	Page path, referrer (no personal data)	Traffic source measurement
cta_clicked	Destination path, CTA label (no personal data)	Conversion measurement
email_gate_shown / email_submitted / otp_verified / otp_failed	Step reached in sign-in flow (no email address captured in the event)	Sign-in funnel measurement
daily_limit_hit	Whether a user reached their daily message limit	Capacity planning
account_deleted / session_deleted	Whether a user exercised self-service deletion	Compliance and product quality

All analytics events are tied to a pseudonymous identifier (see Section 2.3). Your email address is never sent as an event property to PostHog.

2.3 Identifiers

We use the following identifiers:

• cueai_uid: a random anonymous UUID generated after you give analytics consent. Never linked to your name or email address. Used only to measure session retention.
• cue_email: your email address, stored in your browser's localStorage after you sign in. Used to restore your sign-in state on return visits. Cleared when you sign out or delete your account.
• cueai_token: an authentication token stored in your browser's localStorage after you sign in. Used to verify your identity when syncing sessions to our servers. Valid for 30 days; cleared on sign-out or account deletion.

2.4 Technical Data

Our hosting provider (Vercel) and analytics platform (PostHog) may process standard web server data including IP addresses and browser information as part of their infrastructure. This processing is governed by their respective privacy policies (see Section 5).

2.5 Account Data (Signed-In Users)

If you create an account, the following additional data is stored on our servers (hosted on Supabase in the EU; see Section 5):

• Email address: Stored as the account identifier in your session records and your daily usage counter.
• Chat sessions: Each conversation is saved to your account, including the session title (automatically derived from your first message), your session context (genre, DAW, BPM, key), and the full message history. This enables you to access your conversations from any device.
• Daily message counter: A per-day count of messages sent (used to enforce the daily usage limit). Contains your email and a count; no message content.

Anonymous users (up to 5 messages, no account) have no server-side data. Their session history is stored only in their own browser's localStorage.

Legal Basis for Processing

We process your data under the following legal bases as defined by GDPR Article 6:

Processing activity	Legal basis
Analytics tracking via PostHog (session events, visualizer usage, etc.)	Consent (Art. 6(1)(a)). You must actively accept analytics before any tracking occurs. You may withdraw consent at any time.
Processing chat messages to generate AI responses	Contract performance (Art. 6(1)(b)). Processing is necessary to provide the service you requested.
Email collection and OTP authentication	Contract performance (Art. 6(1)(b)). Authentication is necessary to create and access an account and to bind your sessions across devices.
Storing chat sessions server-side (signed-in users)	Contract performance (Art. 6(1)(b)). Session persistence across devices is a core feature of the signed-in service.
Daily message usage counter (signed-in users)	Legitimate interest (Art. 6(1)(f)). Necessary to enforce fair-use limits, prevent abuse, and manage API costs. The counter contains only an email and a count, no message content.
Storing session context (genre, DAW, BPM, key) in localStorage	Legitimate interest (Art. 6(1)(f)). Necessary for core functionality and improves usability without meaningful privacy impact.
Hosting and infrastructure (Vercel)	Legitimate interest (Art. 6(1)(f)). Necessary to provide the service.

How We Use Your Data

We use the data collected for the following purposes only:

• Providing the service: Processing your messages through the AI model to generate responses and visualizations
• Account and session management: Authenticating you via email OTP, saving your conversations, and syncing them across devices
• Fair-use enforcement: Counting messages against the daily limit to prevent abuse and manage costs
• Product improvement: Understanding which features are used, which visualizations are most helpful, and whether users return to the product
• Quality measurement: Measuring response quality through feedback events to improve the AI system prompt and output
• Bug detection: Identifying errors and crashes through analytics

We do not use your data for advertising, profiling, sale to third parties, or any purpose beyond operating and improving Cue.

Third-Party Data Processors

Cue uses a small number of trusted third-party services. Each acts as a data processor under GDPR, processing data only on our behalf and under our instructions.

Processor	Purpose	Data shared	Location
Anthropic, Inc.	AI response generation (Claude API)	Your chat messages	United States
Supabase, Inc.	Database storage (chat sessions, authentication, daily usage counter)	Email address, chat session content, daily usage count	European Union (Ireland region)
PostHog, Inc.	Product analytics	Anonymous usage events, pseudonymous ID (cueai_uid)	European Union (PostHog EU cloud)
Vercel, Inc.	Web hosting and CDN	Standard server logs (IP, headers)	United States / Global CDN

For transfers to the United States (Anthropic, Vercel), we rely on Standard Contractual Clauses (SCCs) as the transfer mechanism under GDPR Chapter V. Supabase and PostHog store data in the EU; no third-country transfer mechanism is required for those processors. Links to each processor's privacy documentation:

• Anthropic: anthropic.com/privacy
• Supabase: supabase.com/privacy
• PostHog: posthog.com/privacy
• Vercel: vercel.com/legal/privacy-policy

Data Retention

• Anonymous chat messages: Not stored beyond your active session. Once the session ends, message content is not retained on our servers.
• Signed-in chat sessions: Stored on our servers until you delete them. You can delete individual sessions from your session history, or delete your entire account (which permanently removes all sessions and associated data).
• Daily usage counter: One record per active day per account. Retained until account deletion. No automatic expiry.
• Analytics events: Retained in PostHog for 12 months, after which they are automatically deleted.
• Authentication token (cueai_token): Valid for 30 days from issue. Cleared immediately on sign-out or account deletion.
• Local storage: The anonymous ID, email, context preferences, and cached session list remain in your browser's localStorage until you sign out, delete your account, or clear your browser data.

Your Rights Under GDPR

As a resident of the European Economic Area (EEA) or United Kingdom, you have the following rights:

Right	What it means
Right of access	You can request a copy of the personal data we hold about you (email, chat sessions, usage records).
Right to rectification	You can ask us to correct inaccurate data.
Right to erasure	You can delete your data at any time. Self-service: use "Delete account" in the app to permanently remove all your chat sessions and usage records. Individual sessions can also be deleted from your session history. By email: contact legal@startcue.io for full erasure including PostHog analytics events.
Right to restrict processing	You can ask us to pause processing while a dispute is resolved.
Right to data portability	You can request your data in a structured, machine-readable format (JSON). Contact legal@startcue.io.
Right to object	You can object to processing based on legitimate interest (analytics, usage counter).
Right to withdraw consent	You can withdraw analytics consent at any time via "Manage privacy" in the app. Withdrawing consent does not affect the lawfulness of prior processing.

To exercise any of these rights, contact us at legal@startcue.io. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority. In Sweden, that is Integritetsskyddsmyndigheten (IMY).

Cookies and Local Storage

Cue does not use advertising or tracking cookies. We use browser localStorage for the following purposes:

Key	Purpose	Consent required?
cueai_context	Your session context preferences (genre, DAW, BPM, key)	No, strictly necessary for functionality
cue_consent	Your analytics consent decision	No, necessary to remember your choice
cue_email	Your email address (signed-in users only). Restores your sign-in state	No, necessary for authentication
cueai_token	Authentication token (signed-in users only). Valid for 30 days	No, necessary for authentication
cueai_sessions	Locally cached session list (signed-in users). Speeds up loading	No, strictly functional
cue_anon_count	Message counter for anonymous users (0–5)	No, strictly functional
cueai_session_count	Per-visit session counter (used to derive a session number for analytics)	No, strictly functional
cueai_v2_onboarded	Flag indicating you have seen the genre onboarding screen (so it isn't shown again)	No, strictly functional
cueai_genre_skipped	Flag indicating you skipped the optional genre selection	No, strictly functional
cueai_uid	Anonymous analytics identifier	Yes, only created after analytics consent

PostHog may set its own cookies for analytics purposes. These are only activated after you have given consent.

Children's Privacy

Cue is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us and we will delete it promptly.

Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically. Continued use of Cue after changes are posted constitutes acceptance of the updated policy.

Contact

For any questions about this Privacy Policy or your data, please contact us:

• Email: legal@startcue.io
• Website: startcue.io

We aim to respond to all privacy inquiries within 5 business days, and will always respond within the 30-day statutory period required by GDPR.