Privacy Policy

The following Privacy Policy sets out the rules for storing and accessing data on the Users' Devices using the Service for the purpose of providing electronic services by the Administrator, as well as the rules for collecting and processing Users' personal data, which have been provided by them personally and voluntarily through the tools available in the Service.

The following Privacy Policy is an integral part of the Service's Terms and Conditions, which define the rules, rights, and obligations of Users using the Service.

1. Definitions

  • Service - the verselab service available as a web app at https://verselab.ai and as a mobile app
  • External Service - internet services of partners, service providers, or service recipients cooperating with the Administrator
  • Service/Data Administrator - The Service Administrator and Data Administrator (hereinafter Administrator) is Jon-Tec Labs Jonatan Łoś, conducting business at the address: ul. Kaliskiego 15a, 01-476 Warszawa, with the assigned tax identification number (NIP): 9512374671, providing electronic services via the Service
  • User - a natural person for whom the Administrator provides services electronically via the Service
  • Device - an electronic device along with software through which the User gains access to the Service
  • Cookies - text data collected in the form of files placed on the User's Device
  • GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data
  • Personal Data - information about an identified or identifiable natural person
  • Processing - an operation or set of operations performed on personal data
  • Profiling - any form of automated processing of personal data
  • Consent - a voluntary, specific, informed, and unambiguous indication of the data subject's wishes
  • Personal Data Breach - a breach of security leading to the accidental or unlawful destruction, loss, alteration of personal data
  • Pseudonymization - processing of personal data in such a way that it cannot be attributed to a specific person without the use of additional information
  • Anonymization - an irreversible process of operations on data, making it impossible to identify a natural person

2. Data Protection Officer

Based on Art. 37 GDPR, the Administrator has not appointed a Data Protection Officer.

For matters related to data processing, including personal data, please contact the Administrator directly at: support@verselab.ai.

3. Types of Cookie Files

  • Internal Cookies - files placed and read from the User's Device by the Service's system
  • External Cookies - files placed and read by the systems of External Services
  • Session Cookies - files placed and read during a single session
  • Persistent Cookies - files placed and read until manually deleted

4. Data Storage Security

Cookie Storage and Reading Mechanisms

  • Internal Cookies - files used by the Administrator are safe for Users' Devices
  • External Cookies - the Administrator is not responsible for the security of files from partners

Personal Data Storage

The Administrator ensures that all efforts are made to keep processed personal data secure, and access to them is limited and compliant with processing purposes.

5. Purposes of Using Cookie Files

  • Improving and facilitating access to the Service
  • Personalizing the Service for Users
  • Conducting statistics
  • Serving multimedia services

Cookies that require User consent (in particular analytical and marketing cookies) are only activated after consent is given via the consent mechanism (cookie banner) displayed on the first visit to the Service.

6. Purposes and Legal Bases for Personal Data Processing

Personal data is processed for the following purposes and on the following legal bases:

| Processing Purpose | Legal Basis | |---|---| | Provision of electronic services (registration, account management, Service features) | Art. 6(1)(b) GDPR — performance of a contract | | Payment and billing processing | Art. 6(1)(b) GDPR — performance of a contract | | Communication with Users (responding to inquiries, complaints) | Art. 6(1)(f) GDPR — legitimate interest of the Administrator | | Statistics and analytics (PostHog) | Art. 6(1)(f) GDPR — legitimate interest of the Administrator | | Marketing and advertising (Meta Pixel, Google Tag Manager) | Art. 6(1)(a) GDPR — User consent | | Fulfilling legal obligations (e.g., storing billing data) | Art. 6(1)(c) GDPR — legal obligation |

7. External Services' Cookie Files and Integrations

The Service uses the following external services.

Web app:

Authentication and Authorization:

  • Clerk (clerk.com)

Payments:

  • Polar.sh (polar.sh) — Merchant of Record for new subscriptions
  • Stripe (stripe.com) — payment processor for subscriptions purchased before Polar.sh implementation

Statistics:

  • PostHog (posthog.com)

Marketing (requiring User consent):

  • Google Tag Manager (google.com)
  • Meta Pixel (facebook.com)

Mobile app:

The mobile app is a native app and does not use browser cookies. The following integrations are used in the mobile app:

  • Clerk (clerk.com) - authentication and authorization
  • RevenueCat (revenuecat.com) - subscription status handling and In-App Purchase integration
  • Apple App Store / Google Play - In-App Purchase billing and transaction processing
  • Anthropic, OpenAI, and Google (Gemini) - AI model providers used for assistant chat, rhymes, syllables, synonyms, quick replies, and title suggestions

In the mobile app, data for AI features is sent only after explicit user consent. Consent can be withdrawn at any time in app settings.

8. Types of Collected Data

Web app - Automatically Collected Data:

  • IP address
  • Browser type
  • Screen resolution
  • Approximate location
  • Data on activity in the Service
  • Technical information about the device
  • Demographic data

Mobile app - Data Collected During App Usage:

  • Account and session identifiers required for sign-in
  • Technical information about the app and the device operating system
  • Subscription status and transaction identifiers provided by Apple App Store / Google Play and RevenueCat
  • Data sent to AI features (after consent): lyrics text, chat messages with the AI assistant, song title, selected text fragments, and song metadata (e.g., genre, emotion, additional context)
  • AI usage metadata (e.g., action type, model used, timestamps, usage stats) used for limits, quality monitoring, and service security
  • The mobile app does not use data for tracking Users across third-party apps and websites (tracking as defined by App Tracking Transparency)

Data Collected During Registration:

  • First name / last name / nickname
  • Email address
  • IP address

Data Collected During Newsletter Signup:

  • First name / nickname
  • Email address

9. Data Retention Period

  • User account data — for the duration of the agreement (account activity), and after account deletion — removed within 30 days
  • Billing data — for the period required by tax law (up to 5 years)
  • Analytical and statistical data — stored in anonymized form, without time limitations
  • Marketing data — until consent is withdrawn

10. User Rights

Under the GDPR, Users have the following rights:

  1. Right of access (Art. 15 GDPR) — the right to obtain information about processed personal data and a copy of that data.
  2. Right to rectification (Art. 16 GDPR) — the right to request correction of inaccurate or completion of incomplete data.
  3. Right to erasure ("right to be forgotten") (Art. 17 GDPR) — the right to request deletion of personal data if there is no basis for further processing.
  4. Right to restriction of processing (Art. 18 GDPR) — the right to request restriction of data processing in certain cases.
  5. Right to data portability (Art. 20 GDPR) — the right to receive data in a structured format and transfer it to another controller.
  6. Right to object (Art. 21 GDPR) — the right to object to data processing based on the Administrator's legitimate interest, including profiling.
  7. Right to withdraw consent — at any time, without affecting the lawfulness of processing carried out before the withdrawal.
  8. Right to lodge a complaint — with the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warszawa, Poland, https://uodo.gov.pl.

To exercise these rights, please contact the Administrator at: support@verselab.ai.

11. Data Transfers Outside the European Economic Area (EEA)

In connection with the use of external services, Users' personal data may be transferred to entities based outside the EEA, in particular in the United States:

  • Clerk (authentication) — USA
  • Polar.sh (payments) — USA
  • Stripe (payments) — USA
  • PostHog (analytics) — USA
  • Google (Google Tag Manager) — USA
  • Meta (Meta Pixel) — USA
  • RevenueCat (mobile subscription handling) — USA
  • Apple (App Store, In-App Purchase payments) — USA
  • Google (Google Play, In-App Purchase payments) — USA
  • Anthropic (AI request processing) — USA
  • OpenAI (AI request processing) — USA
  • Google (Gemini, AI request processing) — USA

Data transfers are carried out based on:

  • The European Commission's adequacy decision regarding the EU-US Data Privacy Framework (for entities certified under the DPF), or
  • Standard Contractual Clauses (SCCs) approved by the European Commission.

The Administrator makes efforts to use only service providers that ensure an adequate level of personal data protection.

12. Changes to the Privacy Policy

  1. The Administrator reserves the right to change the Privacy Policy.
  2. Users will be informed about significant changes regarding personal data processing via email with 14 days' notice.
  3. Continued use of the Service after changes take effect does not constitute automatic acceptance of new data processing terms — where changes require consent, the Administrator will request it again.
  4. Changes take effect on the date specified in the notification.