Privacy Policy
Last updated: March 2026
1. Data controller
The controller responsible for data processing on this website pursuant to the General Data Protection Regulation (GDPR) is:
Schall-In e.U.
Daniel Schallmeiner
Prinz Eugen-Straße 37/4
4840 Vöcklabruck, Austria
Email: daniel@schall-in.at
UID: ATU70159268
2. Data we collect
Account data
When you create an account, we store your email address, display name, and an optional profile picture. Authentication is handled by Supabase Auth.
Setlist data
Setlists you create or scan are stored in our database so you can access them across devices. This includes song titles, artist names, and section dividers.
Scanned images
When you upload a photo or document for scanning, the file is sent to Google Cloud Vision for text recognition and then to an AI model for song matching. We do not permanently store the uploaded images after processing.
Payment data
Payments are processed by Stripe. We never see or store your full credit card number. Stripe handles all payment data in accordance with PCI DSS standards.
Usage analytics
We use PostHog (EU cloud) for product analytics. If you accept cookies, PostHog tracks page views and feature usage with cookies. If you decline, we still collect anonymous, cookieless analytics that cannot be linked to your identity. You can change your preference at any time by clearing your browser's local storage and revisiting the site.
Performance monitoring
We use Vercel Analytics for Core Web Vitals and Sentry for error tracking. These tools collect technical data (browser, OS, error stack traces) but no personally identifiable information.
3. How we use your data and legal basis
We process your personal data based on the following legal grounds (Art. 6 GDPR):
| Purpose | Legal basis |
|---|---|
| Providing the Service (account, setlists, exports) | Contract performance (Art. 6(1)(b)) |
| Processing payments via Stripe | Contract performance (Art. 6(1)(b)) |
| Sending transactional emails (welcome, export links) | Contract performance (Art. 6(1)(b)) |
| OCR scanning and AI-based song matching | Contract performance (Art. 6(1)(b)) |
| Analytics (PostHog) with cookies | Consent (Art. 6(1)(a)) |
| Anonymous, cookieless analytics | Legitimate interest (Art. 6(1)(f)) |
| Error tracking (Sentry) and performance monitoring | Legitimate interest (Art. 6(1)(f)) |
| Security and abuse prevention | Legitimate interest (Art. 6(1)(f)) |
We do not sell your data. We do not use your data for advertising.
4. Third-party services
| Service | Purpose | Data location |
|---|---|---|
| Supabase | Database & authentication | EU (Frankfurt) |
| Vercel | Hosting & CDN | Global (Edge) |
| Stripe | Payment processing | EU/US |
| PostHog | Product analytics | EU |
| Sentry | Error tracking | EU/US |
| Resend | Transactional email | US |
| Google Cloud Vision | OCR for setlist scanning | US |
| OpenRouter | AI song matching after OCR | US |
5. Your rights (GDPR)
Under the GDPR, you have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your account and all associated data
- Export your data in a portable format
- Object to processing for analytics purposes
- Withdraw consent (e.g., cookie consent) at any time
To exercise any of these rights, email us at daniel@schall-in.at.
Right to lodge a complaint: If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with the supervisory authority:
6. Data retention
- Account data: Stored as long as your account is active.
- Setlists and songs: Stored as long as your account is active.
- Scanned images: Processed in memory only, not permanently stored. Deleted immediately after processing.
- Payment records: Retained for 7 years after the transaction as required by Austrian tax law (BAO §132).
- Export purchase tokens: Expire 72 hours after creation and are deleted automatically.
- Analytics data: PostHog data is retained for 12 months.
- Error logs (Sentry): Retained for 90 days.
- Account deletion: When you delete your account, all associated data (setlists, profile, band memberships) is permanently removed within 30 days.
7. Cookies
SetlistBaby uses cookies only for analytics (PostHog) and authentication (Supabase session). We show a consent banner on your first visit. Essential cookies (authentication) are always active. Analytics cookies are only set if you accept.
8. Changes to this policy
We may update this privacy policy from time to time. Changes will be posted on this page with an updated date.