Sheemu is a sheet-music editor that turns what you play or sing into notation. Doing that requires handling some of your personal data — this policy explains exactly what we collect, why, how long we keep it, and the rights you have over it. We've tried to keep it readable; if anything is unclear, write to privacy@sheemu.com.
1. Who is responsible for your data
The data controller for Sheemu is Sheemu (Sheemu Music BV), Voorbeeldstraat 12, 2000 Antwerp, Belgium ("Sheemu", "we", "us"). For any privacy matter, contact privacy@sheemu.com.
2. What we collect and why
Account data
When you create an account we store your name, email address, and a hash of your password (we never store the password itself). We use this to operate your account, sign you in, and send you essential service email such as verification codes and password resets. For each signed-in session we also record the IP address and browser (user agent) it was started from, to secure your account and let us revoke stolen sessions; these are deleted with the session. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
Your music
Scores you create — notes, titles, instrument choices — are stored so you can access them from any device. Your music is yours: we don't use it for anything except providing the service to you. Legal basis: performance of a contract.
Audio while recording
When you press Record, audio from your microphone is streamed to our servers and transcribed to notation in real time. The resulting notation is saved to your score. The recording itself is stored too, together with the transcription data derived from it, linked to your account and the score you recorded into. We use these recordings to operate the service (so we can diagnose a transcription that went wrong for you) and to improve our transcription technology. Your recordings are never published, never shared with other users, and never sold. We also keep a record of how long you recorded, for the daily recording budget of your plan. Capture only happens while you have actively started a recording — never in the background. Your recordings are deleted when you delete your account. Legal basis: performance of a contract for storing and transcribing your recordings; legitimate interest (Art. 6(1)(f) GDPR) in improving transcription quality — contact privacy@sheemu.com to object to that use.
Payments
Paid plans are sold through Polar (Polar Software Inc.), who act as merchant of record. Card and payment details go directly to Polar — we never see or store your payment card data. Polar shares with us your subscription status and a billing reference so we can activate your plan. See Polar's privacy policy. Legal basis: performance of a contract.
Analytics, session replay & error tracking (opt-in)
With your consent — and only with it — we use PostHog (hosted in the EU, Frankfurt) to understand how Sheemu is used: which features get used (product & web analytics), pseudonymous session replays of rough edges in the interface — linked to your account id but never your name or email, with keystrokes and form inputs masked — and reports of errors you run into. You give or refuse this consent in the cookie banner and can change your mind any time via Cookie settings in the footer. Refusing has no effect on how Sheemu works. Legal basis: consent (Art. 6(1)(a) GDPR).
Independent of consent, our servers report technical errors (stack traces, request metadata — not your scores or audio) so we can fix crashes. Legal basis: legitimate interest in providing a reliable service (Art. 6(1)(f) GDPR).
Onboarding answers
The optional questions after signup (musical background, instruments, how you found us) tune Sheemu's defaults and tell us where new users come from. Answering is optional. Legal basis: legitimate interest; the answers are deleted with your account.
3. Cookies and similar technologies
Sheemu uses as few cookies as we can get away with:
| Name | Kind | Purpose | Lifetime |
|---|---|---|---|
| __Secure-better-auth.session_token | Essential cookie | Keeps you signed in. | 7 days |
| sheemu:consent | Essential (localStorage) | Remembers your cookie choice. | Until cleared |
| ph_* (PostHog) | Analytics — only after opt-in | Distinguishes visitors, powers analytics & session replay. | 1 year |
Essential cookies don't require consent (they're strictly necessary to provide the service you asked for). Analytics storage is only set after you accept it in the banner. Withdraw any time via Cookie settings in the footer.
4. Who processes data on our behalf
- Polar Software Inc. — payment processing and subscription billing (merchant of record).
- PostHog (EU cloud, Frankfurt) — analytics, session replay, and error tracking, only after your consent (client-side) or for server error reports (legitimate interest).
- Twilio SendGrid — delivery of transactional email (verification codes, password resets, beta notifications), configured for EU data residency.
- Our hosting provider — runs the Sheemu servers and database where your account and scores live.
Each processor is bound by a data-processing agreement. Where a processor is established outside the EEA, transfers are protected by the EU Standard Contractual Clauses or an adequacy decision.
5. How long we keep your data
- Account, scores, settings: for as long as your account exists.
- Account deletion: deleting your account (Settings → Delete account) deactivates it immediately and starts a 7-day grace period during which you can change your mind. After 7 days your account, scores, recordings (audio and history), subscription record, and onboarding answers are permanently and irreversibly deleted, and we ask Polar to delete your customer record.
- Recording usage counters: per-day totals used to enforce your plan's recording budget; deleted with your account.
- Recorded audio: kept for as long as your account exists so we can diagnose and improve transcription; deleted with your account.
- Invoices & payment records: kept by Polar for as long as tax law requires.
6. Your rights
Under the GDPR you can, at any time and free of charge:
- Access the personal data we hold about you and receive a copy;
- Rectify inaccurate data (name and email can be changed in Settings);
- Erase your data (the in-app account deletion does this end-to-end);
- Export your data in a portable format — your scores belong to you;
- Restrict or object to processing based on legitimate interest;
- Withdraw consent for analytics via Cookie settings, with effect for the future;
- Complain to your supervisory authority — in Belgium the Data Protection Authority, or the authority of your own EU member state.
To exercise any of these, email privacy@sheemu.com. We respond within one month.
7. Security
All traffic is encrypted in transit (TLS). Passwords are stored as salted hashes. Access to production systems is limited to the people who operate the service. Should a breach ever affect your personal data, we will notify the supervisory authority and, where required, you — within the legal deadlines.
8. Children
Sheemu is not directed at children under 16, and we don't knowingly collect their data. If you believe a child has created an account, contact us and we will delete it.
9. Changes to this policy
When we change this policy we'll update the date at the top; for material changes we'll notify you by email or in the app before they take effect. Earlier versions are available on request.
10. Contact
Sheemu (Sheemu Music BV) · Voorbeeldstraat 12, 2000 Antwerp, Belgium · privacy@sheemu.com. General questions: support@sheemu.com or the contact page.