Privacy Policy

Effective date: 7 January 2026

This Privacy Policy explains how Soundsteps ("we", "us") collects, uses, shares, and protects personal data when you use our website and application (together, the "Service").

Data controller

Soundsteps is a service provided by Enholm Holding AS, a limited liability company registered in Norway.

Organisation number: NO-889265922

Privacy contact: privacy@soundsteps.eu

General contact: post@soundsteps.eu

1. Scope

This policy covers personal data that we handle when you:

  • visit our website
  • create and use an account
  • use paid features (if applicable)
  • contact us

Third-party services that we link to have their own privacy notices.

2. What we collect

2.1 Account and support data

  • Email address
  • Password (stored as a secure hash)
  • Account settings and preferences
  • Support messages and feedback you send to us

2.2 Service operation and security data

We collect data that we need to run and protect the Service:

  • IP address
  • Device and browser information
  • Operating system and app version
  • Log data (events, errors, security events)
  • Basic usage data that helps administration and maintenance (for example performance metrics and error diagnostics)

2.3 Website analytics data (tracking)

We use cookies and similar technology to track website usage. This can include:

  • pages viewed
  • approximate location from IP address (country/region level)
  • referral source and session metadata

Details appear in section 7.

2.4 User content inside Soundsteps

Soundsteps lets you store and manage content such as pieces, practice sessions, notes, uploads of sheet music images/PDFs, and recordings.

Important: You control this content. We store it and show it back to you as part of the Service. We do not use this content for our own purposes. We do not read it for profiling or marketing.

We only use it to:

  • deliver the functions you request (storage, display, sync, backups)
  • produce aggregated, anonymised statistics (for example counts of practice sessions, feature usage, and system-level trends)

If you ask support for help that requires access to specific content, we access only what the request requires.

2.5 Payments (if you subscribe)

We use a payment provider ("Padde", as configured by Soundsteps). We receive billing status and transaction references that we need to manage subscriptions, fraud prevention, and accounting. We do not store full card details.

3. Why we use personal data and our legal basis (GDPR)

A) Provide the Service (GDPR Art. 6(1)(b): contract)

  • create and manage accounts
  • deliver core functions and keep your account signed in
  • store and sync your user content
  • send service emails you need (password reset, confirmations, important notices)

B) Operate, secure, and improve the Service (GDPR Art. 6(1)(f): legitimate interests)

  • monitor uptime and performance
  • fix bugs and prevent misuse
  • maintain security logging and incident handling
  • produce aggregated, anonymised statistics about usage and practice activity (counts and trends)

C) Legal obligations (GDPR Art. 6(1)(c))

  • accounting and tax duties for paid plans
  • respond to lawful requests

D) Consent (GDPR Art. 6(1)(a))

  • AI analysis features (section 4)
  • marketing emails and newsletters
  • website tracking cookies where consent is required (section 7)

You can withdraw consent at any time. Withdrawal affects future processing that depends on consent.

4. AI analysis (ChatGPT / OpenAI)

Soundsteps offers optional AI analysis features. We run AI analysis only with your consent. You start the analysis inside the Service.

When you start an analysis, we may send to the AI provider:

  • audio recordings you select
  • sheet music files you select (if the feature needs them)
  • technical metadata (file type, duration)

Provider: OpenAI (ChatGPT).

Purpose: return analysis results to you inside Soundsteps.

International transfers can occur if the provider processes data outside the EEA/UK. We use valid transfer mechanisms such as Standard Contractual Clauses and apply safeguards where needed.

5. Who we share data with

5.1 Service providers

We use vendors that support the Service:

  • Clever Cloud (hosting/infrastructure)
  • OpenAI (ChatGPT) (AI analysis, only when you consent)
  • Padde (payments)

Some providers act as processors under our instructions. Some providers can act as independent controllers for parts of their processing, in particular payment processing and fraud prevention. In those cases, the provider's own privacy notice also applies.

5.2 Legal and safety disclosures

We share data when law requires it, or when we need it to protect users, the Service, or our rights.

5.3 Business changes

If we restructure or sell assets, personal data can transfer as part of that transaction, subject to applicable law.

6. International transfers

If personal data moves outside the EEA/UK, we use an approved transfer mechanism, such as:

  • an adequacy decision, or
  • Standard Contractual Clauses, plus additional safeguards where needed

7. Cookies and similar technology

Soundsteps uses:

  • Necessary cookies: sign-in, session security, and core site functions.
  • Analytics/tracking cookies: understand website usage and improve the website.

Where consent is required for analytics/tracking cookies, we rely on consent and offer controls through the cookie settings on the website (if enabled).

8. Data retention

We keep personal data only for as long as we need it for the purposes in this policy.

Typical retention:

  • Account data: until account deletion, plus a limited period for security, dispute handling, and backups
  • Service operation logs: limited retention for security and troubleshooting
  • Billing records: retention that matches accounting and tax rules
  • Aggregated anonymised statistics: no personal identifiers

Backups can retain deleted data for a limited time until rotation completes.

9. Security

We use measures that match the risk, including:

  • encryption in transit (TLS)
  • encryption at rest
  • access control and least-privilege permissions
  • monitoring, logging, and incident handling routines

10. Your rights (GDPR)

You have rights under GDPR, subject to conditions:

  • access
  • rectification
  • erasure
  • restriction
  • data portability
  • objection (when we rely on legitimate interests)
  • withdrawal of consent (when consent applies)
  • complaint to a supervisory authority

Send requests to privacy@soundsteps.eu.

Supervisory authority in Norway: Datatilsynet.

11. Children

Soundsteps does not target children under 13. If a child under 13 has provided personal data, contact privacy@soundsteps.eu and we will delete it.

12. Marketing and service emails

  • Marketing emails: consent-based. We plan a maximum of one marketing email per month.
  • Service emails: we can send important messages about maintenance, incidents, security, changes that affect the Service, and account-related notices. These emails form part of the Service.

13. Changes to this policy

We can update this policy. We publish the current version on our website and show the effective date. For material changes, we notify users in the Service or by email.

14. Contact

Privacy questions: privacy@soundsteps.eu

General questions: post@soundsteps.eu