Privacy Policy
How BirdSings collects, processes, and protects your personal data — applies worldwide, with extra rights for residents of the EU/EEA, the UK, Switzerland, California, Brazil, and other jurisdictions noted below.
Last updated: 2026-06-29
1. Who we are
BirdSings ("we", "us", "our") operates the marketplace at https://birdsings.com. Data controller contact: privacy@birdsings.com. EU/UK representative requests and DPO inquiries use the same address.
2. What we collect
- Order data: email, billing name, country, purchased sound IDs, transaction ID. Legal basis: contract performance (GDPR Art. 6(1)(b)).
- Operational data: language, theme, cart contents (stored in your browser's localStorage, not on our servers unless you sign in). Legal basis: legitimate interest (Art. 6(1)(f)).
- Newsletter: email plus explicit consent flag. Legal basis: consent (Art. 6(1)(a)). Withdrawable at any time.
- Analytics (only if cookie consent = "Accept all"): pseudonymous page views via Google Analytics 4 with IP anonymization enabled (anonymizeIp: true). No demographics, no ad personalization.
- Anti-fraud signals: hashed IP, country (derived from IP), User-Agent on checkout. Legal basis: legitimate interest in preventing fraud (Recital 47 GDPR).
3. What we do NOT collect
- We do not store payment card details — Stripe handles all card data in its PCI-DSS Level 1 environment.
- We do not sell, rent, or trade your data to third parties. (For California residents: this includes no "sale" or "share" of personal information as defined by the CCPA/CPRA.)
- We do not track you across other websites and do not use advertising trackers.
- We do not knowingly collect data from anyone under 16. If a minor's data was provided, contact us for deletion.
4. Cookies
Three categories:
- Necessary (always on): cart, language, theme. Required for the site to function. No opt-out.
- Analytics (opt-in): GA4 with IP anonymization. Off by default in the EU/EEA, the UK, and Switzerland.
- Marketing: none currently. Will require explicit consent if introduced.
Change your choice anytime by clearing the consent cookie or contacting us.
5. Anti-piracy tokens
When you purchase, we mint a download token tied to your order. The token records the first IP address and User-Agent that successfully downloads, to prevent account sharing. The IP is processed strictly for fraud-prevention and is deleted 30 days after the token expires.
6. Your rights
If you live in the EU, EEA, UK, or Switzerland (GDPR / UK GDPR / FADP):
- Right of access — request a copy of your data.
- Right of rectification.
- Right of erasure ("right to be forgotten").
- Right to data portability.
- Right to restrict or object to processing based on legitimate interest.
- Right to withdraw newsletter consent at any time.
- Right not to be subject to solely automated decisions (we do not make any).
If you live in California (CCPA/CPRA): right to know, delete, correct, opt-out of sale/share (we do not sell or share), and non-discrimination.
If you live in Brazil (LGPD), Türkiye (KVKK), or other jurisdictions with comparable laws: equivalent access, rectification, deletion, portability, and objection rights apply.
Send requests to privacy@birdsings.com. We respond within 30 days (45 days for California requests where an extension is permitted).
7. Data retention
- Order records: 10 years (the longest applicable tax-record requirement among countries we ship to; specific local minima are shorter). After this period, records are deleted or anonymized.
- Download tokens: 12 hours (active) + 30 days (audit log).
- Newsletter subscribers: until you unsubscribe, then anonymized.
- Anti-fraud signals: 90 days, unless tied to a confirmed chargeback dispute (then 24 months).
8. International data transfers
Your data may be processed outside your country, including in the United States. Where this happens, we rely on the EU Standard Contractual Clauses (2021/914), the UK International Data Transfer Addendum, the Swiss FDPIC clauses, and — for transfers to certified US recipients — the EU–US Data Privacy Framework. Stripe, Resend, Netlify, and Google are all DPF-certified.
9. Third-party processors
- Stripe (payments) — Ireland / USA. SCCs + DPF.
- Cloudflare R2 (file storage) — EU region.
- Resend (transactional email) — USA. SCCs + DPF.
- Netlify (hosting) — USA. SCCs + DPF.
- Google Analytics 4 (optional) — IP-anonymized, no remarketing features enabled. DPF.
10. Security
TLS 1.3 in transit, AES-256 at rest. Stripe handles card data. Access to production systems is limited to authorized personnel under written confidentiality. We will notify affected users and the competent supervisory authority within 72 hours of becoming aware of a personal data breach, where required.
11. Complaint
You may lodge a complaint with your local supervisory authority. Examples:
12. Changes
We may update this policy. Material changes will be announced on the site banner at least 30 days before taking effect, except where a shorter period is required by law.