Privacy Policy
This Privacy Policy explains how Hliuma LLC ("we", "us", "Hliuma") collects, processes and stores personal data when you use hliuma.org and the Xampler application. It is written to comply with the EU General Data Protection Regulation (GDPR) and the ePrivacy Directive.
1. What Data We Collect and Why
1.1 Account data
- Email address — for authentication and service notifications.
- Username (optional) — display only.
- Password — stored as a salted hash, never in plain text.
1.2 Payment data
- Card payments are handled by third-party payment processors. We do not see or store your card numbers.
- We store the processor's customer / transaction IDs, transaction amounts, and credit balances.
- Each payment processor acts as an independent controller for the payment data it collects directly from you, under its own privacy policy.
1.3 Audio files
- WAV files you upload are not stored on our servers. All audio analysis — pitch detection, loop detection and drum processing — runs in your browser using your own CPU (WebAssembly). The audio is decoded and analysed locally and never leaves your device.
- Decoded audio may be cached in your browser's IndexedDB so you can keep editing without re-uploading. Clearing browser storage removes it.
- We do not access, listen to, or analyse the content of your audio.
1.4 Usage data
- Number of conversions, timestamps, file extensions — not the audio content.
- Credit balance changes and purchase history.
- Server access logs (IP address, user-agent, timestamp) kept for 14 days for security and abuse prevention.
1.5 Browser storage (localStorage / sessionStorage)
Hliuma does not use HTTP cookies set by our own domain. We use your browser's localStorage and sessionStorage. The detailed inventory is in our Cookie Policy. Categories:
- Essential (always active): authentication token, anti-loop flags. Legal basis: strictly necessary (Art. 6(1)(b); ePrivacy Art. 5(3) exception).
- Functional preferences (opt-in): audio device, MIDI device, export options. Legal basis: consent (Art. 6(1)(a)).
- Payment (opt-in, future): payment processor checkout integration. Legal basis: consent (Art. 6(1)(a)) + contract.
- Analytics (opt-in, currently inactive): future anonymous metrics. Legal basis: consent (Art. 6(1)(a)).
- Marketing (opt-in, currently inactive): reserved.
2. International Transfers
Hliuma LLC is established in Delaware, USA. Our application servers are located in the European Union. Payment processors may process payment data partly outside the European Economic Area. Transfers outside the European Economic Area rely on Standard Contractual Clauses (Commission Decision 2021/914) and, where applicable, the EU-US Data Privacy Framework.
3. Retention
- Audio: never persisted on our servers — analysed only in your browser.
- Account data: kept while your account exists. Deleted within 30 days after account deletion.
- Conversion records: kept while your account is active.
- Payment records: retained for up to 10 years under tax / accounting law.
- Server logs: 14 days.
- Consent records: kept as long as needed to prove your choice, with a maximum of 24 months from your last visit.
4. Your Rights Under GDPR
You have the following rights, exercisable free of charge:
- Access (Art. 15) — get a copy of the data we hold about you.
- Rectification (Art. 16) — correct inaccurate data.
- Erasure (Art. 17) — delete your account and data, subject to legal retention obligations.
- Restriction (Art. 18) — limit processing in certain cases.
- Portability (Art. 20) — receive your data in a structured, machine-readable format (JSON).
- Objection (Art. 21) — object to processing based on legitimate interest.
- Withdraw consent (Art. 7(3)) — at any time, without affecting prior processing.
- Lodge a complaint (Art. 77) with the data-protection supervisory authority in your EU/EEA country of residence or place of work.
You can exercise access, deletion and portability from your Dashboard or by emailing [email protected]. We respond within 30 days (extendable by another 60 days for complex requests, with notice).
5. Security
All traffic uses HTTPS / TLS. Passwords are hashed with industry-standard algorithms. Audio is never persisted on our servers — it is analysed entirely in your browser and never uploaded. .hli / .hld project files are saved locally in your browser and never uploaded.
6. Children
The service is not intended for children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it.
7. Changes to this Policy
We will update this policy when we change processing practices. The version number and date at the top of the page reflect the current version. Material changes will be announced by email and in-app banner.
8. Contact
For any privacy question or to exercise your rights, email [email protected].