Policy on Privacy, Data Protection, International Data Transfers, Cookies
We respect your privacy and want you to feel confident about how we handle your personal data. This policy explains what data we collect, why we collect it, how long we keep it, and your rights under the General Data Protection Regulation (GDPR).
1. The Data We Collect
Depending on how you use our website sayitwithasong.me and our services, we may collect:
Usage data: IP address, browser type, device information, and how you interact with our website.
Account data: name, email address, and login details if you create an account.
Enquiry data: information you provide when you contact us with a question or request.
Transaction data: contact and payment details if you purchase something from us.
Marketing preferences: your choice to receive newsletters or updates.
We do not intentionally collect sensitive personal data (e.g. health information, political opinions). Please do not provide such data to us.
2. Why We Use Your Data
We only use your personal data when we have a valid legal basis under GDPR as far as applicable:
To operate our website and provide our services (performance of a contract).
To answer your questions and enquiries (legitimate interests and pre-contractual steps).
To process payments and comply with accounting and tax obligations (contract and legal obligations).
To improve our website and services (legitimate interests, with analytics based on consent).
To send marketing communications (consent).
To protect our rights, comply with legal requirements, or defend claims (legal obligations and legitimate interests).
3. International Data Transfers
Some of our service providers and partners are located outside the EU/EEA, including companies such as e.g Google, Squarespace, Microsoft, Vimeo, Wistia.
When personal data is transferred outside the EU/EEA, we generally ensure that an appropriate legal basis is in place. This may include:
Adequacy decisions by the European Commission (such as the EU–US Data Privacy Framework),
The European Commission’s Standard Contractual Clauses (2021),
Binding Corporate Rules, or
Other safeguards permitted under GDPR.
These measures are taken to ensure that your data continues to be protected at a level essentially equivalent to that in the EU. When placing an order, additional rules apply as specified below in section 4.
4. When You Place an Order
If you place an order through our website, or in some cases if request to receice a custom proposal for services, we will need to collect additional personal details in order to fulfil your request.
This may include your full name, billing information, delivery information, and any personal content you provide that is necessary for us to create the product (for example, the text or details used to create a personalised song).
This processing is necessary for the performance of the contract between you and us.
1. Processing, Third-Party Data, and Purpose
When the Customer orders the customised song creation service, the Customer expressly instructs and authorises the Company to process their personal data (such as name, biographical or life-event details, and other user-provided content) on their behalf. The Customer may also provide personal data relating to a third party (for example, the name, stories, or other personal anecdotes of the song gift recipient). By doing so, the Customer confirms that they are authorised to supply any such third-party personal data for the purpose of creating the customised song as a gift or otherwise. We advise the customer to use, and we strive to use, only as little personal information as strictly necessary to achieve the desired outcome (e.g. normally only first names in songs).
2. International Transfers
To fulfil the service, the Customer gives consent and explicitly instructs the Company to transfer their personal data (and any third-party personal data provided) to trusted third-party service providers, independent contractors such as song writers, musicians, creative professionals, or content-creation tools, AI-tools, SaaS solutions located outside the European Economic Area (EEA). Current example jurisdictions include, without limitation, the United States, Switzerland and Thailand. These third parties may in some cases further transfer the data to additional countries. The Customer understands that data protection standards outside the EEA may differ and, in some jurisdictions, may offer lower levels of protection.
3. Safeguards and Providers
The Company will only use providers which have been assessed with reasonable effort as trustworthy and will take appropriate safeguards to protect the data, including, where applicable:
Use of recognised protections such as the EU-U.S. Data Privacy Framework;
European Commission approved Standard Contractual Clauses (SCCs);
Other legally recognised transfer mechanisms under GDPR Chapter V;
Data processing agreements binding third parties to respect confidentiality, security, and deletion obligations.
4. Withdrawal of Consent and Deletion
If the Customer withdraws their consent, the Company will take reasonable steps to request deletion of Customer data (and third-party data provided) from all relevant third-party providers. The Customer acknowledges that although the Company will make its best efforts, it cannot guarantee full deletion in every case due to legal, technical, or contractual limitations in third-party jurisdictions.
5. Condition for Service
The Customer understands and agrees that their explicit instruction and consent (including for international transfers and third-party data usage) is a necessary condition for the Company to be able to deliver the customised song service. Without this consent, the Company cannot process those parts of the service that require international data transfers or third-party processing. All services currently offered rely on such transfers, with the exception of bespoke premium projects, where entirely local processing can be agreed upon as part of negotiated custom terms.
5. Sharing Your Data
We only share your data when necessary:
With IT, hosting, SaaS business solution and email service providers.
With professional advisers (lawyers, accountants, insurers).
With payment processors and e-commerce partners if you make purchases, and as specified in section 4.
All providers and partners are bound by contracts to process data securely and in compliance with GDPR.
6. Data Retention
We keep your personal data only as long as needed for the purposes described:
Usage data: up to 2 years.
Account data: for the lifetime of the account + up to 5 years.
Enquiry data: up to 2 years.
Transaction data: 5 years under the Danish Bookkeeping Act, and up to 10 years if needed for legal claims.
Marketing data: until you withdraw your consent.
We may retain data longer if required by law or necessary to defend legal claims.
7. Your Rights
Under GDPR, if and where applicable, you may have rights, including the following:
Access to the personal data we hold about you.
Correction of inaccurate or incomplete data.
Erasure of your data (“the right to be forgotten”).
Restriction of how we process your data.
Objection to processing based on our legitimate interests.
Data portability.
Withdrawal of consent.
You can exercise these rights by contacting us using the details provided on this website.
8. Cookies and Similar Technologies
We use cookies to:
Keep the website secure and functional.
Remember your preferences.
Analyse how our website is used (with consent).
Provide e-commerce and video functionality.
When you first visit our website, you will be asked to set your cookie preferences. You can change or withdraw your consent at any time through the cookie banner or your browser settings.
Blocking certain cookies may affect website functionality.
9. Updates to This Policy
We may update this policy from time to time. The latest version will always be available on our website, and significant changes may be notified to you directly.
Last updated: 2025-09-24 V2