PRIVACY POLICY

Last updated: January 18, 2026

1. General Provisions

1.1. This Privacy Policy (hereinafter - "Policy") defines the procedure for processing and protecting personal data of users of:

• The website https://guitarsongs.club (hereinafter - "Website")
• The mobile application "Guitar Songs" for Android (hereinafter - "Application")

The Website and Application are collectively referred to as the "Service".

1.2. The personal data controller is an individual (hereinafter - "Operator"):

• Full name: Aleksandr Suslov
• Location: Germany
• Contact email: guitarsongs.club@gmail.com

1.2.1. Data Protection Officer (DPO): Given the scale of our operations and the nature of data processing activities, we have not designated a separate Data Protection Officer. The Operator personally handles all data protection matters. For any data protection inquiries, please contact us at the email address above with the subject line "Data Protection Inquiry".

1.3. By using the Service, you acknowledge that you have read and understood this Policy. Your use of the Service constitutes your acceptance of this Policy. Where consent is required as a legal basis for specific processing activities (such as Firebase Analytics, Firebase Crashlytics, or personalized advertising), we will request your explicit consent separately through clear affirmative action. If you disagree with the terms of this Policy, you must stop using the Service.

1.4. This Policy has been developed in accordance with:

• EU General Data Protection Regulation (GDPR)
• Other applicable regulations in the field of personal data protection

2. Basic Definitions

2.1. Personal data - any information relating to a directly or indirectly identified or identifiable natural person. This includes both direct identifiers (name, email) and indirect identifiers (unique device identifiers), which in combination with other data can be used to identify a natural person.

2.2. Processing of personal data - any action or set of actions performed with personal data, including collection, recording, systematization, accumulation, storage, clarification, use, transfer, anonymization, blocking, deletion, destruction.

2.3. Operator - a person who independently or jointly with other persons organizes and/or carries out the processing of personal data.

2.4. User - a natural person using the Service.

3. What Personal Data We Collect

3.1. When Using the Website

Registration is not required to view content on the Website. When authorizing via Google OAuth 2.0 to add or edit content, we receive:

• Username (can be changed by the user in profile settings)
• Email address (stored exclusively as a SHA-256 hash)
• Google unique user identifier

3.2. When Using the Application

Registration is not required to view content in the Application. When voluntarily authorizing to synchronize data between devices, we receive:

When authorizing via Firebase Authentication (email/password):

• Email address (stored locally on the user's device; only the SHA-256 hash is transmitted during synchronization)
• Firebase unique user identifier

When authorizing via Google Sign-In:

• Email address (stored locally on the user's device; only the SHA-256 hash is transmitted during synchronization)
• Google unique user identifier

3.3. Synchronized Data

When authorizing in the Application or on the Website, the following are automatically synchronized:

• List of favorite songs
• User-created playlists
• User-added songs
• Artists removed by the user
• Personal display settings (font size, scroll speed, etc.)

3.4. Fraud Prevention and Synchronization Identifiers

To ensure data synchronization and prevent fraud, we use two types of identifiers:

3.4.1. Client device identifier (userGuid):

• Created automatically on the first launch of the Application
• Stored locally on your device
• Transmitted to our server on any server request
• Used for:
  • Preventing fraud with in-app purchases
  • Detecting suspicious activity and abuse
  • Ensuring technical operation of synchronization
• Persists on the device until the Application is uninstalled

3.4.2. Server user identifier (userDbGuid):

• Created on our server only after authorization based on your email hash
• Transmitted to the Application and stored locally
• Used together with the client identifier for:
  • Linking synchronized data (favorites, playlists, settings) to your account
  • Preventing fraud with in-app purchases
  • Ensuring data consistency during cross-device synchronization
• Automatically deleted from the Application upon sign-out

Important: These identifiers are separate and independent from Analytics and Crashlytics identifiers. They are not shared with Google or third-party services. They are used exclusively for the operation of our Service and fraud prevention.

3.5. Technical Data and Analytics (Optional)

You can voluntarily provide consent to use:

• Firebase Analytics - to analyze application usage and improve functionality. Details: Analytics Consent
• Firebase Crashlytics - to identify and fix errors. Details: Crashlytics Consent

Important: These features are entirely optional. Declining them does not limit the functionality of the application.

The Website web server automatically collects:

• IP address
• Browser type and operating system
• Date and time of access
• Address of the page from which the transition was made
• Pages viewed

3.6. Data for Personalized Advertising

Advertisements may be displayed when using the Application. To show personalized advertising, we use:

• User Messaging Platform (UMP) - to collect your consent for personalized advertising in accordance with GDPR requirements and the IAB Europe Transparency and Consent Framework (TCF 2.2)
• Advertising ID - an anonymous device identifier used to personalize advertising

You can:

• Consent to the display of personalized advertising
• Refuse personalized advertising (in which case contextual advertising will be shown)
• Change your decision at any time in the Application settings

3.7. Voluntary Log Submission

You can voluntarily submit diagnostic logs to help us troubleshoot issues. This can happen in two ways:

1. Through the engineering/debug menu - You can manually access diagnostic tools and send logs
2. When a critical error occurs - The Application may offer you the option to send an error report via email

When you voluntarily submit logs, we may receive:

• Application logs (error messages, feature usage traces, technical diagnostic data)
• Device information (model, manufacturer, Android version, app version)
• All identifiers present in the application at the time of log generation:
  • Client device identifier (userGuid) - always present
  • Server user identifier (userDbGuid) - if you are logged in
  • Firebase Analytics identifier (if Analytics is enabled)
  • Firebase Crashlytics identifier (if Crashlytics is enabled)
• Timestamp of the error or log generation
• Your email address (used as the sender address for correspondence about the issue)

Important: Log submission is entirely voluntary. The Application will never send logs automatically without your explicit action. You always control when and whether to send logs.

4. Purposes of Personal Data Processing

We process your personal data for the following purposes:

4.1. Providing Access to Service Features

• User authorization on the Website and in the Application
• Ability to add and edit content on the Website
• Synchronization of favorites, playlists, and settings between devices
• Account recovery

4.2. Improving Service Quality

• Analysis of feature usage (via Firebase Analytics - optional)
• Identification and correction of errors (via Firebase Crashlytics - optional)
• Improvement of user interface
• Development of new features

4.3. Communication with Users

• Responses to user inquiries
• Notification of changes in Service operation
• Notifications of important updates

4.4. Compliance with Legislation

• Fulfillment of applicable legal requirements
• Prevention of fraud and abuse
• Protection of the rights and security of the Operator and other users

4.5. Troubleshooting and Technical Support

• Analysis of voluntarily submitted diagnostic logs
• Diagnosis of complex technical issues and critical errors
• Providing personalized technical support via email
• Improving Application stability based on reported issues

5. Legal Bases for Processing Personal Data

Personal data processing is carried out on the following legal bases (in accordance with Article 6 GDPR):

5.1. Consent of the Data Subject (Art. 6(1)(a) GDPR)

• When registering and authorizing, you give explicit consent to data processing
• When first launching the Application, you confirm consent to the Policy
• When using UMP, you give consent to personalized advertising
• When using Firebase Analytics and Firebase Crashlytics, you give voluntary consent to the collection of technical data (details in the respective consent documents)
• When voluntarily submitting diagnostic logs via email, you give explicit consent to process the log data and your email address for troubleshooting purposes

5.2. Performance of a Contract (Art. 6(1)(b) GDPR)

• Data processing is necessary to provide you access to Service features
• Synchronization of data between devices at your request

5.3. Legitimate Interests of the Operator (Art. 6(1)(f) GDPR)

• Collection of server logs to ensure security, diagnose technical issues, and protect against fraud and abuse
• Creation and processing of client device identifier (userGuid) to prevent fraud with in-app purchases, detect abuse, and ensure technical operation of the Service
• Processing of server user identifier (userDbGuid) to prevent fraud, detect abuse, and ensure synchronization integrity
• Improvement of Service quality and security
• Protection against fraud and abuse

Justification of legitimate interest for client identifier (userGuid): Creating this identifier on first launch of the Application is necessary to protect our legitimate interest in preventing fraud with in-app purchases and Service abuse. This interest is balanced with your rights because: (1) the identifier is completely anonymous and contains no personal information, (2) cannot be used to identify you as a natural person without additional data, (3) is technically necessary for the functioning of the billing system and protecting other users from dishonest actions, (4) the impact on your individual privacy rights is minimal given its anonymous nature, (5) the identifier protects our legitimate business interests and ensures fair access to the Service for all users.

Balancing test conducted: Our legitimate interest in fraud prevention (protecting revenue from in-app purchases, ensuring fair access for all users, detecting abuse patterns) outweighs the minimal impact on individual privacy rights because the identifier alone cannot identify natural persons without additional data that we do not collect or link to this identifier. The processing is necessary and proportionate to achieve our legitimate aims.

Justification of legitimate interest for server logs: Processing of IP addresses and technical data in server logs is necessary to ensure security of our systems, diagnose technical issues, detect and prevent attacks, and protect against abuse. This interest is balanced with your rights because: (1) IP addresses are retained for a limited period (12 months) and then automatically deleted, (2) data is used only for security, diagnostic, and fraud prevention purposes, (3) we do not link IP addresses to user accounts or other personal identifiers to create profiles, (4) the processing is a standard and expected practice for any web service, (5) without this processing, we would be unable to maintain the security and stability of the Service.

You have the right to object to processing based on legitimate interests under GDPR Art. 21, such as server log collection or the use of identifiers for fraud prevention. If you object, we will immediately cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims. We will respond to your objection within 30 days.

6. Methods of Processing and Storing Personal Data

6.1. Collection of Personal Data

• When authorizing via Google OAuth 2.0 on the Website, the user grants access to their name and email address
• In the Application, the user can authorize by email via Firebase Authentication or via Google Sign-In
• Technical data is collected automatically when using the Service

6.2. Storage of Personal Data

• User data is stored on secure Firebase servers (Google Cloud Platform)
• Website data is stored on hosting provider servers
• Synchronized data (favorites, playlists, settings) is stored on hosting provider servers

6.3. Security Measures

We apply the following technical and organizational measures to protect your data:

• Encryption in transit: All data transmission between your device and our servers is encrypted using SSL/TLS protocols
• Email hashing (privacy by design): Email addresses are NEVER stored in plain text. We store only irreversible SHA-256 cryptographic hashes, making it impossible to recover the original email address even in the event of a data breach
• Access control: Strict limitation of access to personal data on a need-to-know basis
• Modern authentication: Use of industry-standard OAuth 2.0 and Firebase Authentication protocols
• Third-party security: Reliance on Google Cloud Platform's enterprise-grade security infrastructure for Firebase services

While we implement robust security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security but continuously work to protect your personal data using industry best practices.

6.4. Retention Periods

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected:

• Account data: stored until account deletion by the user or upon their request
• Synchronized data: stored until account deletion
• Client device identifier (userGuid): stored locally on the device until the Application is uninstalled; on the server - for up to 12 months from the last request or until deletion upon user request
• Server user identifier (userDbGuid): automatically deleted from the Application upon sign-out; stored on the server until account deletion or upon user request
• Server logs: stored for up to 12 months from the date of collection, then automatically deleted
• Firebase Analytics data (optional): stored by Google for up to 14 months from the date of collection, then automatically deleted
• Firebase Crashlytics data (optional): stored by Google for up to 90 days from the date of collection, then automatically deleted
• Voluntarily submitted logs: stored in our email correspondence until the user requests deletion. We recommend requesting deletion once your issue has been resolved. Upon your deletion request, logs are permanently deleted from our email and backup systems within 7 days

After the specified retention periods, personal data is either deleted or irreversibly anonymized.

7. Transfer of Personal Data to Third Parties

We transfer your personal data to the following categories of recipients:

7.1. Google LLC / Google Ireland Limited

Data is transferred to Google when using:

• Google OAuth 2.0 for authorization on the Website
• Firebase Authentication for authorization in the Application
• Google Sign-In (CredentialManager) in the Application
• Optional services: Firebase Analytics, Firebase Crashlytics (details in separate consent documents)
• AdMob for advertising display (if enabled)
• User Messaging Platform (UMP) for consent collection

Google processes data in accordance with their Privacy Policy.

International data transfers: Google may transfer and process your data outside the European Economic Area (EEA), including in the United States. These transfers are protected by appropriate safeguards, including:

• EU Standard Contractual Clauses (SCCs) approved by the European Commission
• Google's compliance with relevant data protection frameworks
• Technical and organizational measures to ensure data security

For more information about Google's data transfer mechanisms, see Google's GDPR Compliance.

7.2. Website Hosting Provider

To host the Website, hosting provider services are used, which may have access to technical data (IP addresses, server logs).

7.3. Advertising Networks and Mediation Platforms

The Application uses the following advertising networks and platforms to display advertisements:

• Google AdMob (Google LLC / Google Ireland Limited) — an advertising network. Data processing is carried out in accordance with the Google Privacy Policy
• CAS.AI (CleverAdsSolutions) — an advertising mediation platform that dynamically combines multiple advertising networks to optimize ad delivery. CAS.AI may transfer your data (including Advertising ID and technical device information) to advertising network partners from the following categories: mobile ad networks, demand-side platforms (DSPs), and supply-side platforms (SSPs). Examples include: Google AdMob, Unity Ads, AppLovin, ironSource, Vungle, Chartboost, InMobi, Pangle (TikTok), Meta Audience Network, and others. For the most current and complete list of active CAS.AI advertising partners, please visit https://cas.ai. Data processing is carried out in accordance with the CAS.AI Privacy Policy and the privacy policies of individual advertising networks. You will be notified of material changes to partner categories that significantly affect your rights.

Important: Because advertising mediation involves dynamic partner selection, we recommend reviewing the current list of CAS.AI partners periodically if you have concerns about specific ad networks. You can always opt out of personalized advertising in the Application settings, which will limit data sharing with advertising partners.

7.4. Data Transfer as Required by Law

We may disclose personal data if required:

• By request of competent authorities
• To comply with applicable law
• To protect our rights and security
• To prevent fraud

Important: We do not sell or transfer your personal data to third parties for commercial purposes.

7.5. International Data Transfer Safeguards

When your personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place to protect your data:

• EU Standard Contractual Clauses (SCCs): All transfers to third countries are protected by EU Standard Contractual Clauses approved by the European Commission under GDPR Art. 46
• Additional security measures: We implement technical and organizational measures beyond SCCs, including encryption, access controls, and regular security assessments
• Adequacy assessments: We regularly evaluate the level of data protection in recipient countries and adjust our safeguards as necessary
• Your rights: You can request a copy of the safeguards we have in place by contacting us at guitarsongs.club@gmail.com

Countries involved in data transfers: Your personal data may be transferred to and processed in the United States (Google services, advertising networks) and other countries where our service providers operate.

8. Cookies and Similar Technologies

8.1. What are Cookies

Cookies are small text files that are saved on your device when you visit the Website.

8.2. What Cookies We Use

On the Website:

• Essential cookies: for authorization and session management
• Functional cookies: for saving user settings
• Analytics cookies: for traffic analysis

In the Application:

• Firebase uses similar technologies to save authorization state
• Advertising ID is used to personalize advertising (with your consent)

8.3. Cookie Consent (ePrivacy Directive Compliance)

In accordance with EU ePrivacy Directive (2002/58/EC) and applicable national laws:

• Essential cookies: These cookies are strictly necessary for the Website to function (authentication, session management) and do not require your consent. You cannot opt out of essential cookies while using the Service.
• Non-essential cookies: Analytics and advertising cookies require your explicit consent. Upon your first visit to the Website, you will see a cookie banner requesting your consent for these non-essential cookies.

Your cookie consent choices:

• Accept all cookies (essential + non-essential)
• Accept only essential cookies
• Customize your preferences by cookie category

8.4. Cookie Management

You can manage your cookie preferences at any time:

• On the Website: Access cookie settings through the footer link or banner that appears on your first visit
• Browser settings: Manage cookies through your browser settings (note: disabling essential cookies may limit Website functionality)
• In the Application: Reset Advertising ID in Android device settings or revoke consent for personalized advertising in Application settings

Withdrawing cookie consent will not affect the lawfulness of processing based on consent before withdrawal, but may limit certain Website features.

9. Your Rights (GDPR)

In accordance with GDPR, you have the following rights regarding your personal data:

9.1. Right of Access (Art. 15 GDPR)

You have the right to obtain confirmation of whether your personal data is being processed, and if so, to obtain access to that data.

9.2. Right to Rectification (Art. 16 GDPR)

You have the right to request rectification of inaccurate personal data.

9.3. Right to Erasure / "Right to be Forgotten" (Art. 17 GDPR)

You have the right to request deletion of your personal data.

How to delete your account:

1. In the Application: open Settings -> Synchronization -> Account and tap the "Delete Account" button
2. On the Website: go to Profile -> Edit and click "Delete Account"
3. By email: send a request to guitarsongs.club@gmail.com

When deleting your account, the following will be permanently deleted:

• Your username
• Email address (hash)
• Server user identifier (userDbGuid)
• Client device identifier (userGuid) from our server
• Favorites list
• All created playlists
• Personal settings
• Authorization data
• List of removed artists

Note: The client device identifier (userGuid) will remain locally on your device until the Application is uninstalled, as it is stored in the application's Preferences. You can completely delete it by uninstalling the Application from your device.

Important - Songs You Added: Songs that you added through the Website will remain available to other users, as they are part of the Service's publicly available database. However, to comply with your right to erasure, your username (authorship information) will be removed and replaced with "Deleted User" or similar anonymized designation. This ensures your personal data is deleted while maintaining the availability of publicly contributed content for other users.

If you want specific songs to be completely deleted (not just anonymized), you must delete them manually through the Website before deleting your account, or contact us at guitarsongs.club@gmail.com with specific song URLs prior to account deletion.

Voluntarily Submitted Logs: If you have previously sent diagnostic logs via email and wish to have them deleted, send a deletion request to guitarsongs.club@gmail.com with the subject line "Delete Submitted Logs". We will permanently delete all logs associated with your email address within 7 days.

9.4. Right to Restriction of Processing (Art. 18 GDPR)

You have the right to request restriction of processing of your personal data in certain cases.

9.5. Right to Data Portability (Art. 20 GDPR)

You have the right to receive your personal data in a structured, commonly used machine-readable format and transfer it to another operator.

How to request data: send a request to guitarsongs.club@gmail.com. We will provide your data in JSON format within 30 days.

9.6. Right to Object (Art. 21 GDPR)

You have the right to object to the processing of your personal data based on the legitimate interests of the operator (Art. 6(1)(f) GDPR), including processing for server logs, fraud prevention identifiers, and similar processing activities.

How to exercise your right to object:

1. Send an email to guitarsongs.club@gmail.com with the subject line "Objection to Processing"
2. Specify which processing activities you object to and the reasons for your objection
3. Upon receiving your objection, we will immediately cease processing your personal data based on legitimate interests, unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims
4. We will respond within 30 days to explain our decision and the reasoning behind it

Note: If we cannot demonstrate compelling grounds to continue processing, your data subject to the objection will be immediately deleted or anonymized. In some cases, this may affect your ability to use certain Service features.

9.7. Right to Withdraw Consent (Art. 7(3) GDPR)

You have the right to withdraw your consent to the processing of personal data at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

How to withdraw consent:

• To withdraw consent for Firebase Analytics and Firebase Crashlytics: see respective consent documents or go to Settings → Information → Legal in the Application
• To withdraw consent for personalized advertising: change settings in the Application
• To withdraw general consent: delete your account or write to guitarsongs.club@gmail.com

9.8. Right to Lodge a Complaint with a Supervisory Authority (Art. 77 GDPR)

You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data violates GDPR.

Lead supervisory authority (operator is based in Germany):
Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
Graurheindorfer Str. 153
53117 Bonn, Germany
Phone: +49 (0)228-997799-0
Email: poststelle@bfdi.bund.de
Website: www.bfdi.bund.de

Alternative: You may also lodge a complaint with the supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. You can find your local data protection authority at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

9.9. Exercising Your Rights

To exercise any of the specified rights, contact us:

• Email: guitarsongs.club@gmail.com
• Subject line: "GDPR Request"

We will respond to your request within 30 days of receipt. In complex cases, the period may be extended to 60 days with notification of the reasons for the delay.

9.10. Additional Rights for California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Your California Rights:

• Right to Know: You have the right to request information about the categories and specific pieces of personal information we have collected about you, the sources of collection, the purposes for collection, and the categories of third parties with whom we share it
• Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions provided by law
• Right to Correct: You have the right to request correction of inaccurate personal information we maintain about you
• Right to Opt-Out of Sale/Sharing: We do not sell your personal information to third parties, nor do we share it for cross-context behavioral advertising
• Right to Limit Use of Sensitive Personal Information: We do not collect sensitive personal information as defined by CPRA
• Right to Non-Discrimination: You have the right not to receive discriminatory treatment for exercising your privacy rights

Categories of Personal Information We Collect:

• Identifiers: Email address (stored as SHA-256 hash only), unique user identifiers (userGuid, userDbGuid, Google/Firebase IDs)
• Internet or Network Activity: Pages viewed on Website, app usage data (if Analytics consent given), server logs (IP address, browser type)
• Geolocation Data: Country and region (derived from IP address)
• Inferences: None - we do not create consumer profiles

We do NOT sell personal information. We disclose the following categories to service providers for business purposes: Identifiers and Internet Activity (to Google for authentication, optional analytics, and advertising services).

Exercising Your California Rights:

• Email: guitarsongs.club@gmail.com
• Subject line: "California Privacy Rights Request"

We will verify your identity and respond to your request within 45 days. In complex cases, the period may be extended by an additional 45 days with notification. You may designate an authorized agent to make requests on your behalf by providing written authorization.

California "Shine the Light" Law: California Civil Code Section 1798.83 permits California residents to request information about disclosure of personal information to third parties for direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.

10. Data Breach Notification

10.1. We implement robust technical and organizational measures to protect your personal data from unauthorized access, loss, destruction, or alteration. However, no security system is completely infallible.

10.2. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with GDPR Art. 34. The notification will include:

• A description of the nature of the personal data breach, including the categories and approximate number of data subjects and data records affected
• The likely consequences of the breach
• The measures taken or proposed to address the breach and mitigate its possible adverse effects
• Contact information for obtaining further information

10.3. Notification methods:

Important: Due to our privacy-by-design approach (email addresses are stored only as SHA-256 hashes), we cannot send direct email notifications to registered users. Instead, we will notify you through the following channels:

• Prominent notice in the Application: A mandatory notification screen will appear upon next launch for all users
• Notice on the Website: A prominent banner will be displayed on the homepage and all pages

This limitation is a direct consequence of our strong privacy protection measures. While we cannot proactively email you, the hashing of email addresses ensures that even in the event of a data breach, your actual email address remains protected and cannot be recovered by unauthorized parties.

10.4. We will also notify the relevant supervisory authority (BfDI in Germany) of any data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to your rights and freedoms.

10.5. We maintain documentation of all data breaches, including their effects and the remedial action taken, as required by GDPR Art. 33(5).

11. Personal Data of Minors

11.1. The Service is not intended for persons under 16 years of age.

11.2. We do not knowingly collect personal data from persons under 16 years of age. If we become aware that we have collected personal data from a minor without parental consent, we will take steps to delete such data.

11.3. If you are a parent or guardian and have learned that your child has provided us with personal data, please contact us at guitarsongs.club@gmail.com.

12. Automated Decision-Making and Profiling

12.1. We do not use automated decision-making that produces legal effects concerning you or similarly significantly affects you, as defined in Art. 22 GDPR.

12.2. Analytics (optional): Firebase Analytics and Firebase Crashlytics use automated analysis to create statistics. This analysis does not result in decisions that affect you individually. For details, see separate consent documents.

12.3. Advertising Personalization: When you consent to personalized advertising, advertising networks (AdMob, CAS.AI partners) use automated processing to select ads based on:

• Your Advertising ID
• Device characteristics
• General location (country/region)
• Interaction with previous advertisements

This automated ad selection does not produce legal effects and does not significantly affect you in a way that requires human intervention under GDPR Art. 22. You retain full control and can:

• Opt out of personalized advertising at any time (you will see contextual ads instead)
• Reset your Advertising ID in Android device settings
• Withdraw consent through the Application settings

12.4. No Profiling for Service Access: We do not create profiles that determine your access to features, pricing, or core functionality of the Service. All users have equal access to content and features regardless of their usage patterns or personal characteristics.

13. Changes to the Privacy Policy

13.1. We reserve the right to change this Policy at any time to reflect changes in our practices, legal requirements, or Service features.

13.2. We will notify you of changes by one of the following methods:

• Minor changes: Publication of a notice on the Website with updated "Last updated" date
• Significant changes: Prominent notification in the Application on next launch and/or notice on the Website

13.3. For material changes that affect your rights or how we process your personal data (such as new purposes, new categories of recipients, or changes to legal bases), we will:

• Provide clear notice of the changes
• Request your renewed consent where required by law
• Give you the opportunity to review and accept the updated Policy before continuing to use features affected by the changes

13.4. Continued use of the Service after non-material changes take effect constitutes your acceptance of the updated Policy.

13.5. The date of the last update is indicated at the beginning of this document.

14. Contact Information

14.1. For all questions related to the processing of personal data and this Policy, you can contact us:

Email: guitarsongs.club@gmail.com

14.2. We undertake to respond to your requests within 30 days of receipt.

15. Final Provisions

15.1. This Policy is an integral part of the User Agreement.

15.2. In case of contradictions between this Policy and other documents, this Policy takes precedence in matters relating to personal data processing.

15.3. If any provision of this Policy is found to be invalid, the remaining provisions remain in force.

By using our Service, you confirm that you have read, understood, and agree to the terms of this Privacy Policy.