Privacy Policy
Last updated: 1 June 2026
At LOVINOA (lovinoa.com), operated by Ezfice Ltda (CNPJ 21.667.320/0001-70, Brazil), we take your privacy seriously. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our service. This policy applies to all users worldwide and complies with the EU General Data Protection Regulation (GDPR), Brazil's Lei Geral de Proteção de Dados (LGPD), and other applicable data protection laws in the jurisdictions where we operate.
1. What Data We Collect
We collect information you provide directly, including: your name, email address, phone number (for email and SMS delivery), quiz responses (story details, occasion, recipient name, musical preferences, language preference), and payment information processed through Stripe (we never receive or store your full card number, CVV, or expiration date). We may also collect your preferred language, country, and any promotional codes you use.
We automatically collect technical data when you visit our site, including: IP address (anonymized for analytics), browser type and version, device type and operating system, pages visited and time spent, referring URLs, and cookie identifiers. We use cookies for essential functionality (session management, language preference, cookie consent), analytics (Google Analytics with IP anonymization), and marketing (Meta Pixel for conversion tracking and advertising performance measurement).
2. How We Use Your Data
Your personal data is used for the following purposes and legal bases: (a) Contract performance — to create your personalized song based on quiz responses, process your payment via Stripe, deliver your song via email and SMS, and provide order confirmations and updates; (b) Legitimate interest — to improve our service quality and AI algorithms (using aggregated, anonymized data only), prevent fraud and abuse, provide customer support, and ensure platform security; (c) Consent — to send marketing communications (only with your explicit opt-in), use analytics cookies and marketing pixels, and share anonymized usage statistics with partners.
We do NOT use your personal story details for marketing purposes. Your song creation data (story, names, occasion) is used solely for generating your requested song and is not shared with third parties for their own purposes. We do not engage in automated decision-making or profiling that produces legal effects concerning you. We do not sell, rent, or trade your personal information to any third party.
3. Payment Processing
All payment transactions are processed securely through Stripe, a PCI DSS Level 1 certified payment processor — the highest level of security certification in the payment industry. LOVINOA never receives, processes, or stores your credit card numbers, CVV codes, expiration dates, or full payment card details on our servers. Your payment data is transmitted directly from your browser to Stripe's secure servers using TLS encryption.
Stripe processes your payment data in compliance with the highest industry security standards, including PCI DSS Level 1, SOC 1 and SOC 2 compliance, and strong encryption protocols. We only receive from Stripe: a confirmation of payment success or failure, the last 4 digits of your card (for reference), the payment amount, and a transaction ID. For more information about how Stripe handles your data, please review Stripe's privacy policy at stripe.com/privacy.
4. Data Storage and Security
Your data is stored on secure, encrypted servers provided by Supabase (database) and AWS (infrastructure), both of which maintain SOC 2 Type II compliance and implement industry-leading security measures. All data is encrypted in transit using TLS 1.2+ (HTTPS) and at rest using AES-256 encryption. Access to personal data is strictly restricted to authorized personnel on a need-to-know basis, protected by multi-factor authentication and role-based access controls.
We implement comprehensive security measures including: regular security audits and vulnerability assessments, automated monitoring for unauthorized access attempts, secure backup procedures with encryption, incident response procedures for potential data breaches, and staff training on data protection. While we strive to protect your personal information using industry-best practices, no method of internet transmission or electronic storage is 100% secure. In the unlikely event of a data breach affecting your personal data, we will notify you and the relevant supervisory authorities as required by applicable law (within 72 hours under GDPR).
5. Cookies
We use cookies and similar technologies categorized as follows: (a) Essential cookies — required for the site to function properly, including session management, language preferences, and cookie consent status (these cannot be disabled); (b) Analytics cookies — Google Analytics (with IP anonymization enabled) to understand how visitors interact with our website, measure page performance, and identify areas for improvement; (c) Marketing cookies — Meta Pixel (Facebook) for measuring advertising conversion rates and optimizing ad delivery for users who have interacted with our site.
For users in the European Union, we display a cookie consent banner that allows you to accept or reject non-essential cookies before they are placed. You can change your cookie preferences at any time through our cookie settings. You can also disable cookies through your browser settings, though this may affect site functionality. We honor Do Not Track (DNT) browser signals. Analytics data is retained for 26 months, after which it is automatically deleted. We do not use cookies for cross-site tracking beyond the services listed above.
6. Third-Party Services
We use the following third-party services, each with their own privacy policies: (a) Stripe (stripe.com/privacy) — payment processing; receives payment data directly from your browser; (b) Google Analytics (policies.google.com/privacy) — website analytics with IP anonymization; collects anonymized usage data; (c) Meta/Facebook Pixel (facebook.com/privacy) — conversion tracking and advertising measurement; receives page visit events and conversion data; (d) Supabase (supabase.com/privacy) — database hosting; stores user and order data with encryption; (e) Suno AI — music generation engine; receives only song parameters (genre, mood, language, lyrics) and NO personal data (no names, emails, or story details are shared with Suno).
We carefully select third-party partners who maintain high standards of data protection and are compliant with applicable privacy regulations. We have data processing agreements in place with all processors handling personal data on our behalf. We do NOT sell, rent, or trade your personal information to any third party for their marketing purposes. Data transfers outside the EEA (European Economic Area) are protected by appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission.
7. Your Rights
Under the GDPR (for EU/EEA users), LGPD (for Brazilian users), and other applicable data protection laws, you have the following rights: (a) Right of access — obtain a copy of your personal data we hold; (b) Right to rectification — correct inaccurate or incomplete personal data; (c) Right to erasure ("right to be forgotten") — request deletion of your personal data; (d) Right to restriction — restrict the processing of your personal data in certain circumstances; (e) Right to data portability — receive your data in a structured, commonly used, machine-readable format; (f) Right to object — object to processing based on legitimate interest or direct marketing; (g) Right to withdraw consent — withdraw previously given consent at any time.
To exercise any of these rights, please contact us at [email protected] with the subject line "Privacy Request" and include your full name and the email associated with your order. We will verify your identity and respond to your request within 30 days (extendable by 60 days for complex requests, with notification). We will not charge a fee for reasonable requests. You also have the right to lodge a complaint with your local data protection supervisory authority (e.g., your national DPA in the EU, or the ANPD in Brazil). We will cooperate fully with any supervisory authority investigation.
8. Data Retention
We retain your data for the following periods: (a) Order data (name, email, quiz responses, order details) — 24 months from the date of purchase, for customer support, legal compliance, and warranty purposes; (b) Song files (generated audio) — 12 months after creation, after which they are permanently deleted from our servers; (c) Analytics data (anonymized usage statistics) — 26 months, as configured in Google Analytics; (d) Payment records — as required by applicable tax and accounting laws (typically 5-7 years for financial records); (e) Cookie data — session cookies expire when you close your browser; persistent cookies expire after 13 months maximum.
After the applicable retention period, your data is securely deleted or irreversibly anonymized. You may request early deletion of your data at any time by contacting us at [email protected], subject to any legal obligations requiring us to retain certain data (such as tax records). When you request deletion, we will remove your personal data from our active systems within 30 days, and from backup systems within 90 days.
9. Contact for Privacy Requests
For any privacy-related questions, requests, or concerns, please contact our Data Protection team at: [email protected]. Please include "Privacy Request" in the subject line. We are committed to addressing your privacy concerns promptly, transparently, and in accordance with applicable law. Our Data Protection Officer (DPO) can be reached at the same email address.
We aim to respond to all privacy requests within 30 days of receipt. For urgent matters that require immediate attention, please include "PRIVACY URGENT" in the subject line of your email and we will prioritize your request. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.