Privacy Policy

MAI ("we," "us," or "our") operates the MAI music AI platform accessible at mai.music and its sub-domains. MAI is the data controller responsible for your personal information collected through the Service.

If you have any questions, concerns, or requests regarding this Privacy Policy or the handling of your personal data, please contact us at:

privacy@mai.music
MAI — Music AI
United States

We will respond to privacy requests within 30 days, or sooner where required by applicable law.

Information you provide directly:

• Account information: email address and hashed password at registration
• Profile preferences: instrument, secondary instruments (Pro), clef, and skill level
• User Content: sheet music pieces you generate, translate, or scan; community posts you publish; personal notes attached to posts
• Communications: messages you send to MAI's chat assistant; feedback or support emails you send to us
• Payment information: when subscribing to a paid plan, payment details are collected by our third-party payment processor (we do not store raw card numbers)
• Audio uploads: optional MP3 or audio files you upload as generation references (processed and not retained beyond the generation session)
• Image uploads: photos or PDFs of physical sheet music submitted for AI scanning (processed and not retained beyond the scanning session)

Information collected automatically:

• Log data: IP address, browser type and version, operating system, referring URLs, pages visited, timestamps, and actions taken within the Service
• Device information: device type, screen resolution, and browser capabilities used to optimize the rendering of sheet music
• Usage data: features accessed, generation history (song links, vibe descriptions, settings used), sheets saved to your history, sheets liked or bookmarked in Discover
• Error and performance data: crash reports, error logs, and performance metrics used to diagnose and fix issues
• Local storage: authentication tokens stored in your browser's localStorage to keep you signed in across sessions

Information we do not collect: We do not collect your physical location beyond IP-based country estimation. We do not collect audio from your microphone. We do not use third-party advertising trackers or sell your data to advertisers.

We use the personal data we collect for the following purposes:

• Account management: to create, authenticate, and maintain your account
• Service delivery: to process your generation, translation, and scanning requests; to render and display your sheet music; to operate the MAI chat assistant
• Personalization: to pre-fill instrument, clef, and skill level settings based on your profile; to surface relevant community content
• Community features: to publish User Content you choose to share in Discover; to display your username alongside posts
• Payments and billing: to process subscription payments, send receipts, and manage your billing history through our payment processor
• Service improvement: to analyze aggregate usage patterns, identify bugs, and guide product development decisions
• Security and fraud prevention: to detect suspicious activity, enforce our Terms of Service, and protect the integrity of the Service
• Legal compliance: to comply with applicable laws, respond to legal process, and enforce our agreements
• Communications: to send transactional emails (account verification, password reset, billing receipts) and, where you have opted in, product update announcements

We do not use your personal data to train external AI models, build advertising profiles, or sell data to third parties under any circumstances.

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases:

• Contract performance: processing necessary to provide the Service you requested and fulfill our agreement with you (e.g., generating sheet music, managing your account)
• Legitimate interests: processing necessary for our legitimate business interests, such as improving the Service, preventing fraud, and ensuring security, where such interests are not overridden by your rights
• Legal obligation: processing required to comply with applicable laws and regulations
• Consent: where we rely on your consent (e.g., optional marketing emails), you may withdraw consent at any time without affecting the lawfulness of prior processing

Storage. Your data is stored on secure servers located in the United States. If you are located outside the United States, your data will be transferred to and processed in the United States, a jurisdiction that may not have the same data protection laws as your country.

Security. We implement industry-standard technical and organizational measures to protect your personal data, including:

• Passwords are hashed using bcrypt with a per-user salt and never stored in plain text
• All data in transit is encrypted using HTTPS/TLS
• Authentication tokens are signed JWTs with a 30-day expiry stored in browser localStorage
• Database access is restricted to authorized services and personnel
• Regular security reviews and dependency updates

Despite these measures, no security system is impenetrable. We cannot guarantee absolute security, and you use the Service at your own risk. If you believe your account has been compromised, contact us immediately at privacy@mai.music.

Retention. We retain your personal data for as long as your account is active or as needed to provide the Service. Specifically:

• Account information and profile: retained until you request account deletion
• Generation history and saved sheets: retained until you delete individual pieces or your account
• Community posts: retained until you delete them or your account is terminated
• Payment records: retained for up to 7 years to comply with financial recordkeeping requirements
• Log and usage data: retained for up to 12 months, then aggregated or deleted
• Audio and image uploads: deleted immediately after processing; not stored beyond the generation session
• Backup copies: purged within 30 days of account deletion

We do not sell, rent, or trade your personal information. We share your data only in the following limited circumstances:

• Service providers: trusted third parties who assist in operating the Service, including payment processors (Stripe), email delivery providers, and cloud infrastructure providers. These providers are contractually bound to use your data only to provide services to us and in accordance with this Privacy Policy
• Community features: User Content you choose to post to Discover is visible to all MAI users. Your username or display name may appear alongside your posts. Posts you delete are removed from public view promptly
• Legal requirements: we may disclose your information if required to do so by law, court order, or governmental authority, or if we believe disclosure is necessary to protect the safety or rights of MAI, our users, or the public
• Business transfers: in the event of a merger, acquisition, sale of assets, or bankruptcy, your personal data may be transferred to the successor entity, subject to equivalent privacy protections
• With your consent: we may share your information for purposes not listed here if we obtain your explicit consent

The Service integrates with or depends on certain third-party services. The key integrations are:

• Anthropic (Claude AI): your messages to the MAI chat assistant and generation prompts are processed by Anthropic's API. Anthropic's privacy policy governs data processed through their API
• Stripe (payments): subscription billing is handled by Stripe. Your payment card data is collected and stored by Stripe, not MAI. Stripe's privacy policy governs payment data
• YouTube and external links: when you paste a YouTube link, MAI accesses publicly available metadata (title, artist) via YouTube's data API. We do not download or store audio
• Email delivery: transactional emails are sent via a third-party email provider. Your email address is shared only for the purpose of sending you messages

We encourage you to review the privacy policies of these third-party services.

We use browser localStorage (not cookies) to store your authentication token, which keeps you signed in between sessions. This token is signed and expires after 30 days. You can clear it at any time by signing out or clearing your browser storage.

We do not use advertising cookies, cross-site tracking cookies, or third-party analytics cookies. We may use essential first-party session data to maintain your preferences during a browsing session.

If we introduce cookies in the future, we will update this Policy and, where required by law, seek your consent before setting non-essential cookies.

Depending on your location, you may have the following rights regarding your personal data:

• Access: request a copy of the personal data we hold about you
• Correction: request correction of inaccurate or incomplete data
• Deletion: request deletion of your personal data (the 'right to be forgotten'), subject to legal retention requirements
• Portability: request your data in a structured, machine-readable format
• Restriction: request that we restrict processing of your data in certain circumstances
• Objection: object to processing based on legitimate interests
• Withdrawal of consent: withdraw consent at any time where processing is based on consent, without affecting prior lawful processing

To exercise any of these rights, contact us at privacy@mai.music. We will respond within 30 days (or sooner as required by law). We may need to verify your identity before processing your request. We will not discriminate against you for exercising your privacy rights.

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

• Right to Know: you may request that we disclose what personal information we collect, use, disclose, and sell about you
• Right to Delete: you may request deletion of personal information we have collected, subject to certain exceptions
• Right to Correct: you may request correction of inaccurate personal information
• Right to Opt-Out of Sale or Sharing: we do not sell or share your personal information for cross-context behavioral advertising
• Right to Limit Use of Sensitive Personal Information: we do not use sensitive personal information beyond what is necessary to provide the Service
• Right to Non-Discrimination: we will not discriminate against you for exercising your CCPA rights

To submit a CCPA request, contact us at privacy@mai.music or use your account settings. We will verify your request and respond within 45 days, extendable by an additional 45 days with notice.

Categories of personal information collected in the past 12 months: identifiers (email address, IP address); commercial information (subscription plan, transaction history); internet activity (pages visited, features used); inferences drawn to create a profile about your musical preferences.

Categories of sources: directly from you; automatically through your use of the Service.

Business or commercial purpose for collection: to provide and improve the Service, as described in Section 3.

Categories shared with third parties: identifiers shared with email delivery providers and Stripe (payment); internet activity shared in aggregate with analytics tools. No categories are sold.

MAI operates from the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States. We take steps to ensure that such transfers comply with applicable data protection laws, including implementing standard contractual clauses where required for transfers from the EEA or UK.

By using the Service, you consent to the transfer of your personal information to the United States and acknowledge that data protection laws may differ from those in your home country.

The Service is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. Users between 13 and 17 must have parental or guardian consent before using the Service.

If we become aware that we have collected personal data from a child under 13 without verifiable parental consent, we will take steps to delete that information promptly. If you believe a child under 13 has provided us with personal data, please contact us at privacy@mai.music.

In the event of a security breach that affects your personal data and is likely to result in a risk to your rights and freedoms, we will notify you without undue delay and, where required by law, within 72 hours of becoming aware of the breach. Notification will be provided via the email address associated with your account and/or a prominent notice on the Service.

Notifications will include: a description of the nature of the breach; the categories and approximate number of users affected; the likely consequences of the breach; and the measures taken or proposed to address the breach and mitigate its effects.

Some browsers include a "Do Not Track" (DNT) feature that signals websites not to track user activity. Because there is no universally accepted standard for how to respond to DNT signals, we do not currently alter our data practices in response to DNT signals. However, we do not engage in cross-site behavioral tracking regardless of DNT status.

You may request deletion of your account and personal data at any time by contacting privacy@mai.music. Upon receiving a verified deletion request, we will:

• Deactivate your account within 5 business days
• Delete or anonymize your personal data from active databases within 30 days
• Remove your community posts from public view within 5 business days
• Purge backup copies within 30 days of active deletion
• Retain certain financial records for up to 7 years as required by law

Please note that content you have posted to the community may remain visible in anonymized form or may have been saved by other users before deletion. We cannot guarantee recovery of any data after a deletion request has been processed.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Post the updated policy with a revised 'Last updated' date at the top of this page
• Notify you by email at the address associated with your account
• Display a prominent notice within the Service for at least 30 days following a material change

Your continued use of the Service after the effective date of the updated Privacy Policy constitutes your acceptance of the changes. If you do not agree with the updated policy, you must stop using the Service and may request account deletion.

For any questions, concerns, or requests related to this Privacy Policy or our data practices, please contact:

privacy@mai.music
MAI — Music AI
United States

EEA/UK users may also have the right to lodge a complaint with your local data protection supervisory authority if you believe we have processed your personal data in violation of applicable law.