1. Introduction
This Privacy Policy explains how Chord ("we," "us," "our") collects, uses, stores, shares, and protects your personal information when you use the Chord mobile application (the "App"), the Chord website at chordapp.in (the "Website"), and any related services (collectively, the "Services").
Chord is operated from Mumbai, Maharashtra, India.
We are committed to protecting your privacy. Chord is designed with privacy as a foundational principle. We do not sell your data. We do not serve ads. We do not track you across apps or websites. Your memories are private, encrypted, and yours.
2. Information We Collect
2.1 Information You Provide Directly
| Data type | What we collect | Why |
|---|---|---|
| Account info | Email address (or Apple ID / Google account) | To create and authenticate your account |
| Memories | Photos, videos (up to 60s), notes (up to 500 chars), memory names, mood tags, location tags | Core content of the App |
| Voice notes | Audio recordings you attach to memories | Personal voice context |
| Song info | Song titles and artist names (via search or detection) | Connect music to your memories |
| Note to Self | A personal note for Support mode | To display your own words during grounding |
| Safety contacts | Name and phone of your designated "My Person" | To offer you the option to reach out |
2.2 Information Collected Automatically
| Data type | What | Why |
|---|---|---|
| Usage metadata | Session type, timestamps, session outcome, memory view counts | Improve App experience |
| Device info | Device type, OS version, App version, language | Ensure correct functionality |
| Crash reports | Anonymised crash logs (no personal content) | Identify and fix bugs |
What we do NOT collect: Background location, contacts, call logs, browsing history, app usage outside Chord, advertising identifiers (IDFA/GAID), or device fingerprinting data.
2.3 Health and Biometric Data (Wearable — Optional)
If you connect a wearable (Apple Watch, Fitbit, WHOOP, Oura Ring, Garmin, Samsung Watch), the following is accessed: heart rate, HRV, EDA, skin temperature, respiratory rate, SpO2, sleep stages, activity, and platform-computed scores.
2.4 Audio Data (Song Detection — Optional)
The "Detect song" feature captures a short audio sample (5–10 seconds) sent to our song-detection partner for identification only. The sample is not stored by Chord after identification.
2.5 Voice Data, Smart Glasses, Location
Voice search is processed by your device's native speech recognition — Chord receives only transcribed text. Smart glasses captures are stored with the same encryption as other memories. Location is only used at the moment of memory creation if you grant permission — no background tracking.
3. How We Use Your Information
We use your information solely to provide the Services, authenticate your account, process memories through on-device ML, send transactional emails, analyse anonymised patterns, respond to support, and comply with legal obligations.
We NEVER use your information for:
- Advertising, ad targeting, or ad personalisation
- Selling, renting, or sharing your data with third parties
- Training general-purpose AI models
- Cross-app tracking or device fingerprinting
- Creating user profiles for marketing
4. Storage and Protection
| Layer | Standard |
|---|---|
| Data in transit | TLS 1.3 |
| Data at rest (database) | AES-256 encryption |
| Data at rest (media) | AES-256 encryption |
| Sensitive fields (notes, contact, voice notes) | Application-layer AES-256-GCM with authenticated additional data (AAD) |
| Health data on device | Processed in volatile memory (RAM), cleared after processing |
Row-Level Security (RLS) is enabled at the database layer so accounts cannot read each other's rows. Sensitive fields (notes, voice notes, contact info) are encrypted with AES-256-GCM keys held server-side — meaning Chord can decrypt to serve your own authenticated requests, but the data is never browsable in plaintext from the database itself.
5. Third-Party Services
| Service | Purpose | Data shared |
|---|---|---|
| Anthropic Claude | AI memory assistant | Memory metadata you reference in a chat (song, artist, mood, location, date) and your message text. Used to generate a response — not used for training. |
| Spotify Web API | Song search, metadata, album art | Search queries only. Spotify never receives your memory content, notes, or photos. |
| Song-detection partner | Identify a song from a short audio clip | 5–10s audio sample, discarded after identification |
| Apple HealthKit / Fitbit / WHOOP / Oura / Garmin / Samsung | Optional wearable data access | Chord reads wearable data with your permission |
| Netlify | Website hosting and forms (waitlist, contact, privacy requests) | Submitted form data + standard request logs |
| AWS CloudFront | Image CDN and DDoS protection | Standard request metadata |
| Google Analytics 4 | Anonymous traffic measurement (only if you accept analytics cookies) | IP address (anonymised by Google), page paths, session duration |
Services we do NOT use: Facebook SDK, Firebase Analytics, Mixpanel, Amplitude, any advertising SDK, any data broker.
6. Data Sharing
We do not sell, rent, or trade your personal data. We share data only for: service operation (encrypted, with infrastructure providers), legal requirements, safety emergencies, or business transfers (with advance notice and opt-out).
7. Your Rights
GDPR (UK/EU): Access, rectification, erasure, portability, restriction, objection, withdrawal of consent. We respond within 30 days.
India DPDP Act 2023: Access, correction, erasure, grievance redressal, nomination. We respond within 30 days.
CCPA (California): Right to know, right to delete, right to opt out of sale of personal data. We do not sell personal data.
Use the controls below to exercise these rights. We confirm every request by email before acting, and we always respond — even if you don't have an account.
Requests are processed within 30 days. We may contact you to verify identity before completing a deletion. If you'd rather email us, write to privacy@chordapp.in.
8. Children's Privacy
Chord is not intended for anyone under 16. We do not knowingly collect data from children under 16.
9. Cookies and Tracking
The Chord website uses only the cookies you explicitly accept. On your first visit you'll see a cookie banner with three options: Essential only (default), Accept analytics, or Customise. Essential cookies (theme preference, session) are always set — they're required for the site to function and don't track you. Analytics cookies (Google Analytics 4) only load if you opt in. You can revisit your choice anytime via the "Cookie preferences" link in the footer. The App does not use cookies, tracking pixels, or advertising identifiers.
10. Security Incident Response
In the event of a data breach, we will notify the relevant authority within 72 hours and affected users without undue delay via email.
11. Medical Disclaimer
Chord is NOT a medical device, therapeutic tool, diagnostic system, or healthcare service. The wearable features detect physiological patterns and offer optional grounding moments — they do not diagnose, treat, cure, or prevent any condition. Support Mode is not a substitute for professional care. Contact iCall (9152987821) or Samaritans (116 123) for crisis support.
12. Contact Us
Privacy: privacy@chordapp.in
Grievance Officer (India): Ameya Bhanushali — grievance@chordapp.in
General: hello@chordapp.in
Chord | Privacy Policy v1.1 | May 2026