Privacy Policy
How drumbeet handles data
Effective May 12, 2026. This policy explains what drumbeet collects, why it is used, and how to contact us.
Who operates drumbeet
Drumbeet is operated by the drumbeet project. For privacy questions or data requests, contact [email protected] or [email protected].
Data we collect
- Account data such as email address, display name, OAuth provider identity, and sign-in status.
- Authentication data such as session cookies, CSRF cookies, OAuth state cookies, magic-link challenge data, and login attempt metadata.
- Creative data such as saved patterns, favorites, library items, uploaded MIDI, generated MIDI, and exported output metadata.
- Prompt and search data such as text searches, song prompts, artist/style references, and generation settings.
- Technical data such as IP address, user agent, device/browser details, API logs, frontend error logs, and rate-limit identifiers.
- Support communications you send through email, Discord, or another support channel.
How we use data
- Provide account sign-in, account security, saved libraries, favorites, and exports.
- Generate, search, transform, preview, and download drum MIDI.
- Protect the service from abuse, spam, credential attacks, and automated misuse.
- Debug errors, measure reliability, improve search/generation quality, and respond to support requests.
- Comply with legal requests, copyright notices, safety obligations, and policy enforcement.
Third-party services
Drumbeet may use service providers to operate the app. Depending on enabled production settings, these can include:
- Hosting and runtime infrastructure such as Railway.
- OAuth sign-in providers such as Google, Discord, or GitHub.
- Email sign-in providers such as Resend or Postmark.
- Cloudflare services, including Turnstile bot protection and R2 object storage.
- AI routing/model providers such as OpenRouter and underlying model providers when AI-assisted text features are enabled.
- Music metadata sources used by drumbeet tooling, such as MusicBrainz, ListenBrainz, Last.fm, or Wikidata, where applicable.
Cookies and local storage
Drumbeet uses required cookies for sign-in sessions, CSRF protection, OAuth state, and email magic-link flows. The app may also use browser storage for preferences such as theme, library display settings, and local UI state. Drumbeet does not currently use advertising cookies.
Retention
- Session data is kept for the active session lifetime and expires after inactivity or absolute session limits.
- Email magic-link challenges are short-lived.
- Generated output downloads are temporary and may expire automatically; production configuration currently targets short retention for output files.
- Logs, prompt/search telemetry, and diagnostic records are kept only as long as needed for security, debugging, abuse prevention, and product improvement.
- Deleted account data may remain in backups for a limited period before backup rotation removes it.
Your choices
- You can stop using account features or sign out at any time.
- You can request access, correction, deletion, or export of account data by contacting [email protected].
- You can ask us to remove saved creative data associated with your account.
- Some data may be retained when needed for security, abuse prevention, legal obligations, or dispute handling.
Children
Drumbeet is not directed to children under 13. If you believe a child under 13 has provided personal information, contact us so we can delete it.
No sale of personal information
Drumbeet does not sell personal information. If advertising, tracking, or data-sharing practices change, this policy will be updated before those changes take effect.