Privacy Policy
Last updated: February 25, 2026
1. Who We Are
SongSplit is operated by Echo VQ Pty Ltd, an Australian company. This Privacy Policy explains how we collect, use, and protect your information when you use the SongSplit audio separation service.
2. Information We Collect
SongSplit is designed to work without requiring an account. We collect minimal information:
- Session ID: A random identifier stored in a browser cookie to associate your uploads with your browser session.
- IP address: Logged for rate limiting and abuse prevention.
- Referrer & UTM parameters: Captured on first visit for analytics (e.g. how you found SongSplit).
- Uploaded audio: The audio files you upload for processing.
We do not collect your name, email address, or any other personal information unless you voluntarily link an EchoVQ account.
3. How Audio Is Processed
When you upload an audio file:
- The file is uploaded to AWS S3 (Sydney region) via encrypted connection.
- Our separation engine (Demucs by Meta) processes the audio into individual stems on a dedicated server.
- If you request lyrics transcription, the vocal stem is sent to OpenAI's Whisper API, which processes data in the United States.
- Processed stems are stored on AWS S3 until they expire and are permanently deleted.
4. Cookies & Sessions
SongSplit uses a single Django session cookie to identify your browser session. This cookie is:
- httpOnly: Not accessible to JavaScript.
- Secure: Only transmitted over HTTPS.
- Session-scoped: Expires when you close your browser or after 72 hours.
We do not use advertising cookies, tracking pixels, or third-party analytics cookies.
5. Third-Party Services
SongSplit uses the following third-party services to operate:
| Service | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| AWS S3 | File storage | Uploaded and processed audio | AWS Privacy |
| OpenAI Whisper | Lyrics transcription | Vocal audio (only when transcription is requested) | OpenAI Privacy |
| CloudFlare | CDN & DDoS protection | IP address, request metadata | CloudFlare Privacy |
6. Data Retention
We retain data for the minimum period necessary:
- Browser sessions: 72 hours.
- Anonymous tracks: 7 days after upload, then permanently deleted.
- Free account tracks: 60 days after upload, then permanently deleted.
- Plus/Student account tracks: 1 year after upload, then permanently deleted.
- Teacher account tracks: Stored permanently.
When files expire, all associated data is permanently deleted from our servers, including original uploads, separated stems, lyrics, and metadata. This deletion is irreversible.
7. Data Sharing
- We do not sell your data to third parties.
- Your uploaded audio is not used for AI model training.
- Share links are public by design — anyone with the link can access the player page. You control who you share links with.
8. Your Rights
Under the Australian Privacy Principles (APP), you have the right to:
- Access: Request a copy of data associated with your session.
- Deletion: Request early deletion of your tracks (or simply wait for auto-expiry).
- Portability: Download your separated stems before they expire.
For anonymous users, data is automatically deleted within 7 days. If you need to exercise these rights, contact us at legal@echovq.com.
If you believe we have breached the Australian Privacy Principles, you may lodge a complaint by emailing legal@echovq.com. We will acknowledge your complaint within 7 days and provide a response within 30 days.
9. Children's Privacy
SongSplit is not intended for use by children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we will take steps to delete it.
10. International Transfers
All data is stored in AWS's ap-southeast-2 (Sydney, Australia) region. Audio sent for transcription is processed by OpenAI's API servers, which may be located outside Australia. By using the Service, you consent to this transfer.
11. Security
We take reasonable measures to protect your data:
- All connections use HTTPS/TLS encryption.
- Files are stored in encrypted S3 buckets with restricted access.
- Sessions are identified by random UUIDs — no personally identifiable information is required.
- Automatic file deletion enforces data minimisation.
12. Changes & Contact
We may update this Privacy Policy from time to time. The "Last updated" date at the top indicates when the policy was last revised.
For privacy-related questions or requests, contact us at legal@echovq.com.