Privacy policy

1. Who is responsible for your data

Singa is the data controller for the personal data described on this page. You can reach us at the address and email below.

• Contact: [email protected]

2. What we collect

The exact data we hold about you depends on what you do on the service. The categories below are the full set.

Account

When you create an account we store your email address, first and last name, your password as a salted hash (we never see the plain password), your preferred language, and timestamps for when you submitted and verified your email.

Form submission

Each form has its own set of fields, configured by an admin. Depending on the form you may be asked for:

• User details: name, email, optionally a photo.
• Postal address: street, city, postal code, country.
• Free text area fields.
• Song details: title, artist, key, songwriters, copyright label, and ISRC code.
• Uploaded files such as photos and audio or video backing tracks. Files are stored on our server outside the public web area; only you and administrators can access them.

If your manager or someone else with their own Singa upload portal account submits a form on your behalf, the user email and name on the form may belong to you rather than to the account holder. In that case our submission emails (confirmation, reminders) are sent both to the account holder and to the user email on the form.

Payments

Card payments are handled by Stripe. We never see your card details — we only receive a payment confirmation. After a successful payment we store, on our server, an immutable receipt snapshot containing your name, email, the form name, and the amounts and tax involved. Stripe stores its own records of the transaction under its own privacy policy.

Technical data

When you use the service we record IP addresses, browser User-Agent strings, and timestamps in our session, audit, rate-limit, and notification logs. Failed login attempts are written to a server log file. We use this data to keep the service secure and to investigate problems.

3. Why we use your data, and on what legal basis

We process personal data for the following purposes (GDPR Article 6):

• To provide the submission service, let you take part in forms — Article 6(1)(b), performance of a contract.
• To issue and keep VAT-compliant receipts and accounting records — Article 6(1)(c), legal obligation under Finnish bookkeeping law.
• To keep the service secure, prevent abuse, and investigate incidents — Article 6(1)(f), legitimate interest.

4. Who else sees your data

We share data only with the service providers we need to run the platform. Each of them processes data on our behalf and under contract.

• Stripe (Stripe Payments Europe and Stripe, Inc.) — handles card payments. You enter card details directly on a Stripe-hosted page; we receive only the payment status, amount, and tax computation.
• Google Fonts — every page loads a font stylesheet from Google's servers, which means Google sees your IP address.

We do not sell your personal data and we do not share it with advertising or marketing networks.

5. Transfers outside the EEA

Stripe may process some data on servers in the United States. These transfers happen under the Standard Contractual Clauses approved by the European Commission. All other data stays on servers within the EEA.

6. Cookies and similar technologies

We use only the cookies we need to make the service work:

• A session cookie ("rp_sess") that keeps you signed in. It expires after 30 days and is removed when you sign out.
• A language cookie ("rp_lang") that remembers whether you prefer English or Finnish. It expires after one year.
• A CSRF token stored inside your session. It protects forms from cross-site request forgery and is not visible across sites.

7. How long we keep your data

We currently keep most data until it is manually deleted. The rules are:

• Account data: kept while your account is active. We delete it when you ask us to (see Section 8).
• Submission form answers and uploaded files: kept until you or an administrator delete the submission. Archived forms stay in our records so we can answer later questions about who took part.
• Receipts and payment records: kept for six (6) years from the end of the financial year, as required by Finnish bookkeeping law (kirjanpitolaki 2:10). We keep these records even if you delete your account, but we disconnect them from your active account.
• Technical logs (sessions, audit log, notification log, failed-login log, rate-limit data): kept until manually purged. We will tighten this with automated retention as the system matures.

8. Your rights

Under the GDPR you have the right to:

• Access — ask for a copy of the personal data we hold about you.
• Rectification — ask us to correct data that is wrong or incomplete.
• Erasure — ask us to delete your personal data (subject to the bookkeeping retention above).
• Restriction — ask us to stop processing your data while a question about it is being resolved.
• Portability — ask us to provide your data in a common machine-readable format.
• Objection — object to processing we base on legitimate interest.

To exercise any of these rights, email us at [email protected]. We respond within one month of receiving your request, as required by GDPR Article 12(3).

You also have the right to lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto) at tietosuoja.fi.

9. How we protect your data

The site is served over HTTPS. Passwords are stored as bcrypt hashes. Session tokens are stored on our server only as SHA-256 hashes. Uploaded files are kept outside the public web area and served only after we check that you are signed in and allowed to see them.

10. Age limit

Forms are open to people aged 18 and over only, and accounts on this service are intended for adults. If you become aware that someone under 18 has been entered on a form, please contact us using the details in Section 1 and we will delete the account.

11. Changes to this policy

When we change how we handle data we update this page and bump the "last updated" date at the top. If a change materially affects you we will also send a notification by email to the address on your account.