Privacy Policy

Last updated: March 5, 2026

1. Introduction

Stemix ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you use the Stemix platform ("the Service"). Stemix is operated from Switzerland and is subject to the Swiss Federal Act on Data Protection (DSG/nDSG). Where applicable, we also comply with the EU General Data Protection Regulation (GDPR).

2. Data Controller

The data controller responsible for your personal data is:
Stemix
Zurich, Switzerland
support@stemix.ch

3. Data We Collect

We collect the following categories of personal data:

  • Account data — full name, email address, username, artist/stage name, role, profile picture.
  • Audio content — music files, stems, master tracks, and associated metadata (track titles, descriptions, tags) that you upload to the Service.
  • Usage data — login timestamps, features used, pages visited, device and browser information.
  • Payment data — subscription status and billing history. Card details are processed and stored exclusively by Stripe; Stemix does not have access to your full card number.
  • Communication data — comments, messages, and feedback you submit within the platform.

4. How We Use Your Data

  • To provide, operate, and maintain the Service.
  • To process subscriptions and payments.
  • To send transactional emails (account verification, password reset, project notifications).
  • To improve the Service based on usage patterns.
  • To enforce our Terms of Service and prevent abuse.
  • To respond to support requests.

5. Legal Basis for Processing

We process your data on the following legal grounds:

  • Contract performance (DSG Art. 31 / GDPR Art. 6(1)(b)) — processing necessary to provide the Service you signed up for.
  • Legitimate interest (DSG Art. 31 / GDPR Art. 6(1)(f)) — analytics and service improvement.
  • Consent (GDPR Art. 6(1)(a)) — where you have explicitly consented, such as marketing communications.

6. Third-Party Services

We use the following third-party services to operate the platform:

  • Supabase — database hosting, authentication, and file storage. Data is hosted on AWS infrastructure in the EU region.
  • Stripe — payment processing for Pro subscriptions. Stripe is PCI DSS compliant and handles all card data directly.
  • Resend — transactional email delivery (verification emails, notifications, password resets).
  • Netlify — web application hosting and content delivery network (CDN).

Each third-party provider processes data in accordance with its own privacy policies and applicable data protection regulations.

7. Cookies & Local Storage

Stemix uses cookies and browser local storage for the following purposes:

  • Authentication — session cookies managed by Supabase to keep you logged in.
  • Preferences — local storage to remember your UI preferences (e.g., theme, sidebar state).

We do not use third-party advertising or tracking cookies.

8. Data Retention

  • Account data is retained for as long as your account is active.
  • Audio files are retained until you or a project owner deletes the associated project.
  • Upon account deletion, your profile data is removed promptly. Audio files in projects you own are deleted within 30 days.
  • Anonymized usage data may be retained for analytics purposes.

9. Your Rights

Under the Swiss DSG and EU GDPR, you have the following rights regarding your personal data:

  • Right of access — request a copy of the personal data we hold about you.
  • Right to rectification — request correction of inaccurate or incomplete data.
  • Right to erasure — request deletion of your personal data ("right to be forgotten").
  • Right to data portability — receive your data in a structured, machine-readable format.
  • Right to object — object to processing of your data for specific purposes.
  • Right to lodge a complaint — file a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) or the relevant EU supervisory authority.

To exercise any of these rights, contact us at support@stemix.ch.

10. International Data Transfers

Your data may be processed in the European Union (Supabase AWS EU region) and the United States (Stripe, Resend, Netlify). Where data is transferred outside of Switzerland or the EEA, we ensure appropriate safeguards are in place, including standard contractual clauses or adequacy decisions recognized by the Swiss FDPIC and the European Commission.

11. Security

We take reasonable technical and organizational measures to protect your data, including row-level security policies on our database, encrypted storage, HTTPS for all communications, and secure authentication via Supabase Auth.

12. Children

The Service is not intended for users under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has provided us with personal data, we will take steps to delete such data.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated at least 30 days in advance via email or in-app notification. The "Last updated" date at the top of this page indicates when the policy was last revised.

14. Contact

For questions or concerns about this Privacy Policy or your personal data, contact us at support@stemix.ch.