LIA LIA
Home Features Demo Pricing
DAW
Ableton LiveLive FL StudioComing Soon Logic ProComing Soon CubaseComing Soon Studio OneComing Soon Pro ToolsComing Soon ReaperComing Soon Bitwig StudioComing Soon ReasonComing Soon
View all DAWs →
Blog About
Login

Privacy Policy

Version 2.0 · Last updated 27 April 2026 · Effective 27 April 2026

This Privacy Policy explains how LIA ("we", "us", "our") collects, uses, transfers, and protects your personal data when you use the LIA service at liaplugin.com, including the LIA web application at app.liaplugin.com, the LIA Bridge for Ableton Live, and all related services (collectively, the "Service"). It is written in line with Regulation (EU) 2016/679 (GDPR).

If you have read a previous version of this policy: this v2.0 rewrite was driven by our pre-launch GDPR review. Material changes from v1.x: we removed any AI inference provider based in jurisdictions without an EU adequacy decision (no providers in China, Russia, or other non-adequacy jurisdictions); we added explicit references to the EU-US Data Privacy Framework (DPF) and Standard Contractual Clauses (SCCs); we documented the full data retention schedule; and we added a logged-in endpoint exposing the live sub-processors list under Article 15 (right of access).

1. Data Controller

The data controller is Jacopo Di Loreto, sole proprietor (Italian SRL in costituzione, P.IVA in attivazione), Abruzzo, Italy. Contact: [email protected].

We have not designated a Data Protection Officer (DPO). The activities described here do not meet the GDPR Art. 37 thresholds that would require a mandatory DPO. The privacy contact above answers all data-protection enquiries.

2. Types of Data We Collect

2.1 Account data

  • Email address (always)
  • Hashed password and session tokens (managed by Supabase Auth, EU region), we never see plaintext passwords
  • Display name (optional)
  • Current plan and subscription status

2.2 Subscription and payment data

Payments are processed by our merchant of record (see §4). We receive a Polar customer ID, your subscription status, and metadata such as the plan SKU. We never see your full card number or billing details.

2.3 Service usage

  • Chat messages you send to the assistant and the responses generated
  • Bridge sessions (DAW name, version, IP-derived region, timestamps)
  • Daily message counters and wallet balances
  • Notification preferences

2.4 Technical data

  • IP address (collected at request time, hashed before storage in audit logs, never persisted in raw form)
  • User-Agent string (hashed before storage in audit logs)
  • Caddy access logs (see §7 for retention; query strings are stripped, see §8)

2.5 What we do NOT collect

  • No tracking cookies and no advertising identifiers by default. The Meta (Facebook) Pixel is loaded only after you grant the "marketing" cookie category via the consent banner (see §8). No Google Analytics.
  • No third-party retargeting scripts
  • No biometric, location-precise, or sensitive special-category data (Art. 9 GDPR)
  • No payment card details

3. Legal Basis for Processing (Art. 6 GDPR)

  • Performance of a contract (Art. 6(1)(b)) for account, subscription, payment, bridge session, and chat-message processing.
  • Consent (Art. 6(1)(a)) for marketing communications (waitlist, drip campaigns) and for setting non-essential cookies (we currently do not set any). Consent can be withdrawn at any time via the unsubscribe link in every marketing email.
  • Legitimate interest (Art. 6(1)(f)) for security logging (rate-limit counters, auth audit log) and for cookieless aggregate analytics (Plausible) limited to traffic-volume measurement. Balanced against your rights, this processing is minimal and high-relevance for service operation.
  • Legal obligation (Art. 6(1)(c)) for the GDPR-rights audit trail (see §7) and for tax/accounting records related to subscriptions.

4. Service Providers / Processors

We engage the following named processors. The current list with country, transfer basis, and DPA links is also available to logged-in users via API (see §10).

  • Supabase Inc. (EU region): authentication, database storage, file storage. DPA.
  • Polar Software, Inc. (United States): merchant of record, subscription billing, one-time payments. Transfer basis: EU-US DPF + SCCs (Art. 46(2)(c)). Legal.
  • Resend, Inc. (United States), transactional and marketing email delivery. Transfer basis: EU-US DPF + SCCs (Art. 46(2)(c)). DPA.
  • Cloudflare, Inc. (United States): DNS, TLS termination, CDN, DDoS protection. Transfer basis: EU-US DPF + SCCs (Art. 46(2)(c)). Customer DPA.
  • Plausible Insights OÜ (Estonia, EU): cookieless aggregate website analytics. Within EEA, no third-country transfer. DPA.

5. AI Inference Providers

To process your prompts and generate responses, LIA uses AI inference providers based in the United States. All transfers are covered by the EU-US Data Privacy Framework (DPF) and Standard Contractual Clauses under Art. 46(2)(c) GDPR. AI providers process your prompts solely to generate responses; under our agreements they do not use your prompts to train their models.

We do NOT transfer data to providers based in jurisdictions without an EU adequacy decision (e.g., we do not use providers based in China, Russia, or other non-adequacy jurisdictions). This is enforced both contractually and in code (the routing layer cannot reach a non-listed provider).

Logged-in users may obtain the current list of named AI sub-processors at any time, see §10.

6. International Data Transfers

The Service is operated from Italy. Most of your data resides in the EEA (Supabase EU region, Plausible EU). Transfers to processors outside the EEA are limited to those listed in §4 and §5, and rely on the following safeguards:

  • EU-US Data Privacy Framework: for processors that have self-certified under the DPF.
  • Standard Contractual Clauses under Art. 46(2)(c) GDPR, as an additional layer for all transfers to the United States.

We do not currently rely on any Art. 49 derogation. If we ever needed to (e.g., your explicit consent for a one-off transfer), we would request that consent separately and document it.

7. Retention

  • Waitlist email: kept until you unsubscribe, or 24 months of inactivity, whichever comes first.
  • User account: kept until you request deletion via account settings (see §9). Deletion is hard-delete: cascading removal of profile, daily usage, message-cost log, wallet transactions, conversations, messages, bridge sessions, and Telegram sessions.
  • Chat logs (conversations + messages): 90 days, then automatically purged. They are also deleted earlier if you delete the conversation or your account.
  • Caddy access logs: 30 days maximum, query strings stripped at log time (see §8).
  • GDPR-rights audit trail: 6 years from request completion (legal obligation under Italian / EU recordkeeping rules). The audit row contains email snapshot, request type, status, and hashed request fingerprints, no message content.
  • Subscription / accounting records: 10 years from invoice date (Italian fiscal law).

8. Cookies and Analytics

We use only essential session storage required for authentication and language preference (browser localStorage). By default, no tracking pixels or advertising cookies are loaded. We use the Meta (Facebook) Pixel for advertising attribution only after you grant the "marketing" cookie category through our consent banner. If you decline (or have not yet interacted with the banner) no data is sent to Meta. You can withdraw consent at any time via the "Cookie preferences" link in the footer. We do not use Google Analytics.

For aggregate traffic analytics we use Plausible Analytics: an EU-hosted, cookieless service that does not collect personal data and does not require a consent banner under EDPB guidance. We strip query strings from server-side access logs to avoid accidentally storing tokens or email addresses that may be passed in URLs.

9. Your Rights (Art. 15-22 GDPR)

You have the right to:

  • Access the personal data we hold about you (Art. 15)
  • Rectify inaccurate data (Art. 16)
  • Erase your data, "right to be forgotten" (Art. 17)
  • Restrict processing (Art. 18)
  • Receive your data in a portable format (Art. 20)
  • Object to processing based on legitimate interests (Art. 21)
  • Withdraw consent at any time, without affecting the lawfulness of prior processing (Art. 7(3))

To exercise any of these rights, email [email protected]. Account holders can also delete their account directly from Settings → Account → Delete account: this triggers a hard delete plus an audit row for our records.

We will respond within 30 days. We may require proof of identity for sensitive requests.

10. Right of Access to Sub-Processors List (Art. 15)

The full named list of our current sub-processors (with country, transfer basis, DPA URL, and purpose) is available to logged-in users at any time:

  • API: GET /api/legal/subprocessors (authenticated). Each request is logged in our GDPR audit trail as a subprocessors_list access event.
  • By email for non-logged-in users or anyone preferring text: [email protected] with subject "Sub-processors list". We will reply within 7 days.

The list is versioned and includes a last_updated timestamp. The API supports If-Modified-Since for clients that want to detect changes efficiently.

11. Children's Privacy

The Service is not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us data, contact [email protected] and we will delete it promptly.

12. Security Measures

  • TLS 1.2+ for all data in transit, HSTS enforced
  • At-rest encryption on managed databases (Supabase EU)
  • Row-level security on all multi-tenant tables; service-role-only access on the GDPR audit table
  • Hashed password storage (Supabase Auth, bcrypt-derived); we never see plaintext
  • IP and User-Agent hashed before storage in audit rows
  • Rate-limit and abuse-detection layers in front of all public endpoints
  • Restricted SSH access, no public bastion, periodic credential rotation

13. Complaints

If you believe our processing infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. The competent authority for Italy is:

Garante per la protezione dei dati personali
Piazza Venezia 11, 00187 Roma, Italy
Web: garanteprivacy.it

14. Changes to This Policy

We may update this policy as the Service evolves. Material changes are announced by email to all account holders and waitlist subscribers, and the Last updated date at the top is bumped. Older versions are kept for reference and provided on request.

15. Contact

[email protected]

Which DAW do you use?

Tell us which DAW you produce in. We use this to plan support priorities.