Privacy Policy
Melafz
Last updated: 26 June 2026
This Privacy Policy explains how Melafz ("Melafz", "we", "us", "our") collects, uses, shares and protects your personal data when you use the Melafz mobile application and any related websites and services (together, the "Service"), and your rights in relation to that data.
We are committed to protecting your privacy and handling your personal data in line with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).
Please read this Policy alongside our Terms & Conditions.
1. Who we are (data controller)
Melafz is the "controller" of your personal data. This means we are responsible for deciding how and why your personal data is processed.
- Service / trading name: Melafz
- Operated by: Ahmed Rasooli, a sole trader trading as "Melafz" (England & Wales)
- Registered / business address: Unit 1, Watling Gate, 297-303 Edgware Road, London, NW9 6NB
- Privacy contact email: privacy@melafz.com
If you have any questions about this Policy or how we handle your data, please contact us using the details above.
Data Protection Officer
We are not legally required to appoint a Data Protection Officer (DPO) under Article 37 of the UK GDPR, because our core activities do not consist of large-scale systematic monitoring or large-scale processing of special category data. Our privacy contact above is responsible for data protection matters. We keep this position under review as the Service grows.
2. The personal data we collect
We collect and process the following categories of personal data:
a) Account data — when you create an account: your name, email address, and a password (which we store only in an irreversible, hashed form — we never store or see your actual password).
b) Content you create ("User Content") — the information you choose to add to the Service, which may include:
- song titles, lyrics, transliterations, translations, and notes;
- notebooks and setlists;
- gig / booking entries, which may contain details about other people that you choose to enter — for example a client's name and phone number, a venue name and address, a fee, and your own notes.
c) Technical and usage data — collected automatically when you use the Service: a secure authentication token (to keep you signed in), basic device and app information, and server log data including your IP address, request times and error logs. We use this to operate, secure and debug the Service.
d) Communications — if you contact us (for example by email), we keep a record of that correspondence.
e) Transactional email data — your email address is used to send service emails such as a password-reset code or a sign-up verification code (OTP).
What we do NOT collect
- Voice recordings stay on your device. The app lets you record yourself singing as a personal practice memo. These recordings are stored locally on your own device only and are not uploaded to, or accessible by, us. If you delete them on your device, they are gone.
- We do not use third-party advertising or analytics/tracking SDKs in the app.
- We do not knowingly collect special category data (such as health, religious or political data). Please do not enter such data into free-text fields.
3. How we collect your data
We collect data: (a) directly from you when you register, create content, or contact us; and (b) automatically through your use of the app (technical and log data).
4. Why we use your data, and our lawful basis
Under the UK GDPR we must have a lawful basis for each use of your data. The table below sets out our purposes and bases.
| Purpose | Data used | Lawful basis (UK GDPR Art. 6) |
|---|---|---|
| Create and manage your account; let you sign in | Account data | Contract — to provide the Service you sign up for |
| Store and display your songs, notebooks, setlists and gigs back to you | User Content | Contract |
| Send service/transactional emails (password reset, verification code) | Email address | Contract, and legal obligation / legitimate interests in securing accounts |
| Keep the Service secure, prevent abuse, debug and maintain it | Technical & usage data | Legitimate interests — running a safe, reliable service |
| Respond to your enquiries and provide support | Communications | Legitimate interests |
| Comply with legal and regulatory obligations | As required | Legal obligation |
| Send you optional product news or marketing (only if offered and you opt in) | Email address | Consent (you can withdraw at any time) |
Where we rely on legitimate interests, we have considered whether those interests are overridden by your rights, and we believe they are not. You can ask us for more information about this assessment.
Information about other people that you enter
If you add another person's details to a gig/booking (e.g. a client's name and phone number), you are responsible for making sure you are allowed to share that information with us, and that it is accurate. We process it on your behalf solely to provide the calendar feature to you, on the basis of our and your legitimate interests in you being able to manage your engagements. If someone whose details you have entered asks us to remove them, we may contact you or remove the data.
5. Who we share your data with
We do not sell your personal data. We share it only with the service providers ("processors") that help us run Melafz, and only as needed:
| Recipient | Purpose | Location |
|---|---|---|
| Railway (hosting + PostgreSQL database) | Hosting the app and storing your account and content | United States |
| Resend (email delivery) (being introduced) | Sending transactional emails (verification & password-reset codes) | United States / EU |
| Apple App Store / Google Play | Distributing the app and (in future) processing any in-app purchases | Global |
We require our processors to protect your data and to act only on our instructions, under written agreements that meet Article 28 of the UK GDPR.
We may also disclose data if required by law, to enforce our Terms, or to protect the rights, safety or property of Melafz, our users, or others.
6. International transfers
Some of our processors (including our hosting provider) are located outside the UK, including in the United States. Where we transfer your personal data outside the UK, we ensure an appropriate safeguard is in place, such as:
- transfers to a country covered by UK "adequacy" regulations; or
- the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses; together with appropriate technical measures.
You can ask us for more detail about the safeguards that apply to a particular transfer using the contact details in section 1.
7. How long we keep your data
- Account & User Content: for as long as your account is active.
- If you delete your account (or ask us to delete it): we delete your account and associated User Content from our live systems without undue delay, and from routine backups within 90 days, except where we must keep limited information to meet a legal obligation or to resolve disputes.
- Server logs: typically kept for a short period (for example up to 90 days) for security and troubleshooting.
- Password-reset / verification codes: these expire shortly after they are issued and are then deleted.
(Where this Policy gives a maximum period as "up to 90 days", we may keep data for a shorter time.)
8. Your rights
Under the UK GDPR you have the right to:
- Be informed about how we use your data (this Policy);
- Access a copy of your data (a "subject access request");
- Rectify inaccurate or incomplete data;
- Erase your data ("right to be forgotten"), in certain circumstances;
- Restrict our processing, in certain circumstances;
- Data portability — receive certain data in a portable, machine-readable format;
- Object to processing based on legitimate interests, and to direct marketing at any time;
- Withdraw consent at any time, where we rely on consent; and
- Not be subject to automated decision-making that has legal or similarly significant effects (we do not carry out such automated decision-making).
How to exercise your rights: email us at privacy@melafz.com. We will respond within one month (we may extend this by up to two further months for complex requests, and will tell you if so). Exercising these rights is free, although we may charge a reasonable fee or refuse a request that is manifestly unfounded or excessive. We may need to verify your identity first.
You can delete your account at any time by contacting us, and (where available) from within the app.
9. Complaints
If you are unhappy with how we have handled your data, please contact us first so we can try to put it right. You also have the right to complain to the UK's data protection regulator:
Information Commissioner's Office (ICO) — https://ico.org.uk — helpline 0303 123 1113.
10. Children's data
Melafz is intended for users aged 16 and over. We do not knowingly collect personal data from children under 16. (Under the UK GDPR, children aged 13 or over can in principle consent to online services themselves, but we have set our minimum age at 16 to keep things simple and protective.) If you believe a child under 16 has given us personal data, please contact us and we will delete it.
11. How we protect your data
We use appropriate technical and organisational measures to protect your data, including: encryption of data in transit (HTTPS), storing passwords only as salted hashes, access controls, and using reputable hosting and email providers. No system can be 100% secure, but we work to protect your data and to keep our measures under review.
12. Data breaches
If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it where required, and we will inform affected users without undue delay where the breach is likely to result in a high risk to them.
13. Cookies and similar technologies
The Melafz app uses a secure token stored on your device to keep you signed in — this is strictly necessary for the Service to work. The app does not use advertising or analytics cookies. Our public web pages (such as this policy) use only essential cookies, if any. Because we do not set non-essential cookies, we do not currently show a cookie banner; if this changes, we will update this Policy and seek your consent where required by PECR.
14. Changes to this Policy
We may update this Policy from time to time. If we make material changes, we will update the "Last updated" date above and, where appropriate, notify you in the app or by email. Please review it periodically.
15. Contact us
Questions, requests or complaints about this Policy or your data:
Melafz — privacy@melafz.com — Unit 1, Watling Gate, 297-303 Edgware Road, London, NW9 6NB