Privacy Policy
How Fretly handles your data under the GDPR and similar laws.
1. Who we are
Fretly (“we”, “us”, “our”) is a web application for visualising guitar scales and chords on a fretboard. This page explains what personal data we collect, why we collect it, how long we keep it, and the rights you have under the General Data Protection Regulation (GDPR) and equivalent laws.
Controller: {{REVIEW, legal name of the individual
or entity running Fretly}}
Contact: {{REVIEW, email address for privacy
enquiries}} (see Contact page).
2. What data we collect
We deliberately collect as little as possible. In normal use we only process:
- Account data: the username, password hash and role you provide when an account is created for you. We do not collect real names or phone numbers.
- Technical data: the IP address and user agent made available by your browser whenever you make an HTTP request, used only for server logs and rate-limiting failed login attempts. These logs are kept for a maximum of 30 days.
- User content: any charts, collections, custom boards or presets you save while logged in. This data is stored so we can show it back to you on your next visit.
- Bug reports: if you use the Report a bug page, the text you submit (and, optionally, the email address you provide) is stored so we can respond and fix the issue.
3. Cookies and local storage
Fretly uses the following browser storage mechanisms:
- Session cookie (strictly necessary): a PHP session cookie keeps you signed in. Without it, login cannot work. No consent is required for strictly necessary cookies.
-
Theme preference (localStorage): the key
fretly-themeremembers whether you chose light or dark mode. It is a functional preference and never leaves your browser. -
Consent record (localStorage + cookie): the
keys
fretly-consent(localStorage) andfretly_consent(cookie) record your choices on the cookie banner so we can respect them on later visits.
We currently run no analytics, no advertising pixels and no third-party trackers. If that ever changes, you will see those categories in the consent banner before they are activated, and nothing optional will be set unless you accept it.
You can re-open the consent banner at any time using the “Cookie choices” link in the footer.
4. Legal basis for processing
- Contract (Art. 6(1)(b) GDPR): we process your account data so we can provide the service you signed up for.
- Legitimate interests (Art. 6(1)(f) GDPR): we process technical data to keep the service secure, prevent abuse and debug problems.
- Consent (Art. 6(1)(a) GDPR): if we ever add optional categories such as analytics or marketing, they will only run after you have opted in via the consent banner.
5. Who we share data with
Your data is stored on {{REVIEW, name the hosting provider and country, e.g. “a shared host located in Germany”}}. We do not sell your data. We do not share it with third parties for advertising. Data may be disclosed only when required by law.
6. International transfers
{{REVIEW, confirm whether any of your processors are outside the European Economic Area. If they are, list them and the safeguards in place (e.g. Standard Contractual Clauses).}}
7. How long we keep it
- Account data, for as long as your account exists, plus 30 days after deletion.
- Server logs, maximum 30 days.
- Bug reports, up to 12 months after the issue is resolved.
- Consent records, 180 days, then you will be asked again.
8. Your rights under the GDPR
You have the right to:
- request a copy of your data (right of access);
- ask us to correct inaccurate data (rectification);
- ask us to delete your data (erasure, “right to be forgotten”);
- object to processing based on legitimate interests;
- receive your data in a portable format;
- withdraw consent at any time (for anything based on consent);
- lodge a complaint with your local supervisory authority, a list is available at edpb.europa.eu/members.
To exercise any of these rights, contact us via the Contact page. We will respond within one month of receiving your request.
9. Security
Passwords are stored as salted hashes. Sessions are protected with HttpOnly, SameSite=Lax cookies and (where HTTPS is available) the Secure flag. We apply basic brute-force protection on the login endpoint.
10. Changes to this policy
If we change this policy we will update the “Last updated” date above and, for material changes, notify you inside the app.