
Legal

The Terms of Service, Privacy Notes, and Cookie Policy for Global MIDI DAW. These documents are templates and should be reviewed by counsel before operating a public instance.


Terms of Service


TEMPLATE — REVIEW BY COUNSEL REQUIRED. This document is a good-faith starting point written by engineers, not lawyers. It has not been reviewed by a qualified attorney. Before you operate a public instance of global-midi-daw you must have these terms reviewed and adapted to your jurisdiction, business model, and the actual data you process. Do not present this text to real users as a binding legal agreement until counsel has signed off on it. Placeholders are marked [LIKE THIS].

Last updated: [DATE] · Operator: [LEGAL ENTITY NAME], [ADDRESS]

These Terms of Service ("Terms") govern your access to and use of the
global-midi-daw service (the "Service") operated by [OPERATOR] ("we", "us",
"our"). By creating an account or otherwise using the Service you agree to be
bound by these Terms. If you do not agree, do not use the Service.

1. The Service

global-midi-daw is a browser-based, collaborative music-production environment
(a node-canvas DAW with arrangement, rack, visualization, real-time jam rooms,
project persistence, and asset storage). The Service is provided on an "as is"
and "as available" basis. We may add, change, or remove features at any time.

2. Accounts

  • You may use parts of the Service anonymously; projects created without an
    account are stored only in your browser and are not transmitted to us.
  • To use account-based features you must register with a valid email address
    and choose a password. You are responsible for keeping your credentials
    confidential and for all activity that occurs under your account.
  • You must be at least [16] years old (or the minimum age of digital consent in
    your jurisdiction) to create an account.
  • You agree to provide accurate information and to keep it up to date. We may
    require email verification before enabling certain actions (for example
    sharing or collaboration).
  • You must not share, sell, or transfer your account, nor create an account on
    behalf of someone else without authorization.

3. Acceptable use

You agree not to, and not to permit anyone else to:

  • use the Service to create, upload, store, or share content that is unlawful,
    infringing, defamatory, hateful, harassing, or that violates the rights
    (including intellectual-property and privacy rights) of others;
  • upload audio samples, recordings, images, or other assets that you do not
    have the rights to use;
  • attempt to gain unauthorized access to the Service, other accounts, or the
    underlying infrastructure; probe, scan, or test the vulnerability of the
    Service except under a sanctioned disclosure process;
  • interfere with or disrupt the Service, including via excessive automated
    requests, denial-of-service attempts, or circumventing rate limits or
    security controls;
  • reverse engineer, decompile, or attempt to extract source code except to the
    extent that restriction is prohibited by applicable law;
  • use the Service to transmit malware, or to mine cryptocurrency or otherwise
    consume disproportionate resources;
  • impersonate any person or misrepresent your affiliation with any person or
    entity.

We may suspend or terminate access that we reasonably believe violates these
Terms or that creates risk or legal exposure for us or other users.

4. Your content and ownership

  • You retain ownership of the projects, compositions, recordings, samples,
    and other material you create or upload ("Your Content"). These Terms do not
    transfer any ownership of Your Content to us.
  • You grant us a limited, non-exclusive, worldwide, royalty-free licence to
    host, store, reproduce, transmit, and display Your Content solely to the
    extent necessary to operate and provide the Service to you and to the
    collaborators you choose to share with. This licence ends when you delete the
    content or your account, except for backups retained for a limited period and
    content that other users have separately copied within their own projects.
  • You are solely responsible for Your Content and for ensuring you have all
    necessary rights to it.
  • In real-time collaboration ("jam") rooms, shared musical material may be
    rendered locally on each participant's device on a shared clock; what other
    participants in a room can see or hear is inherent to the collaborative
    feature you chose to use.

5. Our intellectual property

The Service itself — including its software, design, trademarks, and
documentation, but excluding Your Content and any third-party open-source
components under their own licences — is owned by us or our licensors and is
protected by intellectual-property laws. These Terms grant you a limited,
revocable, non-transferable licence to use the Service for its intended
purpose, subject to these Terms.

6. Privacy and data rights

Our handling of personal data is described in the Privacy Notes
and Cookie Policy, which are incorporated into these
Terms by reference. The Service provides in-app tools to export your data
and to delete your account. If you are in a jurisdiction that grants
data-subject rights (such as the EU/EEA under the GDPR), those rights apply in
addition to the in-app tools.

7. Third-party and open-source components

The Service incorporates open-source software and may rely on third-party
infrastructure (for example STUN/TURN relays for real-time connectivity).
Open-source components are licensed under their respective licences. We are not
responsible for third-party services we do not control.

8. Disclaimers

TO THE MAXIMUM EXTENT PERMITTED BY LAW, THE SERVICE IS PROVIDED "AS IS" AND "AS
AVAILABLE" WITHOUT WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, OR
STATUTORY, INCLUDING ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT. WE DO NOT WARRANT THAT THE
SERVICE WILL BE UNINTERRUPTED, SECURE, ERROR-FREE, OR THAT DATA WILL NEVER BE
LOST. You are responsible for maintaining your own backups of Your Content.

9. Limitation of liability

TO THE MAXIMUM EXTENT PERMITTED BY LAW, WE WILL NOT BE LIABLE FOR ANY INDIRECT,
INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR FOR ANY LOSS OF
PROFITS, DATA, OR GOODWILL, ARISING OUT OF OR RELATED TO YOUR USE OF THE
SERVICE. OUR TOTAL AGGREGATE LIABILITY FOR ALL CLAIMS RELATING TO THE SERVICE
WILL NOT EXCEED THE GREATER OF [AMOUNT, e.g. EUR 100] OR THE AMOUNTS YOU PAID US
(IF ANY) IN THE [12] MONTHS BEFORE THE EVENT GIVING RISE TO THE CLAIM. Some
jurisdictions do not allow certain limitations, so some of the above may not
apply to you; nothing in these Terms limits liability that cannot be limited by
law (such as for death or personal injury caused by negligence, or fraud).

10. Indemnity

You agree to indemnify and hold us harmless from claims, damages, and expenses
(including reasonable legal fees) arising from Your Content or your breach of
these Terms, to the extent permitted by applicable law.

11. Suspension and termination

You may stop using the Service at any time and may delete your account in-app.
We may suspend or terminate your access if you materially breach these Terms,
if required by law, or if continued operation poses a security or legal risk.
On termination, the licences you granted us end (subject to limited backup
retention), and provisions that by their nature should survive (ownership,
disclaimers, limitation of liability, governing law) survive termination.

12. Changes to these Terms

We may update these Terms from time to time. If we make material changes we
will provide reasonable notice (for example, by posting the updated Terms with
a new "Last updated" date and, where appropriate, an in-app notice). Your
continued use of the Service after changes take effect constitutes acceptance.

13. Governing law and disputes

These Terms are governed by the laws of [GOVERNING-LAW JURISDICTION], without
regard to its conflict-of-laws rules. The courts located in
[VENUE / COURTS] will have [exclusive / non-exclusive] jurisdiction over
disputes, except where mandatory consumer-protection law gives you the right to
bring proceedings in your place of residence. **[Counsel to confirm venue,
arbitration, and consumer-law carve-outs.]**

14. Contact

Questions about these Terms can be sent to [CONTACT EMAIL / ADDRESS].


_This is a non-binding engineering template. It must be reviewed and adapted by
qualified legal counsel before it is relied upon for a public deployment._

Privacy Notes


This document describes what data global-midi-daw stores about authenticated
users, how long it is retained, and how to exercise the GDPR-style export /
delete rights the studio exposes today.

It is intentionally lightweight — it documents the current implementation,
not a legal commitment. If you operate a public instance you are responsible
for your own privacy policy and lawful basis for processing.

What we store

When you sign up with email + password the server records the following in
its SQLite database (single file under DB_PATH):

  • User account (users table): a generated user id, your normalized
    email address, an scrypt password hash + salt (the plaintext password is
    never stored), an account-created timestamp, and a role.
  • Sessions (sessions table): one row per active login, containing the
    random session token, your user id, and timestamps. Sessions are deleted
    on logout, on account deletion, and when they expire.
  • Projects (projects table): id, your user id, project name, project
    graph (JSON), created/updated timestamps. The project graph contains the
    musical content you build in the Studio.
  • Assets (assets table + local filesystem under ASSET_ROOT): id,
    your user id, asset kind (audio sample / recording), filename, byte size,
    optional duration / sample-rate / channel metadata, and the binary
    content on disk under a per-user directory.
  • Error logs (error_logs table): if the client or server reports an
    error, the level, message, optional stack, and optional context. Reports
    may be associated with your user id if you were logged in at the time.

We do not track marketing/analytics identifiers and do not share data with
third parties from the server.

Anonymous mode

If you use the Studio without signing in, projects are stored only in your
browser's IndexedDB. The server never sees them. Clearing browser storage
deletes that data.

Export your data

Authenticated users can request a one-click ZIP export of their data:

```
GET /api/account/export
Cookie: gmd_sid=<your session>
```

The response is a ZIP archive (application/zip) containing:

  • meta.json — your user id, email, account-creation timestamp, export
    timestamp, and counts.
  • projects/<id>.json — one file per project (name + graphJson).
  • assets/manifest.json — metadata for each of your assets.

By default the export does not include the binary asset payloads (they
can be very large). Pass ?include=assets to also include them under
assets/binaries/.

The endpoint is rate-limited (default 3 requests per minute per IP).

Delete your account

Authenticated users can permanently terminate their account:

```
DELETE /api/account
Cookie: gmd_sid=<your session>
```

On success (HTTP 204) the server:

  • Sets users.deletedAt to the current timestamp (soft delete).
  • Deletes all of your active sessions (any other browsers / devices
    are logged out immediately).
  • Soft-deletes (deletedAt) every project and asset belonging to you.
  • Subsequent calls to GET /api/auth/me return 401 not_authenticated.

The endpoint is rate-limited (default 3 requests per minute per IP).

Soft-delete means the rows remain in the database with a non-NULL deletedAt so we can audit accidental deletes for a short period; they are filtered out of every user-facing query. A future operator-side hard-purge job will remove them after a retention window (TBD).

Requesting deletion outside the app

If you have lost access to your account and cannot reach the
DELETE /api/account endpoint yourself, contact the instance operator
directly with proof of email ownership and they can flip the same flag
manually:

```sql
-- Bind the same address to every ?, normalized the same way as at sign-up.
-- One transaction, so the account is never left half-deleted.
BEGIN;
UPDATE users SET deletedAt = strftime('%s','now') * 1000 WHERE email = ?;
DELETE FROM sessions WHERE userId IN (SELECT id FROM users WHERE email = ?);
UPDATE projects SET deletedAt = strftime('%s','now') * 1000 WHERE userId IN (SELECT id FROM users WHERE email = ?);
UPDATE assets SET deletedAt = strftime('%s','now') * 1000 WHERE userId IN (SELECT id FROM users WHERE email = ?);
COMMIT;
```

Future work

  • Hard-purge job that removes soft-deleted rows + asset files after a
    configurable retention window.
  • Operator dashboard for handling deletion requests received by email.
  • Per-jurisdiction retention overrides.

Cookie Policy


TEMPLATE — REVIEW BY COUNSEL REQUIRED. This document describes the cookies the current implementation actually sets. It is written by engineers, not lawyers, and has not been reviewed by an attorney. Before operating a public instance, have it reviewed and adapt it to your jurisdiction (for EU/EEA users the ePrivacy Directive and local consent rules apply). Placeholders are marked [LIKE THIS].

Last updated: [DATE] · Operator: [LEGAL ENTITY NAME]

This Cookie Policy explains how global-midi-daw (the "Service") uses cookies and
similar browser storage. It supplements the Privacy Notes
and the Terms of Service.

What is a cookie?

A cookie is a small text file a website stores in your browser. "Similar
technologies" include localStorage, sessionStorage, and IndexedDB, which the
Service also uses to keep your work in your browser.

Cookies we set

The Service is deliberately minimal: it sets only strictly necessary cookies
required for authentication and security. It does not set advertising,
marketing, or third-party analytics cookies.

| Name | Purpose | Type | Lifetime |
| --- | --- | --- | --- |
| gmd_sid | Authenticated session token (keeps you logged in). HMAC-signed. | Strictly necessary | Until logout / expiry |
| gmd_csrf | Cross-Site Request Forgery (CSRF) double-submit token for security. | Strictly necessary | Session |

These cookies are set only after you log in. If you use the Service
anonymously, no authentication cookies are set.

Cookie attributes

The authentication cookies are configured as HttpOnly (where applicable),
Secure in production (HTTPS), and SameSite=Lax to reduce cross-site attack
surface. The CSRF token is readable by the app so it can be echoed back as a
request header (double-submit pattern).
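The two cookies and the attributes described above, as an added Node.js sketch of the server side (not code from global-midi-daw): it issues both cookies, verifies the HMAC signature on gmd_sid, and enforces the double-submit check on state-changing requests. The `<token>.<signature>` cookie layout, the `x-csrf-token` header name, and all function names are assumptions, since the page specifies none of them.

```javascript
const crypto = require('node:crypto');

// Assumed layout (not from the page): gmd_sid = "<token>.<base64url HMAC-SHA256 of token>"
const sign = (token, key) =>
  crypto.createHmac('sha256', key).update(token).digest('base64url');

// Constant-time string comparison; a length mismatch returns false without throwing.
function safeEqual(a, b) {
  const x = Buffer.from(String(a)), y = Buffer.from(String(b));
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Build the Set-Cookie values issued at login with the attributes the policy lists.
function issueCookies(key, { production = true } = {}) {
  const token = crypto.randomBytes(32).toString('base64url');
  const csrf = crypto.randomBytes(32).toString('base64url');
  const secure = production ? '; Secure' : '';
  return {
    token, csrf,
    setCookie: [
      // HttpOnly: page script can never read the session token.
      `gmd_sid=${token}.${sign(token, key)}; Path=/; HttpOnly; SameSite=Lax${secure}`,
      // No HttpOnly (the app must read and echo it); no Max-Age, so it is a session cookie.
      `gmd_csrf=${csrf}; Path=/; SameSite=Lax${secure}`,
    ],
  };
}

function parseCookies(header = '') {
  return Object.fromEntries(header.split(';').map(p => p.trim()).filter(Boolean)
    .map(p => { const i = p.indexOf('='); return [p.slice(0, i), p.slice(i + 1)]; }));
}

// Returns { ok: true, token } or { ok: false, reason }. The signature is checked
// first, so forged cookies are rejected before any session-table lookup.
function checkRequest(req, key) {
  const c = parseCookies(req.headers.cookie);
  const [token, mac, ...rest] = (c.gmd_sid || '').split('.');
  if (!token || !mac || rest.length || !safeEqual(mac, sign(token, key)))
    return { ok: false, reason: 'bad_session_signature' };
  const safe = ['GET', 'HEAD', 'OPTIONS'].includes(req.method);
  if (!safe && !(c.gmd_csrf && safeEqual(c.gmd_csrf, req.headers['x-csrf-token'] || '')))
    return { ok: false, reason: 'csrf_mismatch' };
  return { ok: true, token };
}
```

A plain double-submit token only proves the caller can read the cookie; deriving gmd_csrf from the session token (for example as an HMAC) would also reject a cookie planted by a sibling subdomain. The page does not say whether the Service binds the two.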

Browser storage (not cookies)

  • localStorage / sessionStorage — UI preferences such as your chosen
    language, and a per-tab client id used by diagnostics.
  • IndexedDB — when you use the Service without an account, your projects are
    stored here, in your browser only. Clearing browser storage deletes them.

Consent

Because the cookies above are strictly necessary to provide a service you
explicitly requested (logging in), most jurisdictions do not require prior
consent for them. We do not set any non-essential cookies that would require
opt-in consent. A cookie-consent notice is shown to inform you of this and to
record acknowledgement where required. **[Counsel to confirm whether a notice
or consent banner is required in your jurisdiction.]**

Managing cookies

You can delete or block cookies through your browser settings. Blocking the
strictly necessary cookies will prevent you from logging in and using
account-based features. Using the Service anonymously avoids them entirely.

Changes

We may update this policy as the implementation evolves; the "Last updated"
date reflects the latest revision.

Contact

Questions can be sent to [CONTACT EMAIL / ADDRESS].


_This is a non-binding engineering template. It must be reviewed and adapted by
qualified legal counsel before it is relied upon for a public deployment._
