Privacy Policy
This document is currently provided in English only. Translations are in progress.
1. Who We Are (Controller)
MELOMING Songlist (meloming.gg, the "Service") is operated by DYLabs (the "Company", "we", "us"), based in the Republic of Korea. For the purposes of the EU/UK General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act ("CCPA/CPRA"), Brazil's LGPD, Japan's APPI, and other applicable data-protection laws, the Company is the data controller of personal data processed on the Service.
Contact: meloming+privacy@dylabs.app (data-protection inquiries) / admin@dylabs.app (general).
2. What Data We Collect
The Service is browse-only — there is no account creation, login, or payment. We process the following categories of personal data:
- Automatically collected technical data: IP address, user-agent string, device/OS/browser information, referrer, pages viewed, timestamps.
- Cookies and similar storage: language preference cookie, cookie-consent state cookie, and (with your consent) analytics cookies set by PostHog. See our Cookie Policy.
- Aggregated analytics events: page views, channel views, search queries — only when you have given analytics consent.
We do not collect names, email addresses, payment data, precise location, biometric data, or special categories of data on the Service.
3. Why We Process Your Data and Legal Basis (GDPR Art. 6)
- Operating the Service (loading pages, language detection, security, abuse prevention) — legal basis: legitimate interests (Art. 6(1)(f)).
- Analytics and product improvement via PostHog — legal basis: your consent (Art. 6(1)(a)). You can withdraw consent at any time via the Cookie Preferences link in the footer.
- Compliance with legal obligations (responding to lawful government requests, fraud prevention) — legal basis: legal obligation (Art. 6(1)(c)).
4. Sub-processors and International Transfers
We use the following sub-processors. Some of these are located outside your country of residence; transfers are made under appropriate safeguards.
| Sub-processor | Location | Purpose |
|---|---|---|
| Vercel, Inc. | USA | Frontend hosting and CDN |
| Amazon Web Services, Inc. | Republic of Korea | Backend infrastructure and data storage |
| PostHog, Inc. | USA | Aggregated product analytics (only with your consent) |
EU/EEA & UK transfers to Korea: The European Commission has adopted an adequacy decision for the Republic of Korea (December 2021), and the United Kingdom has recognised Korea under its UK-Adequacy framework. Transfers of personal data from the EU/EEA and the UK to our Korean infrastructure rely on these adequacy decisions; no Standard Contractual Clauses are required.
Transfers to the USA (Vercel, PostHog) are made under Standard Contractual Clauses or, where applicable, the EU-US Data Privacy Framework.
5. Retention
- Server access logs: up to 90 days.
- Cookie-consent and language preference cookies: up to 1 year.
- PostHog analytics events (consented): per PostHog's default retention (typically up to 7 years), or shorter where required.
6. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access — request a copy of your data.
- Rectification — correct inaccurate data.
- Erasure ("right to be forgotten") — request deletion.
- Restriction of processing.
- Portability — receive your data in a machine-readable format.
- Objection to processing based on legitimate interests.
- Withdraw consent at any time, without affecting the lawfulness of prior processing.
- California residents (CCPA/CPRA): right to know, delete, correct, opt out of sale or sharing of personal information, and limit use of sensitive personal information. We do not sell or share personal information for cross-context behavioural advertising.
- Brazilian residents (LGPD): rights of access, correction, anonymisation, portability, deletion, and information about sharing.
- Right to lodge a complaint with your supervisory authority (e.g., your national data protection authority in the EU/EEA, the ICO in the UK, the PIPC in Korea, the CNIL in France, the BfDI in Germany).
To exercise any of these rights, see our Contact & Data Rights page. We will respond within the timeframes required by applicable law (within 30 days under GDPR; 45 days under CCPA, extendable once).
7. Children
The Service is not directed at children under the age of 16 (or the age of digital consent in your jurisdiction). We do not knowingly process personal data of children. If you believe a child has used the Service, contact us and we will take appropriate steps.
8. Security
We maintain technical and organisational measures appropriate to the risks of processing, including TLS for data in transit, access controls, multi-factor authentication for administrative access, and periodic internal review.
9. Automated Decision-Making
We do not use automated decision-making, including profiling, that produces legal or similarly significant effects on you.
10. People's Republic of China (Mainland) Visitors
The Service is not actively targeted at, marketed to, or operated within the People's Republic of China (mainland). The Company does not maintain infrastructure, ICP filings, or a representative office in mainland China.
For visitors whose IP address is identified (on a best-effort basis) as originating from mainland China, the Service applies the following safeguards in line with the spirit of the Personal Information Protection Law of the People's Republic of China (PIPL, 中华人民共和国个人信息保护法):
- No third-party analytics: the PostHog SDK is not loaded; no behavioural events are captured or transmitted to any cross-border recipient.
- Functional cookies only: the Service stores the language preference cookie and the cookie-consent state cookie. No advertising or tracking cookies are set.
- No active solicitation: the Service does not provide account creation, payment, or other transactional features.
- Cookie consent banner: not displayed, as the only cookies used are strictly necessary for the operation of the Service.
Geographic detection relies on IP-level signals provided by our hosting providers and may be inaccurate (e.g., due to VPN, mobile carriers, or edge location resolution). If you believe your personal information was processed in error, please contact us at meloming+privacy@dylabs.app and we will investigate.
This section does not constitute a representation that the Service is compliant with all PIPL obligations applicable to entities offering services within mainland China. Mainland-resident users access the Service at their own discretion and are responsible for compliance with local laws regarding cross-border access.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will post the revised version on this page with an updated "Effective" date. Material changes will be communicated via a banner on the Service.