What the iOS app collects, why, and how you stay in control.
Last updated: 20 May 2026 · Effective: 20 May 2026
This policy covers the Songbook Master iOS and iPadOS app. For privacy practices on the main ffgcvs.com website, see the main privacy policy.
Short version: Songbook Master is local-first by default. Your songs, chord charts, setlists, and folders live on your device — we never see their content. There is no account to create with your name, email, or password. The app does create an anonymous, opaque identifier on first launch so server-side limits can be enforced (see "Anonymous identification" below). Two paths cause data to leave your device: the optional AI PDF conversion (which sends only the specific PDF you ask to convert through our Cloud Function to Google's Gemini API) and subscription processing (handled entirely by Apple). The app uses Firebase Analytics to log a small set of anonymous subscription-funnel events (e.g. paywall shown, subscribe tapped) — no song content, lyrics, or personal information is included.
Songbook Master and ffgcvs.com are operated by Felipe Goncalves, a sole trader based in London, United Kingdom. For the purposes of UK GDPR and the EU GDPR, Felipe Goncalves is the data controller.
Contact: [email protected]
The content you create or import — song titles, artists, keys, tempos, time signatures, capo settings, transpose offsets, chord charts, lyrics, song sections, setlists, and folders — is stored locally on your iPhone or iPad using Apple's SwiftData framework. This data does not leave your device, is not synced to any server we control, and is not visible to us. If you delete the app, this data is removed with it.
When you import song files — for example .sbp, .cho, .chordpro, .onsong, .pdf, or .txt — parsing happens on your device by default. The file's contents are turned into a song record locally; nothing is uploaded to a server we operate. If you pick a file from a cloud source through iOS's standard file picker (e.g. iCloud Drive), the file is fetched by iOS using your own account and then processed locally on the device. One exception: if you choose to use the AI PDF conversion feature (see the AI conversion section below) on a PDF song, that specific PDF leaves your device. The default rule-based PDF converter, by contrast, still runs entirely on-device.
On first launch, the app creates an anonymous Firebase user. This is an opaque random identifier (a UID) stored in your device's Keychain. It is not tied to your name, email, Apple ID, or any other personally identifying information. Its sole purpose is to let our Cloud Function enforce the per-user usage limits described in the AI conversion and subscriptions sections (for example, capping the free AI conversion to one per user, or capping Pro subscribers to twenty AI conversions per month). The UID persists across app launches via Keychain so that reinstalling the app does not reset the limits.
We keep two small server-side records, both stored in Google Firebase Firestore, both keyed on opaque identifiers rather than personal data:
/aiFreeDemo/{anonymous-uid} — a single document indicating that the anonymous user has consumed their one-time free AI conversion. Contains the UID and a timestamp./aiUsage/{apple-original-transaction-id}_{YYYY-MM} — a Pro subscriber's monthly AI conversion counter, keyed on Apple's original transaction ID (a random number assigned by Apple to your subscription) and the calendar month. Contains the transaction ID, the year-month, and the count.Neither record contains your name, email, Apple ID, song titles, lyrics, chords, or any content you create. The iOS app does not query these documents directly; only the Cloud Function reads and writes them.
The app offers an optional AI conversion feature that turns a PDF chord chart into a native, transposable song record. When — and only when — you tap "Convert with AI" on a PDF song, the following happens:
We do not store the PDF or the extracted text on our infrastructure. The PDF is held only in memory during the Cloud Function invocation. Google's processing of the PDF is governed by Google's Generative AI terms and the Vertex AI / Gemini API data-handling commitments — Google states that data sent to its paid Gemini API endpoints is not used to train Google's foundation models.
If you do not use the AI conversion feature, no PDF or song content ever leaves your device. The rule-based "Convert locally" option in the same menu does the conversion on-device with no network call.
Songbook Master Pro, when available, is sold as a subscription through Apple's App Store. Apple processes the purchase. We never see your payment card, your billing address, or your Apple ID. The app receives only an entitlement signal indicating whether your subscription is active. Subscriptions can be managed or cancelled at any time in Settings → Apple ID → Subscriptions on your device.
Songbook Master uses Firebase Analytics (operated by Google LLC) to log a small set of anonymous events related to the subscription funnel. The complete list of events is:
paywall_shown / paywall_dismissed — when the upgrade screen opens or closes, along with the context that triggered it (e.g. setlist cap, folder cap, AI gate).subscribe_tapped / subscribe_succeeded / subscribe_failed — when you tap the subscribe button and the resulting outcome, along with the product identifier (monthly or yearly).restore_tapped / restore_succeeded / restore_failed — when you use Restore Purchases.cap_hit — when you reach the free-tier setlist or folder cap.ai_demo_used / ai_pro_used — when an AI conversion completes successfully.These events do not contain song content, lyrics, chord charts, file names, your name, your email, or any personally identifying information. They exist to understand which screens convert and to detect failed purchase flows so the app can be improved.
Firebase Analytics may, however, collect the standard set of automatic events and properties that Google's SDK gathers — for example device type, OS version, app version, broad geography, and a Google-assigned app instance ID. We do not use this data for advertising or cross-app tracking, and we do not enable Google Signals or remarketing. No Apple advertising identifier (IDFA) is read, and the app does not use Apple's App Tracking Transparency framework because it does not track you across other apps and websites.
The app does not currently bundle Crashlytics or any third-party advertising, attribution, or A/B testing SDK.
Songbook Master does not request access to your camera, microphone, photo library, location, or contacts. It does not record audio, take photos, or use your device's location at any point.
Stage mode renders songs and setlists from your local library on the device's screen. It is a display mode — it does not stream, record, broadcast, or upload any of the content shown.
Under UK GDPR / EU GDPR, every processing activity needs a legal basis. Ours are:
We do not sell your data. The service providers that may be involved are:
We may also disclose data if required by law (e.g. a valid court order) or to protect the rights and safety of users and third parties.
Apple Inc. and Google LLC are both headquartered in the United States, and the Firebase / Google Cloud regions used by the app's back end (Cloud Functions, Firestore, Analytics, Gemini API) are primarily US-based. Where personal data is transferred outside the UK or European Economic Area as a result, the transfer is protected by Standard Contractual Clauses, the UK International Data Transfer Addendum, and (where applicable) the EU–US Data Privacy Framework. We rely on Apple's and Google's published certifications and contractual commitments for this purpose.
/aiFreeDemo/{uid} document, and any monthly /aiUsage documents are kept indefinitely while you continue to use the app, so the usage limits can be enforced. You can request deletion at any time by emailing us with the UID you would like removed (find it under Settings → About — coming soon, or contact us and we will help locate it).If you are in the UK or the European Economic Area, the GDPR gives you the right to:
Because Songbook Master does not collect your name or email, the only identifier we hold for you is the anonymous Firebase UID generated on your device. The most direct way to exercise your rights is:
/aiFreeDemo document and any monthly /aiUsage documents) — email us with the anonymous UID you would like removed; we will delete the matching documents from Firestore. Deleting and reinstalling the app resets the Keychain entry on most iOS configurations, which generates a fresh UID on next launch.If you have a specific concern or need help with any of the above, email us and we will do our best to assist.
Songbook Master is not directed at children under 13 (or under 16 in the EEA). We do not knowingly collect personal data from children. If you believe a child has used the app and you would like that data removed, please contact us.
Because Songbook Master is local-first by default, the strongest security control is the one already on your device: your iOS passcode, Face ID or Touch ID, and full-disk encryption on modern Apple hardware. The anonymous Firebase UID lives in your device's Keychain, which is encrypted and protected by the device passcode.
Communication with the back-end services (Firebase Authentication, Cloud Functions, Firestore, Firebase Analytics, and the Gemini API) is encrypted in transit over HTTPS / TLS using the official Firebase SDK. Subscription transaction tokens (JWS) are verified server-side against Apple's PKI root certificates; the iOS client cannot forge a Pro entitlement. Data at rest in Firestore and Google Cloud is encrypted by Google using their standard infrastructure controls.
If we make material changes to this policy — for example, adding a new third-party service, an analytics SDK, or a new category of data — we will update the "Last updated" date at the top of this page and, where the change is significant, surface a notice inside the app on next launch.
If anything here is unclear, or you'd like to exercise a data right, just send a quick email.