Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Luxembourg based AI music composition platform that generates royalty free soundtracks and stores user prompts, generation parameters and download history.
AIVA is a generative artificial intelligence platform built by AIVA Technologies SARL, a Luxembourg company, that composes royalty free music in many styles and orchestrations. Creators interact through a web application at aiva.ai and creators.aiva.ai, configure prompts, generation parameters and reference uploads, then download the resulting tracks under the licence purchased.
AIVA sets first party session cookies and CSRF tokens, and uses product analytics tooling that may store identifiers (Google Analytics 4 _ga, Mixpanel mp_xxx, or Segment ajs_user_id). Generation prompts, model parameters, track metadata, billing data and account preferences are stored on EU infrastructure.
Authentication and contract performance cover the core music generation flow. Optional analytics, embedded marketing pixels, and any device identifier set for usage analysis require consent under Art. 5(3) ePrivacy. Special attention should be paid to prompt content that may contain personal data of third parties.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Core data stays in the EU, but billing (Stripe), customer support, email delivery and most product analytics tools route data through the United States. Transfers rely on Standard Contractual Clauses and on the EU US Data Privacy Framework. Buyers can request an EU only analytics configuration (Plausible, Matomo on premise) for additional safety.
Sign the AIVA Data Processing Addendum, document AIVA in the privacy notice and the record of processing as a processor, gate optional analytics behind a consent banner, restrict prompts that may contain personal data of identifiable individuals, and clarify copyright and licensing of AI generated outputs in the terms.
Websites using AIVA must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when AIVA is integrated into editorial or commercial workflows that involve large volumes of authenticated users, when prompts may contain personal data, or when generation logs are reused for model improvement. Address purpose limitation between composition delivery and AI training, retention of prompts, and rights of authors when AI generated content is reused.
Sample consent text
We use the AIVA platform to generate, edit and download AI composed soundtracks. Account and generation data are processed on EU servers. With your consent, optional analytics cookies help us understand how creators interact with the application.
Third-party domains contacted
aiva.aicreators.aiva.aiapi.mixpanel.comjs.stripe.comapi.segment.ioCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| aiva_session | Strictly necessary (authentication) | Session | Maintains the user authentication session on aiva.ai |
| aiva_csrf | Strictly necessary (CSRF protection) | Session | CSRF token for authenticated requests |
| mp_*_mixpanel | Analytics (Mixpanel) | 1 year | Product analytics events tracked by Mixpanel |
| __stripe_mid | Payment (Stripe) | 1 year | Stripe machine identifier for fraud prevention |
AIVA places tracking cookies for advertising — comply with GDPR using FlowConsent.
AIVA sets first party session and CSRF cookies for authentication, plus Mixpanel and Segment cookies for product analytics, and Stripe cookies for payment processing. Only the session and CSRF cookies are strictly necessary; the analytics and payment cookies require consent or contractual basis.
Authentication cookies do not require consent. Product analytics (Mixpanel, GA4) and any marketing cookies must be gated behind a Consent Management Platform. The AIVA web app itself is opt in: users sign up before AIVA stores any prompt or generation.
Account data and generation history rely on Art. 6(1)(b) GDPR contract performance. Stripe billing on 6(1)(b). Product analytics and marketing on 6(1)(a) consent. Sub processor sharing relies on the AIVA DPA and SCCs where applicable.
Core processing is hosted on AWS Frankfurt and Ireland. Stripe (US), Mixpanel (US), Segment (US) and customer support tooling are US based sub processors. AIVA relies on SCCs and the EU US Data Privacy Framework where the sub processor is certified.
Individual creator use is usually not high risk. A DPIA is appropriate when an organisation deploys AIVA at scale, uses it on sensitive content, or feeds creators' personal data into the AIVA platform beyond what a typical SaaS would receive.
Sign the AIVA DPA, configure your CMP to block analytics scripts on AIVA embeds, prefer the EU region where AIVA offers it, document AIVA in your record of processing and disclose the royalty free licence terms to end clients.
Yes: Suno (US), Udio (US), Soundraw (Japan), Boomy (US), Mubert (Latvia EU), Beatoven.ai (India). For an EU friendly stack, Mubert and AIVA itself are strong options. Each provider has different rights, retention and consent requirements.
Disclose AIVA Technologies SARL as a processor when you embed AIVA. List Mixpanel, Segment, Stripe and any other AIVA sub processor with their categories and retention. Link to the AIVA privacy policy and DPA.