Privacy Policy

Effective date: March 14, 2026

// Plain language summary

We collect your email and the content you upload. We don't sell your data or share audio with anyone you haven't explicitly invited. IPs are hashed before storage. You can request deletion of your data at any time.

1. Who We Are

Audiomus ("we", "us", "our") is a SaaS platform for audio professionals. We operate audiomus.com and all associated services.

This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights. If you have questions, contact privacy@audiomus.com.

2. Data We Collect

ACCOUNT DATA: When you register, we collect your email address and, optionally, a display name. Passwords are hashed using bcrypt and never stored in recoverable form.

AUDIO & PROJECT DATA: Files you upload, project names, track titles, timestamps, and revision notes you create. This is Your Content — we store it to power the Service.

COMMENTS: Timestamped text comments submitted by you or your guest reviewers, including the commenter's display name (entered at review time by guests).

USAGE DATA: Pages visited, features used, session length, and interaction events. Collected via PostHog for product analytics. PostHog is deployed in a privacy-preserving configuration.

PAYMENT DATA: Subscription tier and billing status. Payment card details are handled entirely by Polar.sh — we never receive or store card numbers, CVVs, or full PAN data.

IP ADDRESSES (HASHED): Guest reviewer IP addresses are collected for abuse detection and rate limiting. We hash all IPs with HMAC-SHA256 before storage — raw IPs are never retained.

COOKIES: Session cookies (authentication), preference cookies (e.g., last-accessed project), and analytics cookies (PostHog). See our Cookie Policy for details.

3. How We Use Your Data

To provide the Service: store and serve your audio files to invited reviewers, process comments, manage project access, and authenticate users.

To communicate with you: send transactional emails (project invitations, payment receipts, security alerts) via Resend. We do not send marketing email without your opt-in.

To improve the product: use aggregate, anonymized usage analytics to understand how features are used and where friction occurs.

To prevent abuse: use hashed IP addresses and rate limiting to detect and block spam, brute force, and other malicious activity.

To comply with law: retain records as required by applicable law and respond to valid legal requests.

4. Data Sharing

We do not sell your data. We do not share your audio, project content, or personal data with advertisers or data brokers.

We use the following sub-processors to operate the Service:

— Supabase: database and authentication (SOC 2 Type II, ISO 27001)

— Cloudflare R2: audio file storage (Cloudflare Privacy Shield)

— Vercel: application hosting and serverless functions (SOC 2 compliant)

— Polar.sh: subscription and payment processing

— Resend: transactional email delivery

— Upstash Redis: rate limiting (no persistent personal data storage)

— PostHog: product analytics (EU region; no raw IP storage)

All sub-processors are bound by data processing agreements. We only share the minimum data needed for each service to function.

We may disclose data if required by law, court order, or to protect the rights and safety of Audiomus, its users, or the public.

5. Data Retention

Account and project data is retained for as long as your account is active.

If you delete your account, we remove your personal data and audio files within 30 days, except where retention is required by law (e.g., payment records for tax purposes — retained up to 7 years).

Guest reviewer names and comments associated with a project are retained as long as the project owner's account is active. Project owners can delete individual comments or entire projects at any time.

Analytics events are anonymized after 90 days.

6. Your Rights

Depending on your jurisdiction, you may have rights including:

— Access: request a copy of data we hold about you

— Correction: request that inaccurate data be corrected

— Deletion: request deletion of your personal data

— Portability: receive your data in a machine-readable format

— Objection: object to certain processing activities

— Restriction: request we restrict processing of your data

To exercise any of these rights, email privacy@audiomus.com. We will respond within 30 days. Identity verification may be required before we can fulfill the request.

If you are in the European Economic Area (EEA) or UK, you also have the right to lodge a complaint with your local data protection authority.

7. Cookies

We use cookies for authentication (session management), preferences, and analytics. Our Cookie Policy provides a full breakdown of cookies used, their purpose, and how to opt out.

8. Children's Privacy

Audiomus is not directed at children under 16. We do not knowingly collect data from anyone under 16. If we discover we have inadvertently collected data from a child, we will delete it promptly.

If you believe we have data from a child, contact privacy@audiomus.com.

9. Security

We take reasonable technical and organizational measures to protect your data. See our Security page at audiomus.com/security for a detailed breakdown.

No system is perfectly secure. In the event of a data breach affecting your personal data, we will notify affected users in accordance with applicable law.

10. International Transfers

Data may be processed in countries outside your own, including the United States, where our sub-processors operate. We ensure appropriate safeguards are in place (e.g., Standard Contractual Clauses for EEA data).

11. Changes to This Policy

We may update this policy. Material changes will be communicated to registered users by email. The "Effective date" at the top of this page shows when it was last updated.

Continued use of the Service after an update constitutes acceptance of the revised policy.

12. Contact

Privacy questions or requests: privacy@audiomus.com

Security disclosures: security@audiomus.com

General legal: legal@audiomus.com

// Last updated: March 14, 2026 — Questions: privacy@audiomus.com