Privacy Policy
Last updated: June 2026. This notice explains how we process personal data under the EU General Data Protection Regulation (GDPR) and the German BDSG. Placeholders in [brackets] must be completed before launch; have a lawyer review.
1. Controller
The controller responsible for data processing on ToneTwin (“the Service”) is the provider named in our Impressum. Privacy enquiries: [[email protected]]. We have not appointed a Data Protection Officer as we are not legally required to; if that changes, the contact will be listed here.
2. What we collect
- Account: your email address and a user ID, received from Sign in with Apple or Google. We never receive your Apple/Google password.
- Profile & app data: display name, gear you select, presets, saved tones, the songs/parts you research, upvotes, and support requests you send.
- Subscription: your plan and status from our billing providers. We do not receive or store card or bank details.
- Technical: a session/authentication cookie set when you log in, plus standard server log data (IP address, timestamp, user-agent) processed by our hosting provider to deliver and secure the Service.
3. Purposes & legal bases
- Provide the Service (accounts, tone matching, saving gear/tones) — performance of a contract, Art. 6(1)(b) GDPR.
- Billing & subscriptions — contract, Art. 6(1)(b) GDPR.
- Security, abuse prevention, and keeping the Service running — legitimate interests, Art. 6(1)(f) GDPR.
- Support and communication you initiate — contract / legitimate interests, Art. 6(1)(b)/(f) GDPR.
- Legal obligations (e.g. tax/retention duties) — Art. 6(1)(c) GDPR.
4. Processors & recipients
We use vetted service providers (processors under Art. 28 GDPR) only to run the Service, and never sell your data:
- Supabase — database, authentication, and storage.
- OpenRouter and a web-search provider — the song/part you research is sent to generate the tone result.
- Polar — web subscriptions and payment processing.
- Apple / RevenueCat — iOS subscriptions and their status.
- Our hosting provider — runs the application servers.
5. International transfers
Some processors (e.g. OpenRouter, Apple) are based outside the EU/EEA. Where data is transferred to such countries, we rely on the EU Standard Contractual Clauses or an adequacy decision to ensure an appropriate level of protection.
6. Retention
We keep account and app data for as long as you have an account. If you delete your account, your profile, presets, and saved tones are deleted promptly. Data we must keep for legal reasons (e.g. invoices) is retained only for the statutory period and then deleted.
7. Your rights
Under the GDPR you have the right to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), and to object to processing based on legitimate interests (Art. 21). Where processing is based on consent, you may withdraw it at any time. You can delete your account and all associated data yourself from the Account screen, or contact us using the address above. You also have the right to lodge a complaint with a supervisory authority, for example the data-protection authority of your German federal state (Landesdatenschutzbehörde).
8. Cookies
We use only strictly necessary cookies needed to keep you signed in. We do not use advertising or third-party tracking cookies, so no consent banner is required.
9. Children
The Service is not directed at children under 16. We do not knowingly collect their data.
10. Changes
We may update this policy; the “last updated” date above reflects the current version. Material changes will be communicated in the app.
See also our Terms of Use and Impressum.