Privacy Policy

Last updated: May 12, 2026

✓ Designed with GDPR Principles in Mind

Rhythmica™ is built with privacy-by-design. Optional, pseudonymous analytics help us improve the product and are not used to sell your data or to profile you for third-party ads. If you create a Rhythmica account, we also process a limited set of account and subscription-related information so you can sign in, sync certain app data across devices, and manage Rhythmica Premium—described in detail below.

1. Scope of this Policy

This Privacy Policy applies to information collected through Rhythmica™ websites, mobile applications, and related online services (collectively, the "Service"). By using the Service, you agree to the collection and use of information in accordance with this Policy.

2. Data Controller

The data controller responsible for your personal information is Rhythmica LLC, the owner and operator of Rhythmica™ (referred to as "we," "us," or "our" in this Policy).

If you have questions about this Policy or our data practices, you can contact us at:

Email: rob@rhythmica.app

Address: Rhythmica LLC, 312 W. 2nd St Suite 4209, Casper, WY 82601, USA

3. What Data We Collect

3.1 Non-Identifying Analytics Data

We collect non-identifying usage analytics to understand how users interact with our apps and improve the Service. We design this layer to be pseudonymous: analytics events are keyed to random client and session identifiers, not to your email address or account id. We do not use this analytics layer to build advertising profiles across other companies' sites or apps.

We use a pseudonymous device identifier and, when you use a campaign link, a campaign code. We may infer a campaign from a recent visit from the same network within a short window. We do not need your name or email for this.

On our websites we ask you to accept or decline this anonymous analytics before we store the analytics cookie or send usage events. If you decline, we do not run that analytics pipeline for your browser.

Data Point | What We Collect | Purpose
Client ID | Random UUID generated on device; stored in browser local storage and, on rhythmica.app, a first-party cookie (so the same anonymous id can follow you across our subdomains without logging in) | Track unique devices (not users)
Marketing campaign (optional) | Short code from tracked links (e.g. ad landing URLs), stored with the same anonymous client identifier | Understand which campaigns drive installs and product usage in aggregate
Session ID | Random UUID per browser tab session (marketing pages reuse one id while you navigate in the same tab) | Track individual sessions
App Version | e.g., "1.2.3" | Track which app version is being used
Platform | ios, macos, web, or android (as reported by the client) | Understand platform usage
Session Duration | Number of seconds | Understand engagement patterns
Actions Per Session | Count of user interactions | Measure engagement
Songs Started | Count of songs played | Content usage analytics
Content viewed (verbs / lemmas) | Dictionary headword (lemma), part of speech, and related anonymous context (e.g. learning path) | Understand which vocabulary is used; improve lessons and catalog quality
Approximate region (country) | Coarse country code (e.g. US, DE) derived when events reach our servers | Regional usage trends, reliability, and high-level marketing planning—not street-level location
Audio Load Errors | Count of errors | Technical debugging

We may also store individual interaction events (for example, opening a verb, switching tabs, opening or closing the expanded player, changing loop or transport mode, opening a browse detail screen, or interacting with Rhythmica Premium preview prompts) in the same pseudonymous form, linked only to your random client and session identifiers. When you are signed in, your account-backed favorites are stored separately under §3.2 and are not required for these analytics events to function.

Those events may be grouped into batches and sent when you leave the app, after a short delay, or when the network is available. On your device we may keep a small temporary queue of the same anonymous events so delivery can survive app closure or poor connectivity; we do not use it for anything other than uploading this analytics payload.

For in-session behavior (for example opening a browse screen, switching tabs, or how you interact with optional Rhythmica Premium preview and upgrade prompts), we may record additional anonymous interaction events in the same way—linked only to your random client and session identifiers—so we can understand product usage and improve the learning experience.

3.2 Rhythmica accounts (authentication & profile)

You can use many parts of Rhythmica without registering. If you choose to create an account, we process additional information so you can sign in and use account-backed features (for example syncing saved words and related learning state across devices where that feature is available).

  • Authentication: We use Supabase Auth (hosted by Supabase) for email-and-password sign-in (and we may add other sign-in methods over time). Supabase stores your email address, a cryptographic password hash (not your plaintext password), a unique user id, and standard security metadata such as sign-in timestamps and email verification status.
  • Profile / sync data: With your account we may store a small JSON profile blob in our database (for example favorites and lightweight progress inputs you opt into syncing). That data is keyed to your user id and protected by row-level security so only your account can read or update it.
  • Communications: We use your email for account verification, password reset, and important service notices about your account or subscriptions. We do not require your legal name, phone number, or mailing address to register.

Creating an account does not replace our pseudonymous analytics design: usage analytics described in §3.1 remain keyed to a separate random client/session model unless and until we deliberately link flows in a way we describe in a future update.

3.3 Subscriptions (Rhythmica Premium)

If you purchase Rhythmica Premium, the payment is processed by a third-party store or payment processor (for example the Apple App Store, Google Play, or Stripe for web checkout, depending on where you subscribe). We do not receive your full card number.

To verify access and (where applicable) unlock features across devices, our billing backend may store subscription status, product identifiers, renewal and expiration timestamps, and provider-specific transaction or subscription references. When you are signed in, we typically associate that information with your account user id. For some legacy or device-only flows, subscription verification may also reference the same pseudonymous client identifier used for analytics until you link a purchase to an account in the app.

Our internal tools may show whether an install or account currently has premium access so we can provide support, prevent fraud, and understand product usage in aggregate.

3.4 Feedback data

When you submit feedback through the app, we collect:

  • Feedback type: bug, feature, improvement, general, or content_issue
  • Message: Your feedback text (5-5000 characters)
  • App version, platform, OS version: Technical context
  • Content path: Which content you were viewing (e.g., "en/es/verbs/hablar")
  • Rating: Optional 1-5 star rating
  • Sentiment: positive, neutral, or negative
  • Screen/feature: Where you were in the app
  • Locale/timezone: For context only (not precise location)

Note: In-app feedback is designed to be pseudonymous like our analytics layer. If you contact us while signed in, we may use your account email only to respond to you and to connect your report with your account for support—we do not add your email into the legacy anonymous feedback table fields by default.

4. What We Don’t Do With Your Data

❌ No data selling; minimal ad-tech

Regardless of whether you use Rhythmica anonymously or with an account, we do not sell your personal information and we do not use IDFA, Google Advertising ID, or similar cross-app ad identifiers for analytics.

Analytics layer (§3.1): we still do not store your email, name, or account id inside our pseudonymous analytics tables, and we do not keep full IP addresses in those analytics tables. Edge systems may derive a coarse country code; hosting providers (e.g. Vercel) may process IP addresses under their own policies.

Accounts (§3.2): if you register, we process your email address and authentication metadata as described there—we do not require your legal name, phone number, or home address to create an account.

Payments: card numbers are handled only by Apple, Google, Stripe, or other payment processors; we receive status and provider references as described in §3.3.

We do not collect biometric data from you, access your contacts, or use your camera or photo library for Rhythmica.

5. How We Use Your Information

We use the non-identifying data we collect for:

  • Improving the Service: Understanding usage patterns, identifying bugs, and developing new features.
  • Technical debugging: Identifying and fixing technical issues like audio loading errors.
  • Content optimization: Understanding which songs and languages are most popular.
  • User experience: Measuring engagement, session duration, and feature usage.
  • Security: Detecting unusual patterns that might indicate abuse or technical issues.
  • Accounts & subscriptions (when applicable): Authenticating you, syncing data you choose to associate with your account, verifying Rhythmica Premium, and responding to account-related support requests.

Because our analytics layer is designed to be pseudonymous and separate from account tables, we do not use it to:

  • Identify individual users
  • Track users across different apps or websites
  • Build user profiles for advertising
  • Sell or share data with third parties for marketing

7. How We Share Your Information

We do not sell your data. We may share non-identifying analytics and feedback data with:

  • Service providers: Trusted third-party vendors who help us operate the Service, such as:
    • Supabase (authentication, account profile storage, and non-identifying analytics storage in the configurations we operate)
    • Vercel (marketing site and web app hosting, CDN, and related infrastructure)
    • Apple & Google (in-app purchase processing and subscription management for mobile)
    • Stripe (card payments and customer billing flows where Rhythmica Premium is purchased on the web, subject to Stripe’s privacy policy)
    These providers are bound by strict confidentiality agreements and can only use data to provide services to us.
  • Legal requirements: If required by law, regulation, legal process, or governmental request.
  • Business transfers: In connection with a merger, acquisition, or sale of assets, subject to confidentiality protections.

Pseudonymous analytics remains structured to reduce re-identification risk when shared with infrastructure providers. Account and billing data are shared only as needed to perform the services above.

8. Cookies and Similar Technologies

We may use cookies and local storage to:

  • Remember your settings and preferences (e.g., language selection)
  • Maintain session information and keep you logged in on the web (including secure session cookies or tokens for your Rhythmica account where applicable)
  • Store anonymous client IDs for analytics (where you have consented on the web)

You can configure your browser to refuse cookies or alert you when cookies are being sent. However, some features of the Service may not function properly without them.

Cookie types we use:

  • Essential cookies: Required for the Service to function (session management)
  • Analytics cookies: Help us understand usage patterns (non-identifying)
  • Preference cookies: Remember your settings and choices

9. Data Retention

We retain non-identifying analytics and feedback data for:

  • Analytics data: Up to 2 years for trend analysis and service improvement
  • Account & profile data: For as long as your account exists, plus a short grace period for backups and legal obligations; you may request deletion as described in §11.
  • Billing records: Retained as required for tax, fraud prevention, and payment network rules (often several years), then minimized or deleted where permitted.
  • Feedback data: Indefinitely where it remains anonymous; if we later associate specific feedback with an account for support, we retain it only as long as needed for that purpose.
  • Aggregated data: We may retain aggregated, non-identifiable data indefinitely for statistical purposes

When we no longer need data, we will delete or anonymize it.

10. Data Security

We use industry-standard security measures to protect your information:

  • HTTPS encryption for all data transmission
  • Secure database hosting with Supabase
  • API key authentication to prevent unauthorized access
  • Regular security updates and monitoring

However, no method of transmission over the Internet is completely secure, and we cannot guarantee absolute security.

11. Your Rights (GDPR & Privacy Laws)

Depending on your location, you may have the following rights:

  • Right to access: Request access to personal data we hold about you (including your account profile and subscription records).
  • Right to rectification: Request correction of inaccurate account or billing data.
  • Right to erasure: Request deletion of your account and associated profile data, subject to legal retention requirements for billing and security logs.
  • Right to restriction: Request limitation of processing where applicable law allows.
  • Right to data portability: Request a copy of your account-held data in a portable format where technically feasible.
  • Right to object: Object to certain processing where applicable law allows.
  • Right to withdraw consent: Withdraw consent at any time (where consent is the legal basis), including revoking optional analytics cookies on the web.
  • Right to lodge a complaint: Contact your local data protection authority

Analytics note: Our pseudonymous analytics events are not stored with your email address or user id. That design improves privacy but means we usually cannot locate a specific analytics row from an email address alone. You can still clear or block analytics cookies / identifiers on your device, uninstall the app, or use in-app and web settings where available.

To exercise your rights or ask questions, contact us at rob@rhythmica.app.

12. Children's Privacy

The Service is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13 (or under the minimum age of digital consent in your jurisdiction) without appropriate parental consent.

Our analytics system does not differentiate between children and adults, as that layer is pseudonymous. If a child creates an account in violation of our age rules, or you believe a child has provided identifiable information through support or feedback, contact us at rob@rhythmica.app.

13. International Data Transfers

Rhythmica™ is operated from the United States. If you access the Service from outside the United States, your anonymous data may be transferred to, stored in, and processed in the United States or other countries.

For EU users: We rely on Standard Contractual Clauses (SCCs) and other appropriate safeguards when transferring data from the EU to third countries (including account, billing, and analytics processing on US-based infrastructure where applicable).

14. Third-Party Services

We use the following third-party services:

We do not use:

  • Google Analytics
  • Facebook Pixel or other social media tracking
  • Advertising networks
  • Cross-site tracking cookies

15. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. For material changes that affect how we use account or billing data, we will also provide reasonable notice where appropriate (for example by email to the address on your account or an in-app notice).

Your continued use of the Service after any changes constitutes acceptance of the updated Policy.

16. Data Protection Officer

For GDPR-related inquiries, you can contact our Data Protection Officer at:

Email: rob@rhythmica.app
Subject: "GDPR Request" or "Data Protection Inquiry"

17. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us at:

Email: rob@rhythmica.app
Address: Rhythmica LLC, 312 W. 2nd St Suite 4209, Casper, WY 82601, USA