Privacy Policy — DeTonic AI Audio Studio

1. Overview

DeTonic ("we," "us," "our") is operated by Polsia. This Privacy Policy describes how we collect, use, and protect information when you use DeTonic at detonic.polsia.app.

We collect the minimum data necessary to operate the Service and improve it over time. We do not sell your personal data.

2. Data We Collect

Data Type	What We Collect	Why
Account	Email address, hashed password, subscription status	Authentication, billing, service access
Generated Tracks	Session ID, mood/genre/tempo/duration inputs, AI prompt, audio file URL, generation status	Delivery, download access, service improvement
Payment	Stripe customer ID, subscription plan, billing status	Subscription management. Card details are held by Stripe — we never see raw card numbers.
Usage	Page views, events (generation, download), session ID, referrer, UTM parameters	Analytics, feature improvement
Technical	IP address (server logs, not stored long-term), browser type, timestamps	Security, debugging
Content Filter	Flagged prompts, violation type, session strike count	Platform safety, abuse prevention

No uploaded audio. DeTonic does not accept uploaded audio files. The mood-match feature (if introduced) will analyze audio client-side only — no audio data is transmitted to our servers.

3. How We Use Your Data

We use collected data to:

Deliver Generated Tracks and enable downloads.
Manage your account and subscription.
Process payments through Stripe.
Improve synthesis quality using anonymized generation data.
Detect and prevent policy violations and abuse.
Send transactional emails (account confirmation, billing receipts, policy change notices).

We do not use your data for advertising targeting or sell it to data brokers. We do not use your Generated Tracks to train third-party AI models without explicit consent.

4. Analytics & Tracking

DeTonic uses first-party analytics to understand how users interact with the platform. We track:

Page views: Which pages are visited, referrer URL, UTM campaign parameters.
Events: Track generation completions, downloads, and conversion actions.
Sessions: Pseudonymous session IDs (no persistent cross-site identifiers).

All analytics data is stored in our own database on Neon PostgreSQL. We do not currently use third-party analytics services (Google Analytics, Mixpanel, etc.). If we add third-party analytics in the future, this policy will be updated with 14 days' notice.

5. Third-Party Services

Service	Purpose	Data Shared	Privacy Policy
Stripe	Payment processing	Email, payment details	stripe.com/privacy
OpenAI	AI composition brief generation	Your mood/genre prompt text	openai.com/privacy
Neon	PostgreSQL database hosting	All database records	neon.tech/privacy-policy
Render	Application hosting	Server logs, application data	render.com/privacy
Cloudflare R2	Audio file storage (CDN)	Generated WAV audio files	cloudflare.com/privacypolicy

We enter into data processing agreements with sub-processors where required by applicable law.

6. Data Retention

We retain data for the following periods:

Data Type	Retention Period	Notes
Generated Tracks — Free tier	30 days from generation	Auto-deleted after 30 days. We'll send a reminder 7 days before expiry.
Generated Tracks — Creator tier	90 days from generation	Auto-deleted after 90 days. Reminder sent 7 days before expiry.
Generated Tracks — Pro tier	365 days from generation	Pro users can also flag individual tracks to keep indefinitely (permanent storage).
Account data	Life of account + 90 days after deletion	Allows for recovery requests after account deletion.
Usage analytics	24 months	Aggreated or deleted after this period.
Payment records	7 years	Required by financial regulations.
Content filter violation logs	12 months	Platform safety and abuse prevention.
Server logs	30 days	Security and debugging only.

Track metadata (mood, genre, tempo, description) is retained for 90 days after the audio file is deleted, to support account history queries. Pro users with permanent storage retain metadata for the life of the track.

7. GDPR Rights

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under GDPR and equivalent laws:

Right of access: Request a copy of the personal data we hold about you.
Right to rectification: Correct inaccurate or incomplete data.
Right to erasure ("right to be forgotten"): Request deletion of your personal data. We will delete your account and associated data within 30 days, except data we are required to retain by law.
Right to data portability: Request your data in a machine-readable format (JSON or CSV).
Right to restrict processing: Ask us to limit how we use your data.
Right to object: Object to processing based on legitimate interests.

To exercise any of these rights, email privacy@detonic.app with the subject line "Data Rights Request." We will respond within 30 days.

Our legal basis for processing personal data is: contract performance (delivering the Service), legitimate interests (security, fraud prevention, analytics), and consent (marketing communications).

8. Cookie Policy

DeTonic uses minimal cookies:

Session cookie: A pseudonymous session ID stored in localStorage (not a browser cookie) to associate page views and events within a session. Cleared when you close your browser or clear site data.
Auth cookie (logged-in users): A secure, httpOnly cookie to maintain your login session. Expires after 30 days of inactivity.

We do not use third-party tracking cookies, advertising cookies, or cross-site tracking identifiers. Because we use only essential cookies, a cookie banner is not required under GDPR's ePrivacy Directive. If we add non-essential cookies in the future, we will implement a consent mechanism first.

9. Security

We protect your data using:

TLS encryption for all data in transit.
AES-256-GCM encryption for stored OAuth tokens and sensitive credentials.
Parameterized queries throughout to prevent SQL injection.
Sandboxed execution environments that block access to production credentials.
Access controls limiting internal data access to authorized personnel only.

No system is perfectly secure. If you discover a security vulnerability, please report it responsibly to security@detonic.app before public disclosure.

10. Children's Privacy

DeTonic is not directed to children under 13. We do not knowingly collect personal data from children under 13. If we learn that we have collected data from a child under 13, we will delete it promptly. Contact us at privacy@detonic.app if you believe a child's data was submitted.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email to registered users and by updating the "Last updated" date on this page. We will provide at least 14 days' notice before material changes take effect.

12. Contact

Privacy questions and data requests:

Email: privacy@detonic.app
General support: support@detonic.app
Mailing: DeTonic / Polsia, Detroit, MI 48201