Privacy Policy
Overview
Archtone ("we", "our", or "us") operates the Archtone mobile application and the website at https://archtone.app (together, the "Service"). This Privacy Policy explains what personal data we collect, how we use it, and what rights you have over it.
Archtone is developed and operated by an individual developer. We are committed to handling your data with care and transparency. If you have questions at any time, contact us at privacy@archtone.app.
Short version: We collect only the data needed to provide tone recommendations and manage your account. We do not sell your data, and we do not include analytics or advertising SDKs.
Data We Collect
We collect the following categories of data when you use Archtone.
Account Information
When you sign in we receive and store:
- Email address — optional, provided by your authentication provider (Apple or Google)
- Display name — optional, provided by your authentication provider
- Unique user ID — an auto-generated UUID created by our server
- Authentication provider — whether you signed in with Apple or Google
Guitar Profile Data
To generate relevant tone recommendations, we store the guitar profile you create:
- Guitar model name
- Pickup type (humbucker, single-coil, active, or P90)
- Pickup position (bridge, neck, or split)
- Tuning (standard, drop D, etc.)
Tone Request Data
- Target tone descriptions — artist name, track name, or free-text descriptions you enter
- Plugin selection for each request
- Generated recommendations and any follow-up refinement conversations
Usage Data
- Daily recommendation count — used to enforce free-tier rate limits
- Timestamps of individual requests
Subscription Data
In-app purchases and subscriptions are managed entirely by RevenueCat. Archtone does not directly process payments or store payment card information. We store only a premium-status flag on our server to unlock features for paying users.
Authentication
| Platform | Method | How it works |
|---|---|---|
| iOS | Sign in with Apple | An identity token is sent from your device and verified server-side by our backend. |
| Android | Google Sign-In | A Google ID token is sent from your device and verified server-side by our backend. |
Token Storage on Your Device
After you sign in, we issue our own JWT tokens. These are stored securely on your device using flutter_secure_storage, which uses the iOS Keychain on Apple devices and the Android Keystore on Android devices.
- Access tokens — expire after 15 minutes
- Refresh tokens — expire after 7 days
We never store your Apple or Google credentials directly. We only retain the unique identifier and optional profile information those services provide at the moment of sign-in.
How We Use Your Data
| Data | Purpose | Legal basis |
|---|---|---|
| Account information | Identify your account and authenticate API requests | Contract performance |
| Guitar profile | Generate accurate, personalised tone recommendations | Contract performance |
| Tone request data | Process requests via the AI model; cache results to improve response speed | Contract performance |
| Usage data | Enforce daily rate limits for free-tier users | Legitimate interest |
| Premium status flag | Enable or restrict premium features within the app | Contract performance |
| Email address (if provided) | Communicate material changes to this policy | Legitimate interest |
We do not use your data for advertising, profiling, or any purpose beyond providing the Service described above.
Third-Party Services
Archtone integrates with the following third-party services. Each operates under its own privacy policy governing data that flows through it.
| Service | Purpose | Data shared | Privacy policy |
|---|---|---|---|
| Anthropic (Claude API) | Processes tone requests to generate recommendations | Tone descriptions, guitar profile, plugin selection | anthropic.com/privacy |
| RevenueCat | Manages in-app subscriptions and purchase verification | Device identifiers, purchase receipts | revenuecat.com/privacy |
| Apple | Sign in with Apple — iOS authentication | Apple user identifier, optional email | apple.com/legal/privacy |
| Google | Google Sign-In — Android authentication | Google account identifier, optional email and display name | policies.google.com/privacy |
| Hostinger | VPS hosting for Archtone backend and database | All server-side data resides on Hostinger infrastructure | hostinger.com/privacy-policy |
We select third-party processors carefully and only share data that is necessary to deliver the Service. We do not share your data with any other third parties.
Data Storage & Security
Where your data is stored
| Location | Technology | Region | What is stored |
|---|---|---|---|
| Backend server | PostgreSQL on Hostinger VPS | Frankfurt, Germany | Account data, guitar profiles, tone request history |
| Backend cache | Redis | Frankfurt, Germany | Recommendation cache (90-day TTL) |
| Your device (app) | SQLite via Drift | Local only | Cached data for offline access |
| Your device (secure) | flutter_secure_storage (Keychain / Keystore) | Local only | JWT access and refresh tokens |
Security measures
- All data in transit is encrypted using TLS (HTTPS).
- JWT tokens are short-lived and stored in secure platform storage (iOS Keychain, Android Keystore).
- Authentication tokens from Apple and Google are verified server-side — we never trust client-provided identity claims directly.
- Database access is restricted to the backend application; there is no direct public access to the database.
While we take reasonable precautions, no method of electronic transmission or storage is 100% secure. If you discover a security vulnerability, please disclose it responsibly by emailing privacy@archtone.app.
Data Retention
| Data type | Retention period |
|---|---|
| Account data (profile, guitar profiles) | Retained until you delete your account |
| Tone recommendations (database) | Retained until you delete your account |
| Tone recommendations (Redis cache) | 90-day TTL — automatically expired |
| JWT access tokens | 15 minutes |
| JWT refresh tokens | 7 days |
| Daily usage counters | Reset daily; not retained beyond operational need |
When you delete your account, we permanently delete all account data, guitar profiles, and tone history from our database. Cached data in Redis expires automatically within 90 days.
Your Rights
Depending on your location, you may have rights regarding your personal data under GDPR, CCPA, or other applicable law. We honor these rights for all users regardless of jurisdiction.
Access
You can view all your guitar profiles and tone history directly within the Archtone app at any time.
Correction
You can update your guitar profile at any time within the app. Display name corrections depend on what your authentication provider (Apple or Google) supplies.
Deletion
You can request deletion of your account and all associated data by emailing privacy@archtone.app. We will process deletion requests within 30 days. After deletion, your data cannot be recovered.
Export / Portability
You can request a copy of your personal data in a machine-readable format by emailing privacy@archtone.app. We will respond within 30 days.
Objection
You may object to processing based on legitimate interest by contacting us. We will evaluate your objection and respond within 30 days.
To exercise any of these rights, email privacy@archtone.app with the subject line "Privacy Request" and include the email address or user ID associated with your account so we can verify your identity.
Data We Do Not Collect
We want to be explicit about what Archtone does not collect or use:
- No analytics or behavioral tracking SDKs (no Firebase Analytics, Amplitude, Mixpanel, or similar)
- No crash reporting SDKs in the app
- No location or GPS data
- No contacts or address book data
- No photos, camera, or microphone data
- No advertising identifiers (IDFA or GAID)
- No cross-app or cross-site tracking
- No data is sold or rented to third parties — ever
Children's Privacy
Archtone is not directed at children under the age of 13, and we do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, please contact us at privacy@archtone.app and we will promptly delete that data.
Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you either through an in-app update notification or, if you have provided an email address, by email. We will also update the "Last updated" date at the top of this page.
We encourage you to review this policy periodically. Continued use of the Service after changes take effect constitutes your acceptance of the revised policy.
Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your data, please reach out — we aim to respond within 5 business days.