Data policy
What runs where, and what we never transmit.
A plain-English account of how Soundscaper handles your data. The formal privacy policy lives at /privacy-policy; this page is the on-device-by-design promise the product is built around.
01
What runs where
Soundscaper's composition pipeline runs on your own device. The on-device language model parses your intake. The safety classifier runs against the same input locally. The composition planner assembles the session manifest locally. The audio renderer produces the file locally.
What we host on our servers: your account state — display name, email, hashed password, subscription / entitlement, push tokens you opt to register — and cloud copies of the master files of your composed soundscapes while you have an active subscription (plus a 90-day grace period after lapse).
What we never transmit to any external service: your raw intake text, your journal entry text, your listening behaviour beyond what's needed to deliver downloads, your device health data, your microphone input, your location.
02
Your intake and your journal
The wizard's intake — the words you write or speak about your state — is parsed by an on-device language model. The structured profile (intent, length, headphones, listening context, chosen surface, embedding visibility, cue selections) is sent to our server only as part of the POST /sessions request that queues the render. The raw intake text never leaves your device.
The optional free-text “state narrative” field on the Review step is sent to our server as part of the request, and stored alongside the rest of the session profile. Treat that field like any text you put into a service: don't paste anything you wouldn't want stored. The on-device parser handles the load-bearing intake; the narrative field is optional context.
Journal entries (pre-session, post-session, standalone) are stored on our server because they need to be available to you across devices. They're tied to your account, never shared with anyone, and never analysed by us.
The Insights surface includes an opt-in “reflection signals” card. When opted in, only structured fields (entry type, optional 1–10 stress / energy values) are aggregated for your own dashboard. The body text of your entries is never read by the analytics path.
03
What we collect, and why
The minimum needed to run the product.
- Account fields: email (for sign-in and confirmation), hashed password, optional display name.
- Subscription state: plan, recording credit count, archive flag, billing identifiers from your payment provider.
- Recording metadata: session id, length, listening context, support areas, your optional display title, favourite flag, last-played-position seconds.
- Device tokens: push notification tokens you opt to register.
- Operational telemetry: backend access logs (request id, IP, status code) for uptime and abuse prevention only — never tied to user behaviour analytics.
04
What we do not do
This list is shorter than most. That's the point.
- We don't run third-party analytics — Google, Meta, TikTok, Mixpanel, Amplitude, Segment, Plausible, Fathom, or anything similar — on the public site or in the app.
- We don't sell, share, or trade any of your account data. Not to advertisers. Not to data brokers. Not to clinical research consortia. Not to anyone, ever.
- We don't train any AI model — ours or anyone else's — on your intake text, journal entries, or composed soundscapes.
- We don't retain logs of what you listened to, when, or for how long, beyond the last-played-position field that lets the player resume.
- We don't transmit anything from the app to our server in the background unless you've explicitly opted in to a feature that requires it (push registration, sync across devices, Insights reflection signals).
05
Controls you have
Every account has these controls in the Account hub at /account:
- Export: request a full export of your account data, journal entries, and recording metadata. Delivered by email.
- Delete: permanently delete your account, journal entries, server-stored masters, and all account state. Compressed downloads on your devices remain in your possession.
- Notifications: opt in or out of push and email notifications, per device and per channel.
- Insights signals: opt in or out of the structured reflection-signals aggregation on the Insights dashboard. Off by default.
06
Third parties we rely on
We use the following processors. Each is in scope for the formal privacy policy. We list them here for transparency.
- Supabase — account database, authentication, file storage for cloud-hosted master recordings.
- Stripe — web payment processing for subscriptions and Single Session purchases.
- Apple App Store / Google Play — mobile in-app purchases per platform policy.
- RevenueCat — cross-platform subscription state reconciliation between web and mobile.
- Sentry — anonymised crash reporting on the mobile app. No personal data attached.
- Apple Push Notification service / Firebase Cloud Messaging — push delivery when you opt in.
We never share data with these providers beyond what each one needs to deliver its specific function.
07
Changes to this policy
We'll post material changes to this page with a new “last updated” date. Substantive changes affecting what we collect or share are notified by email to active accounts at least 14 days before they take effect.
Contact
Questions about this policy? Email [email protected].