Privacy Policy

Effective date: April 21, 2026 · Last updated: April 21, 2026

CymaTones LLC ("CymaTones," "we," "us," or "our") values your privacy. This Privacy Policy explains what information we collect, how we use it, who we share it with, and the rights you have regarding your personal information when you use CymaTones.

Simple summary: We collect what we need to run the Service — your account info, your scans, your listening history, and payment details. We don't sell your data. We use trusted partners (Supabase, SamCart, Anthropic, Vercel) to store, bill, and process it. Your voice recordings stay private and are not shared with third parties for marketing.

1. What We Collect

Information You Provide

Category | Examples
Account information | Name, email address, password (hashed), profile preferences
Birth data (optional) | Birth date, time, location for Cosmos personalized readings
Payment information | Processed by SamCart — we receive transaction metadata (amount, product, status) but not full card numbers
Scan data | Voice recordings (processed in-browser, see below), spectrum analysis, harmony scores, scan results
Symptom selections | Symptom checker inputs, duration, intensity (stored to your account)
User content | Playlists you create, favorites, public comments or reviews
Support communication | Messages you send us, support request attachments

Information Collected Automatically

Category | Examples
Usage data | Which tracks you play, duration listened, features used, scan count, pages visited
Device & browser data | IP address, browser type, device type, operating system, user agent
Technical logs | Error reports, API request logs, security audit events
Cookies & similar tech | Session cookies, anonymous scan identifiers, preferences (see Cookies section)

2. How We Use Information

We use your information to:

  • Provide the Service: create your account, process scans, generate reports, stream frequency tracks, and deliver features you request
  • Personalize your experience: tailor Cosmos readings, Weekly Mix playlists, and scan protocols based on your preferences and history
  • Process payments: handle subscriptions, one-time purchases, refunds, and billing communications
  • Communicate with you: send service announcements, billing receipts, scan completion notifications, and support responses
  • Improve the Service: analyze usage patterns to identify bugs, optimize features, and develop new offerings
  • Security and fraud prevention: detect and prevent abuse, enforce our Terms, comply with law
  • Legal compliance: meet our legal, regulatory, and contractual obligations

We do not use your information to train external AI models, nor do we sell or rent your personal information to third parties for their marketing.

3. How We Share Information

We share information only as follows:

  • Service providers (subprocessors): trusted third parties that help us operate the Service (see next section)
  • Legal requirements: when required by law, court order, or to protect CymaTones' rights, users, or the public
  • Business transfers: in connection with a merger, acquisition, or sale of assets, with advance notice where practicable
  • With your consent: when you explicitly ask us to share information (e.g., publishing a playlist publicly)

We do not sell your personal information.

4. Subprocessors

We work with the following trusted partners to operate CymaTones:

Partner | Purpose | Data Shared
Supabase | Database, auth, file storage | Account, scan, playlist, and session data
SamCart | Payment processing, subscription billing | Name, email, billing address, payment details
Vercel | Web hosting and edge functions | Request logs, deployment data
Anthropic | AI-enhanced report generation | Scan spectrum data and Symptoms picker inputs (processed but not retained for training by Anthropic per its enterprise terms)
Google (Gmail) | Transactional and support emails | Email address, message content
Daily.co (future) | Video meeting room for community calls | Display name, email, meeting metadata

Each partner is bound by a data processing agreement or equivalent contractual protection. We review partners periodically to ensure they meet our privacy and security standards.

5. Voice & Scan Data

Your voice is processed in your browser. When you perform a CymaVoice scan, the audio is captured and analyzed locally in your browser using the Web Audio API. We do not upload or store raw voice recordings on our servers.

What we do store:

  • The numerical frequency spectrum (12-value array) derived from your voice
  • Calculated harmony scores and TCM-based analysis
  • Scan date, payment status, and associated report content

What we do not store:

  • Raw audio files from your scan
  • Voice recordings or waveform data
  • Any audio that could be played back to reconstruct your voice

The same principle applies to other scanners (Vision, Tongue, Face, Nails): where scans involve camera input, images are processed in your browser when possible. When server-side AI analysis is required, images are sent securely for analysis and retained only to the extent necessary to generate your report. You may request deletion of this data at any time.

6. AI Processing

CymaTones uses AI (currently Anthropic Claude) to enhance scan reports and generate personalized interpretations. When you complete a scan:

  1. Your scan data (spectrum values, scores, and demographic context if provided) is sent to Anthropic via secure API
  2. Anthropic processes the data and returns an enhanced analysis
  3. Per Anthropic's enterprise terms, your data is not used to train Anthropic's models
  4. Results are stored on CymaTones servers for you to access

You may opt out of AI-enhanced analysis by contacting us; in that case, you will receive the local (non-AI) version of your report.

7. Cookies & Local Storage

We use cookies and similar technologies to operate the Service. Types we use:

  • Essential cookies: required for login, session maintenance, and security (cannot be disabled)
  • Preference cookies: remember your settings (volume, visual mode, zen mode preference)
  • Anonymous scan cookies: on public pages, we set a 30-day cyma_anon cookie to associate your scans with your device if you are not logged in
  • Analytics cookies: help us understand how the Service is used (see Analytics section)

You can control cookies through your browser settings. Disabling essential cookies will break Service functionality.

Local storage: On public pages, we use your browser's local storage to save your scan history so you can return and review past results. This data stays on your device and is not transmitted to us unless you create an account.

8. Analytics

We use Vercel Analytics and may use similar privacy-respecting analytics tools to understand aggregate usage patterns. These tools collect anonymized or de-identified data about page visits, conversion events, and performance metrics.

We do not use Google Analytics, Facebook Pixel, or advertising trackers on the Service.

9. Data Retention

Data Type | Retention Period
Account data | While your account is active + 90 days after deletion
Scan results | While your account is active (unless deleted by you)
Playback/session logs | 24 months, then aggregated/anonymized
Payment records | 7 years (tax and accounting law)
Support communications | 3 years
Anonymous scan data (public) | 6 months, then deleted
Security audit logs | 12 months

10. Security

We take security seriously:

  • Passwords are stored hashed (bcrypt)
  • Connections to the Service are encrypted via HTTPS/TLS
  • Database access uses row-level security (RLS) — you only see your own data
  • Audio files are served via signed URLs that expire in 60 seconds
  • Payment handling is delegated to PCI-compliant processors (SamCart)
  • Webhook signatures are verified with HMAC to prevent tampering
  • Access to internal admin tools requires a dedicated founder role with audit logging

No method of transmission or storage is 100% secure. If we become aware of a data breach affecting your information, we will notify you as required by law.

11. Your Rights

You have the right to:

  • Access your personal information
  • Correct inaccurate information
  • Delete your account and associated data
  • Export your data in a machine-readable format
  • Opt out of marketing communications (transactional emails continue for active accounts)
  • Withdraw consent for optional processing (e.g., AI enhancement)

To exercise any of these rights, email privacy@cymatones.com. We'll respond within 30 days.

12. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act and California Privacy Rights Act give you additional rights:

  • Right to know what personal information we collect, use, and share
  • Right to delete personal information
  • Right to correct inaccurate personal information
  • Right to opt out of the "sale" or "sharing" of personal information (we do not sell; we do not share for cross-context behavioral advertising)
  • Right to limit the use of sensitive personal information
  • Right to non-discrimination for exercising your rights

To exercise California rights, contact privacy@cymatones.com. We may need to verify your identity before fulfilling the request.

Shine the Light

California Civil Code § 1798.83 allows California residents to request certain information about our disclosure of personal information to third parties for direct marketing. We do not disclose personal information to third parties for their direct marketing.

13. EU/UK Users (GDPR/UK GDPR)

If you are in the European Economic Area or United Kingdom, the GDPR gives you rights including access, correction, deletion, restriction, portability, and objection to processing of your personal information.

Legal bases for processing:

  • Contract: to provide the Service you signed up for
  • Consent: for optional features like Cosmos birth data or marketing emails
  • Legitimate interests: for service improvement, security, and fraud prevention
  • Legal obligation: for tax, accounting, and compliance

You may contact a supervisory authority in your country if you believe we have violated data protection law. We would appreciate the opportunity to resolve your concern first — please contact privacy@cymatones.com.

International Transfers

Our servers are primarily located in the United States. By using the Service, you consent to the transfer of your information to the United States and other countries where our service providers operate. We use standard contractual clauses or equivalent safeguards for transfers from the EEA/UK where required.

14. Children's Privacy

CymaTones is not intended for users under 18 years of age. We do not knowingly collect personal information from children under 18. If you believe a child has provided us personal information, please contact privacy@cymatones.com and we will take steps to delete it.

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top. For material changes, we will notify you via email and/or an in-app notice at least 30 days before the changes take effect where required by law.

16. Contact

Questions about this Privacy Policy or how we handle your information?

  • Privacy: privacy@cymatones.com
  • Support: support@cymatones.com
  • Mailing address: CymaTones LLC, Placerville, California, USA

© 2026 CymaTones LLC. All rights reserved.