Privacy Policy
Effective: May 24, 2026
This Privacy Policy explains how Brudne Brzmienie ("we," "us," or "our") collects, uses, and protects your information when you use Tonika — our music practice companion available as a web app and iOS application (the "Service").
We respect your privacy and are committed to transparency. We collect only what is necessary to provide the Service and never sell your data.
1. Data Controller
The data controller for information processed through Tonika is Brudne Brzmienie, based in Poland. For any privacy-related inquiries, contact us at privacy@playtonika.com.
2. Information We Collect
2.1 Account Data
When you create an account, we collect your email address (required) and an optional display name. You may sign in using email and password, Apple Sign In, or Google Sign In. Account data is stored securely in Supabase, our cloud database provider.
2.2 Practice Data
If you are signed in, your practice records are synced to the cloud. This includes:
- Scale and interval practice records (notes played, accuracy, duration)
- XP totals and level progression
- Practice streaks and daily minutes
- Mastery scores per scale and key
- Saved session templates
This data is also stored locally in your browser's localStorage. If you are not signed in, practice data remains on your device only and is never transmitted.
2.3 Preferences
Your app settings — including theme, language, guitar configuration, and practice preferences — are stored in localStorage and synced to Supabase if you are signed in.
2.4 Microphone Audio
Tonika uses your device's microphone for real-time pitch detection only. The audio stream is processed in your browser to determine the pitch of the notes you play. We want to be very clear about this:
- Audio is never recorded
- Audio is never stored — not locally, not on any server
- Audio is never transmitted over the network
- The microphone stream is stopped immediately when you leave the practice view
2.5 Analytics
We use Vercel Analytics to understand general usage patterns. This collects:
- Page views
- Browser and operating system type
- Country-level geographic location (derived from IP address)
We do not use custom event tracking. Vercel Analytics does not use cookies and does not track individual users across sessions.
2.6 Authentication Tokens
If you sign in using Apple Sign In or Google Sign In, the OAuth tokens are passed directly to Supabase for authentication. These tokens are not stored locally on your device.
3. Information We Do Not Collect
We want to be explicit about what we never collect:
- Location or GPS data
- Contacts or address book
- Photos, camera, or media library access
- Health or fitness data
- Advertising identifier (IDFA) or cross-app tracking
- Financial information (Apple handles all payments)
- Phone number
4. How We Use Your Data
| Data | Purpose | Legal Basis (GDPR) |
|---|---|---|
| Email address | Account creation, authentication, essential communications | Consent (account registration) |
| Display name | Personalization within the app | Consent (optional provision) |
| Practice data | Progress tracking, XP calculation, mastery assessment, cross-device sync | Consent (account creation and sync opt-in) |
| Preferences | Persisting your settings across sessions and devices | Consent (account creation and sync opt-in) |
| Microphone audio | Real-time pitch detection during practice (processed locally, never stored) | Consent (microphone permission grant) |
| Analytics | Understanding usage patterns, improving the Service | Legitimate interest |
5. Third-Party Services
We work with the following third-party providers to operate the Service:
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase | Authentication, cloud database, data sync | Account data, practice data, preferences |
| Vercel Analytics | Anonymized page-view analytics | Page views, browser/OS, country-level geo |
| Apple Sign In | Optional authentication method | OAuth token (passed to Supabase) |
| Google Sign In | Optional authentication method | OAuth token (passed to Supabase) |
We do not sell, rent, or share your data with any third party for advertising or marketing purposes.
6. International Data Transfers
Supabase and Vercel may process data on servers located in the United States. These transfers are governed by Standard Contractual Clauses (SCCs) as approved by the European Commission, ensuring an adequate level of data protection in compliance with the GDPR.
7. Data Retention
We retain your data for as long as your account is active. When you delete your account, all associated data — including practice records, preferences, and account information — is permanently deleted from our servers. Local data stored in your browser's localStorage can be cleared through the app's Settings or by clearing your browser data.
8. Your Rights Under GDPR
As a user based in the European Union or European Economic Area, you have the following rights regarding your personal data:
- Right of access — Request a copy of the personal data we hold about you
- Right to rectification — Request correction of inaccurate personal data
- Right to erasure — Request deletion of your personal data ("right to be forgotten")
- Right to data portability — Export your practice data in a machine-readable format (available in the app's Settings under Data Export)
- Right to restrict processing — Request limitation of how we process your data
- Right to object — Object to processing based on legitimate interest (e.g., analytics)
- Right to withdraw consent — Withdraw your consent at any time by deleting your account
To exercise any of these rights, contact us at privacy@playtonika.com. We will respond within 30 days as required by the GDPR. You also have the right to lodge a complaint with your local data protection authority.
9. Children's Privacy
Tonika is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected such data, we will delete it promptly. If you believe a child under 13 has provided us with personal information, please contact us at privacy@playtonika.com.
10. Security
We take reasonable measures to protect your data, including:
- All data transmitted between your device and our servers is encrypted via HTTPS/TLS
- Authentication is handled by Supabase Auth with industry-standard security practices
- Passwords are never stored in plaintext
- Server-side API keys are stored as environment variables and never exposed to the client
While we implement reasonable safeguards, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make changes, we will update the "Effective" date at the top of this page. For material changes, we will notify you through the app or via email. We encourage you to review this policy periodically.
12. Contact Us
If you have questions about this Privacy Policy or how we handle your data, contact us at:
- Email: privacy@playtonika.com
- Publisher: Brudne Brzmienie