Privacy Policy
Last updated: May 6, 2026
RhythmForge is an iOS app developed by Florian Preknya ("we," "our," "us"). We take your privacy seriously and have built the app to minimize the data we collect.
This policy explains what data RhythmForge handles, how it is used, and your rights.
Summary
- We do not collect personal information. No name, no email, no account, no location.
- Your audio never leaves your device. The microphone is used only for real-time timing detection. Nothing is recorded, stored, or transmitted.
- We collect anonymous usage and crash data to improve the app.
- If you subscribe, your purchase is processed by Apple, and your subscription status is managed via RevenueCat.
1. Data we collect
1.1 Microphone audio (processed on-device, never stored or transmitted)
RhythmForge uses your device's microphone to detect when you play a beat. This detection happens entirely on your device, in real time. No audio is recorded, saved to disk, or sent to any server — ours or anyone else's. The only information we extract from microphone input is the timestamp of each detected onset, which is used to score your timing during a session.
If you deny microphone access, the metronome and other audio-free features still work, but timing feedback and scoring will not be available.
1.2 Subscription and purchase data
If you subscribe to RhythmForge PRO, the following happens:
- The purchase itself is handled by Apple's App Store. We do not see your payment method, Apple ID, email, or billing address.
- We use a third-party service, RevenueCat, to validate your subscription and manage your access to PRO features. RevenueCat receives an anonymous identifier, your purchase receipt from Apple, the product purchased, and basic event information (purchase, renewal, cancellation).
- RevenueCat does not receive your name, email, or any other personally identifiable information from us.
- RevenueCat's privacy policy: https://www.revenuecat.com/privacy
1.3 Anonymous analytics and diagnostics
We use Firebase Analytics and Firebase Crashlytics (both by Google) to understand how the app is used in aggregate and to detect crashes.
Data collected by these services includes:
- Anonymous usage events (e.g., "challenge started," "subscription purchased") with no personal identifiers.
- Device model, iOS version, app version, locale, and time zone.
- If the app crashes: a crash report with stack trace and device state at the time of crash.
- An anonymous, device-generated identifier used by Firebase to deduplicate events — this is not linked to your identity.
We do not link this data to you personally. We do not use it to build an advertising profile. We do not share it with data brokers.
Firebase's privacy information: https://firebase.google.com/support/privacy
1.4 Data stored only on your device
The following information is stored locally on your device and is never transmitted to us or any third party:
- Your session history, scores, and personal bests.
- Your app settings (click sound, haptics, visual effects, timing calibration).
- Any custom challenges or patterns you create.
- Your free-practice session records.
This data is deleted when you uninstall RhythmForge.
2. What we do not collect or do
- We do not collect your name, email address, or contact information.
- We do not record or transmit audio.
- We do not track your location.
- We do not access your contacts, photos, or calendar.
- We do not sell any data to third parties.
- We do not display advertisements.
- We do not track you across other apps or websites.
- We do not use the AppTrackingTransparency framework because we do not track.
- We do not require an account, email address, or phone number.
3. Third-party services
The only third-party services that receive any data are:
- Apple App Store: processes subscription payments. Standard iOS flow; we receive no personal data.
- RevenueCat: validates subscriptions and grants PRO access. Receives anonymous ID, Apple receipt, product, and purchase events.
- Firebase Analytics (Google): anonymous usage analytics. Receives app events, device model, OS version, anonymous ID.
- Firebase Crashlytics (Google): crash reporting. Receives crash stack traces and device state at crash time.
- Cloudflare Web Analytics: anonymous website visitor counting on rhythmforge.app. No cookies, no tracking, no personal data. Aggregate visit counts only.
Each provider has its own privacy policy governing how it handles data. We have no control over their practices beyond the contractual agreements we have with them.
4. Your rights (GDPR, CCPA, and similar laws)
If you are in the European Economic Area, the United Kingdom, California, or another jurisdiction with data protection laws, you have the following rights regarding any data we hold about you:
- Access: you may request a copy of the data we hold.
- Deletion: you may request deletion of your data.
- Correction: you may request correction of inaccurate data.
- Portability: you may request your data in a machine-readable format.
- Objection: you may object to how we use your data.
- Withdraw consent: where processing is based on your consent, you may withdraw it at any time.
To exercise these rights, email [email protected].
Note: because we do not collect personal identifiers, the data we can associate with an individual is limited to subscription records (for active subscribers) and any device-linked anonymous identifiers. Deletion requests for subscription data will be relayed to RevenueCat.
5. Children's privacy
RhythmForge does not knowingly collect data from children under 13 (or under 16 in the EEA). The app is designed for general audiences and does not collect personal information from any user.
If you are a parent or guardian and have questions, contact [email protected].
6. Data retention
- On-device data (session history, settings, custom challenges): retained until you delete the app.
- Subscription records (held by RevenueCat): retained while you are a subscriber and for a reasonable period after cancellation for accounting and fraud-prevention purposes.
- Anonymous analytics (held by Firebase): subject to Google's retention policy, typically 14–60 months depending on event type. Details: https://support.google.com/firebase/answer/7667196
- Crash reports (held by Firebase): typically 90 days.
7. International data transfers
RevenueCat and Firebase are both based in the United States and may process data there. Where required, these providers use standard contractual clauses and other safeguards to ensure EU and UK data is protected.
8. Privacy manifest compliance
RhythmForge complies with Apple's privacy manifest requirements. The app declares all collected data types and the reasons for accessing system APIs in its bundled PrivacyInfo.xcprivacy file.
9. Changes to this policy
If we change this policy, we will update the "Last updated" date at the top. For significant changes, we will notify users via the app or via rhythmforge.app. Continued use of the app after changes constitutes acceptance.
10. Contact
For any privacy question, request, or concern:
Email: [email protected]
Mailing address: 8 de Març 90, 1-2, Esplugues de Llobregat, Barcelona, Spain
If you believe we are handling your data improperly and we have not resolved your concern, you have the right to lodge a complaint with your local data protection authority.