Information we collect
We collect information in three ways: information you give us, information collected automatically as you use the service, and information from third parties.
Information you provide
- Account information — username, email address, password (stored as a salted hash), display name, profile photo, and any platform handles you choose to add (e.g., SoundCloud, Spotify).
- Authentication factors — if you enable two-factor authentication, your TOTP secret (encrypted), backup codes (hashed), and rate-limit records.
- Payment information — handled by Stripe. We receive transaction metadata (amount, status, card brand, last four digits) but do not store full card numbers.
- Content you submit — posts and comments in the community feed, audio uploads for Mix & Master orders, project metadata, revision notes.
- Communications — emails you send us, support tickets, and survey responses.
Information collected automatically
- Usage data — pages viewed, features used, training session results, plugin download events, and similar interactions.
- Device & log data — IP address, browser type, operating system, device identifiers, referring URL, and timestamps. We use IP addresses for security, rate-limiting, and abuse prevention.
- Cookies and similar technologies — see “Cookies and tracking” below.
Information from third parties
- Captcha — Cloudflare Turnstile may return signals about whether you are likely a human (we do not receive personal data, only the verification token).
- Payment processor — Stripe shares transaction and license-related metadata.
- OAuth providers — if you connect a Discord account (or any future social login), the provider shares your account identifier and any other fields you explicitly authorize.
How we use information
We use information to operate the platform you signed up for and to keep it safe.
- Provide the service — create your account, deliver plugin downloads and licenses, run ear training, host courses, process Mix & Master orders, and operate the community feed.
- Process payments — issue licenses tied to your account, calculate revenue share, send receipts.
- Communicate with you — transactional email (password resets, verification, order updates, 2FA codes), and optional product email if you opt in.
- Improve our products — debugging, performance monitoring, and understanding which features are used.
- Security & abuse prevention — detecting fraud, account takeovers, license abuse, and policy violations. We use IP addresses, device data, and behavior signals for this purpose.
- Comply with the law — when we’re required to retain or disclose information by valid legal process.
We do not sell your personal information. We do not use your content to train machine-learning models. We do not run third-party advertising on the platform.
Legal basis for processing (EEA / UK)
If you are in the European Economic Area or the United Kingdom, we rely on the following legal bases under the GDPR:
- Contract — to provide the services you sign up for.
- Legitimate interests — to keep the service secure, prevent abuse, and improve it (where these interests are not overridden by your rights).
- Consent — where required, for example optional marketing email or non-essential cookies. You can withdraw consent at any time.
- Legal obligation — to comply with applicable law.
Data retention
We retain personal data only as long as we have a reason to.
- Account data — retained for the life of your account. When you delete your account, we delete or anonymize your personal data within 30 days, except where we’re required to retain certain records (e.g., financial records for tax purposes).
- Plugin licenses & purchases — retained for as long as we provide the licenses, plus the period required by applicable tax and consumer-protection law.
- Mix & Master uploads — kept for the duration of the project and for a reasonable period after delivery so you can re-download. After that, source files are deleted on a rolling basis.
- Logs & security data — kept for up to 12 months for abuse prevention.
Your rights
Depending on where you live, you may have the following rights regarding your personal data:
- Access — request a copy of the data we hold about you.
- Correction — ask us to fix inaccurate or incomplete data. Most of this can be done from your settings page.
- Deletion — ask us to delete your data, subject to the legal exceptions described above.
- Portability — ask for a machine-readable copy of certain information.
- Restriction or objection — limit or object to certain processing.
- Withdraw consent — where we rely on consent, you can withdraw it at any time without affecting prior processing.
- Complaint — lodge a complaint with your local data-protection authority (EEA/UK).
To exercise any of these rights, email [email protected]. We’ll respond within the timeline required by applicable law (typically 30 days).
California residents. Under the CCPA/CPRA you have the rights to know, delete, correct, and limit certain uses of sensitive personal information. We do not sell personal information, and we do not “share” it for cross-context behavioral advertising.
Security
We take security seriously and apply industry-standard safeguards, including:
- TLS encryption in transit for all traffic.
- Encryption at rest for sensitive fields (passwords are bcrypt-hashed; TOTP secrets and backup codes are stored encrypted or hashed).
- Two-factor authentication available on every account.
- Principle-of-least-privilege access for staff; logging of administrative actions.
- Rate limiting, captcha, and abuse detection at the network and application layer.
No system is perfectly secure. If you believe your account has been compromised, contact [email protected] immediately.
Children
The service is not directed to children under 13 (or under 16 where required by local law). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we’ll delete it.
International transfers
We operate from the United States and may process data in countries other than your own. Where required, we use appropriate safeguards (such as the European Commission’s Standard Contractual Clauses) for transfers of personal data outside the EEA or UK.
Changes to this policy
We may update this policy. If we make material changes, we’ll notify you by email or by a notice in the app before the changes take effect. The “Last updated” date at the top of this page reflects the most recent revision.
Contact
For any privacy-related questions or requests:
- Privacy: [email protected]
- Legal: [email protected]
- Security: [email protected]
