Privacy Policy
Last updated: March 11, 2026
This Privacy Policy describes how ToneForge ("we," "us," or "our") collects, uses, stores, and protects your personal data when you use our website and services. We are committed to safeguarding your privacy and handling your data in accordance with applicable data-protection laws, including the Swiss Federal Act on Data Protection (FADP) and, where applicable, the EU General Data Protection Regulation (GDPR).
1. Data We Collect
1.1 Account Data
When you register, we collect your email address, display name, and a hashed version of your password. We never store passwords in plain text.
1.2 Subscription and Payment Data
When you subscribe to a paid plan, PayPal processes your payment. We store your PayPal subscription ID, plan tier, and billing period dates. We do not store credit card numbers or full payment credentials.
1.3 Uploaded Audio Files
When you upload audio files for mastering, we temporarily store the original and processed files on our servers. Files are automatically deleted after the expiry window defined by your plan tier.
1.4 Technical and Usage Data
We collect IP addresses, browser type, operating system, referring URLs, pages visited, and timestamps for security, analytics, and service-improvement purposes.
1.5 Analysis Metadata
Audio analysis results (loudness, spectrum, dynamics metrics) are stored as part of your project data. These contain no personal information beyond being linked to your account.
2. How We Use Your Data
- To provide, maintain, and improve the Service.
- To process your audio files and deliver mastered results.
- To manage your account, subscriptions, and billing.
- To send transactional emails (verification, password resets, mastering notifications, billing confirmations).
- To enforce our Terms of Service and Fair Use Policy, and to prevent abuse.
- To monitor system health, debug issues, and generate aggregate analytics.
- To comply with legal obligations.
3. Legal Basis for Processing
We process your data under the following legal bases:
- Contract performance: Processing necessary to provide the Service you signed up for.
- Legitimate interest: Security monitoring, fraud prevention, and service improvement.
- Consent: Where required, such as for optional marketing communications.
- Legal obligation: Compliance with applicable law.
4. Data Retention
- Audio files: Automatically deleted after the plan-specific expiry window (Free: 1 hour, Pro: 24 hours, Studio: 72 hours after processing).
- Account data: Retained as long as your account exists. Deleted within 30 days of an account deletion request.
- Audit logs: Retained for up to 12 months for security and compliance.
- Payment records: Retained as required by tax and accounting regulations (typically 7-10 years).
5. Third-Party Services
We share data with the following categories of third parties:
- PayPal: Subscription and payment processing. Subject to PayPal's Privacy Policy.
- Infrastructure providers: Server hosting and content delivery. Data is processed within the EU/Switzerland.
- Email delivery: Transactional email services for account notifications.
We do not sell your personal data to third parties. We do not share your audio files with anyone.
6. International Transfers
Your data is primarily processed in Switzerland and the European Economic Area. If data is transferred to a jurisdiction without an adequate level of data protection, we ensure appropriate safeguards are in place (e.g., Standard Contractual Clauses).
7. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate data.
- Erasure: Request deletion of your data ("right to be forgotten").
- Restriction: Request limited processing of your data.
- Data portability: Request your data in a machine-readable format.
- Objection: Object to processing based on legitimate interest.
- Withdrawal of consent: Withdraw consent at any time where processing is consent-based.
To exercise any of these rights, contact us at privacy@toneforge.space. We will respond within 30 days.
8. Data Security
We implement industry-standard security measures to protect your data, including:
- Encryption in transit (TLS/HTTPS) and at rest for sensitive data.
- Bcrypt password hashing with per-user salts.
- Signed, time-limited download tokens with access-count limits.
- Rate limiting and abuse detection.
- Regular security reviews and dependency updates.
9. Cookies
Our use of cookies is described in our Cookie Policy.
10. Children's Privacy
The Service is not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will take steps to delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on the Service. The "Last updated" date at the top reflects the most recent revision.
12. Contact
For questions or concerns about this Privacy Policy, contact our Data Protection team at privacy@toneforge.space.