Who we are
The Service is operated by Capiscana, Inc., an Illinois corporation, doing business as TOMMY RUSH.
What we collect
We collect only what is needed to run the Service:
| Category | Data | Why |
|---|---|---|
| Account | Email address, bcrypt-hashed password, display name (your choice). | To create and authenticate your account. |
| Catalog metadata | Track titles, artists, durations, BPM, key, custom tags you add, folder structure, file names. | So your library is searchable and organized. |
| Audio files | The actual audio files you upload, stored on Backblaze B2 (encrypted at rest by B2) or in your own Google Drive (legacy users). We never make files public except via share links you explicitly create. | So we can stream them back to you and to recipients you invite. |
| Share records | Recipient name, email, optional company; share-link metadata (created-at, expires-at, password-protected flag); per-recipient watermark payload mappings. | So you can re-send, see who opened what, and trace leaks back to the recipient. |
| Usage analytics | Pages visited, features used, error events. We do not use Google Analytics or any third-party tracker. | So we can find bugs and understand which features are useful. |
| Security signals | IP address, user-agent string, device fingerprint hash. IP is hashed with a daily-rotating salt before long-term storage so we cannot reverse it later. | Rate-limiting, fraud detection, alert-on-new-device sign-in notifications, abuse investigations. |
| Billing | Paddle order/customer ID, subscription tier, billing email. Full card details are stored by Paddle, never by us. | So we can charge you for paid tiers and surface invoices. |
| Email engagement | Open and click events for transactional and (opt-in) marketing email; hard-bounce events. | To debug delivery issues and avoid sending to dead inboxes. |
How we use it
- Run the Service — store your catalog, deliver shares to people you invite, stream audio to authorized recipients, generate watermarked copies for leak forensics.
- Show you analytics — who opened your share, what they played, how far they got.
- Detect leaks — if an unauthorized copy of one of your tracks surfaces, match it back to the recipient who received the watermarked file.
- Send transactional email via Resend — share invites, sign-in alerts, password resets, verification links, billing receipts.
- Send marketing email via Klaviyo — only if you have opted in. You can opt out at any time via the unsubscribe link in any marketing email.
- Enforce security & abuse limits — rate-limiting, account allowlisting during closed beta, alert on new-device sign-ins.
- Comply with law — respond to valid legal process and protect rights, property, and safety.
What we do NOT do
What we don't do with your data
- We do not sell or share personal information with third-party marketers, data brokers, or advertising networks.
- We do not train AI models on your music, your catalog metadata, or any of Your Content. We do not license your audio to third parties for training.
- We do not have humans listen to your audio for QA, curiosity, demos, or analysis. The narrow server-side processing we do run is described in Section 3a below.
- We do not run ML genre classifiers, mood detectors, fingerprinting for content matching, or speech-to-text on your files.
- We do not track you across other websites. We don't use third-party advertising pixels, Google Analytics, Facebook Pixel, or similar cross-site trackers.
- We do not store full payment card numbers. Our payment provider and Merchant of Record, Paddle, handles card data directly.
3a. Server-side audio processing we do run
To make your library work, our servers perform a narrow, deterministic set of audio analyses. None of it leaves our infrastructure, none of it trains any model, and none of it is shared with third parties:
- BPM and musical key detection – runs automatically on every track at upload, so your library is searchable and sortable. This is signal-processing, not machine learning, and the only output stored is the BPM number and key string.
- Waveform peak generation – a low-resolution amplitude array used to draw the scrubber bar in the player. Not a recognition fingerprint.
- Stem separation – runs only when you (or a Pro/Max user on their own track) explicitly click "Separate stems" on a specific track. Output is written back to your private vault.
- Forensic watermark embedding – runs only when you create a share link from a tier that includes per-recipient watermarks (Max or above). The watermark is stored alongside the recipient mapping so you can trace leaks; the original audio is unchanged.
That is the complete list. We do not analyze your audio for any other purpose, ever.
The only "marketing" use of your email is the optional Klaviyo opt-in for our own service updates and product announcements — never sold, never shared with third parties for their marketing.
Third-party providers
We share data with a limited set of providers required to run the Service. Each operates under its own privacy policy and security practices. Categories of data shared and links to each provider's policy are below.
| Provider | Data shared | Their policies |
|---|---|---|
| Backblaze, Inc. (B2) | Audio files + file metadata (encrypted at rest). | Privacy · Terms |
| Hetzner Online GmbH | Application database, logs, encrypted backups (Ashburn, VA). | Privacy · Terms |
| Cloudflare, Inc. | Request metadata (IP, user-agent), TLS termination, edge caching. | Privacy · Terms |
| Paddle (paddle.com) | Email, billing address, payment-method tokens. Paddle is our Merchant of Record and processes all payments; the specific Paddle contracting entity depends on your location. Card data is handled by Paddle directly. | Privacy · Terms |
| Resend Inc. | Recipient email, transactional message content. | Privacy · Terms |
| Klaviyo, Inc. | Email, name, opt-in timestamp, engagement events — only with opt-in. | Privacy · Terms |
| Google LLC | Legacy: OAuth tokens + Drive file IDs you grant access to. Google account email and name for sign-in. | Privacy · Terms |
We may also disclose data when required by valid legal process (subpoena, court order) or to protect rights, property, and safety.
Provider liability disclaimer
Each third-party provider above operates under its own security controls, privacy policy, and terms. While we vet our providers and apply industry-standard practices on our side — TLS in transit, scoped credentials, principle of least privilege, encryption at rest where the provider supports it, secrets stored in a managed secrets vault, restricted admin access, audit logging — Capiscana is not liable for security incidents, data breaches, outages, or other failures originating from these providers' systems, except to the extent caused by our own gross negligence or willful misconduct.
If a provider notifies us of a confirmed breach affecting your data, we will pass that notification on to you per Section 7.
Breach notification
If we confirm a security breach affecting your account — whether the breach occurred at Capiscana or at any third-party provider listed in Section 5 — we will notify the email address on file within 72 hours of confirming the breach (or, where the breach was at a provider, within 72 hours of receiving the provider's notification to us).
Notification will describe, to the extent known: (a) what data was affected, (b) when the breach occurred, (c) what we believe caused it, (d) what we are doing in response, and (e) what you should do (if anything — for example, reset your password). We will follow up with material updates as we learn more.
This commitment is in addition to any statutory breach-notification obligations under applicable law (e.g., state data-breach notification statutes, GDPR Article 33-34, etc.).
Retention & deletion
8.1 Active-account retention
We retain your data for as long as your account is active.
8.2 Account deletion
You can delete your account at any time:
- Self-serve via account settings (which calls POST /api/account/delete),
- Or by emailing [email protected].
Deletion triggers a 30-day grace period, during which you can cancel via POST /api/account/delete/cancel or by contacting support. After 30 days, a scheduled purge job (running every 6 hours) removes your account, your library metadata, your share records, your B2-stored audio files, and the watermark forensic mappings you own from active systems.
8.3 Watermark forensic records
For shares you sent: we retain the watermark payload, recipient mapping, and the relevant access log for up to 24 months after the share is sent so we can investigate leaks reported during that window. After 24 months, the forensic mapping is deleted. If you delete your account during that window, the mappings tied to your sends are deleted with the rest of your data.
8.4 Backups
The Service maintains encrypted backups per our backup-restore runbook: 24 hours of hourly snapshots, 30 days of daily snapshots, 12 weeks of weekly snapshots. When you delete your account, your data is purged from new backups immediately, but persists in older backups until they age out per the schedule above. Backups are stored encrypted at rest and are restorable only by Capiscana operations staff.
8.5 Legal-hold exception
We may retain data longer than the windows above if required by valid legal process or to defend an active claim, in which case we'll retain only the minimum necessary for the duration required.
8.6 Email suppression list
Email addresses that hard-bounced are kept on a suppression list indefinitely so we don't re-send to known-bad inboxes. The suppression list contains email addresses only and no other personal data.
Your rights
Depending on where you live (CCPA / California, GDPR / EU + UK, Illinois BIPA where applicable, and similar laws elsewhere), you have rights over your personal information. We honor these rights for all users regardless of residency, where it's practical.
- Access & export — request a copy of what we hold on you. The Service exposes GET /api/account/export which returns a machine-readable bundle of your account record, library metadata, share records, and watermark mappings. For data not covered by that endpoint, email [email protected].
- Correction — edit your email and display name in account settings, or email support for anything else.
- Deletion — full account purge in 30 days via POST /api/account/delete (also reachable from account settings).
- Marketing opt-out — every marketing email has an unsubscribe link (provided by Klaviyo). Unsubscribing stops marketing email immediately. Transactional emails (sign-in alerts, password resets, billing receipts) are not opt-outable as long as your account is active.
- Withdraw Google Drive consent (legacy users) — revoke our access to your Google Drive at any time via myaccount.google.com/permissions.
- Right to know (CCPA) — the categories of personal information we collect, sources, business purposes, and categories of third parties we share with are all described in this policy.
- Right to non-discrimination (CCPA) — we won't deny service, charge different prices, or provide a different level of service because you exercised a privacy right.
- GDPR / UK GDPR rights — access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint with your local supervisory authority. Our lawful bases for processing are: contract performance (running the Service for you), legitimate interests (security, fraud prevention, leak forensics), consent (marketing email), and legal obligation (responses to legal process).
- Illinois BIPA — we do not collect, store, or process biometric identifiers or biometric information as defined by 740 ILCS 14. Voice prints, retinal scans, fingerprints, hand or face geometry are out of scope of the Service.
To exercise any right, email [email protected]. We will respond within 30 days (45 days where permitted by CCPA, with notice). We may need to verify your identity before responding to a substantive request.
Security practices
- TLS in transit (TLS 1.2+) for all client-server traffic, terminated at Cloudflare and re-established to Hetzner over an encrypted tunnel.
- Passwords hashed with bcrypt at cost factor 12 or higher. Minimum 10-character password length enforced at signup.
- OAuth tokens encrypted at rest with a per-deployment key.
- Audio files encrypted at rest by Backblaze B2 (server-side encryption).
- Production secrets stored in 1Password and injected into the runtime via the `op` CLI — never committed to source control.
- Scoped admin credentials with audit logging on all admin endpoints.
- Rate-limiting on authentication endpoints, account-creation endpoints, and share-receive endpoints.
- New-device sign-in alerts emailed to the account holder.
- Daily-rotating salt for IP hashing so we cannot reverse-correlate IPs across days.
No system is perfect. If you discover a vulnerability, please report it to [email protected] with subject line "security report" — we will acknowledge within 72 hours.
International transfers
The Service is operated from servers in the United States (Hetzner Ashburn, VA). If you access the Service from outside the U.S., your data will be transferred to and processed in the U.S. By using the Service you consent to that transfer. For EEA / UK residents, where Capiscana relies on Standard Contractual Clauses or other approved transfer mechanisms with sub-processors, those mechanisms are documented in each provider's own legal terms (see Section 5).
Children's privacy
The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us information, contact us at [email protected] and we will delete it.
Changes to this policy
We may revise this Privacy Policy from time to time. For non-material changes (typo corrections, clarifications, formatting), we'll update the "Last updated" date at the top of this page. For material changes — changes that materially affect what we collect, how we use it, who we share it with, or your rights — we will give at least 30 days' notice via email to the address on file before the new Policy takes effect, and the effective date will be stamped at the top of this page.
Contact
Privacy Inquiries & Rights Requests
2222 Chestnut Ave STE 201
Glenview, IL 60026
[email protected]