PRIVACY · v1.0

Privacy Policy.

This Privacy Policy describes how Capiscana, Inc. dba TOMMY RUSH ("Capiscana", "we", "us") collects, uses, stores, shares, and protects information when you use Session™ Vault (also referred to as "session.am" or the "Service"). We try to keep this short and human. If anything is unclear, email [email protected].

EFFECTIVE MAY 4, 2026 · LAST UPDATED MAY 4, 2026 · READ TIME 9 MIN

The short version

  • We do not sell or share personal information with third-party marketers, data brokers, or advertising networks.
  • We do not train AI models on your music, your catalog metadata, or any of Your Content. We do not license your audio to third parties for training.
  • We do not have humans listen to your audio for QA, curiosity, demos, or analysis. The narrow server-side processing we do run is described in Section 3a below.
  • We do not run ML genre classifiers, mood detectors, fingerprinting for content matching, or speech-to-text on your files.
  • We do not track you across other websites. We don't use third-party advertising pixels, Google Analytics, Facebook Pixel, or similar cross-site trackers.
  • We do not store full payment card numbers. Our payment provider and Merchant of Record, Paddle, handles card data directly.

Who we are

The Service is operated by Capiscana, Inc., an Illinois corporation, doing business as TOMMY RUSH.

What we collect

We collect only what is needed to run the Service:

How we use it

  • Run the Service — store your catalog, deliver shares to people you invite, stream audio to authorized recipients, generate watermarked copies for leak forensics.
  • Show you analytics — who opened your share, what they played, how far they got.
  • Detect leaks — if an unauthorized copy of one of your tracks surfaces, match it back to the recipient who received the watermarked file.
  • Send transactional email via Resend — share invites, sign-in alerts, password resets, verification links, billing receipts.
  • Send marketing email via Klaviyo — only if you have opted in. You can opt out at any time via the unsubscribe link in any marketing email.
  • Enforce security & abuse limits — rate-limiting, account allowlisting during closed beta, alert on new-device sign-ins.
  • Comply with law — respond to valid legal process and protect rights, property, and safety.

What we do NOT do

3a. Server-side audio processing we do run

To make your library work, our servers perform a narrow, deterministic set of audio analyses. None of it leaves our infrastructure, none of it trains any model, and none of it is shared with third parties:

  • BPM and musical key detection – runs automatically on every track at upload, so your library is searchable and sortable. This is signal processing, not machine learning, and the only output stored is the BPM number and key string.
  • Waveform peak generation – a low-resolution amplitude array used to draw the scrubber bar in the player. Not a recognition fingerprint.
  • Stem separation – runs only when you (or a Pro/Max user on their own track) explicitly click "Separate stems" on a specific track. Output is written back to your private vault.
  • Forensic watermark embedding – runs only when you create a share link from a tier that includes per-recipient watermarks (Max or above). The watermark is stored alongside the recipient mapping so you can trace leaks; the original audio is unchanged.

That is the complete list. We do not analyze your audio for any other purpose, ever.

The only "marketing" use of your email is the optional Klaviyo opt-in for our own service updates and product announcements — never sold, never shared with third parties for their marketing.

Third-party providers

We share data with a limited set of providers required to run the Service. Each operates under its own privacy policy and security practices. Categories of data shared and links to each provider's policy are below.

We may also disclose data when required by valid legal process (subpoena, court order) or to protect rights, property, and safety.

Provider liability disclaimer

Breach notification

If we confirm a security breach affecting your account — whether the breach occurred at Capiscana or at any third-party provider listed in Section 5 — we will notify the email address on file within 72 hours of confirming the breach (or, where the breach was at a provider, within 72 hours of receiving the provider's notification to us).

Notification will describe, to the extent known: (a) what data was affected, (b) when the breach occurred, (c) what we believe caused it, (d) what we are doing in response, and (e) what you should do (if anything — for example, reset your password). We will follow up with material updates as we learn more.

This commitment is in addition to any statutory breach-notification obligations under applicable law (e.g., state data-breach notification statutes, GDPR Articles 33-34).

Retention & deletion

8.1 Active-account retention

We retain your data for as long as your account is active.

8.2 Account deletion

You can delete your account at any time:

  • Self-serve via account settings (which calls POST /api/account/delete),
  • Or by emailing [email protected].

Deletion triggers a 30-day grace period, during which you can cancel via POST /api/account/delete/cancel or by contacting support. After 30 days, a scheduled purge job (running every 6 hours) removes your account, your library metadata, your share records, your B2-stored audio files, and the watermark forensic mappings you own from active systems.

8.3 Watermark forensic records

For shares you sent: we retain the watermark payload, recipient mapping, and the relevant access log for up to 24 months after the share is sent so we can investigate leaks reported during that window. After 24 months, the forensic mapping is deleted. If you delete your account during that window, the mappings tied to your sends are deleted with the rest of your data.

8.4 Backups

The Service maintains encrypted backups per our backup-restore runbook: 24 hours of hourly snapshots, 30 days of daily snapshots, 12 weeks of weekly snapshots. When you delete your account, your data is purged from new backups immediately, but persists in older backups until they age out per the schedule above. Backups are stored encrypted at rest and are restorable only by Capiscana operations staff.

8.5 Legal-hold exception

We may retain data longer than the windows above if required by valid legal process or to defend an active claim, in which case we'll retain only the minimum necessary for the duration required.

8.6 Email suppression list

Email addresses that hard-bounced are kept on a suppression list indefinitely so we don't re-send to known-bad inboxes. The suppression list contains email addresses only and no other personal data.

Your rights

Depending on where you live (CCPA / California, GDPR / EU + UK, Illinois BIPA where applicable, and similar laws elsewhere), you have rights over your personal information. We honor these rights for all users regardless of residency, where it's practical.

  • Access & export — request a copy of what we hold on you. The Service exposes GET /api/account/export which returns a machine-readable bundle of your account record, library metadata, share records, and watermark mappings. For data not covered by that endpoint, email [email protected].
  • Correction — edit your email and display name in account settings, or email support for anything else.
  • Deletion — full account purge in 30 days via POST /api/account/delete (also reachable from account settings).
  • Marketing opt-out — every marketing email has an unsubscribe link (provided by Klaviyo). Unsubscribing stops marketing email immediately. You cannot opt out of transactional emails (sign-in alerts, password resets, billing receipts) as long as your account is active.
  • Withdraw Google Drive consent (legacy users) — revoke our access to your Google Drive at any time via myaccount.google.com/permissions.
  • Right to know (CCPA) — the categories of personal information we collect, sources, business purposes, and categories of third parties we share with are all described in this policy.
  • Right to non-discrimination (CCPA) — we won't deny service, charge different prices, or provide a different level of service because you exercised a privacy right.
  • GDPR / UK GDPR rights — access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint with your local supervisory authority. Our lawful bases for processing are: contract performance (running the Service for you), legitimate interests (security, fraud prevention, leak forensics), consent (marketing email), and legal obligation (responses to legal process).
  • Illinois BIPA — we do not collect, store, or process biometric identifiers or biometric information as defined by 740 ILCS 14. Voice prints, retinal scans, fingerprints, hand or face geometry are out of scope of the Service.

To exercise any right, email [email protected]. We will respond within 30 days (45 days where permitted by CCPA, with notice). We may need to verify your identity before responding to a substantive request.

Cookies & local storage

We use a small number of first-party cookies and local-storage entries strictly to operate the Service:

  • Session cookie (HTTP-only, Secure, SameSite=Lax) — keeps you signed in.
  • CSRF / OAuth state cookies (HTTP-only, short-lived) — protect sign-in flows.
  • Local storage — UI preferences, recently played, draft state. Not transmitted off-device.
  • Recipient cookies — if you receive a watermarked share, a session cookie remembers password unlock and watermark-consent for the listening session.

We do not use third-party advertising cookies, third-party analytics cookies, or cross-site tracking pixels.

Security practices

  • TLS in transit (TLS 1.2+) for all client-server traffic, terminated at Cloudflare and re-established to Hetzner over an encrypted tunnel.
  • Passwords hashed with bcrypt at cost factor 12 or higher. Minimum 10-character password length enforced at signup.
  • OAuth tokens encrypted at rest with a per-deployment key.
  • Audio files encrypted at rest by Backblaze B2 (server-side encryption).
  • Production secrets stored in 1Password and injected into the runtime via the `op` CLI — never committed to source control.
  • Scoped admin credentials with audit logging on all admin endpoints.
  • Rate-limiting on authentication endpoints, account-creation endpoints, and share-receive endpoints.
  • New-device sign-in alerts emailed to the account holder.
  • Daily-rotating salt for IP hashing so we cannot reverse-correlate IPs across days.

No system is perfect. If you discover a vulnerability, please report it to [email protected] with subject line "security report" — we will acknowledge within 72 hours.

International transfers

The Service is operated from servers in the United States (Hetzner Ashburn, VA). If you access the Service from outside the U.S., your data will be transferred to and processed in the U.S. By using the Service you consent to that transfer. For EEA / UK residents, where Capiscana relies on Standard Contractual Clauses or other approved transfer mechanisms with sub-processors, those mechanisms are documented in each provider's own legal terms (see Section 5).

Children's privacy

The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us information, contact us at [email protected] and we will delete it.

Changes to this policy

We may revise this Privacy Policy from time to time. For non-material changes (typo corrections, clarifications, formatting), we'll update the "Last updated" date at the top of this page. For material changes — changes that materially affect what we collect, how we use it, who we share it with, or your rights — we will give at least 30 days' notice via email to the address on file before the new Policy takes effect, and the effective date will be stamped at the top of this page.

Contact