Privacy Policy
1. Summary
Vybes Lab is designed to collect as little personal information as possible. We do not require an account, we do not store the audio you upload after we finish processing it, and we never see your full payment card number. This policy explains exactly what we do collect, why, and what your rights are.
2. Who we are
The "data controller" for the purposes of this policy is Sean Twomey, an individual operating under the trade name "Vybes Lab" in Pennsylvania, USA. Contact details are listed in Section 12.
3. What we collect, and why
| Data | Why | How long |
|---|---|---|
| The audio file you upload | To process it and return a mastered version. | Discarded after processing; not retained, not backed up. |
| A small signed value in your browser (master_free) | To track how many free exports your browser has used. Contains no personal information. | ~365 days, or until you clear browser storage. |
| Payment information (card number, expiry, billing address) | To process payment via our payment processor, Stripe. We never see or store your card number; Stripe handles the entire transaction. | Retained by Stripe per their privacy policy. |
| Server logs (IP address, user agent, timestamps, request paths, response codes) | To operate the Service, debug errors, and detect abuse. | Up to 30 days, then automatically rotated out. |
| Album Pass credential | If you purchase an Album Pass, a signed credential is stored in your browser to remember your unlocked status for 30 days. | 30 days from purchase, then expires. |
We do not collect: names, email addresses, phone numbers, physical addresses, payment-card details, government IDs, demographic data, location data beyond what is incidental to your IP address, or any analytics-tracking identifiers. We do not run third-party analytics, advertising, or social tracking pixels.
4. What we do NOT do with your audio
Audio you upload is held in server memory only for the duration of one processing request, typically a few seconds. It is never:
- Written to persistent storage on our servers.
- Backed up.
- Shared with any third party.
- Used to train, fine-tune, or evaluate any machine-learning model.
- Played back to anyone other than you.
5. Third-party services
We rely on a small number of third-party infrastructure providers. Each has its own privacy practices:
- Stripe, Inc. — processes payments. Privacy policy: stripe.com/privacy.
- Cloudflare, Inc. — hosts the website (Cloudflare Pages) and provides DNS / CDN / DDoS protection. Privacy policy: cloudflare.com/privacypolicy.
- Fly.io — hosts the backend that runs the mastering chain. Privacy policy: fly.io/legal/privacy-policy.
6. Cookies
We use one strictly necessary cookie, master_free, to track the free-tier counter described above. It is HMAC-signed, contains no personal information, and is essential to the operation of the free tier. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.
7. Your rights
Depending on where you live, you may have rights under data-protection law such as the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA), or similar. In practice, because we hold almost no personal data about you, most of these rights are trivially satisfied:
- Access: the data we hold about you, if any, is the identifier in your own browser storage (which you can inspect via your browser's developer tools) and short-lived server logs keyed by IP. Email the address in Section 12 if you would like a copy.
- Deletion: clear your browser cookies to remove the device UUID. Server logs auto-rotate within 30 days. For payment records, contact Stripe directly.
- Portability: the cookie value is small and inspectable; we can supply a JSON copy on request.
- Objection / withdrawal of consent: stop using the Service.
- "Do Not Sell or Share my Personal Information" (California): we do not sell or share personal information. There is nothing to opt out of.
8. Children
Vybes Lab is not intended for use by anyone under 13 years of age. We do not knowingly collect personal information from children. If you believe a child has used the Service, contact us and we will delete any associated server-log data.
9. Security
We use HTTPS for all traffic, apply cryptographic signing to the small amount of state stored in your browser, and isolate payment-card handling entirely with Stripe. No system is perfectly secure; we will notify users without undue delay in the event of a data breach affecting their personal information.
10. International transfers
Our servers are hosted in the United States. If you are located outside the United States, your information will be transferred to and processed in the United States. By using the Service, you consent to this transfer.
11. Changes to this policy
We may update this policy from time to time. Material changes will be indicated by an updated "Last updated" date at the top of this page. Continued use of the Service after an update constitutes acceptance of the revised policy.
12. Contact
Questions, privacy requests, data-access or deletion requests, and any other communications under this policy should be sent to: [CONTACT EMAIL — must be set before launch].