SYNTHSTUDY
// PRIVACY POLICY
Last updated: May 2026
This is a small, ad-free site. We don't sell data, we don't track you across the web, and we don't run third-party analytics that profile you. Here's exactly what we do and don't collect:
What we collect when you sign in
- Google account data: your name, email, profile picture URL, and Google's stable account ID. That's it. No access to your contacts, files, or other Google services.
- A session cookie (HttpOnly, Secure, SameSite=Lax) so we can keep you signed in.
- Last login timestamp so admins can see active users.
What we collect when you use the site
- Vibes you save: name, description, public/private flag, and the musical state (style, key, BPM, drum/bass/arp settings).
- Comments you post on public vibes (when comments feature is enabled).
- Likes you give on public vibes.
- Anonymous play counts per public vibe (no per-user history is stored).
What we do NOT collect
- No Google password (Google handles auth, we never see it).
- No third-party tracking or advertising cookies.
- No cross-site profiling.
- No precise location data.
- No private listening history (we do not log "user X played vibe Y at time Z").
Where data is stored
All user data is stored in Cloudflare D1 (a SQLite-based serverless database hosted on Cloudflare's network). Cloudflare may retain operational logs per their own privacy policy.
Who can see what
- Public vibes: visible to anyone who visits the Site.
- Private vibes: visible only to you.
- Comments: visible to anyone playing the same vibe with comments enabled.
- Your email and account ID: visible only to admins (currently a single seed admin) for moderation purposes.
Account deletion
You can delete your account at any time from the Account section. This permanently removes:
- Your account record (name, email, picture, Google ID)
- All vibes you created (private and public)
- All comments you posted
- All likes you gave
- All active sessions
Deletion is immediate and cannot be undone.
Cookies
We set exactly two cookies:
- session — your sign-in session (HttpOnly, Secure, expires after 30 days).
- oauth_state — short-lived (10 minutes) cookie used during the Google sign-in handshake to prevent CSRF.
No tracking cookies. No analytics cookies.
Third parties
- Google — for sign-in only. We send Google your auth code; Google sends us back your name, email, picture, and ID.
- Cloudflare — hosts the site and the database. Their privacy policy applies to network-level data.
- Tone.js — JavaScript library that runs in your browser to generate the audio. Does not phone home.
Children
Not directed at children under 13. Don't use this Site if you're under 13.
Changes
If this policy changes meaningfully, we'll update the "Last updated" date at the top.
← BACK TO SITE