Privacy Policy

Last updated: February 2026

1. Introduction

This Privacy Policy explains how PitchHighway (“we,” “us,” or “our”) collects, uses, stores, and protects your personal data when you use our web application and iOS application (collectively, the “Service”).

We are committed to protecting your privacy in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable Romanian data protection law. Please also review our Terms of Service.

2. Data Controller

The data controller responsible for your personal data is:

• Name: Gabriel Policiuc, operating as PitchHighway
• Address: Prof. Nicolae Oblu, nr. 18, Iasi, Romania
• Email: legal@pitchhighway.com

3. Categories of Personal Data

3.1 Account Data

When you create an account, we collect:

• Email address (optional for guest accounts)
• Display name
• Password hash (Argon2 — we never store your plaintext password)
• Apple ID identifier (if you use Apple Sign-In)
• Account tier (free or premium)
• Account creation and last-active timestamps

3.2 Voice & Audio Data

When you use pitch training features, we process:

• Pitch samples (MIDI note values, frequency in Hz, confidence scores, segment identifiers, timestamps)
• Computed vocal range (lowest and highest MIDI notes with confidence score)
• Audio recordings of your voice are stored only on your device and are never uploaded to our servers

Classification: Voice and audio data is personal data under the GDPR, but it is not biometric special-category data under Article 9. We use voice data for pitch training, scoring, and progress tracking — not for uniquely identifying you as a person. Therefore, processing is based on Article 6 (not Article 9) of the GDPR.

3.3 Subscription Data

If you subscribe to PitchHighway premium, we receive from Apple:

• Original transaction ID and product ID
• Subscription status (active, grace period, billing retry, expired, revoked)
• Expiration and renewal dates
• Subscription environment (Sandbox or Production)

We do not receive or store your payment card details. All payment processing is handled by Apple.

3.4 Device & Technical Data

• IP address (stored with refresh tokens for security)
• User-Agent string
• Device information (stored with refresh tokens)

3.5 Usage & Progress Data

• Exercise scores, completion counts, and personal bests
• Exercise attempt history with detailed results
• Daily activity records and streaks
• Journey progress (current level and node per journey)
• Favourited exercises

3.6 Launch Notification Data

If you sign up to be notified about PitchHighway’s app launch, we collect:

• Email address

This email address is stored in our database to send you a notification when the PitchHighway app is available, along with launch-related updates, early-access offers, and occasional promotional communications about PitchHighway. We do not share this email with third parties for their own marketing purposes. Email delivery is handled via AWS SES (eu-north-1, Stockholm). You may unsubscribe or request deletion of your email at any time by emailing legal@pitchhighway.com with the subject line “Unsubscribe.”

3.7 Authentication Tokens

• JWT access tokens (15-minute expiry, not stored server-side)
• Refresh tokens (7-day expiry, stored as hashed values with associated device info and IP address)
• Password reset tokens (stored as hashed values, single-use)

4. How We Collect Data

We collect personal data through three channels:

• Directly from you — When you create an account, complete exercises, or use pitch training features.
• Automatically — Device and technical data collected during your use of the Service (IP address, User-Agent, device info).
• From third parties — Apple Sign-In (authentication data) and App Store Server Notifications (subscription status updates via webhooks).

5. Purposes & Legal Bases

We process your personal data for the following purposes, each with a corresponding legal basis under GDPR Article 6(1):

Purpose	Data Used	Legal Basis
Account creation & authentication	Account data, OAuth data, auth tokens	Art. 6(1)(b) — Performance of contract
Providing pitch training features	Voice & audio data, usage data	Art. 6(1)(b) — Performance of contract
Tracking progress, scores & streaks	Usage & progress data	Art. 6(1)(b) — Performance of contract
Vocal range tracking	Voice data (pitch samples, MIDI range)	Art. 6(1)(b) — Performance of contract
Subscription management	Subscription data, Apple transaction IDs	Art. 6(1)(b) — Performance of contract
Security (fraud prevention, token management)	IP address, device info, auth tokens	Art. 6(1)(f) — Legitimate interest
Service email communications	Email address	Art. 6(1)(b) — Performance of contract
App launch notification & promotional communications	Email address (from launch signup)	Art. 6(1)(a) — Consent
Error monitoring & debugging	Technical/device data (no user PII)	Art. 6(1)(f) — Legitimate interest
Future anonymised ML training	Anonymised/aggregated voice data	Art. 6(1)(f) — Legitimate interest (with anonymisation)

6. Voice & Audio Data Provisions

Given the sensitive nature of voice data, we want to be fully transparent about how it is handled:

• On-device processing: Pitch detection is performed on your device using the CREPE neural network model. Raw audio is not sent to our servers for the purpose of pitch analysis.
• Server-side storage: Derived pitch data (MIDI values, frequency, confidence, timestamps) is sent to our servers to compute scores, track your progress, and record your vocal range.
• On-device audio storage: Audio recordings of your voice are stored only on your device and are never uploaded to our servers. Recordings may be removed if the operating system reclaims storage.
• Not biometric data: Your voice data is used exclusively for training feedback and scoring. We do not use it to identify you as an individual. This means it falls under Article 6 of the GDPR, not Article 9 (special categories).
• Future use: We may use anonymised and aggregated voice data for improving our pitch detection algorithms. Any such use will involve data that can no longer be linked to you as an individual.

7. Data Sharing & Third Parties

We share personal data only with the following third-party service providers, strictly for the purposes described:

Provider	Purpose	Data Shared	Location
Apple	Authentication (Sign-In with Apple) & subscription/payment processing (IAP)	Apple ID, transaction IDs, subscription status	USA (EU-US Data Privacy Framework)
Cloudflare R2	Storage of AI-generated song tracks used in exercises	Song audio files (no user personal data)	EU-preferred regions
AWS SES	Transactional email delivery	Email address, email content	eu-north-1 (Stockholm, EU)
Telegram	Internal error alerts & monitoring	Technical error data only (no user PII)	Global
OpenAI / xAI	Analysis of non-PII aggregated data	Anonymised, aggregated usage data only (no personal data)	USA
Simple Analytics	Privacy-first website analytics (page views, referrers)	No personal data — no IP addresses, no cookies, no tracking	Netherlands (EU)

We do not sell your personal data. We do not share data with advertisers or ad networks. We do not engage in profiling for marketing purposes.

8. International Data Transfers

Your personal data is primarily stored on servers within the European Union. Where data is transferred to service providers outside the EU (specifically Apple, in the USA), such transfers are protected by:

• The EU-US Data Privacy Framework (where the provider is certified), or
• Standard Contractual Clauses (SCCs) approved by the European Commission.

AWS SES email processing remains within the EU (eu-north-1 region, Stockholm). OpenAI/xAI only receive anonymised, aggregated data that does not constitute personal data.

9. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes described in this policy:

Data Category	Retention Period
Guest account data	Automatically deleted after 30 days of inactivity
Registered account data	Until you delete your account
Voice data (pitch samples, vocal range)	Until you delete your account (server-side). Audio recordings are stored only on your device.
Usage & progress data	Until you delete your account
Subscription data	Until you delete your account (Apple retains its own records independently)
Launch notification email	Until the user requests deletion or unsubscribes, or 12 months after the app launch (whichever comes first)
Refresh tokens	7 days from issuance (or until revoked)
Password reset tokens	Until used or expired
Apple webhook logs	Retained for operational integrity and debugging

When you delete your account, all associated personal data is deleted via cascading database deletion. Audio recordings stored on your device are not affected by account deletion and remain under your control.

10. Your GDPR Rights

Under the GDPR, you have the following rights regarding your personal data:

1. Right of Access (Art. 15) — You have the right to obtain confirmation of whether we process your personal data and to request a copy of that data.
2. Right to Rectification (Art. 16) — You have the right to request correction of inaccurate personal data.
3. Right to Erasure (Art. 17) — You have the right to request deletion of your personal data (“right to be forgotten”).
4. Right to Restriction of Processing (Art. 18) — You have the right to request that we restrict the processing of your personal data in certain circumstances.
5. Right to Data Portability (Art. 20) — You have the right to receive your personal data in a structured, commonly used, machine-readable format.
6. Right to Object (Art. 21) — You have the right to object to processing based on legitimate interests.
7. Rights Related to Automated Decision-Making (Art. 22) — You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects.
8. Right to Withdraw Consent — Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
9. Right to Lodge a Complaint — You have the right to lodge a complaint with a supervisory authority. In Romania, this is the Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) at www.dataprotection.ro.

How to exercise your rights: You may exercise your rights by emailing legal@pitchhighway.com with the subject line “GDPR Request.” You may also delete your account and all associated data directly within the Service. We will respond to all requests within 30 days.

11. Cookies & Local Storage

PitchHighway uses a JWT-based authentication system, not traditional browser cookies for session management.

• On the web, authentication tokens are stored in memory and via secure HTTP mechanisms.
• On iOS, tokens are stored securely in the device Keychain.
• We do not use tracking cookies.
• We do not use advertising cookies or pixels.
• For website analytics, we use Simple Analytics, a privacy-first service based in the EU (Netherlands). Simple Analytics does not use cookies, does not collect IP addresses, and does not track personal data. It only measures aggregate page views and referrers. See their privacy policy at simpleanalytics.com/privacy.

12. Children’s Privacy

The Service is not directed at children under the age of 16 (the GDPR age threshold for consent to data processing). We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that data promptly. If you believe a child under 16 has provided us with personal data, please contact us at legal@pitchhighway.com.

13. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

• Password hashing: All passwords are hashed using the Argon2 algorithm (never stored in plaintext).
• Encryption in transit: All data is transmitted over HTTPS/TLS.
• Short-lived access tokens: JWT access tokens expire after 15 minutes.
• Hashed refresh tokens: Refresh tokens are stored as hashed values with device and IP binding.
• Secure mobile storage: On iOS, tokens are stored in the device Keychain.
• Breach notification: In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours as required by GDPR Article 33. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly (GDPR Article 34).

14. Changes to This Policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page will be revised accordingly. For material changes that affect how we process your personal data, we will notify registered users by email. Previous versions of this policy are available upon request.

15. Contact

For privacy-related inquiries or to exercise your GDPR rights, please contact us:

• Email: legal@pitchhighway.com (use subject line “GDPR Request” for data rights requests)
• Data Controller: Gabriel Policiuc
• Address: Prof. Nicolae Oblu, nr. 18, Iasi, Romania

We will respond to all GDPR requests within 30 days of receipt.