Privacy Policy

Last updated: March 2026

1. Introduction

This Privacy Policy explains how PitchHighway (“we,” “us,” or “our”) collects, uses, stores, and protects your personal data when you use our web application and iOS application (collectively, the “Service”).

We are committed to protecting your privacy in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable Romanian data protection law. Please also review our Terms of Service.

2. Data Controller

The data controller responsible for your personal data is:

Name: Gabriel Policiuc, operating as PitchHighway
Address: Prof. Nicolae Oblu, nr. 18, Iasi, Romania
Email: [email protected]

3. Categories of Personal Data

3.1 Account Data

When you create an account, we collect:

Email address (optional for guest accounts)
Display name
Password hash (Argon2 — we never store your plaintext password)
Apple ID identifier (if you use Apple Sign-In)
Account tier (free or premium)
Account creation and last-active timestamps

3.2 Voice & Audio Data

When you use pitch training features, we process:

Pitch samples (MIDI note values, frequency in Hz, confidence scores, segment identifiers, timestamps)
Computed vocal range (lowest and highest MIDI notes with confidence score)
Audio recordings of your voice are stored only on your device and are never uploaded to our servers

Classification: Voice and audio data is personal data under the GDPR, but it is not biometric special-category data under Article 9. We use voice data for pitch training, scoring, and progress tracking — not for uniquely identifying you as a person. Therefore, processing is based on Article 6 (not Article 9) of the GDPR.

3.3 Subscription Data

If you subscribe to PitchHighway premium, we receive from Apple:

Original transaction ID and product ID
Subscription status (active, grace period, billing retry, expired, revoked)
Expiration and renewal dates
Subscription environment (Sandbox or Production)

We do not receive or store your payment card details. All payment processing is handled by Apple.

3.4 Device & Technical Data

IP address (stored with refresh tokens for security)
User-Agent string
Device information (stored with refresh tokens)

3.5 Usage & Progress Data

Exercise scores, completion counts, and personal bests
Exercise attempt history with detailed results
Daily activity records and streaks
Journey progress (current level and node per journey)
Favourited exercises

3.6 Launch Notification Data

If you sign up to be notified about PitchHighway’s app launch, we collect:

Email address

This email address is stored in our database to send you a notification when the PitchHighway app is available, along with launch-related updates, early-access offers, and occasional promotional communications about PitchHighway. We do not share this email with third parties for their own marketing purposes. Email delivery is handled via Resend. You may unsubscribe or request deletion of your email at any time by emailing [email protected] with the subject line “Unsubscribe.”

3.7 Authentication Tokens

JWT access tokens (15-minute expiry, not stored server-side)
Refresh tokens (7-day expiry, stored as hashed values with associated device info and IP address)
Password reset tokens (stored as hashed values, single-use)

3.8 Uploaded Song Data

If you upload your own songs for processing into Highway exercises, we collect and process:

The original audio file you upload (up to 50 MB)
Metadata associated with the upload (filename, file type, upload timestamp)
Processed outputs derived from your upload (separated vocal and backing tracks)

Uploaded songs are stored in Cloudflare R2 (EU-preferred regions) and are associated with your user account. You retain full ownership of the songs you upload.

4. How We Collect Data

We collect personal data through three channels:

Directly from you — When you create an account, complete exercises, use pitch training features, or upload your own songs for processing.
Automatically — Device and technical data collected during your use of the Service (IP address, User-Agent, device info).
From third parties — Apple Sign-In (authentication data) and App Store Server Notifications (subscription status updates via webhooks).

5. Purposes & Legal Bases

We process your personal data for the following purposes, each with a corresponding legal basis under GDPR Article 6(1):

Purpose	Data Used	Legal Basis
Account creation & authentication	Account data, OAuth data, auth tokens	Art. 6(1)(b) — Performance of contract
Providing pitch training features	Voice & audio data, usage data	Art. 6(1)(b) — Performance of contract
Tracking progress, scores & streaks	Usage & progress data	Art. 6(1)(b) — Performance of contract
Vocal range tracking	Voice data (pitch samples, MIDI range)	Art. 6(1)(b) — Performance of contract
Subscription management	Subscription data, Apple transaction IDs	Art. 6(1)(b) — Performance of contract
Security (fraud prevention, token management)	IP address, device info, auth tokens	Art. 6(1)(f) — Legitimate interest
Service email communications	Email address	Art. 6(1)(b) — Performance of contract
App launch notification & promotional communications	Email address (from launch signup)	Art. 6(1)(a) — Consent
Error monitoring & debugging	Technical/device data (no user PII)	Art. 6(1)(f) — Legitimate interest
Future anonymised ML training	Anonymised/aggregated voice data	Art. 6(1)(f) — Legitimate interest (with anonymisation)
Processing user-uploaded songs into Highway exercises	Uploaded song audio, processed outputs	Art. 6(1)(b) — Performance of contract

6. Voice & Audio Data Provisions

Given the sensitive nature of voice data, we want to be fully transparent about how it is handled:

On-device processing: Pitch detection is performed on your device using the CREPE neural network model. Raw audio is not sent to our servers for the purpose of pitch analysis.
Server-side storage: Derived pitch data (MIDI values, frequency, confidence, timestamps) is sent to our servers to compute scores, track your progress, and record your vocal range.
On-device audio storage: Audio recordings of your voice are stored only on your device and are never uploaded to our servers. Recordings may be removed if the operating system reclaims storage.
Not biometric data: Your voice data is used exclusively for training feedback and scoring. We do not use it to identify you as an individual. This means it falls under Article 6 of the GDPR, not Article 9 (special categories).
Future use: We may use anonymised and aggregated voice data for improving our pitch detection algorithms. Any such use will involve data that can no longer be linked to you as an individual.
User-uploaded songs: If you upload your own songs for processing into Highway exercises, the original audio and its processed outputs (separated vocal and backing tracks) are stored on our servers in Cloudflare R2 (EU-preferred regions). These files are distinct from your voice recordings, which remain on-device only. You may delete your uploaded songs at any time, and they are automatically deleted when you delete your account.

7. Data Sharing & Third Parties

We share personal data only with the following third-party service providers, strictly for the purposes described:

Provider	Purpose	Data Shared	Location
Apple	Authentication (Sign-In with Apple) & subscription/payment processing (IAP)	Apple ID, transaction IDs, subscription status	USA (EU-US Data Privacy Framework)
Cloudflare R2	Storage of AI-generated song tracks and user-uploaded songs used in exercises	Song audio files; user-uploaded audio files and their processed outputs (linked to user account)	EU-preferred regions
Resend	Transactional email delivery	Email address, email content	USA
Telegram	Error alerts & in-app support chat	Error data, user email, chat messages	Global
OpenAI	AI-powered chat support	Chat messages, user questions	USA
Simple Analytics	Privacy-first website analytics (page views, referrers)	No personal data — no IP addresses, no cookies, no tracking	Netherlands (EU)

We do not sell your personal data. We do not share data with advertisers or ad networks. We do not engage in profiling for marketing purposes.

8. International Data Transfers

Your personal data is primarily stored on servers within the European Union. Where data is transferred to service providers outside the EU (specifically Apple, in the USA), such transfers are protected by:

The EU-US Data Privacy Framework (where the provider is certified), or
Standard Contractual Clauses (SCCs) approved by the European Commission.

Resend and OpenAI process data in the USA.

9. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes described in this policy:

Data Category	Retention Period
Guest account data	Automatically deleted after 30 days of inactivity
Registered account data	Until you delete your account
Voice data (pitch samples, vocal range)	Until you delete your account (server-side). Audio recordings are stored only on your device.
Usage & progress data	Until you delete your account
Subscription data	Until you delete your account (Apple retains its own records independently)
Launch notification email	Until the user requests deletion or unsubscribes, or 12 months after the app launch (whichever comes first)
Refresh tokens	7 days from issuance (or until revoked)
Password reset tokens	Until used or expired
Apple webhook logs	Retained for operational integrity and debugging
Uploaded song data (original audio & processed outputs)	Until you delete the song or delete your account (whichever comes first)

When you delete your account, all associated personal data is deleted via cascading database deletion, including any songs you have uploaded and their processed outputs stored in Cloudflare R2. Audio recordings stored on your device are not affected by account deletion and remain under your control.

10. Your GDPR Rights

Under the GDPR, you have the following rights regarding your personal data:

Right of Access (Art. 15) — You have the right to obtain confirmation of whether we process your personal data and to request a copy of that data.
Right to Rectification (Art. 16) — You have the right to request correction of inaccurate personal data.
Right to Erasure (Art. 17) — You have the right to request deletion of your personal data (“right to be forgotten”).
Right to Restriction of Processing (Art. 18) — You have the right to request that we restrict the processing of your personal data in certain circumstances.
Right to Data Portability (Art. 20) — You have the right to receive your personal data in a structured, commonly used, machine-readable format. This includes any songs you have uploaded to the Service.
Right to Object (Art. 21) — You have the right to object to processing based on legitimate interests.
Rights Related to Automated Decision-Making (Art. 22) — You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects.
Right to Withdraw Consent — Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
Right to Lodge a Complaint — You have the right to lodge a complaint with a supervisory authority. In Romania, this is the Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) at www.dataprotection.ro.

How to exercise your rights: You may exercise your rights by emailing [email protected] with the subject line “GDPR Request.” You may also delete your account and all associated data directly within the Service. We will respond to all requests within 30 days.

11. Cookies & Local Storage

PitchHighway uses a JWT-based authentication system, not traditional browser cookies for session management.

On the web, authentication tokens are stored in memory and via secure HTTP mechanisms.
On iOS, tokens are stored securely in the device Keychain.
We do not use tracking cookies.
We do not use advertising cookies or pixels.
For website analytics, we use Simple Analytics, a privacy-first service based in the EU (Netherlands). Simple Analytics does not use cookies, does not collect IP addresses, and does not track personal data. It only measures aggregate page views and referrers. See their privacy policy at simpleanalytics.com/privacy.

12. Children’s Privacy

The Service is not directed at children under the age of 16 (the GDPR age threshold for consent to data processing). We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that data promptly. If you believe a child under 16 has provided us with personal data, please contact us at [email protected].

13. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

Password hashing: All passwords are hashed using the Argon2 algorithm (never stored in plaintext).
Encryption in transit: All data is transmitted over HTTPS/TLS.
Short-lived access tokens: JWT access tokens expire after 15 minutes.
Hashed refresh tokens: Refresh tokens are stored as hashed values with device and IP binding.
Secure mobile storage: On iOS, tokens are stored in the device Keychain.
Breach notification: In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours as required by GDPR Article 33. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly (GDPR Article 34).

14. Changes to This Policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page will be revised accordingly. For material changes that affect how we process your personal data, we will notify registered users by email. Previous versions of this policy are available upon request.

15. Contact

For privacy-related inquiries or to exercise your GDPR rights, please contact us:

Email: [email protected] (use subject line “GDPR Request” for data rights requests)
Data Controller: Gabriel Policiuc
Address: Prof. Nicolae Oblu, nr. 18, Iasi, Romania

We will respond to all GDPR requests within 30 days of receipt.