Privacy Policy
1. Introduction and scope
ThirdTone is a sound-based wellness service that delivers personalized audio protocols, journeys, and tones designed to support relaxation, focus, sleep, and other everyday wellbeing goals. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and the rights you have over it.
This policy applies to the ThirdTone mobile application (iOS and Android), the ThirdTone website at thirdtone.ai, and any related services that link to this policy. It does not apply to third-party services we link to but do not operate.
2. Who we are (data controller)
The data controller responsible for your personal data is:
Third Tone Project, Inc.
450 Sparrow Farm Rd
Montpelier, VT 05602
USA
Email: [email protected]
For any privacy, GDPR, or data subject access requests, please use the email address above.
3. Categories of personal data we collect
3.1 Account and identity data
When you create an account we collect the information needed to authenticate you and personalize your experience: your email address, your name (if you provide one), and a profile image (if you upload or import one). Authentication is handled by our auth provider, Clerk.
3.2 Onboarding data
During onboarding you select from fixed lists: one or more wellness goals, a priority benefit, a preferred reminder time slot, and your timezone. These are structured selections, not free-text health information. We do not ask for, and do not knowingly collect, medical diagnoses, conditions, or other special-category health data.
3.3 Usage and behavioral data
To deliver and personalize the service, we record how you interact with ThirdTone, including:
- Listen events (content identifier, duration listened, completion status)
- Session feedback ratings on a fixed scale of less, same, or more
- Favorites you save
- Daily personalization cards generated for you
- A rolling AI-generated narrative summary of your journey
- Streak counts and total session counts
3.4 Device and technical data
When you use the mobile app or website we and our service providers receive certain technical information automatically, including a push-notification token (if you grant notification permission), your timezone, IP address, and user-agent. IP and user-agent are typically collected by infrastructure and authentication providers as part of normal request handling.
3.5 Subscription data
Subscriptions are processed by the Apple App Store or Google Play and managed through RevenueCat. We receive a RevenueCat subscriber identifier, your current subscription status, and an original transaction identifier. We do not receive or store your full payment card or bank details.
4. How we use your data
- To provide and operate the service, including playback, library access, and account management.
- To personalize the experience, including generating daily personalization cards and recommendations.
- To schedule and send reminders and notifications you have opted into.
- To debug, monitor, and improve the service, including investigating crashes and errors.
- To measure aggregate usage and product performance.
- To process and manage your subscription.
- To detect, prevent, and respond to fraud, abuse, and security incidents.
- To comply with applicable legal obligations and enforce our Terms.
5. Legal bases under GDPR
If you are in the European Economic Area or the United Kingdom, we process your personal data on the following legal bases:
- Performance of a contract: processing necessary to provide the service you have signed up for, including authentication, content delivery, subscription management, and core personalization.
- Legitimate interests: processing necessary to keep the service secure, debug crashes, prevent abuse, and understand aggregate usage of our product.
- Consent: push notifications and certain analytics or tracking features rely on your consent. You can withdraw consent at any time via your device settings or by contacting us.
- Legal obligation: where we must process data to comply with applicable law.
6. AI and automated decision-making
ThirdTone uses an AI personalization layer to generate the daily cards you see in the app. Specifically, we send a structured prompt to OpenRouter, which routes the request to Anthropic's Claude (Haiku 4.5) model. The prompt includes your selected goals, your recent listening, your session feedback, and a rolling narrative summary of your journey. The model returns short suggestions for that day.
These outputs are wellness suggestions only. They do not produce decisions that have legal or similarly significant effects on you. We do not use solely automated decision-making in the sense of Article 22 GDPR.
7. Sub-processors and third parties
We rely on the following providers to operate ThirdTone. Each receives only the data needed to perform its role and is bound by appropriate contractual protections.
| Provider | Role | Region |
|---|---|---|
| Clerk | Authentication and identity | United States |
| Convex | Backend platform and database | United States |
| Cloudflare R2 | Audio and media storage and CDN delivery | Global |
| OpenRouter | AI gateway routing prompts to Anthropic Claude | United States |
| RevenueCat | Subscription management | United States |
| Expo and Expo Notifications | Push notification delivery via APNs and FCM | United States |
| Sentry | Crash and error reporting | United States |
| Mixpanel | Product analytics | United States |
| Apple App Store and Google Play | In-app billing and store distribution | Global |
We do not sell your personal information, and we do not share it with third parties for their own independent marketing.
8. International data transfers
ThirdTone is operated from the United States, and most of our service providers process data in the United States. If you access the service from outside the United States, your personal data will be transferred to and processed in countries that may have different data protection laws than your home jurisdiction.
For transfers from the European Economic Area, the United Kingdom, or Switzerland, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum where applicable.
9. Data retention
- Account data is retained for as long as your account is active.
- Usage, listening, and feedback data is retained for as long as your account is active to power personalization and progress tracking.
- Subscription records are retained for the period required by tax, accounting, and consumer-protection law.
- Crash logs and error reports are retained for a limited period for debugging and security.
- AI prompts and outputs may be retained by us and our AI gateway provider for service quality, abuse prevention, and debugging, subject to those providers' own retention policies.
- When you delete your account, we delete or anonymize your personal data from our active systems within a reasonable period. Some data may persist in backups or with sub-processors for a limited time before being purged under their own schedules, and we may retain limited records as required by law.
10. Your rights
10.1 GDPR and UK GDPR rights
If you are in the EEA or the UK, you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate or incomplete data.
- Erase your personal data ("right to be forgotten").
- Receive your data in a portable, machine-readable format.
- Restrict processing in certain circumstances.
- Object to processing based on legitimate interests.
- Withdraw consent at any time, where processing is based on consent.
- Lodge a complaint with your national data protection supervisory authority.
10.2 California (CCPA / CPRA) rights
If you are a California resident, you have the right to:
- Know what personal information we collect, use, and disclose.
- Delete personal information we have collected from you.
- Correct inaccurate personal information.
- Opt out of the sale or sharing of personal information. We do not sell or share personal information as those terms are defined under the CCPA/CPRA.
- Limit the use of sensitive personal information.
- Be free from discrimination for exercising your rights.
11. How to exercise your rights
You can delete your account at any time from the in-app Settings screen, which removes your personal data from our active systems on the schedule described above.
For all other requests, including access, rectification, portability, restriction, objection, and California rights, please email [email protected]. We may need to verify your identity before fulfilling a request and will respond within the timeframes required by applicable law.
Self-serve data export is not currently available in the app. If you would like a copy of your data, please request one by email and we will provide it.
12. Children
ThirdTone is intended for users aged 16 and over, or 13 and over with verifiable parental consent in jurisdictions where that lower threshold is permitted. We do not knowingly collect personal data from children below these ages. If you believe a child has provided us with personal data, please contact [email protected] and we will take steps to delete it.
13. Cookies and tracking on the website
The ThirdTone marketing website uses minimal first-party requests to load its content, including a Convex client request that fetches sounds and journeys to render on the page. The marketing website does not currently run third-party advertising trackers or marketing cookies. Any analytics or cookies introduced in the future will be reflected here, and where required by law we will request your consent before setting non-essential cookies.
14. Security
We protect personal data using industry-standard safeguards. Data is encrypted in transit using TLS, and our infrastructure providers encrypt data at rest. We restrict access to personal data to personnel who need it, use authenticated administrative access, and monitor for security events. No system is perfectly secure, but we work to identify and respond to vulnerabilities promptly.
15. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and notify you in-app where appropriate. Continued use of ThirdTone after an update means you accept the revised policy.
16. Contact us
If you have questions about this Privacy Policy or how we handle your data, please contact:
Third Tone Project, Inc.
450 Sparrow Farm Rd
Montpelier, VT 05602
USA
Email: [email protected]