Privacy Policy

Harmonix (“we,” “us,” or “our”) operates the Harmonix web application at harmonix.sh. This Privacy Policy explains what information we collect, how we use it, and the choices you have regarding your data.

By using Harmonix, you agree to the collection and use of information in accordance with this policy.

Account Information: When you create an account, we collect your email address and a securely hashed password. We do not store your password in plain text.

Payment Information: If you subscribe to a paid plan, payment processing is handled entirely by Stripe. We do not store your credit card number, billing address, or other payment details on our servers. We retain only your Stripe customer ID and subscription status to manage your account tier.

Usage Data: We may collect anonymous usage analytics, including pages visited, browser type, and general geographic region. This data is aggregated and cannot be used to identify individual users.

Cookies: We use cookies solely for authentication session management. These cookies are essential for maintaining your logged-in state and are not used for tracking or advertising purposes.

API Keys: If you create API keys for programmatic access, we store a cryptographic hash of each key. The raw API key is shown to you once at creation and is never stored or retrievable by us.

We use the information we collect to:

• Provide, operate, and maintain the Harmonix service
• Authenticate your identity and manage your account
• Process subscription payments and manage billing
• Send transactional emails, including signal notifications for Pro subscribers
• Respond to your inquiries via the contact form
• Monitor and improve the performance and reliability of our service

We do not sell, rent, or share your personal information with third parties for marketing purposes.

We use the following third-party services to operate Harmonix. Each has its own privacy policy governing how they handle your data:

• Supabase — Authentication and database hosting. Stores your email and hashed password.
• Stripe — Payment processing. Handles all credit card and billing information directly. Harmonix never receives or stores your card details.
• Resend — Transactional email delivery. Used to send contact form responses and signal notification emails to Pro subscribers.
• Vercel — Application hosting and anonymous web analytics.
• Upstash — Ephemeral Redis caching for performance optimization. No personal data is stored permanently in the cache.

We retain your account information for as long as your account is active. If you delete your account, we will remove your personal data from our systems within 30 days, except where retention is required by law or for legitimate business purposes (such as fraud prevention or financial record-keeping).

Cached data in Redis is ephemeral and automatically expires within minutes to hours.

We implement industry-standard security measures to protect your data, including:

• Encrypted data transmission via HTTPS/TLS
• Securely hashed passwords (never stored in plain text)
• API keys stored as cryptographic hashes
• Service role keys and secrets stored as environment variables, never in code

While we strive to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

You have the right to:

• Access the personal information we hold about you
• Request correction of inaccurate information
• Request deletion of your account and associated data
• Opt out of non-essential communications

To exercise any of these rights, please contact us.

Harmonix is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete the information.

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated revision date. Your continued use of Harmonix after any changes constitutes acceptance of the revised policy.

If you have questions about this privacy policy, please contact us.