Privacy Policy

We collect the minimum data needed to operate the service:

• Account data — email address, hashed password, account creation date.
• Uploaded audio — files you upload as source material for AI transformations.
• Generated outputs — files produced by our AI engine from your sources.
• Billing data — handled by Stripe (we never see or store full card details). We retain plan, subscription status, customer ID, and payment history metadata.
• Usage data — number of transformations, plan, login timestamps, basic technical logs (IP address, user agent) for security and abuse prevention.

• To run AI analysis and produce transformed audio outputs you request.
• To manage your subscription, credits, and billing.
• To provide customer support and respond to your requests.
• To detect abuse, fraud, and violations of our Terms of Service.
• To comply with legal obligations (tax records, lawful requests from authorities).

We do not use your uploaded audio or generated outputs to train public AI models.

• Source uploads are processed for the requested transformation and automatically deleted from active storage within a short window after processing completes (typically 24-72 hours).
• Generated outputs remain available in your account until you delete them or close your account.
• Account and billing records are retained as long as your account is active, plus the period required by tax and accounting law (typically up to 10 years for invoices in the EU).
• Logs are retained for up to 90 days unless required longer for security investigations.

We share data only with vendors strictly required to operate the service:

• Supabase — database and authentication (EU region).
• Google Cloud (Cloud Run, Cloud Storage) — backend hosting and audio file storage.
• Stripe — payment processing. Stripe's privacy policy applies to card data.
• Vercel — frontend hosting.

Each sub-processor is contractually bound to data protection terms compatible with GDPR.

If you are in the European Economic Area you have the right to:

• Access the personal data we hold about you.
• Correct inaccurate data.
• Request deletion of your account and associated data (subject to legal retention obligations).
• Export your data in a portable format.
• Object to processing or withdraw consent where processing is based on consent.
• Lodge a complaint with your local supervisory authority.

To exercise any of these rights, contact us at privacy@iomixo.com. We respond within 30 days.

We use TLS encryption in transit, encrypted storage at rest, scoped database access, and row-level security policies to limit data access. No system is perfectly secure: if we discover a breach affecting your data, we will notify you and the relevant authorities as required by law.

We use essential cookies for authentication and session management. We do not use third-party advertising cookies or cross-site tracking. Analytics, if any, are aggregated and anonymized.

IOMIXO is not directed to children under 16. If you become aware that a minor has provided us personal data without parental consent, contact us and we will delete it.

We may update this Privacy Policy. Material changes will be communicated via email to active account holders or via a notice on the service at least 14 days before they take effect.

Questions about this policy or your data: privacy@iomixo.com.