Privacy Policy

1. Information We Collect

1.1 Account Information (Sign In with Apple)

The app can be used without creating an account. Guest users can access the full sound visualization experience — no personal data is collected from guest users beyond what is described in Sections 1.5 (Microphone Audio) and 1.4 (Local Device Storage).

If you choose to create an account using Sign In with Apple (required only for community features such as publishing, commenting, and following), we receive and store:

• Apple User ID — a unique identifier assigned by Apple, stored securely in your device's Keychain
• Display name (first name only) — stored locally and in Apple CloudKit to identify you in the community

We do not collect your email address through Sign In with Apple.

1.2 Community & Social Data (CloudKit Public Database)

If you participate in the app's social features, the following data is stored in Apple's CloudKit public database:

• User profile: display name, bio, avatar preset, join date, follower count, following count
• Published waves: wave name, category, tags, visual settings snapshot, preview video, creator name and ID
• Comments: comment text, author name and ID
• Follow relationships: who you follow and who follows you
• Notifications: in-app notification records
• Content reports: report reason, reported content ID, reporter's device identifier (IDFV — see Section 1.6)

1.3 Subscription & Trial Data (CloudKit Private Database)

Trial start date — stored in your private CloudKit database to manage free trial eligibility. This record is only accessible to you and is not visible to other users or to us.

1.4 Local Device Storage

The following is stored only on your device and is never transmitted to us:

• Keychain: Apple User ID, Spotify authentication tokens, trial start timestamp
• UserDefaults: app theme, haptics toggle, onboarding progress, iCloud sync preference, display name, liked wave IDs, and other non-sensitive preferences
• iCloud Key-Value Store: your app preferences, synced across your own devices via Apple's iCloud infrastructure

1.5 Microphone Audio

The app uses your device microphone to create real-time cymatics visualizations. Here is exactly what happens with your audio:

• Audio is analyzed locally on your device in real time to drive the visualization. It is never recorded, stored, or transmitted for this purpose.
• When you choose to record a video within the app, microphone audio is captured as part of that video file and saved locally to your device. This audio is never sent to our servers.

1.6 Device Identifier

We use your device's Identifier for Vendor (IDFV) solely for content moderation purposes. It is included only when you submit a content report and is stored in the associated CloudKit report record. It is not used for tracking or advertising.

1.7 Music Services

Apple Music / MusicKit: The app accesses your Apple Music library and the Apple Music catalog for browsing and playback. No music data is stored or transmitted by us. Playback uses Apple's built-in system player.

Spotify: If you connect your Spotify account, the app authenticates using OAuth 2.0 with PKCE (no client secret is stored or transmitted). The following Spotify permission scopes are requested:

• user-read-private — read your account details
• user-library-read — read your saved library
• user-library-modify — save or remove items in your library
• user-top-read — read your top artists and tracks
• user-read-recently-played — read your recently played tracks
• playlist-read-private — read your private playlists

Authentication tokens are stored only in your device's Keychain. Audio playback is handled entirely by Spotify's own player. Album artwork is fetched using ephemeral network requests with no disk caching.

1.8 Photos and Video

Videos and photos you create in the app are saved locally on your device. If you choose to share them, sharing is handled through the standard iOS share sheet. We never upload your photos or videos to our servers.

1.9 In-App Purchases

All purchases are processed by Apple through StoreKit. We do not receive, process, or store your payment information.

2. How We Use Your Information

We use the information described above for the following purposes:

• Providing the app's core functionality: visualizing audio, playing music, recording video
• Community features: displaying your profile, publishing and browsing waves, following other users, commenting
• Content moderation: reviewing reported content to maintain community standards
• Trial management: tracking free trial eligibility
• Syncing preferences: keeping your settings consistent across your devices via iCloud

3. How Your Data Is Stored and Processed

All server-side data storage uses Apple CloudKit, which is part of Apple's iCloud infrastructure. Your data is processed by Apple under their iCloud Terms and Conditions and Apple Privacy Policy.

We do not operate our own servers for user data storage. We do not use any third-party analytics, advertising, or tracking services.

4. Data Sharing

We do not sell, rent, or share your personal information with third parties.

Your data may be visible to others only in the following ways:

• Public profile and published waves are visible to other Cymatics Lab users
• Comments you post are visible to other users
• Apple processes CloudKit data under their privacy policy
• Spotify receives authentication requests if you choose to connect your Spotify account, governed by Spotify's Privacy Policy

5. No Tracking or Advertising

Cymatics Lab does not:

• Track you across apps or websites
• Display advertisements
• Use third-party analytics or tracking SDKs
• Sell or share data with data brokers
• Create advertising profiles

6. Data Retention

• CloudKit data (profile, waves, comments, follows, notifications, reports) is retained until you request deletion.
• Keychain data (Apple User ID, Spotify tokens, trial timestamp) is retained until you sign out of the app or remove the app from your device.
• UserDefaults are cleared when the app is removed from your device.
• iCloud Key-Value Store data is managed by Apple's iCloud infrastructure and follows Apple's data retention policies.

7. Account Deletion

You can delete your account and all associated data directly in the app by going to Settings → Account → Delete Account. You will be required to type “DELETE” to confirm. When you do:

• Your CloudKit records (profile, published waves, comments, follow relationships, and notifications) will be permanently deleted.
• Published waves may retain a “deleted user” attribution to preserve community context, but all personally identifying information will be removed.
• Keychain data is cleared immediately.

You may also contact us at kevin@shalaworks.com to request account deletion.

8. Children's Privacy

You must be at least 13 years old (or the minimum age of digital consent in your jurisdiction) to create an account in Cymatics Lab. We do not knowingly collect personal information from children under this age. If you believe a child under 13 has created an account, please contact us at kevin@shalaworks.com and we will promptly delete the account.

9. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your data
• Withdraw consent for data processing

To exercise any of these rights, contact us at kevin@shalaworks.com.

10. Security

We use Apple's built-in security infrastructure to protect your data:

• Sensitive credentials are stored in the iOS Keychain, which uses hardware-backed encryption
• Server-side data is stored in Apple CloudKit, which provides encryption in transit and at rest
• Spotify authentication uses OAuth 2.0 with PKCE, which does not require a client secret to be stored on device

11. Changes to This Policy

We may update this privacy policy from time to time. If we make significant changes, we will notify you through the app or by other appropriate means. The “Effective Date” at the top of this policy indicates when it was last updated.

12. Contact Us

If you have questions or concerns about this privacy policy or your data, contact us at:

Kevin Brian Kiefer, d/b/a ShalaWorks
Email: kevin@shalaworks.com