Privacy Policy — Rytmify

Rytmify (“we”, “our”, or “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and disclose personal data in compliance with the Swiss Federal Act on Data Protection (FADP) and the General Data Protection Regulation (GDPR).

1. Age Requirement (16+)

Rytmify is intended exclusively for users aged 16 and over. During registration you must select your year of birth and confirm that you meet this requirement. The age check is enforced in the app before account creation. We do not knowingly collect or process data from individuals under 16 without verifiable parental consent.

2. Data We Collect and Third-Party Processors

Google Firebase Auth & Firestore: When you create an account, we process your email address and authentication credentials through Firebase Authentication (passwords are handled by Firebase; we do not store plain-text passwords). If you are signed in, we store application state in Firestore, including cloud playlists and synced favorites linked to your account UID. Your year of birth is used only for the in-app age gate at registration and is not stored on our servers after signup completes.
OpenAI API (AI Guide Assistant): When you use the Interactive Guide, your text prompts and current UI language are sent via a secure Cloudflare Worker proxy to OpenAI. No account identifiers (such as your email or Firebase UID) are transmitted to OpenAI. Prompts are used solely to generate in-app support responses about Rytmify features.
Google Play Billing: Premium subscriptions are processed entirely through the Google Play Store billing system. We do not collect or store payment card or financial data.
Jamendo API: Music streams and catalog metadata are delivered through the public Jamendo API. When you request a stream, your IP address may be processed temporarily by Jamendo to authorize playback.

3. Local On-Device Processing

Listening preferences, recommendation parameters, and related taste signals used for on-device features (such as AI Mix) are processed locally in an encrypted Jetpack DataStore where applicable. This local profile is not uploaded to third-party analytics platforms.

4. Data Retention and International Transfers

Your account profile and cloud playlists are retained while your account remains active. Because we use global infrastructure, data may be processed on servers operated by Google, Cloudflare, and OpenAI in the United States and the European Economic Area (EEA). We rely on appropriate contractual and technical safeguards for cross-border processing where required by FADP and GDPR.

5. Your Rights & Account Deletion

Under FADP and GDPR, you have the right to access, rectify, port, or restrict the processing of your personal data, and the right to object where applicable. You also have the right to erasure (“Right to be Forgotten”).

You can delete your account, cloud playlists, and synced favorites at any time using the “Delete Account” option in Rytmify Settings while signed in. Alternatively, contact us at privacy@rytmify.ch to request manual deletion or to exercise your privacy rights.

Contact: privacy@rytmify.ch · Compliance unit for Canton of Bern, Switzerland.