Privacy Policy
Last updated: March 2026
1. Introduction
Andorius ("we", "us", "our") operates andorius.app, a meditation and ambient sound platform. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our service.
2. Data We Collect
2.1 Account Data
- Display name
- Email address
- Password hash (for email sign-up; we never store plaintext passwords)
2.2 Authentication Data
- Google OAuth profile information (name, email, profile picture URL) when you sign in with Google
- Sign-in timestamps
2.3 Usage Data
- Daily playback minutes consumed
- App usage metrics (which WebApps you use, session duration)
- Preset configurations and saved settings
2.4 Payment Data
- Payments are processed by Stripe. We do not store your credit card numbers, bank account details, or full payment card information on our servers.
- We retain your Stripe customer ID and subscription status to manage your plan.
2.5 Technical Data
- IP address (used for rate limiting and abuse prevention)
- Browser and device information derived from cookies and HTTP headers
3. How We Use Your Data
- Provide and maintain the Andorius service
- Authenticate your identity and manage your session
- Track daily playback usage against your plan limits
- Process payments and manage subscriptions
- Send essential transactional emails (account verification, password resets, plan change confirmations)
- Improve the service based on aggregated, anonymized usage patterns
- Enforce rate limits and prevent abuse
3b. Legal Basis for Processing
We process your personal data under the following legal bases as defined by GDPR Article 6:
- Contract performance — Processing necessary to provide the Andorius service and fulfil your subscription (account management, playback, billing).
- Legitimate interest — Security measures (rate limiting, abuse prevention) and service improvement based on aggregated usage data.
- Consent — Cookie consent for non-essential storage. You may withdraw consent at any time.
- Legal obligation — Retaining billing records as required by tax and financial regulations.
4. Data Sharing
We do not sell, rent, or trade your personal data. We share data only with the following service providers, strictly as needed to operate the service:
- Stripe — Payment processing (billing and subscription management)
- Resend — Transactional email delivery (verification, password reset, plan change notifications)
- Neon — Database hosting (encrypted data storage)
Each provider processes data under their own privacy policies and is bound by data processing agreements.
5. Cookies & Local Storage
We use only essential cookies and local storage. We do not use any tracking or analytics cookies.
| Name | Type | Purpose |
|---|---|---|
| andorius_session | Cookie | Session authentication (keeps you signed in) |
| andorius.demo_billing | Cookie | Demo billing mode indicator |
| andorius.cookie_consent | localStorage | Records your cookie consent preference |
| theme | localStorage | Stores your light/dark theme preference |
6. Data Retention
- Account data is retained for as long as your account is active.
- Upon account deletion, all personal data is permanently removed within 30 days.
- Usage logs (daily playback records) are retained for up to 365 days for service improvement purposes, then automatically purged.
- Stripe retains payment records according to their own retention policies and legal obligations.
7. Your Rights
Under the General Data Protection Regulation (GDPR) and applicable data protection laws, you have the following rights:
- Access — Request a copy of the personal data we hold about you
- Rectification — Request correction of inaccurate or incomplete data
- Erasure — Request deletion of your personal data
- Portability — Receive your data in a structured, machine-readable format
- Restriction — Request that we limit how we process your data
- Objection — Object to specific types of data processing
You can exercise these rights from your Account page or by emailing privacy@andorius.app.
7b. California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to Know — You may request details about the categories and specific pieces of personal information we collect about you.
- Right to Delete — You may request deletion of personal information we have collected from you.
- Right to Opt-Out of Sale — We do not sell your personal information to third parties. No opt-out is required.
- Right to Non-Discrimination — We will not discriminate against you for exercising your privacy rights.
To exercise these rights, visit your Account page or email privacy@andorius.app. We will respond to verified requests within 45 days.
8. Data Export & Deletion
You can export all your personal data or permanently delete your account at any time from your Account page. Data export includes your profile information, usage history, and saved preferences in a machine-readable JSON format.
9. Security
We implement industry-standard security measures to protect your data:
- HMAC-SHA256 session tokens for secure authentication
- scrypt password hashing with unique salts
- HTTPS encryption for all data in transit
- Rate limiting on authentication and API endpoints
- Encrypted database storage via Neon
10. Children
Andorius is not intended for use by children under the age of 16. We do not knowingly collect personal data from anyone under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete that information promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. When we make material changes, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically.
12. Contact
If you have any questions or concerns about this Privacy Policy or your personal data, please contact us at:
Email: privacy@andorius.app