Privacy Policy

Effective Date: February 17, 2026 · Last Updated: February 17, 2026

1. Introduction

Onomo Inc. (“onomo,” “we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the onomo platform located at onomo.io and any associated subdomains, applications, or services (collectively, the “Service”).

By using the Service, you consent to the data practices described in this policy. If you do not agree, please do not use the Service. This policy should be read in conjunction with our Terms of Service, Cookie Policy, Acceptable Use Policy, and Copyright Policy.

2. Information We Collect

2.1 Information You Provide Directly

  • Account Information: Email address, username, and password (stored as a cryptographic hash — we never store plaintext passwords) when you create an account.
  • Profile Information: Display name, avatar, and any other optional profile details you choose to provide.
  • Payment Information: When you make a purchase, payment details (credit card number, billing address) are processed directly by our payment processor (Stripe). We do not store your full credit card number on our servers. We retain only a tokenized reference, the last four digits, card type, and billing country for transaction records.
  • Support Communications: Any information you provide when contacting us for support, including email content, attachments, and metadata.
  • Marketplace Creator Information: If you sell content on the marketplace, we collect additional information required for payment processing and tax reporting (e.g., legal name, tax identification number, payout details).

2.2 Information Generated Through Use

  • Project Data: Music projects, patterns, presets, synth parameters, drum patterns, audio recordings, mixer settings, automation curves, and other creative content you produce. This data is stored locally in your browser (IndexedDB) by default and optionally synced to our cloud servers when you enable cloud sync.
  • AI Interaction Data: When you use the AIRESS AI co-producer, your text prompts and relevant project context (track names, note data, tempo, key, mixer settings, and other musical parameters) are transmitted to our AI processing provider to generate responses. See Section 5 for details on AI data processing.
  • Usage Analytics: Anonymous, aggregated data about feature usage, session duration, page views, button clicks, and error reports. This data is used solely to improve the Service and does not include personally identifiable information.

2.3 Information Collected Automatically

  • Device Information: Browser type and version, operating system, screen resolution, and device type.
  • Network Information: IP address (anonymized for analytics), referring URL, and general geographic location (country/region level, not precise location).
  • Cookies and Local Storage: Essential cookies for authentication and session management, and browser local storage for application state. See our Cookie Policy for details.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Providing the Service: Operating the DAW, processing audio, rendering exports, syncing projects across devices, and managing your account.
  • AI Processing: Transmitting project context to our AI provider to generate contextually relevant musical content, drum patterns, chord progressions, and other AI-assisted features.
  • Payment Processing: Processing subscription payments, marketplace purchases, AI credit top-ups, and marketplace creator payouts.
  • Communication: Sending transactional emails (account verification, password resets, payment receipts), service announcements, and security alerts. We will not send marketing emails without your explicit opt-in consent.
  • Service Improvement: Analyzing anonymous usage patterns to identify bugs, improve performance, and prioritize feature development.
  • Security and Fraud Prevention: Detecting and preventing unauthorized access, abuse, fraud, and violations of our Terms of Service.
  • Legal Compliance: Complying with applicable laws, regulations, legal processes, or governmental requests.

4. Data Storage and Security

4.1 Local Storage. By default, your project data is stored locally in your browser using IndexedDB and localStorage. This data resides on your device and is not transmitted to our servers unless you enable cloud sync. Local data is subject to your browser's storage policies and may be lost if you clear browser data.

4.2 Cloud Storage. When cloud sync is enabled, your project data is encrypted in transit using TLS 1.2 or higher and encrypted at rest on our servers. Audio files are stored in secure cloud storage with access controls. Cloud infrastructure is hosted by Vercel and Supabase, both of which maintain SOC 2 compliance.

4.3 Security Measures. We implement commercially reasonable security measures including: encryption in transit and at rest, secure password hashing (bcrypt), rate limiting, input validation, CSRF protection, Content Security Policy headers, and regular security reviews. However, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.

4.4 Breach Notification. In the event of a data breach that affects your personal information, we will notify affected users via email and/or in-app notification within seventy-two (72) hours of becoming aware of the breach, as required by applicable law. The notification will include the nature of the breach, the data affected, steps we are taking, and recommended actions for you.

5. AI Data Processing

5.1 What Data Is Sent to AI. When you use the AIRESS AI co-producer, the following project context data may be transmitted to our AI processing provider (currently Google Gemini): your text prompt, track names and types, note data (pitch, velocity, duration), tempo, key signature, time signature, mixer settings (volume, pan, effects), automation parameters, and sequencer patterns. This data is necessary for AIRESS to generate contextually relevant responses.

5.2 What Data Is NOT Sent. Raw audio recordings and audio files are NOT transmitted to the AI provider. Only structured musical data (MIDI-like note information, parameter values, and text) is sent.

5.3 AI Provider Data Handling. Our AI provider (Google) processes your data in accordance with its own privacy policies and data processing agreements. Under our agreement with Google, data sent through the Gemini API is not used to train Google's general AI models. Prompts and responses may be temporarily cached for performance optimization (context caching) but are not retained for model training purposes.

5.4 AI Conversation Storage. Your AIRESS conversation history is stored locally in your browser and, if cloud sync is enabled, on our servers as part of your project data. We do not separately analyze, mine, or use your AI conversations for any purpose other than providing the Service to you.

6. Third-Party Services

We use the following third-party services to operate the Service. Each has its own privacy policy governing its handling of your data:

  • Supabase — Authentication, database, and cloud storage infrastructure
  • Google Gemini API — AI co-producer processing (see Section 5)
  • Vercel — Application hosting and deployment
  • Stripe — Payment processing (PCI DSS Level 1 compliant)

We do not sell, rent, or trade your personal information to third parties. We do not share your data with third-party advertisers or data brokers. We only share data with the service providers listed above to the extent necessary to operate the Service.

7. Data Retention

Active Accounts. We retain your account information and cloud-synced project data for as long as your account is active.

Deleted Accounts. When you delete your account, we will permanently delete your personal information and cloud-stored project data within thirty (30) days. Some information may be retained in encrypted backups for up to ninety (90) days before being permanently purged. Anonymized, aggregated analytics data that cannot be used to identify you may be retained indefinitely.

Legal Obligations. We may retain certain information as required by applicable law, including transaction records for tax and accounting purposes (typically seven years) and data subject to legal holds or pending disputes.

Marketplace Creator Data. If you sell content on the marketplace, transaction records and tax-related information are retained as required by applicable tax law, even after account deletion.

8. Children's Privacy

The Service is not intended for children under thirteen (13) years of age. In compliance with the Children's Online Privacy Protection Act (“COPPA”), we do not knowingly collect personal information from children under 13.

If we learn that we have collected personal information from a child under 13, we will promptly delete the account and all associated data. If you are a parent or guardian and believe your child under 13 has provided personal information to us, please contact us at privacy@onomo.io and we will take immediate action.

Users between 13 and 18 years of age may use the Service with the consent of a parent or legal guardian, as described in our Terms of Service.

9. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

9.1 All Users

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Request correction of inaccurate or incomplete personal information.
  • Deletion: Request deletion of your account and all associated personal data.
  • Export: Export your projects and data from the Service at any time.
  • Opt-Out: Opt out of non-essential analytics and marketing communications.

9.2 European Economic Area (EEA) Residents — GDPR

If you are located in the EEA, you have additional rights under the General Data Protection Regulation (GDPR), including the right to: data portability, restriction of processing, objection to processing, and the right to lodge a complaint with your local data protection authority. Our legal bases for processing your data are: (a) performance of a contract (providing the Service), (b) legitimate interests (security, fraud prevention, service improvement), and (c) consent (where applicable, such as marketing communications).

9.3 California Residents — CCPA/CPRA

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including the right to: know what personal information we collect and how it is used, request deletion of your personal information, opt out of the “sale” or “sharing” of your personal information (we do not sell or share your personal information as defined by the CCPA/CPRA), and not be discriminated against for exercising your privacy rights.

To exercise any of these rights, contact us at privacy@onomo.io. We will respond to verified requests within thirty (30) days (or as required by applicable law).

10. International Data Transfers

onomo is operated from the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate. These countries may have data protection laws that differ from those in your jurisdiction.

By using the Service, you consent to the transfer of your information to the United States and other countries as described in this policy. Where required by applicable law (such as the GDPR), we rely on appropriate legal mechanisms for international data transfers, including Standard Contractual Clauses approved by the European Commission.

11. Do Not Track

Some browsers transmit “Do Not Track” (DNT) signals. We do not use third-party tracking cookies or advertising cookies, so the DNT signal does not change our data practices. We do not track users across third-party websites.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will provide at least thirty (30) days' notice via email or prominent in-app notification before the changes take effect. Non-material changes (such as formatting or clarification) may be made without notice. The “Last Updated” date at the top of this page indicates when the policy was last revised.

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised policy.

Contact Information

If you have questions or concerns about this Privacy Policy or our data practices, please contact us:

Onomo Inc.
Atlanta, Georgia, United States