Privacy Policy
Last Updated: June 11, 2026
1. Introduction
Vortex App LLC ("Vortex," "we," "us," or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our desktop application, mobile application, and website (collectively, the "Service").
2. Information We Collect
2.1 Account Information
When you create an account, we collect information based on your sign-up method:
- Email/Password: Email address and password (stored securely hashed)
- Discord OAuth: Discord user ID, email address, username, and profile picture
- Google OAuth: Google user ID, email address, name, and profile picture
For OAuth sign-ups, we do not store passwords. Authentication is handled securely through the respective OAuth provider.
2.2 Audio Files and Metadata
When you upload audio files, we collect and store:
- Audio file content
- Filename, file size, and format
- Duration
- BPM (tempo), extracted automatically
- Tags and labels you assign
- Source information (e.g., imported from Gmail, Dropbox)
- Content hash (for duplicate detection)
2.3 Contact Information
If you use our contact management features, we collect and store contact information that you choose to import or manually add:
- Contact names and email addresses
- Phone numbers (for SMS features)
- Preferred music genres (if you assign them)
Phone Contact Import: On mobile devices, you may choose to import contacts from your phone's address book. When you tap "Import from Phone," your device will prompt you to grant contact access. On iOS, you can choose to share all contacts or select specific contacts. Only the contacts you select and import are transmitted to and stored on our servers. We do not automatically access or sync your entire address book—you control exactly which contacts are imported.
Desktop Contact Entry: On the desktop app, you can manually add contacts by entering their name, email, and phone number. This information is stored on our servers to enable cross-device synchronization.
You can view, edit, or delete any imported contact at any time through the Manage Contacts section in the app.
2.4 Third-Party Integration Data
When you connect third-party services, we collect:
- Gmail: Email address, OAuth tokens (encrypted), message IDs for imported attachments. We scan email messages to identify audio file attachments and links to audio files (e.g., Dropbox, Google Drive links). We do not store or analyze email content beyond extracting audio-related attachments and links.
- Google Drive: Email address, OAuth tokens (encrypted), folder names and IDs. We access your Drive to upload audio files to folders you specify. We do not access or read other files in your Drive.
- Dropbox: Email address, OAuth tokens (encrypted). We access your Dropbox to import audio files you select. We do not access or read other files in your Dropbox.
- YouTube: Vortex uses YouTube API Services. We collect your email address, channel ID and title, and OAuth tokens (encrypted). We access your channel to upload audio visualization videos you create. We do not access your watch history, subscriptions, or other YouTube data. By using our YouTube integration, you agree to be bound by the YouTube Terms of Service. You can learn how Google handles your data at Google's Privacy Policy.
- Instagram: Account ID, username, OAuth tokens (encrypted). We scan direct messages to identify audio file attachments and links to audio files (e.g., Dropbox, Google Drive links). We do not store or analyze message content beyond extracting audio-related attachments and links.
2.5 Email Tracking Data (Omega Plan Only)
If you use email tracking features (available on paid plans), we collect:
- Recipient email addresses
- Email open timestamps
- Approximate recipient location (derived from IP address)
- Device type and email client information
2.6 Activity and Usage Data
We automatically collect:
- Activity logs (actions you take within the Service)
- File upload and download history
- Feature usage patterns
- Device information (for mobile: device ID, platform type)
- Push notification tokens (for mobile notifications)
2.7 Payment Information
Payment processing is handled by Stripe. We store only:
- Stripe customer ID
- Subscription status and plan type
We do not store credit card numbers, CVVs, or full payment details. Stripe's privacy policy governs payment data handling.
2.8 Cookies and Similar Technologies
We use cookies, localStorage, and similar technologies to operate our Service and improve your experience:
- Essential Storage: We use localStorage and session cookies to maintain your authentication state, remember your preferences, and enable core functionality. These are strictly necessary for the Service to function.
- Analytics (Cloudflare Web Analytics): We use Cloudflare Web Analytics to understand how visitors interact with our website. Cloudflare collects anonymized, aggregated data about page views and visitor counts. It does not use cookies or collect personally identifiable information. You can learn more at Cloudflare's Web Analytics page.
- Product Analytics (Mixpanel): We use Mixpanel to understand how users interact with our application, identify issues, and improve features. Mixpanel collects usage data including page views, feature interactions, and session recordings. When you are logged in, this data is associated with your user ID and email. Mixpanel stores this data using localStorage. You can learn more at Mixpanel's Privacy Policy.
- Affiliate Tracking (Endorsely): Our marketing website uses Endorsely to track affiliate referrals. When you visit via an affiliate link, Endorsely may set cookies or use localStorage to attribute your signup to the referring affiliate. This data is used solely to compensate affiliates and is not used for advertising purposes. You can learn more at Endorsely's Privacy Policy.
Managing Cookies: You can control cookies through your browser settings. Most browsers allow you to block or delete cookies. However, blocking essential cookies may prevent you from using certain features of the Service. Clearing your browser's localStorage will remove stored preferences and may require you to log in again.
3. How We Use Your Information
We use your information to:
- Provide, maintain, and improve the Service
- Process and store your audio files
- Enable file distribution via email, cloud storage, and social platforms
- Synchronize data between your desktop and mobile devices
- Send push notifications (with your consent)
- Process subscription payments
- Provide email tracking analytics (Omega plan)
- Respond to your requests and support inquiries
- Detect and prevent fraud or abuse
- Comply with legal obligations
4. How We Share Your Information
4.1 Third-Party Service Providers
We share data with service providers who help us operate the Service:
- Supabase: Database hosting, authentication, and file storage
- Stripe: Payment processing
- Expo: Mobile push notifications
- Cloud Workers: Audio and video processing
- Mixpanel: Product analytics and session recording
4.2 Connected Platforms
When you use integrations, your content is shared with those platforms according to your instructions:
- Gmail receives emails and attachments you send
- Google Drive receives files you upload
- Dropbox provides files you import
- YouTube receives videos you publish
- Instagram receives content you post
4.3 Legal Requirements
We may disclose your information if required by law, court order, or government request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
4.4 Business Transfers
If Vortex is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any change in ownership or uses of your information.
5. YouTube API Services
Vortex uses YouTube API Services to enable you to upload audio visualization videos directly to your YouTube channel. By using Vortex's YouTube features, you agree to be bound by the YouTube Terms of Service.
For information about how Google handles your data, please review Google's Privacy Policy.
What YouTube data we access: When you connect your YouTube account, we access only your channel ID and channel title to display which account is connected and to upload videos on your behalf. We do not access your watch history, subscriptions, playlists, or any other YouTube data.
Direct uploads: Videos are created and uploaded directly to YouTube without intermediate storage on our servers. Your video content is never stored on Vortex infrastructure during the YouTube upload process.
Data retention: Any data retrieved from YouTube API Services is used only for the purpose of uploading your videos and is refreshed or deleted within 30 days. We do not store YouTube statistics, analytics, or viewer data.
Revoking access: You can disconnect your YouTube account at any time through the Vortex app settings. You can also revoke Vortex's access via your Google Account permissions.
6. Google API Services Usage
Vortex's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
5.1 What Google Data We Access
When you connect your Google account, we access only the data necessary to provide the features you request:
- Gmail: We scan email messages to identify audio file attachments and links to audio files (e.g., Dropbox, Google Drive links). We do not store or analyze email content beyond extracting audio-related attachments and links.
- Google Drive: We access your Drive to upload audio files to folders you specify. We do not access or read other files in your Drive.
- YouTube: We access your channel to upload videos you create. We do not access your watch history, subscriptions, or other YouTube data.
5.2 OAuth Scope Justifications
We request the minimum OAuth scopes necessary to provide our core functionality. Below is a detailed justification for each scope we request and why lesser scopes cannot fulfill our functionality:
Non-Sensitive Scopes
openid
Purpose: Required for OAuth 2.0 authentication to securely identify you and associate your Google account with your Vortex account.
Why necessary: This is the base scope required for any Google OAuth flow. Without it, we cannot authenticate you or verify your identity. There is no lesser alternative.
../auth/userinfo.email
Purpose: Retrieves your Google account email address to display which account is connected and to prevent duplicate integrations.
Why necessary: Users need to see which Google account is connected to their Vortex account. This scope only provides email—we do not request userinfo.profile which would include name and photo.
../auth/drive.file
Purpose: Allows uploading audio files to Google Drive folders you specify for distribution to your contacts.
Why necessary: This is already the most restrictive Drive scope available. It only grants access to files that Vortex creates or that you explicitly open with Vortex—we cannot see or access any other files in your Drive. The broader "drive" scope would grant full access to all files, which we do not need or request.
Sensitive Scopes
../auth/gmail.send
Purpose: Enables sending audio files as email attachments directly from Vortex to your contacts.
Why necessary: Our core feature is distributing audio files via email. This scope only allows sending emails—it does not allow reading, modifying, or deleting any emails. The alternative would require users to manually compose and send each email outside of Vortex, defeating the purpose of our distribution platform.
../auth/youtube.upload
Purpose: Allows uploading audio visualization videos you create in Vortex directly to your YouTube channel.
Why necessary: This is the most restrictive YouTube scope that permits uploads. It only allows uploading videos—we cannot access your existing videos, playlists, subscriptions, watch history, or any other YouTube data. There is no lesser scope that would allow video uploads.
Restricted Scopes
../auth/gmail.readonly
Purpose: Enables automatic import of audio file attachments from incoming emails, and detection of audio file links (Dropbox, Google Drive) shared with you via email.
Why necessary: Our "One Inbox" feature consolidates audio files from multiple sources including email. To detect and import audio attachments, we must read email content. This scope is read-only—we cannot modify, delete, or send emails with it. Lesser scopes like "gmail.metadata" would only provide headers (sender, subject, date) without access to attachments or message bodies, making audio import impossible. We use Gmail Pub/Sub to process only new incoming messages, and we do not store or analyze email content beyond extracting audio files.
5.3 Scope Selection and Opt-Out
You are not required to grant all scopes to use Vortex. Google integrations in Vortex are organized into four categories, each with its own OAuth scope. You can enable only the integrations you need:
- Input (Email Import): Uses gmail.readonly to automatically import audio attachments from your inbox. If you prefer to add files manually, you don't need this integration.
- Output (Email Sending): Uses gmail.send to send audio files to contacts directly from Vortex. Skip this if you don't need email distribution.
- Google Drive: Uses drive.file to upload and share audio files via Google Drive folders. Skip this if you don't use Drive for distribution.
- YouTube: Uses youtube.upload to publish audio visualization videos to your YouTube channel. Skip this if you don't need YouTube publishing.
Each integration is independent—you can connect any combination of these four categories based on your workflow. When you connect an integration, you will be prompted to grant the specific scope it requires. Features that require a scope you haven't granted simply won't be available, but all other Vortex functionality will work normally. You can always add or remove integrations later in the app settings.
5.4 Limited Use Disclosure
Vortex's use of Google user data is limited to providing and improving the specific features you enable. We do not:
- Sell Google user data to third parties
- Use Google user data for advertising purposes
- Use Google user data to build user profiles for purposes unrelated to the Service
- Transfer Google user data to third parties except as necessary to provide the Service, comply with law, or as part of a business transfer (with user notice)
5.5 Data Minimization and Revocation
We request only the minimum OAuth scopes necessary for each feature. You can disconnect any Google integration directly in the Vortex app: scroll down to the Integrations section on the main page and click the X button next to any connected account. This immediately removes the integration and deletes the associated tokens from our database, stopping Vortex from accessing that account.
For complete revocation, you can also review and revoke Vortex's access via your Google Account permissions.
5.6 OAuth Token Security
OAuth tokens that grant access to your Google account are encrypted at rest using AES-256-GCM encryption and transmitted only over encrypted connections (TLS 1.2+). We use short-lived access tokens (1 hour) and securely stored encrypted refresh tokens. Access is limited to authenticated services that require it to perform your requested actions.
We implement PKCE (Proof Key for Code Exchange) for all OAuth flows to protect against authorization code interception attacks. This industry-standard security measure ensures that even if an authorization code is intercepted, it cannot be exchanged for tokens without the original cryptographic verifier.
7. Data Retention
Vortex is designed primarily as a staging and distribution platform. We retain your data as follows:
- Account data: Retained until you delete your account
- Saved audio files: If you explicitly save a file through the app, it is retained indefinitely until you choose to delete it. You can delete individual files or all of your data at any time through the app.
- Cached files: Files that have not been explicitly saved are automatically deleted after 30 days
- Temporary video files: Videos created for Google Drive or Dropbox uploads are temporarily stored and automatically deleted after 1 hour. YouTube uploads are streamed directly to YouTube without intermediate storage on our servers.
- YouTube API data: Any data retrieved from YouTube API Services is refreshed or deleted within 30 days in accordance with YouTube API Services policies
- Pending SMS messages: Automatically deleted after 1 hour
- Activity logs: Retained for the lifetime of your account
- Email tracking data: Retained for analytics purposes
You have full control over your data. You can delete individual files, contacts, integrations, or your entire account and all associated data directly through the app at any time.
8. Data Security
We implement appropriate security measures to protect your information:
- All data is transmitted over encrypted connections (TLS/HTTPS)
- OAuth tokens are encrypted at rest in our database
- Passwords are securely hashed; OAuth authentication available via Discord and Google
- Database access is restricted using Row-Level Security policies
- We regularly review and update our security practices
However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
7.1 Encryption Standards
We use industry-standard encryption to protect your data:
- Data in Transit: All communications use TLS 1.2 or higher (HTTPS) with strong cipher suites
- OAuth Tokens at Rest: Encrypted using AES-256-GCM (Advanced Encryption Standard with 256-bit keys in Galois/Counter Mode), providing both confidentiality and authenticity
- Passwords: Hashed using bcrypt with appropriate cost factors; we never store plaintext passwords
- Database: Hosted on Supabase with encryption at rest enabled
- File Storage: Audio files stored in encrypted cloud storage buckets
7.2 Security Incident Response
In the event of a security incident or data breach that affects your personal information, we will:
- Notify affected users within 72 hours of confirming the breach via email and/or in-app notification
- Describe the nature of the incident and the types of data potentially affected
- Explain the steps we are taking to address the incident and prevent future occurrences
- Provide guidance on steps you can take to protect yourself
- Report to relevant regulatory authorities as required by applicable law
We maintain incident response procedures and conduct regular security assessments to identify and address potential vulnerabilities.
7.3 Vulnerability Disclosure
We appreciate the security research community's efforts to improve the security of our Service. If you discover a security vulnerability, please report it responsibly:
- Email: security@getvortex.app
- Include a detailed description of the vulnerability and steps to reproduce
- Allow us reasonable time to investigate and address the issue before public disclosure
- Do not access, modify, or delete other users' data during your research
We commit to acknowledging receipt of vulnerability reports within 48 hours and will work with researchers in good faith to understand and resolve issues promptly.
9. Device Permissions
Our mobile app may request the following permissions:
- Contacts: To import contacts from your phone for file sharing and SMS messaging. On iOS, you can grant full access or select specific contacts to share. Only contacts you explicitly import are sent to our servers. You can update your contact access at any time in the app or in your device settings.
- Photos/Media: To save audio visualization videos to your device
- Push Notifications: To receive alerts about file deliveries and updates
- SMS: To send audio files via text message (messages are composed on-device and sent through your phone's messaging app)
You can manage these permissions through your device settings at any time. The app includes an "Update contact access in Settings" link to help you modify which contacts are shared with the app.
10. Your Rights and Choices
10.1 Access and Portability
You can access and download your audio files and account data at any time through the Service. We provide an "Export My Data" option in the Settings page under Security Options, which allows you to download a complete copy of your personal data in a portable format.
10.2 Correction
You can update your account information, contact details, and file metadata through the Service settings.
10.3 Deletion
You can delete individual files, contacts, and integrations at any time through the app. You can also delete your entire account and all associated data directly through the app settings.
10.4 Disconnect Integrations
You can disconnect third-party services (Gmail, Google Drive, Dropbox, YouTube, Instagram) at any time. Simply scroll to the Integrations section on the main page and click the X button next to any connected account. This immediately removes the integration from your account and deletes the associated tokens from our database.
10.5 Opt-Out of Notifications
You can disable push notifications through your device settings or by logging out of the mobile app.
11. California Privacy Rights
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know: You can request information about the categories and specific pieces of personal information we have collected about you.
- Right to Delete: You can request deletion of your personal information, subject to certain exceptions.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
We do not sell your personal information to third parties.
To exercise your California privacy rights, contact us at security@getvortex.app.
12. Children's Privacy
The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will delete that information promptly. If you believe we may have collected information from a child under 13, please contact us at security@getvortex.app.
13. International Data Transfers
Your information may be transferred to and processed in countries other than your own. Our service providers, including Supabase and cloud processing services, may process data in the United States and other jurisdictions. By using the Service, you consent to the transfer of your information to these locations.
14. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the Service or by email. The "Last Updated" date at the top of this page indicates when this policy was last revised. Your continued use of the Service after changes become effective constitutes your acceptance of the revised policy.
15. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us at:
Vortex App LLC
Email: security@getvortex.app
16. Additional Disclosures for European Union (EU) and United Kingdom (UK) Residents
If you are located in the European Economic Area (EEA) or the United Kingdom (UK), the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 apply to our processing of your personal data.
16.1 Data Controller & Data Processor Roles
- Vortex as Data Controller: Vortex App LLC is the data controller for the personal information we collect directly from you to create and manage your account, process payments, and analyze app performance.
- Vortex as Data Processor: When you upload, sync, or manually enter third-party contact information (such as collaborator emails or phone numbers) into our Service, you act as the Data Controller of that information. Vortex acts strictly as a Data Processor, handling that data on your behalf to provide the contact management features. By importing these contacts, you affirm you have the legal right or consent to share this information with us.
16.2 Lawful Bases for Processing
We only process your personal data when we have a valid legal basis under the GDPR:
- Performance of a Contract: To create your account, securely authenticate you via OAuth, process payments via Stripe, sync data between your devices, host your uploaded audio files, and deliver transactional notifications (such as send confirmations and delivery alerts).
- Legitimate Interests: To monitor app stability, prevent fraud, secure our network, and operate cookieless infrastructure analytics (Cloudflare), provided these interests do not override your privacy rights.
- Consent: For non-essential cookies and tracking technologies, including product analytics (Mixpanel), ad performance (Meta Pixel), affiliate referral tracking (Endorsely), email open tracking (Omega Plan), and promotional marketing emails or push notifications. You can withdraw your consent at any time via the "Cookie Preferences" link in our footer, which re-opens the consent banner. Withdrawal halts further collection going forward but does not affect the lawfulness of any processing carried out before withdrawal.
16.3 International Data Transfers
Vortex App LLC is located in the United States. To protect your personal data when it is transferred out of the EEA or UK, we ensure a similar degree of protection is afforded to it by implementing Standard Contractual Clauses (SCCs) approved by the European Commission (and the UK Addendum) within our agreements with our infrastructure, payment, and analytics sub-processors — including Supabase (database and storage), Stripe (payment processing), Cloudflare (edge infrastructure and cookieless analytics), Mixpanel (product analytics, consent-gated), Meta Platforms (advertising pixel, consent-gated), and Endorsely (affiliate referral tracking, consent-gated).
16.4 Your European Privacy Rights
In addition to the rights outlined in Section 10 of this policy, you have the following rights under the GDPR:
- Right to Restrict Processing: You can request that we suspend the processing of your data while maintaining its storage.
- Right to Object: You have the absolute right to object to our processing of your data for direct marketing purposes, or processing based on our legitimate interests.
- Right to Lodge a Complaint: You have the right to lodge a complaint with your local Data Protection Authority (DPA) regarding our collection and use of your personal data.
To exercise any of these rights, please contact us at security@getvortex.app. We will respond to your request within one month, in line with GDPR Article 12(3).