Privacy Policy

Last updated: 15 June 2026

This Privacy Policy explains how the Beethovium application ("the app") handles personal data. It is written for the people who use the app and for the data-protection rules that apply to them, including the EU General Data Protection Regulation (GDPR).

The app is an ear-training application. It is developed and operated by an independent developer ("the developer"), who is the data controller for the personal data described below. The developer can be reached at [email protected] for any question or request relating to this policy or to personal data.

Who this policy is for

The app is intended for general audiences aged 16 and over. It is not directed to children under 16, and the developer does not knowingly collect personal data from anyone under 16. If a parent or guardian believes that a child under 16 has provided personal data, they may contact the address above and the data will be deleted.

What data is collected, and why

The app collects only what it needs to provide an account and to function. There is no advertising, and there are no third-party analytics, tracking, or attribution tools in the app.

Account data. When an account is created with an email address and password, the email address is stored, and the password is stored only as a secure one-way hash (bcrypt) — the password itself is never stored or recoverable. When an account is created through Google or Apple sign-in instead, the app receives a verified identity token from the provider; from it, a stable provider identifier and (where the provider supplies one) an email address are stored to identify the account. No password exists for accounts created this way.

Email confirmation. For accounts created with email and password, a confirmation email is sent so the address can be verified. This uses the email address and a one-time confirmation link.

Technical data needed to run the service. When a device connects to the service, a device/installation record is created so the account can be associated with the app on that device. As part of this, the IP address seen at registration is recorded, and basic technical details such as platform and app version are stored. The IP address is used for abuse prevention and rate limiting; it is not used to profile or track users, and it is not written to application logs.

Learning activity. The service records progress and per-track practice activity so the learning experience works and so anonymous, aggregate usage can be understood. On the device itself, the app also stores progress, scores, settings, and cached lesson audio so it works smoothly and offline where possible.

The app stores authentication tokens on the device in the operating system's secure storage (the Android Keystore-backed encrypted store, and the iOS Keychain). The email address and account identity are not stored on the device; they are held only in memory while the app is running and re-fetched from the service as needed.

How the data is used

Personal data is used only to create and maintain the account, to verify the email address, to deliver the ear-training functionality, to keep the service secure and prevent abuse, and to respond to requests sent to the contact address. It is not sold, and it is not used for advertising or cross-service tracking.

Who else processes the data

A small number of service providers process data on the developer's behalf to make the app work. They act as processors or sub-processors and only handle what is necessary for their function:

• Resend — sends account emails (confirmation and password-reset links, and, where a user submits feedback, the feedback message). It receives the recipient's email address and the relevant message or link.
• Hetzner — hosts the servers and database, located in the European Union. It stores the data at rest.
• Cloudflare — routes and protects web traffic to the service, and handles inbound email routing. In doing so it processes connection metadata and data in transit.
• The developer's support inbox (operated via Google) — receives outbound copies of certain messages (such as feedback) and any replies users send to account emails.

In addition, when a user chooses Sign in with Google or Sign in with Apple, that sign-in happens between the user's device and Google or Apple directly, before any token reaches the service. The service then verifies the resulting token using Google's and Apple's public keys; no user information is sent from the service to Google or Apple in order to do this. Each provider's own privacy policy governs the sign-in step.

Data is hosted in the European Union. Where a provider processes data outside the EU, it does so under the safeguards that provider maintains for international transfers.

How long data is kept, and what happens when an account is deleted

An account can be deleted at any time, in two ways: from within the app, or through the web page at https://www.beethovium.com/delete-account, which sends a confirmation link to the account's email address so that only the account owner can complete the deletion.

When an account is deleted, the deletion is immediate and permanent — there is no recovery period. The following are erased: the account record and email address, the password hash, authentication and refresh tokens, confirmation and password-reset tokens, the linked Google/Apple identity, submitted feedback, and the IP address recorded for that account's devices.

Some non-identifying records are kept after deletion, de-linked from the account so they can no longer be tied to a person: anonymous per-track practice counts (retained as aggregate usage data) and a one-time coupon-redemption ledger (kept so a single-use code cannot be reused). These no longer reference the deleted account.

Outside of deletion, the service does not currently run automated data-pruning, so records persist until an account is deleted or they are removed manually. Backups may temporarily retain data after deletion until they rotate out of the normal backup cycle.

Your rights

Under the GDPR and similar laws, you have the right to access the personal data held about you, to correct it, to have it deleted, to restrict or object to certain processing, and to receive a copy of it. Deletion can be carried out directly using the methods above. For access, correction, a copy of your data, or any other request, contact [email protected] and the request will be handled. You also have the right to lodge a complaint with your local data-protection authority.

Changes to this policy

This policy may be updated as the app changes. Material changes will be reflected here with an updated date at the top. If the app later introduces features that collect or use data differently — for example, notifications — this policy will be updated before those features are released.

Contact

For any privacy question or request: [email protected]