Privacy Policy

Effective Date: October 5, 2025

Section 1: Information We Collect

We collect the following categories of information to provide, secure, and improve our services:

a. Account Information

When you sign in (e.g., via a third-party identity provider), we collect:

• Name
• Email address
• User/account ID
• Profile image (if provided)

Legal bases (GDPR): Contract (to provide the service), Legitimate interests (security & fraud prevention); Consent where required for specific features. CCPA/CPRA: Business purposes.

b. Audio & Transcription Data

If you use our recording features:

• We temporarily access your microphone to capture live audio.
• Audio is streamed to trusted speech-to-text providers for real-time transcription.
• Transcripts (not raw audio) may be analyzed by AI services to infer scene attributes (e.g., setting, tone, intensity) and enhance the in-session soundtrack.
• Raw audio is not retained by default; limited, short-term retention may occur only if you explicitly enable it for support/debugging.

Legal bases (GDPR): Consent; Legitimate interests for security/abuse prevention. U.S. state laws: audio processing disclosures as applicable.

c. Gameplay Metadata

We store:

• Session IDs and timestamps
• User ID associated with each transcript
• Extracted scene descriptions and tags (e.g., “dark forest”, “tense”, “low action”)
• Selected and played music tracks per scene

Purpose: to deliver personalized music and an immersive, low-friction experience.

d. Technical Information

When you access our service, we may automatically collect:

• IP address
• Browser type and version
• Operating system and device identifiers
• Usage logs (e.g., pages visited, session duration, errors)

This data is collected via our analytics and infrastructure providers and used for performance, reliability, and security.

Legal bases (GDPR): Legitimate interests (analytics, security, service improvement). CCPA/CPRA: Business purposes.

e. Cookies and Tracking Technologies

We use cookies and similar technologies (including local storage) to:

• Operate core features and maintain sessions
• Understand product usage and performance (e.g., analytics)
• Measure conversions from our own advertising campaigns
• Customize and improve your experience

We honor your choices via a cookie banner using consent controls. When consent is denied, only cookieless, aggregated measurement is used.

You can change your cookie choices at any time in the banner/preferences or disable cookies in your browser (some features may not work properly).

We do not sell or share personal information for cross-context behavioral advertising, and we do not enable interest-based remarketing by default. If optional personalization is offered later, we will request your opt-in and provide an opt-out.

Section 2: How We Use Your Information

We use the information we collect to operate, secure, and improve Journey Beyond, and to provide a responsive soundtrack experience.

a. Provide and Operate the Service

We use your information to authenticate your account, enable optional recording and transcription features, analyze transcripts to understand scenes, and deliver responsive music during play.

b. Personalize Content

We use scene data and usage signals (e.g., tags, skips, replays) to personalize music selection and improve transitions over time.

c. Communicate with You

If you provide contact details, we may send service updates, respond to inquiries, and share product or legal notices. You can opt out of non-essential communications at any time.

d. Maintain Security and Prevent Abuse

We use IP address, session identifiers, and activity logs to protect accounts, detect misuse, and enforce our Terms of Service.

e. Analyze and Improve the Platform

We use aggregated and/or de-identified data to understand usage trends, diagnose issues, and inform product decisions. These analyses are not used to identify individual users.

f. Comply with Legal Obligations

We may process or retain information as required by law, to respond to lawful requests, or to protect our rights and users.

Legal bases (GDPR): Contract (to provide the service), Consent (e.g., recording/transcription, certain analytics), and Legitimate interests (security, service improvement, essential analytics). CPRA: Business purposes.

Section 3: How We Share Your Information

We do not sell your personal information. We may share information with trusted service providers to operate, secure, and improve Journey Beyond, and as otherwise described below.

a. Service Providers (Processors)

We use third parties for cloud hosting, authentication, speech-to-text, AI analysis, analytics/measurement, content delivery, and security. These providers act on our instructions, are bound by confidentiality and security obligations, and may not use your information for their own purposes.

For transparency, we maintain a current list of subprocessors and data locations here: /subprocessors.

b. Legal and Regulatory Disclosure

We may disclose information to comply with laws or legal processes, respond to lawful requests by public authorities (e.g., court orders, subpoenas), or protect the rights, safety, and property of Journey Beyond, our users, or others.

c. Business Transfers

If Journey Beyond is involved in a merger, acquisition, financing, reorganization, or sale of assets, your information may be transferred as part of that transaction, subject to protections consistent with this policy. We will notify you if such a transfer materially changes how your data is handled.

d. With Your Consent

We may share information with third parties when you explicitly authorize it (for example, connecting your account to an integration or participating in beta features). We will request your permission before sharing beyond our core infrastructure.

e. Advertising & Measurement; “Sell”/“Share” (CPRA)

We use measurement tools to understand the effectiveness of our own advertising (e.g., conversions). We do not enable interest-based remarketing by default. We do not sell personal information or share personal information for cross-context behavioral advertising. If we offer optional personalization in the future, we will request your opt-in and provide an opt-out at any time.

f. International Data Transfers

We may process and store information in the United States and other countries where we and our service providers operate. When transferring personal data from the EEA/UK/Switzerland, we rely on appropriate safeguards (such as Standard Contractual Clauses and, where applicable, the UK Addendum).

Section 4: Your Rights and Choices

Depending on where you live, you may have certain rights over your personal information. We honor these rights consistent with applicable law.

a. Access and Portability

You can request a copy of the personal data we hold about you. Where technically feasible, we can provide it in a structured, commonly used format (e.g., JSON or CSV).

To request a copy of your data, email support@journeybeyond.io.

b. Correction

You can ask us to correct or update inaccurate or incomplete information.

c. Deletion (“Right to be Forgotten”)

You can request deletion of your account and associated data, including:

• Transcription history
• Session logs
• Extracted scenes and music selections

We may retain certain information where required by law or for fraud prevention and security, as permitted by law.

d. Withdrawal of Consent

If you previously consented to audio recording or analysis, you may withdraw consent at any time. Some features may no longer function without consent.

Withdrawing consent does not affect the lawfulness of processing before withdrawal.

e. Communications Preferences

You may opt out of non-essential emails (e.g., announcements, tips, beta invites). We may still send essential notices such as security or account alerts.

f. Cookies & Preferences

You can manage cookies and similar technologies via our cookie banner/preferences at any time. If you deny analytics/measurement, we use only cookieless, aggregated measurement where applicable. You can also control cookies through your browser settings (some features may not work properly).

g. Additional Rights by Region

EU/EEA & UK (GDPR/UK GDPR): You may also have the right to object to processing, restrict processing in certain circumstances, and lodge a complaint with your local supervisory authority.

California (CCPA/CPRA): You may request to know the categories and specific pieces of personal information we have collected and disclosed about you. We do not sell personal information or share it for cross-context behavioral advertising. You also have the right to correct and delete personal information, and to limit use of sensitive personal information where applicable.

h. How to Make a Request

To exercise any rights, email support@journeybeyond.io with:

• Your account email
• A description of your request
• Proof of identity (we may request verification for security)

We aim to respond without undue delay and within the timeframes required by law (e.g., 30–45 days, with possible extension where permitted). You will not be discriminated against for exercising your rights. Authorized agents may submit requests where permitted by law.

Section 5: Data Retention

We retain information only for as long as necessary to fulfill the purposes described in this Privacy Policy, including providing our services, complying with legal obligations, resolving disputes, and enforcing our agreements.

a. Account Information

• Your account data (e.g., name, email, user/account ID) is retained for as long as your Journey Beyond account remains active.
• If you delete your account or request removal, your account data will be permanently deleted typically within 30 days, unless we are legally required to retain it longer.

b. Transcriptions and Scene Data

• Transcribed text, analyzed passages, and associated scene tags are retained to support replay/history features and to improve the soundtrack experience.
• You can request deletion of session history at any time. Deleting a session also deletes its associated transcripts and music selections.

c. Audio Recordings

• Raw audio is not stored by default; it is processed in real time by trusted speech-to-text providers and then discarded.
• In limited support/debug cases, and only with your explicit consent, temporary audio may be retained for up to 3 days and then deleted. We do not use audio for biometric identification.

d. Technical Logs and Metadata

• System logs, crash reports, and de-identified/aggregated usage data are retained for up to 12 months for performance monitoring, reliability, and security.
• Fully aggregated analytics (which cannot reasonably be linked to an individual) may be retained for longer to understand long-term trends.

e. Legal Retention

• We may retain certain information as required to comply with law (e.g., audit, tax, or regulatory requirements), to enforce our terms, or to defend against legal claims.

Section 6: Children’s Privacy

Journey Beyond is not directed to children, and we do not knowingly collect personal information from children under 13.

a. U.S. Compliance (COPPA)

In accordance with the Children’s Online Privacy Protection Act (COPPA):

• Users under 13 are not permitted to create accounts or use recording/transcription features.
• If we learn that a child under 13 has provided personal information without verified parental consent, we will delete it promptly.

b. International Considerations

If you are located in the European Economic Area (EEA) or United Kingdom, the minimum age to use Journey Beyond is 16, unless your country’s law permits a lower age between 13 and 16 with parental/guardian consent. We do not knowingly allow use by anyone under 13.

Parents or guardians who believe their child may have provided personal information should contact us at support@journeybeyond.io.

c. Age Verification

We rely on users to confirm eligibility during sign-up or before using recording features and may request additional age or consent verification where required by law.

Section 7: Security Measures

We take the security of your data seriously and implement technical and organizational measures to help protect personal information from unauthorized access, loss, misuse, or alteration.

a. Data Encryption

• All communications with our services (including audio streams and API traffic) are protected using TLS/HTTPS.
• Sensitive data (e.g., authentication tokens, session records) is encrypted in transit and at rest using industry-standard mechanisms.

b. Access Controls

• Access to user data is limited to authorized personnel under the principle of least privilege and only as needed to operate or support the platform.
• Account access is governed by authentication and role-based permissions; administrative access requires additional safeguards.

c. Secure Infrastructure

• We use reputable cloud infrastructure with network protections (e.g., DDoS mitigation, firewalls) and continuous monitoring.
• We follow secure development practices, including regular updates, dependency management, and vulnerability scanning.

d. Incident Response

If a security incident affects your personal information, we will investigate, mitigate, and notify affected users without undue delay and, where required by law, within 72 hours. We will provide guidance on protective steps and any next actions.

e. User Responsibilities

You can help keep your account secure by:

• Keeping your credentials confidential and using strong, unique passwords
• Preventing unauthorized access to your devices and account
• Promptly reporting suspicious activity to support@journeybeyond.io

Section 8: Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons.

a. Notification of Changes

• We will update the “Effective Date” at the top of this policy.
• For material changes, we will provide additional notice (e.g., in-app or email, if you have provided an email address).

Non-material changes may be made without additional notice and will be reflected in the updated policy.

b. Continued Use

By continuing to use Journey Beyond after changes take effect, you agree to the revised Privacy Policy. If you do not agree, you should discontinue use and may request deletion of your data.

c. Prior Versions

We maintain a version history of this policy and can provide prior versions upon request.

Section 9: Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our handling of personal information, contact us:

Journey Beyond
Email: support@journeybeyond.io
Contact: /feedback

We aim to respond to privacy-related inquiries within 7 business days. If your request is urgent (e.g., account security or data deletion), please indicate that in the subject line.

Data Controller: Journey Beyond. Our service providers act as processors under our instructions.

California Privacy: We do not sell personal information or share personal information for cross-context behavioral advertising. If this changes, we will update this policy and provide an opt-out link. You can also visit /do-not-sell-or-share for more information.

Optional: EU/UK Data Protection Authorities

If you are an EU/UK resident and believe your data protection rights have been violated, you may contact your local Data Protection Authority. A list is available at: https://edpb.europa.eu/about-edpb/board/members_en