Privacy Policy

Effective date: 28/09/2025
Who we are: Inner Rhythm (“we”, “us”, “our”).
Contact: Inner Rhythm, hello@yourinnerrhythm.com (or use /contact on our site).

This policy explains what we collect, why we collect it, how we use it, and your choices. It applies to our website and service (the “Service”).

1) The short version

  • We use Outseta for sign-in and subscriptions, Stripe for payments, Bunny.net for streaming via signed links, and Cloudflare for delivery.

  • No advertising or retargeting.

  • We track listening activity to power in-app stats and improve content (e.g., most-played tracks).

  • Cookies: only essential cookies for auth + optional Squarespace Analytics cookies (controlled by our cookie banner).

  • We also use first-party localStorage for product features (streaks, referral code, etc.).

  • You can access, correct, export, or delete your data; just contact us.

2) What we collect

a) Account & billing (you provide)

  • Name, email, password (hashed), country; subscription/billing details handled by Outseta/Stripe.
    Why: run your account; provide paid features; process payments.
    Legal basis (GDPR): Contract performance.

b) Product analytics (when you use the Service)

  • Playback/session events (track ID, play/pause, minutes, completion %, streaks); lightweight device/tech (browser, timezone); referral code if present.
    Why: in-app stats; improve content; prevent abuse.
    Legal basis: Legitimate interests (product analytics & security).
    We do not collect: advertising IDs, precise location, cross-site behavior.

c) Support

  • Messages you send us.
    Why: respond and help you.
    Legal basis: Legitimate interests / Contract.

3) Cookies, localStorage & the cookie banner

A. Essential cookies (always on; no consent required)

Auth / session (Outseta)
– Purpose: Keep you securely signed in and allow access to member-only content.
– Attributes: Secure, HttpOnly, SameSite.
– Duration: Persistent (up to 75 days, configured by us).

CSRF / security (Outseta / site host)
– Purpose: Protect against abuse and invalid requests.
– Attributes: Secure, SameSite.
– Duration: Short-lived.

Infrastructure / performance (Cloudflare / site host, if present)
– Purpose: Reliability, caching, bot mitigation.
– Attributes: Secure.
– Duration: Short-lived.

B. Squarespace Analytics (optional; controlled by banner)

  • What: first-party analytics cookies from Squarespace that count visits and basic page interactions across our own site.

  • Why: understand site usage to improve pages; no ads or cross-site tracking.

  • Consent: Our cookie banner lets you opt in/out of these analytics cookies. If you decline, only essential cookies are set.

C. LocalStorage (first-party, no consent required)

We store small product values locally (no cross-site tracking), e.g.:

  • ir_today_minutes, ir_today_sessions, ir_month_sessions, ir_current_daily_streak, ir_best_daily_streak

  • ir_counts_by_track_json, ir_counts_by_category_json, ir_reflections_json, ir_favourites_json

  • ir_ref (your referral code if you arrived with ?ref=)

Squarespace may also briefly set a localStorage["test"] key to check storage support.

D. Media & embeds

Audio streams from Bunny.net using signed URLs; no third-party ad cookies. If we ever add third-party embeds (e.g., YouTube), we’ll load them behind a click-to-play notice.

4) How we use data

  • Operate the Service (auth, entitlements, account screens).

  • Deliver audio securely (short-lived signed links).

  • Improve content (aggregate listens/completions).

  • Product features (streaks, favorites, quick stats).

  • Security & fraud prevention.

We aggregate or de-identify data when reasonable.

5) Processors (data sub-processors)

  • Outseta - membership, auth, billing, webhooks

  • Stripe - payment processing (we never see full card info)

  • Bunny.net - CDN/streaming via signed URLs

  • Cloudflare - DNS/edge and Workers for serverless endpoints

  • Squarespace - website hosting/CMS & optional Squarespace Analytics

We don’t sell your personal data.

6) International transfers

Data may be processed in the US/EU/UK and other regions where our processors operate, under appropriate safeguards (e.g., SCCs).

7) Retention

  • Account & billing: as long as your account is active and as required by law.

  • Product analytics: while your account is active; raw events are periodically trimmed/aggregated.

  • Logs: short-lived (e.g., ~30–90 days).

  • Support: as needed to address your request.

8) Your rights

You can request access, correction, deletion, or export of your data, and you can object to or restrict certain processing. To exercise your rights, contact us at hello@yourinnerrhythm.com or via /contact. We’ll respond within legal timelines.

9) Security

HTTPS/TLS, signed media links, role-based access, reputable processors. If a breach occurs, we’ll notify affected users and regulators where required.

10) Children

Not directed to children under 16, and we don’t knowingly collect data from them.

11) Changes

We’ll post updates here and adjust the “Effective date.” Material changes may also be notified in-app or by email.

12) Contact

Questions or requests: /contact or hello@yourinnerrhythm.com.