Privacy Policy for Legato

Effective Date: January 14, 2026
Last Updated: January 14, 2026

Introduction

ProximityLabs ("we," "us," or "our") develops the Legato mobile application (the "App"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our App on iOS and Android devices.

We are committed to protecting your privacy and ensuring you have a positive experience using Legato. This policy applies to all users of our App and complies with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable privacy laws.

Information We Collect

Information Stored Locally on Your Device

The following data is stored exclusively on your device using our local Isar database and is NOT uploaded to our servers:

• Practice Session Data: Duration, goals, progress tracking, and completion status
• User Preferences: Instrument type, daily practice goals, onboarding preferences
• Audio Recordings: Practice session recordings in M4A format (44.1kHz)
• PDF Files: Sheet music files you import into the App
• User-Generated Content: Practice notes, annotations, and custom content
• Performance Statistics: Progress tracking and achievement data

Information Collected and Stored on Our Servers

We collect and store the following information on our secure servers (Supabase):

Account Information:

• Anonymous user identifier (Firebase UID)
• Account creation date

Subscription Information:

• Subscription status (active, expired, canceled)
• Platform (iOS or Android)
• Product ID and purchase tokens
• Subscription purchase and expiration dates
• Auto-renewal status

Support Information:

• Support ticket messages and email addresses (if provided)
• Device information (app version, OS version, device model)

Webhook Events:

• Subscription lifecycle events from Apple App Store and Google Play Store
• Event timestamps and processing logs

Information Collected Through Third-Party Services

We use Firebase services (operated by Google) which automatically collect certain information:

Firebase Authentication:

• Anonymous user identifiers
• Authentication timestamps

Firebase Analytics:

• Screen views and navigation patterns
• User interaction events
• App usage statistics
• Session duration and frequency
• Device information (model, OS version)
• General location (country/region level)

Firebase Crashlytics:

• Crash reports and stack traces
• Device state at time of crash
• App version information
• Performance metrics
• Error logs

This information is processed according to Google's Privacy Policy.

How We Use Your Information

We use the information we collect to:

• Provide Core Functionality: Enable practice tracking, progress monitoring, subscription management, and access to practice tools
• Process Subscriptions: Verify purchases, manage subscription status, and handle renewals/cancellations
• Provide Customer Support: Respond to support tickets and technical inquiries
• Improve App Performance: Identify and fix bugs, optimize features, and enhance user experience
• Analytics: Understand how users interact with our App to improve features
• Legal Compliance: Comply with applicable laws and enforce our Terms of Service

Device Permissions

Legato requests the following device permissions:

Microphone Access

• Purpose: Enable tuner functionality and voice recording features
• Usage: Audio is processed locally for real-time tuning feedback and saved recordings
• Control: You can revoke this permission in your device settings

Storage Access

• Purpose: Import and manage PDF sheet music files and audio recordings
• Usage: Read and write files to designated app storage areas
• Control: You can manage this permission in your device settings

Internet Access

• Purpose: Connect to our servers for subscription verification, support tickets, and analytics
• Usage: Communication with Supabase and Firebase services
• Note: Your practice session data, recordings, and PDFs remain on your device and are NOT transmitted

Data Sharing and Disclosure

We do not sell, trade, or rent your personal information to third parties.

We may share information only in the following circumstances:

• Service Providers:
  • Firebase/Google for authentication, analytics, and crash reporting
  • Supabase for secure database hosting
  • Resend for email delivery (support notifications)
• Payment Processors: Apple App Store and Google Play Store handle all payment processing
• Legal Requirements: If required by law, court order, or governmental authority
• Protection of Rights: To protect our rights, privacy, safety, or property
• Business Transfers: In connection with a merger, sale, or acquisition of our company
• With Your Consent: When you explicitly agree to sharing for a specific purpose

Data Security

We implement appropriate technical and organizational measures to protect your information:

• Encryption: All data transmitted to our servers uses industry-standard encryption (TLS/SSL)
• Secure Database: Subscription and user data stored on Supabase with row-level security policies
• Access Controls: Limited internal access to user data; service role keys secured as environment variables
• Authentication: Firebase Authentication for secure anonymous user identification
• Regular Updates: Security patches and updates to address potential vulnerabilities

While we strive to protect your information, no method of electronic storage or transmission is 100% secure.

Data Retention

Local Device Data

• Stored indefinitely until you delete the App or clear app data
• You maintain full control over this data through your device

Server-Stored Data

• User accounts: Retained while account is active; deleted upon account deletion request
• Subscriptions: Retained for the duration of your subscription plus 90 days for billing/support purposes
• Support tickets: Retained for 2 years for customer service purposes
• Webhook events: Retained for 90 days for audit and debugging purposes

Firebase Analytics Data

• Retained according to Google's data retention policies
• User-level data: 14 months
• Event-level data: 2 months
• Aggregated data: No expiration

Crash Reports

• Retained for 90 days in Firebase Crashlytics

Your Privacy Rights

Depending on your location, you may have the following rights:

GDPR Rights (European Users)

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate personal data
• Erasure: Request deletion of your personal data
• Restriction: Limit processing of your personal data
• Portability: Receive your data in a portable format
• Objection: Object to certain processing activities
• Automated Decision-Making: Opt-out of automated decision-making

CCPA Rights (California Residents)

• Know: What personal information we collect, use, and share
• Delete: Request deletion of your personal information
• Opt-Out: Opt-out of the sale of personal information (Note: We do not sell personal information)
• Non-Discrimination: Equal service regardless of exercising privacy rights

How to Exercise Your Rights

To exercise these rights, contact us at legal@proximitylabs.dev. We will respond within 30 days.

You may request:

• Export of your subscription data
• Deletion of your account and associated data
• Correction of inaccurate information

Children's Privacy (COPPA Compliance)

Legato is designed for musicians of all ages. For users under 13:

• We do not knowingly collect personal information from children under 13 without parental consent
• We use anonymous Firebase Authentication, which does not require personal information
• Parents/guardians may review and request deletion of their child's information
• Analytics data is collected in aggregate form only

If we discover we have collected personal information from a child under 13 without parental consent, we will delete it immediately. Parents who believe we have information about their child should contact us at legal@proximitylabs.dev.

Premium Subscription Features (LegatoPlus)

LegatoPlus enables seamless integration of tools within your practice sessions:

• In-practice metronome
• In-practice drones
• In-practice audio recording
• In-practice notes and annotations
• In-practice PDF sheet music access

Note: These tools are available for free use outside of practice sessions. LegatoPlus provides the convenience of accessing them seamlessly during active practice.

Subscription Processing

• Handled through Apple App Store or Google Play Store
• Payment information is processed by Apple/Google, not by us
• We receive only subscription status and basic transaction information
• Subject to Apple/Google privacy policies

Subscription Verification

• We verify purchases with Apple/Google servers to prevent fraud
• Purchase tokens are securely stored on our servers
• We automatically update subscription status based on webhooks from app stores

International Data Transfers

Your data may be processed in countries outside your country of residence:

• Supabase servers: Located in the United States (configurable)
• Firebase services: May process data globally according to Google's infrastructure

We ensure appropriate safeguards for international transfers including:

• Standard Contractual Clauses
• Compliance with GDPR adequacy decisions
• Adequate security measures

Updates to This Privacy Policy

We may update this Privacy Policy periodically. We will notify you of material changes by:

• Posting the new Privacy Policy in the App
• Updating the "Last Updated" date
• Sending an in-app notification for significant changes

Continued use of the App after changes constitutes acceptance of the updated policy.

Contact Information

For questions, concerns, or to exercise your privacy rights, contact us at:

ProximityLabs
Email: legal@proximitylabs.dev
Privacy Inquiries: legal@proximitylabs.dev

For GDPR concerns, EU residents may also contact their local Data Protection Authority.

Additional Information for Specific Jurisdictions

California Residents

Under California Civil Code Section 1798.83, California residents may request information about disclosure of personal information to third parties for marketing purposes. We do not share personal information for marketing purposes.

European Economic Area

Our legal bases for processing under GDPR:

• Consent: For optional features like analytics
• Contract: To provide App services you requested (subscription management)
• Legitimate Interests: For improving our App, ensuring security, and fraud prevention
• Legal Obligation: When required by law

Nevada Residents

Nevada residents may opt-out of the sale of personal information. We do not sell personal information, but you may register your preference by emailing legal@proximitylabs.dev.

---

By using Legato, you acknowledge that you have read and understood this Privacy Policy and agree to its terms.