
Security & privacy

Last updated: May 4, 2026 · Effective: May 4, 2026

Core commitment

Your music never trains an AI.

Not ours. Not anyone else's. We do not, and will not, train, fine-tune, embed, or test machine-learning models on user audio. We don't license your catalog to data brokers. The narrow server-side processing we do run (BPM and key detection at upload, waveform peaks, stem separation when you click it, forensic watermarking on shares) is described below in plain English. The files you upload exist in our system to do exactly what you put them there to do: stay safe, get shared, and play back.


Our top-line commitments

1. Your music never trains an AI. Not ours, not licensed, not "anonymized," not ever. This is in our Privacy Policy as a binding commitment, and it's the line we will never cross.
2. We don't listen. No human at Capiscana plays your audio for fun, curiosity, "QA," or analysis. The only audio access is what you initiate (upload, playback, share) and what your authorized share recipients trigger.
3. We don't sell or share your data. Not with marketers. Not with model trainers. Not with anyone except infrastructure providers strictly required to deliver the service (and they're contractually bound to the same posture, see Privacy §3).
4. If we receive a subpoena, we'll tell you. Unless we're legally gagged, we'll notify the affected user before complying with any law-enforcement data request, so you have a chance to push back.
5. We will notify you within 72 hours of any confirmed breach affecting your account, regardless of whether the breach was at Capiscana or at a third-party provider.
6. You can take your data and leave. Full export at /api/account/export. Permanent deletion at /api/account/delete (30-day grace, then purge). No "win-back" calls, no data hostage.

What we technically do

Tenant isolation

Every storage operation is bound to your account. Cross-user reads, writes, and listings fail at the adapter boundary, verified by 71 adversarial tests including path-traversal, ID-swap, and presigned-URL-replay attacks.
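A sketch of what enforcement at the adapter boundary can look like, as an added example that is not Capiscana's code. The `users/<id>/` key layout, the class and function names, and the in-memory backend are all assumptions made for illustration; it covers the path-traversal and ID-swap cases only.

```python
import posixpath

class TenantAccessError(Exception):
    """Raised when a request would leave the caller's tenant prefix."""

class TenantStorage:
    """Adapter bound to one account; every key is forced under users/<id>/ (assumed layout)."""

    def __init__(self, backend: dict, user_id: str):
        if not user_id.isalnum():              # the id becomes a path segment
            raise TenantAccessError("invalid user id")
        self._backend = backend                # constructed stand-in for the object store
        self._prefix = f"users/{user_id}/"

    def _resolve(self, key: str) -> str:
        if not key or "\x00" in key or "\\" in key or key.startswith("/"):
            raise TenantAccessError("malformed key")
        if any(seg in ("", ".", "..") for seg in key.split("/")):
            raise TenantAccessError("path traversal rejected")
        full = posixpath.normpath(self._prefix + key)
        if not full.startswith(self._prefix):  # defence in depth after normalising
            raise TenantAccessError("key escapes tenant prefix")
        return full

    def put(self, key: str, data: bytes) -> None:
        self._backend[self._resolve(key)] = data

    def get(self, key: str) -> bytes:
        full = self._resolve(key)
        if full not in self._backend:
            raise KeyError(key)                # "missing" and "not yours" look identical
        return self._backend[full]

    def list_keys(self) -> list[str]:
        # Listings are filtered by prefix, so other tenants' keys never appear.
        return sorted(k[len(self._prefix):] for k in self._backend
                      if k.startswith(self._prefix))

def attempt(store: TenantStorage, key: str) -> str:
    """Classify one read attempt as 'ok', 'denied' or 'not-found'."""
    try:
        store.get(key)
        return "ok"
    except TenantAccessError:
        return "denied"
    except KeyError:
        return "not-found"
```

Because the adapter always prepends the session's own prefix, a request that names another account's full key resolves inside the caller's namespace and simply finds nothing.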

Encryption in transit

TLS 1.3 from your browser to our edge and from our edge to our origin. HSTS is enforced. TLS terminates at Cloudflare with modern cipher suites. No plaintext anywhere on the wire.

Encryption at rest

Audio files are stored in Backblaze B2 with server-side encryption (SSE-S3) by default. Database backups are encrypted before they leave our servers.

Password security

Passwords are hashed with bcrypt (cost 12), never stored in plaintext, never logged. Sessions are server-side and revocable. Optional TOTP 2FA available in account settings.

Data minimization

Email, password hash, display name, the catalog metadata you provide. IP and user-agent for security/fraud only, hashed daily, not retained indefinitely. No third-party trackers (no Google Analytics, no Facebook pixel, no behavior fingerprinting).

Audit log

Every storage operation (upload, download, share-create, delete) is logged with user_id, action, key, IP, and timestamp. Tamper-evident. Supports post-incident investigation and (future) per-user "who accessed what" UI surface.
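The page does not say how tamper evidence is achieved; a hash chain over the logged fields is one common construction, shown here as an added example that is not Capiscana's implementation. The record layout, function names, and sample events are assumptions, and the sample data is constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first record

def _digest(prev_hash: str, entry: dict) -> str:
    # Canonical JSON so the same entry always hashes to the same value.
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append(log: list, user_id: str, action: str, key: str, ip: str, timestamp: str) -> str:
    """Append one storage event and return the new head hash."""
    entry = {"user_id": user_id, "action": action, "key": key,
             "ip": ip, "timestamp": timestamp}
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"entry": entry, "prev": prev, "hash": _digest(prev, entry)})
    return log[-1]["hash"]

def verify(log: list, trusted_head: str = None) -> int:
    """Return -1 if the chain is intact, else the index where it first fails."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev or rec["hash"] != _digest(prev, rec["entry"]):
            return i
        prev = rec["hash"]
    # A rewritten or truncated chain is self-consistent; only a head hash
    # kept outside the log store exposes it.
    if trusted_head is not None and prev != trusted_head:
        return len(log)
    return -1

def constructed_log() -> list:
    """Constructed sample events (documentation-range IPs, made-up keys)."""
    log = []
    append(log, "u1", "upload", "users/u1/demo.wav", "203.0.113.7", "2026-05-04T10:00:00Z")
    append(log, "u1", "share-create", "users/u1/demo.wav", "203.0.113.7", "2026-05-04T10:05:00Z")
    append(log, "u2", "download", "users/u1/demo.wav", "198.51.100.9", "2026-05-04T11:00:00Z")
    append(log, "u1", "delete", "users/u1/demo.wav", "203.0.113.7", "2026-05-04T12:00:00Z")
    return log
```

An in-place edit breaks the chain at the edited record, while truncation or a full rewrite is caught only when `verify` is given a head hash recorded somewhere the log writer cannot modify.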

What we technically do process server-side

To make your library searchable and your shares accountable, our servers run a narrow set of audio analyses. None of these train any model, leave our infrastructure, or are shared with third parties:

  • Tempo and musical key detection – runs for paid plans when analysis is enabled so your library is sortable and searchable. Stored output: the tempo number and key string.
  • Waveform peak generation – a low-resolution amplitude array used to draw the scrubber bar. Not a recognition fingerprint.
  • Stem separation – runs only when a Pro or Max user clicks "Separate stems" on a specific track they own. Output is written back to that user's private vault.
  • Forensic watermark embedding – runs only when you create a share link from a tier that includes per-recipient watermarks (Max or above).

That is the complete list. Anything else we might want to do later requires an actual product change, an updated Privacy Policy, and your continued use of the Service after that change.

What we technically do not do

  • We do not train AI on your music. Worth saying twice. No models, no fine-tunes, no embeddings, no analysis pipelines. Ever.
  • We do not have humans listen to your audio. No staff plays your tracks for QA, curiosity, demos, or analysis. The only audio access is what you initiate (upload, playback, share) and what your authorized share recipients trigger.
  • We do not run ML classifiers, mood detectors, lyric transcription, or content-matching fingerprinting on your files. The narrow processing we do run is listed above.
  • We do not store full payment details. Stripe handles all card data; we keep only your customer ID and subscription tier.
  • We do not share data with marketing brokers, ad networks, or "data partners."
  • We do not use behavioral fingerprinting (canvas, font, audio-context, device-graph cross-site tracking).
  • We do not retain backups of deleted accounts forever. Once you delete, your data ages out of our backup tiers (max 12 weeks for weekly snapshots) and is gone for good.

Where your data physically lives

We're transparent about our infrastructure. Their incident pages are our incident pages.

  • Audio files → Backblaze B2 (us-west-004 region, US west coast)
  • Application + database → Hetzner Online (Ashburn, VA, USA)
  • CDN, edge, DDoS protection, DNS → Cloudflare (global anycast)
  • Continuous off-site backup replication → Backblaze B2 (separate prefix from your active files)
  • Tier snapshots (hourly / daily / weekly) → Backblaze B2, with weekly automated restore drills to verify integrity

Two vendors, two geographic regions, multiple snapshot tiers. A single-vendor failure does not mean data loss.

Who can access your files

  • You, via the app, signed in.
  • Anyone you explicitly share with, via a share link you generate. Only what you share, only for as long as you keep the share active.
  • Capiscana operations staff, for narrow operational reasons (e.g., investigating a bug you reported, restoring data after a system failure). All such access is audit-logged. We do not "browse" user files for any other reason.
  • Backblaze, Hetzner, Cloudflare, at the storage / network layer, as required to deliver the service. They are bound by their own privacy policies (linked in Privacy §3).

That's the entire list. We do not "review" your account for QA. We do not show your files to investors, advisors, or new hires for demos. The only automated processing on the audio bytes themselves is the narrow server-side pipeline listed under What we process server-side (BPM, key, waveform peaks, on-demand stems, forensic watermarks on shares).

Watermarked shares & leak provenance

When you share an audio file, recipients receive a per-recipient watermark embedded in the audio stream. The watermark is inaudible to listeners but identifiable forensically. If a song you shared leaks publicly, we can trace the leak back to the specific recipient who received that copy.

This is one of the reasons Session™ Vault exists: making file-sharing accountable. Other services let your unreleased songs leak with no trace. We make leaks traceable.

Breach notification

If we confirm a security incident affecting your account, we will notify you via the email on file within 72 hours of confirmation. The notice will include:

  • What happened, in plain English
  • What data was potentially affected
  • What we've done to contain it
  • What you should do (rotate password, audit shares, etc.)
  • How to reach our security team

This applies to incidents at Capiscana and incidents at our infrastructure providers (Backblaze, Hetzner, Cloudflare) where the provider's notification reaches us.

Your data is yours

You can take your full catalog and walk away anytime:

  • Export everything via /api/account/export: complete data dump in machine-readable format
  • Permanent deletion via /api/account/delete: 30-day grace period, then full purge from active storage. Backups age out per tier retention.
  • No win-back retention. We don't keep "deleted" data for marketing purposes. Deleted is deleted.
  • Independent backups recommended. Per our Terms § 12A, you remain responsible for keeping your own copies. Session™ Vault is a service, not the only place your music should exist.

Responsible disclosure

If you find a security issue (vulnerability, data leak, broken access control, anything), please report it.

Email [email protected]. We aim to respond within 48 hours and to remediate confirmed issues within 30 days. We don't have a paid bug bounty yet, but we will publicly thank researchers (with their consent) once we've shipped a fix.

Please do not: attempt to access user data that isn't your own; degrade service for other users; demand payment for the disclosure; publish the issue before we've had a reasonable chance to fix it. We commit not to pursue legal action against good-faith researchers who follow these guidelines.

This page is the operational summary. The legally-binding versions of these commitments live in our Terms of Service and Privacy Policy. Where this page conflicts with those documents, those documents control.

Reviewed and updated 2026-05-04. Capiscana, Inc., 2222 Chestnut Ave STE 201, Glenview IL 60026.
