Legal

Privacy Policy

Effective date: May 26, 2026  ·  Last updated: May 26, 2026

The short version: SonicSandbox collects only what's needed to run the site — your email address if you create an account, and your game scores if you play while signed in. We don't sell data, run ads, or share your information with anyone except the infrastructure providers that power the site.

1. Who we are

SonicSandbox (sonicsandbox.app) is an independent project providing interactive ear training games for music producers and audio engineers. If you have questions about this policy, contact us at contact@sonicsandbox.app.

2. What we collect and why

If you create an account:

  • Email address — used to sign you in, send password reset emails, and identify your account. We don't send marketing emails.
  • Password — stored as a salted hash by our authentication provider (Supabase). We never see or store your plaintext password.
  • Username — optional. You can choose a display name that appears on stats and leaderboards. You can change or omit it at any time.

If you play games while signed in:

  • Game scores — the game name, whether you answered correctly, your round score, and a timestamp are saved to your account. This is what powers your personal stats page.

From all visitors (no account required):

  • Browser storage preferences — a handful of keys are stored in your browser's localStorage and sessionStorage to remember UI state (e.g. whether you prefer the desktop version, or have dismissed a banner). These never leave your device.

We do not collect IP addresses directly, serve advertisements, or sell your data. We use a privacy-focused analytics tool (Umami) to measure aggregate page traffic — see Section 3 for details.

3. Third-party services

SonicSandbox uses a small number of third-party services to operate:

  • Supabase (privacy policy) — our backend database and authentication provider. Your account data and game scores are stored on Supabase's infrastructure, which is hosted on AWS in the United States. Supabase is SOC 2 Type II certified.
  • Google Fonts (privacy policy) — fonts used for the site's typography are loaded from Google's CDN. Google may log the request (including your IP address) in accordance with their own privacy policy.
  • jsDelivr CDN — the Supabase JavaScript library is loaded from jsDelivr's CDN. No personal data is shared with jsDelivr; it serves only static files.
  • GitHub Pages — the site's static files are hosted on GitHub Pages (Microsoft). GitHub may collect basic server logs. See GitHub's privacy statement.
  • Umami (privacy policy) — a privacy-focused, open-source analytics platform used to measure aggregate page traffic (e.g. page views, referrers). Umami does not use cookies, does not track individual users across sessions, and does not share data with third parties. No personally identifiable information is collected.

We do not use any advertising networks, social media tracking pixels, or data brokers.

4. How your data is stored and protected

Account data (email, hashed password, username) and game scores are stored in a Supabase PostgreSQL database. Row-Level Security (RLS) is enforced on all tables, meaning each user can only read and write their own data.

Authentication tokens are stored in your browser's localStorage by the Supabase client library. They are never sent to any server other than Supabase's authentication endpoints.

All traffic between your browser and Supabase is encrypted via TLS.

5. Data retention

Your data is retained for as long as you have an account. If you delete your account, your email address, username, and all game scores are permanently deleted from our database. This action is immediate and irreversible.

You can delete your account at any time from the Account page.

6. Your rights

Depending on where you live, you may have certain rights regarding your personal data:

  • Access — request a copy of the data we hold about you.
  • Correction — update your username or email address via the Account page.
  • Deletion — delete your account and all associated data via the Account page, or by contacting us.
  • Portability — request an export of your game score data.

To exercise any of these rights, use the self-service tools on the Account page or contact us at contact@sonicsandbox.app. We'll respond within 30 days.

7. Children's privacy

SonicSandbox is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has created an account, please contact us and we will delete it promptly.

8. Changes to this policy

If we make material changes to this policy, we'll update the "Last updated" date at the top of this page. We won't reduce your rights under this policy without providing reasonable notice.

9. Contact

Questions about this privacy policy? Reach us at contact@sonicsandbox.app or via the About page.