Legal

Privacy Policy

Last updated May 4, 2026

The short version. We collect what we need to run Levels Flow on your behalf and nothing else. We never sell your data. We don't use it to train AI models. You can export or delete everything at any time from Settings.

1. Who we are

Levels Flow is a software-as-a-service product operated by Sheldon Yeoman, trading as Levels Studio, in Perth, Western Australia. For the purposes of this policy we are the “data controller” of the personal information you provide.

2. What we collect

We collect three categories of information: (a) account data — your email address, password hash, name, business details, and billing details once paid plans launch; (b) content data — the audio files, invoices, receipts, client records, and messages you upload or create inside the Service; and (c) usage data — anonymous request logs, error reports, and aggregated metrics that help us run the Service.

3. Why we collect it

Account and content data are processed solely to operate the Service for you — store your files, render your invoices, deliver share links to people you authorise, send you transactional email. Usage data is processed to keep the Service running, debug problems, and prevent abuse. We do not use your data for advertising or for training third-party machine-learning models.

4. Where it lives

Levels Flow is built on Supabase (Postgres + S3-compatible object storage). Data is stored in Supabase's Sydney (ap-southeast-2) region. All connections are encrypted in transit (TLS) and at rest. Row-level security policies in the database ensure that one studio's data is never queryable from another studio's session.

5. Sub-processors

We rely on a small number of vendors to operate the Service: Supabase (database, storage, auth), Vercel (web hosting), Resend (transactional email), and — once paid plans launch — Stripe (payments). Each vendor is contractually bound to handle your data only on our instructions. We will publish a current sub-processor list on this page when the beta closes.

6. Cookies and tracking

We use a small number of strictly-necessary cookies for authentication and session management. We do not use third-party advertising trackers, social-media pixels, or session-replay tools on the marketing site or inside the app.

7. Sharing your data

We never sell your data. We share content only at your direction — for example, when you generate a share link for a song, send an invoice to a client, or grant your accountant a read-only token URL. We may disclose data in response to a valid legal request, but will notify you first unless prohibited from doing so.

8. Your rights

You can access, export, correct, or delete your data at any time from Settings. Account deletion permanently removes your content from active storage; backup copies are purged on a 30-day cycle. If you are in the EU, UK, or California, you have additional rights under GDPR, UK GDPR, and CCPA respectively — including the right to object, the right to data portability, and the right to lodge a complaint with your supervisory authority.

9. Retention

We keep account and content data for as long as your account is active. After deletion, content is purged within 30 days. Anonymous usage logs are retained for up to 12 months for security and debugging purposes, then aggregated or deleted.

10. Children

Levels Flow is not directed to children under 16 and we do not knowingly collect data from them. If you believe a child has created an account, email privacy@levelsflow.app and we will close the account.

11. Changes to this policy

Material changes will be communicated by email or in-app notice at least 14 days before they take effect. The “last updated” date at the top of this page reflects the current version.

12. Contact

Privacy questions or requests? Email privacy@levelsflow.app.