Legal

Privacy Policy

Last updated: 4 June 2026

This Privacy Policy describes how Objectif Thunes (an Australian sole trader based in New South Wales, "we", "us", "our") collects, uses, stores, and discloses personal information when you use the Nocturne mobile application (including its Berceuse mode, together the "App") and the marketing website at objectifthunes.com (the "Site"). We comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) and, where applicable, the EU General Data Protection Regulation (GDPR) and the UK GDPR.

The short version. We ask for your email, and that's the entire signup. No name, no phone, no demographic question, no profile page to fill out. If you decide to publish a mood for other people to discover, you can optionally add a display name so listeners know who made it — but only then, and only because you chose to. There are no advertising trackers, no third-party analytics, no cookies on this Site, and nothing we collect is ever sold or used to train AI.

By using the App or the Site you confirm you have read this Policy. If you do not agree, please do not use them.

1. Information we collect

We collect the minimum needed to run the App, and nothing more. There is no profile setup screen, no first name asked, no social link asked, no demographic question, and no password to invent. The only identifier we require is your email — and only because that's how we send you a sign-in code.

Email address (required, for sign-in only). We use it to deliver a one-time-password (OTP) code each time you sign in. We do not store or set a password. We do not send marketing emails by default.

Display name (optional, only if you publish a mood). If you create a mood and choose to publish it for other users to discover, you may set a display name so listeners know who to credit. Setting one is entirely your choice — leaving it blank shows your published moods as anonymous. The App never asks you for your real name and there is no signup step that demands a name before you can use the App.

Content interactions (functional). We log which moods, playlists, and tracks you play, save, like, dismiss, or download, and which users you choose to follow. These records exist so the App can run the "Recently played" row, the trending and "From people you follow" surfaces, the daily-free rotation, and the offline-download list. They are not analytics, they are not sold, and they are not shared.

Subscription state. If you subscribe, the purchase is processed exclusively by Apple App Store or Google Play, and reconciled through our subscription processor RevenueCat. We receive a status flag (active / trial / cancelled / expired) and a customer identifier. We never receive, see, or store payment card numbers, bank details, or CVVs.

Network metadata. When the App or Site makes a request to our servers, we observe the source IP address. IPs are used strictly to: enforce rate limits (e.g. on OTP requests, to prevent abuse), detect and block automated attacks, and produce aggregate operational metrics. We do not derive location below country level from IPs, and we do not store IP-to-account joins beyond the rate-limit windows defined in §6.

Device-local data. Your downloaded audio, mixer state, current mode (Nocturne / Berceuse), and recent search inputs are stored on your device using the operating system's secure on-device storage. This data does not reach our servers.

Support correspondence. If you email us we keep the message, our reply, and any attachments for as long as needed to resolve the request and to maintain a record of the interaction (typically 24 months).

2. Information we do NOT collect

  • We never ask for your first name, last name, full name, date of birth, gender, or any other identity attribute. Signup is email-only.
  • We never ask for your phone number, postal address, or any government identifier.
  • We do not collect precise geolocation (no GPS, no Bluetooth scanning, no Wi-Fi triangulation).
  • We do not collect contacts, photo library, microphone audio, calendar, or any other on-device source not directly required to play audio.
  • We do not embed advertising trackers, third-party analytics, or social-media pixels in the App. There is no Google Analytics, no Meta Pixel, no Mixpanel, no Amplitude — nothing of that kind, anywhere.
  • The Site uses no third-party analytics, no cookies for tracking, and no cookies that require consent under EU/UK rules. The only browser storage we use is functional (e.g. remembering your selected mode).
  • We do not sell, rent, or trade personal information to third parties. Ever.
  • We do not use your data to train machine-learning or AI models.

3. How we use information

We process the information described in §1 for the following purposes only:

  • To provide the core functions of the App (authentication, playback, library sync, subscription gating).
  • To surface relevant content (recently played, trending, from people you follow).
  • To deliver transactional emails (OTP codes, account-related notices).
  • To protect the service against fraud and abuse (rate limiting, anomaly detection).
  • To respond to your support, privacy, or legal requests.
  • To meet our legal obligations (e.g. responding to a lawful demand from an Australian authority).

Under GDPR / UK GDPR, our lawful bases are: (a) performance of the contract for account, subscription and content functions; (b) legitimate interest for fraud prevention, security, and minimal analytics; (c) consent where you explicitly opt-in to something; (d) legal obligation when required by law.

4. Service providers (processors)

We use the following processors. Each is bound by a written agreement to handle your data only on our instructions, to maintain security safeguards at least equivalent to ours, and to notify us promptly of any incident.

  • Supabase — database, authentication, and storage hosting.
  • Cloudflare R2 — audio files and cover images.
  • Railway — backend application hosting.
  • Resend — transactional email delivery (OTP codes).
  • RevenueCat — subscription state management.
  • Upstash — short-lived rate-limit counters and caches.
  • Apple App Store / Google Play — payment processing and store distribution. These are independent controllers under their own privacy policies; we only receive the subscription state described in §1.

5. International transfers

Some processors named in §4 store data outside Australia (typically in the United States or the European Union). Where personal data of EU/UK residents is transferred out of the European Economic Area or the United Kingdom, we rely on Standard Contractual Clauses approved by the European Commission (and the UK addendum where relevant). Where personal data of Australian residents is transferred overseas, we comply with APP 8 and take reasonable steps to ensure the recipient handles the data consistently with the Australian Privacy Principles.

6. Retention

  • Account data — for as long as your account exists. Deleted within 30 days of account deletion.
  • Content interactions — for as long as your account exists. Deleted with the account.
  • OTP codes — stored as a one-way hash; expire and become unusable within 10 minutes; purged within 24 hours.
  • Rate-limit IP counters — purged within 1 hour (per-IP send window) or 60 seconds (per-email cooldown).
  • Server access logs — purged within 30 days unless we are required to retain them longer to investigate a specific incident.
  • Subscription receipts — retained for 7 years to meet Australian tax and accounting obligations (Income Tax Assessment Act 1936 s.262A).
  • Support correspondence — 24 months from last contact.

7. Your rights

Regardless of where you live, you can:

  • Request a copy of the personal information we hold about you.
  • Ask us to correct information that is inaccurate or out-of-date.
  • Request deletion of your account and all associated personal information.
  • Withdraw any consent you have given (this does not affect prior lawful processing).
  • Lodge a complaint with us in the first instance — if unresolved, with your local supervisory authority (in Australia, the Office of the Australian Information Commissioner; in the EU/UK, your national data-protection authority).

Email contact@objectifthunes.com with the subject line "Privacy request". We respond within 30 days. We may ask you to verify control of the account email before acting on a request.

8. Security

Account credentials use OTP only (no passwords to leak). All client–server traffic is TLS-encrypted. Audio file URLs are short-lived presigned links that expire within an hour of issue. Database access is restricted to least-privileged service accounts. Despite reasonable measures, no system is perfectly secure — we cannot guarantee absolute security of information transmitted over the internet.

9. Data breach notification

If we become aware of a personal-information breach likely to result in a risk of harm to affected individuals, we will notify the Office of the Australian Information Commissioner and the affected individuals as soon as practicable, and in any case within the timelines required by the Notifiable Data Breaches scheme (Part IIIC of the Privacy Act 1988). For affected EU/UK residents we will additionally notify the relevant supervisory authority within 72 hours where required by Article 33 GDPR.

10. Children

The App is rated 4+ and includes a Berceuse mode designed to be played for very young children, but the App itself is intended for parents, guardians, and adult users to operate. We do not knowingly collect personal information from children under 13 (or, in the EU/UK, under 16 where local law sets a higher digital-consent age). If you believe a child has provided personal information to us, contact us and we will delete it.

11. Changes

We may update this Policy from time to time. The "Last updated" date above always reflects the current version. Material changes that broaden the use of personal information will be announced in-app and via email at least 14 days before they take effect.

12. Contact

Objectif Thunes
New South Wales, Australia
contact@objectifthunes.com