🔐 Privacy Policy

🧠 Who We Are

JazzPracticePro – ABN 57 253 432 686, owned and operated by Trent Jordan, sole trader, based in QLD, Australia.

About JazzPracticePro's Privacy Approach

The AI features are optional. If you don't use them, no practice data ever leaves your device. When you do use AI, JazzPracticePro uses a hybrid client–server design to balance performance and privacy: your device streams results directly from Google's Gemini API (or via our secure Cloud Run proxy) while small, non-content control requests are made to our serverless endpoints only to manage AI credits and safety checks.

Optional cloud backup: You can enable end-to-end encrypted cloud backup. Your passphrase never leaves your device, and your data is encrypted before upload. We cannot decrypt your backups.

🤖 What powers the AI?

JazzPracticePro uses Google's Gemini 1.5 Flash API (via @google/generative-ai) to provide two AI-powered features:

• Practice Feedback: Personalized insights based on your recent practice patterns
• Voice Import: Speak practice details and have them automatically structured into pillar entries (5-10x faster logging)

When you request AI help, your practice data is securely sent to Gemini to generate a response. In hybrid mode, generation is streamed directly from your device (or via our secure Google Cloud Run proxy) while credits are enforced on the server for fairness and security.

📤 What data is sent?

Only the information needed for your request is included:

For AI Practice Feedback:

• Your profile information (instrument, experience context)
• Practice session summaries from the last 30 days (dates, durations, pillar categories, exercise descriptions)
• Repertoire information (tune names you've practiced)
• Transcription project names (if applicable)
• Active pillar definitions (names and descriptors)
• Session notes (if you've added them)

For Voice Import:

• The transcription of your spoken practice notes
• Your last 8 practice sessions (for consistency in parsing)
• Active pillar definitions
• Your known tunes and transcriptions (for fuzzy matching)

🔐 How is it sent?

AI Request Flow (Hybrid Architecture):

1. Pre-flight checks: Before any AI call, our serverless function checks:
   • Kill switch status (can disable AI system-wide if needed)
   • Your current AI credit balance
   • Reserves 1 credit for your request
2. Token issuance: If using Cloud Run proxy, request a signed JWT token (120-second expiry)
3. Content streaming: Your device streams content generation:
   • Primary path: Via Google Cloud Run secure proxy (JWT-authenticated, rate-limited)
   • Fallback path: Direct to Gemini API if proxy unavailable
4. Confirmation or refund:
   • On success: Usage confirmed via serverless function
   • On failure: Credit automatically refunded
   • No practice content is stored on our servers during this process

User Control:

You always have full control over when data is sent. You'll see:

• A banner on all AI pages reminding you that data will be shared with Gemini
• A "Generate" button you must click to initiate the request
• Credit balance display so you know how many AI calls you have remaining
• Transparent error handling with automatic fallback if primary path fails

Authentication & Cloud Backup:

• Authentication: Email + One-Time Password (OTP) via Supabase (no passwords stored)
• Session management: JWT tokens with automatic refresh, cross-tab synchronization
• Cloud backup encryption: Your passphrase derives an encryption key (PBKDF2-SHA256, 600k iterations)
• Backup storage: Encrypted blobs stored in Supabase Storage with Row Level Security
• Zero-knowledge: Your passphrase never leaves your device - we cannot decrypt your backups

🚨 Does Google keep my data?

Possibly, for a short time.

According to Google's Gemini API Terms of Service, prompts and responses may be temporarily stored by Google for:

• Abuse prevention
• Improving their models (in anonymized form)

JazzPracticePro does not store or log any prompts or responses locally after generation. You can optionally choose to save your AI results to a file or copy them manually.

✅ Quick Summary

☁️ Encrypted Cloud Backup (Optional)

JazzPracticePro supports end-to-end encrypted cloud backups using your passphrase. Your passphrase never leaves your device; backups are encrypted before upload and can only be decrypted by you.

Technical Details:

• Encryption: PBKDF2-SHA256 key derivation (600,000 iterations) + AES-GCM-256 encryption
• Compression: gzip before encryption to reduce size
• Storage: Supabase Storage with Row Level Security (per-user access controls)
• Passphrase scope: Lives only in browser sessionStorage (cleared on sign-out)
• Zero-knowledge: Server stores only encrypted blobs, cannot decrypt without your passphrase

Local Backup Alternative:

You can also export/import a local JSON backup (v3 format, schema version 14) at any time without using cloud storage or authentication. This gives you full control over your data with no server involvement whatsoever.

🔍 Transparency: AI Control Endpoints

For fairness and safety, the app calls a small set of serverless endpoints that manage AI usage. These do not store your practice content and are only used to check status, reserve, confirm, or refund credits:

Netlify Serverless Functions:

• GET /.netlify/functions/ai-status: Kill switch check + AI credit balance lookup
• POST /.netlify/functions/reserve-credit: Reserve 1 credit before AI request (atomic transaction)
• POST /.netlify/functions/confirm-usage: Confirm credit usage after successful AI response
• POST /.netlify/functions/refund-credit: Refund reserved credit if AI request fails
• POST /.netlify/functions/issue-proxy-token: Issue signed JWT token for Cloud Run proxy authorization (120-second TTL)
• POST /.netlify/functions/generateFeedback: Fallback server-side AI generation (used only if client-side streaming fails)

Google Cloud Run Proxy:

• jpp-gemini-proxy: Optional secure streaming proxy to Gemini API
• Authorization: JWT bearer token (issued by Netlify function)
• Security: Rate limiting, CORS protection, domain restrictions
• Purpose: Secure API key management without exposing keys to client
• Stateless: No logging of practice content, auto-scaling

Important: None of these endpoints store your practice content. They only handle credit accounting and access control. All practice data streaming happens directly between your device and Gemini API (or via the stateless Cloud Run proxy).

📁 Your Control & Portability

• You can export all your practice data, repertoire, and goals at any time.
• You can import previous data or example files.
• The app includes a Soft Reset (clears practice data) and Factory Reset (clears everything).
• AI usage logs can be reset manually via the Debug tools in the app.

📋 Additional Privacy Disclosures

📧 Email Collection (Website)

The JazzPracticePro website includes an optional email signup form for users interested in joining the beta program and receiving product updates.

How We Use Your Email Address:

• Beta program access: To notify you when you've been approved as a beta tester
• Product updates: To send you updates about JazzPracticePro features and improvements
• No marketing spam: We will not sell, rent, or share your email address with third parties for marketing purposes

Where Emails Are Stored:

Email addresses submitted through the website form are stored securely via Netlify Forms, a service provided by Netlify, Inc. Netlify processes this data in accordance with their Privacy Policy.

Your Rights:

• Unsubscribe anytime: You can request to be removed from our email list at any time by contacting us at contact@jazzpracticepro.com
• Data deletion: You can request deletion of your email address from our records
• Optional signup: Providing your email is completely optional - you can use the app without signing up for emails

❓ Your Rights & Contact