Privacy Policy

Last updated: April 14, 2026

Studio Pilot ("we", "us", or "the app") is a desktop application for music studio project management, built by [Echo Punch LLC]. This policy explains what we collect, what we don't, and what you can do about it. Plain English, no dark patterns.

The short version

Almost everything Studio Pilot knows about you lives in a local SQLite database on your own computer. We store the minimum needed in the cloud to make authentication and the client portal work. We don't sell your data. We don't use it to train models. You can export everything or delete everything at any time from Settings → Privacy & Data.

What we store locally (on your computer)

  • Your clients, projects, tasks, calendar events, invoices, notes, and activity logs
  • Time tracking entries
  • Files you link from Dropbox or the local filesystem
  • Integration tokens for Google Calendar, Dropbox, Wave, Resend, Stripe, and Claude
  • App settings, including your studio name, logo, invoice defaults, and rates

This data never leaves your machine unless you take an explicit action (inviting a client to the portal, syncing Google Calendar, sending an invoice, etc.).

What we store in the cloud (Supabase)

  • Your login email and hashed password (or OAuth identity)
  • Organization and role membership so the right account sees the right data
  • For clients you invite to the portal: enough project / invoice / revision data to render the portal pages
  • Portal activity logs (when a client viewed, signed, or requested a revision)

We do not store audio files, private notes, or any data you haven't explicitly sent through a portal invite or sync action. Row-level security policies enforce that only you and your invited clients can see your data.

Third-party services

When you connect an integration, data flows directly from your machine (or the portal) to that provider. Studio Pilot does not proxy, log, or cache the content of those requests.

  • Google Calendar — reads/writes events on calendars you authorize
  • Dropbox — reads folder listings and shared links you explicitly link to projects
  • Wave — bulk imports customers and invoices (optional)
  • Resend — sends transactional email using your own API key and sender domain
  • Stripe — processes client invoice payments through the portal
  • Supabase — authentication and client portal data
  • Anthropic (Claude) — you bring your own API key; requests go directly from the app

Telemetry and crash reports

We may collect anonymous crash reports and usage metrics via [Sentry] to improve reliability. No personal data, client data, or project data is ever sent. You can see exactly what's collected and opt out from Settings → Privacy & Data.

Your rights

  • Export all data: Settings → Privacy & Data → "Export all data as JSON". One click, full dump.
  • Delete everything: Settings → Privacy & Data → "Delete my account and all data". Local data is wiped immediately; your cloud authentication record is removed within 30 days (or immediately by emailing support).
  • Correct or access: All your data is editable directly in the app. For cloud auth records, email [support@studiopilot.app].

If you're in the EU / UK, these rights are protected under GDPR. If you're in California, under CCPA. If you're somewhere else, we honor them anyway.

Children

Studio Pilot is a professional tool and not directed to children under 13. We do not knowingly collect data from them.

Changes

If we change this policy materially, we'll update the date at the top and surface the change in-app. Minor wording fixes don't count.

Contact

Questions or complaints: privacy@studiopilot.app

[Legal entity name and address go here once registered]