Privacy Policy

Last updated: April 18, 2026

1. Introduction

This Privacy Policy describes how shart.app ("we", "us", "the Service") collects, uses, and protects your information. By using the Service, you consent to the practices described in this policy.

2. Information We Collect

2.1 Account Information
When you sign in via an authentication provider (Auth0, Google, or Microsoft), we receive and store your email address, display name, and avatar URL as provided by that provider. We do not store your password -- authentication is handled entirely by your chosen provider.
2.2 User Content
Audio files you upload, along with metadata (duration, frequency, file size, MIME type), are stored on our servers. A SHA-256 hash of each file is computed and stored for integrity verification.
2.3 Usage Data
We automatically collect:
  • Ratings and reports you submit (linked to your account)
  • Streak and badge data (activity tracking for gamification)
  • Anonymous quick-log entries (loudness value and session fingerprint, no account association)
2.4 Device and Security Information
For security purposes, we collect device information on each authenticated request:
  • IP address (used for geolocation to country level only)
  • Browser and operating system (parsed from User-Agent header)
  • Device fingerprint (SHA-256 hash derived from User-Agent and IP subnet -- not a tracking cookie)
  • Login attempt records (timestamp, provider, success/failure, IP, country)
2.5 Geolocation
We use the geoip-lite library (an offline MaxMind database) to resolve your IP address to a 2-letter country code. This lookup happens entirely on our server -- your IP is never sent to a third-party geolocation service. We store only the country code, not your precise location.
2.6 Payment Information
Premium subscriptions are processed by Stripe. We do not store your credit card number, CVV, or full billing address. We receive and store only your Stripe customer ID and subscription status via webhook events.

3. How We Use Your Information

  • Authenticate your identity and maintain your session
  • Display your profile, uploads, ratings, and badges
  • Operate leaderboards, soundboards, and community features
  • Enforce storage quotas and rate limits
  • Detect and prevent abuse (login attempt monitoring, device tracking)
  • Send notification emails (badge alerts, top 10 alerts, weekly digest) based on your notification preferences
  • Process premium subscription payments via Stripe
  • Generate aggregate statistics (global shart count, country distribution)
  • Moderate content (review uploads, process reports)

4. Information Sharing

We do not sell your personal information. We share data only with:
  • Authentication providers (Auth0, Google, Microsoft) -- only during the sign-in flow
  • Stripe -- for payment processing (premium subscriptions only)
  • Resend -- for transactional email delivery (notifications, contact form confirmations)
  • Google AdSense -- for displaying advertisements (non-premium users only). Google may use cookies per its own privacy policy.

5. Data Storage and Security

Your data is stored in PostgreSQL databases, and audio files are stored via SFTP on isolated storage volumes. We implement the following security measures:
  • JWT token verification with JWKS for all authenticated requests
  • Provider-agnostic TOTP two-factor authentication (optional)
  • SHA-256 file integrity hashing
  • Path traversal protection on file access
  • Content Security Policy (CSP) headers
  • Rate limiting on uploads, API calls, and contact form submissions
  • Magic byte validation on uploaded files
  • Encrypted sessions with PostgreSQL-backed session store

6. Your Rights

You have the right to:
  • Access your data -- view your profile, uploads, ratings, devices, and login history on the Dashboard
  • Export your data -- download your shart history as CSV or JSON via the Dashboard export feature
  • Delete your account -- permanently remove all your data including uploads, ratings, badges, streaks, devices, and profile via the Dashboard
  • Control notifications -- toggle badge alerts, top 10 alerts, and weekly digest emails from the Dashboard security section
  • Manage devices -- view and remove registered devices from the Dashboard security section

7. Cookies and Local Storage

We use browser localStorage to store authentication tokens (managed by the Auth0 SDK) and sessionStorage for the sign-in flow. We use a session cookie (httpOnly, secure in production, sameSite=lax) for server-side session management. Google AdSense may set additional cookies per Google's policies.

8. Children's Privacy

The Service is not intended for users under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us.

9. International Users

The Service is operated from the United States. If you access the Service from outside the United States, your information may be transferred to and processed in the United States.

10. Changes to This Policy

We may update this Privacy Policy at any time. Material changes will be communicated through the Service or via email. Continued use after changes constitutes acceptance.

11. Contact

For questions about this Privacy Policy or to exercise your data rights, contact us at shart.app/contact.