Privacy Policy

Legal 📅 Effective: 2026-05-22 📝 Version 2.0

This Privacy Policy explains what data Shimga collects, why we collect it, where it lives, and how to delete it. We've tried to keep it short, honest, and free of "we may collect anything for any reason" filler. If anything is unclear, contact us via the homepage.

Plain-English summary
Data that stays on your device
Data we store in the cloud
Analytics & telemetry
Third-party processors
Anonymous sessions & retention
Legal basis (GDPR)
Your rights
California (CCPA)
Cookies & local storage
Children
Security
Changes
Contact

1. Plain-English summary

We don't sell your data. Ever.
We don't show third-party ads.
Your audio file is analyzed in your browser. It is not uploaded to our servers unless you save a template that uses it.
Anonymous drafts (without sign-up) live for up to 24 hours of inactivity, then they and their media are automatically deleted.
Signed-up users own everything they save and can delete any of it from the Templates page.

2. Data that stays on your device

The following never leaves your browser unless you explicitly save:

Audio files you upload. Decoded in the browser via the Web Audio API and used for live visualization. Read more: how Shimga handles your audio.
In-progress scene. Layer placements, parameter values, and project settings live in your browser's localStorage as you work. Closing the tab keeps them on that browser; sign in to sync across devices.

3. Data we store in the cloud

The following is stored on our servers only when you explicitly save, publish, or sync:

What	Where	Why
Saved template structure (name, description, layer settings, visibility, owner, R2 references)	Firebase Firestore	So you can load it on another device or share it.
Saved template media (images, videos, audio)	Cloudflare R2 object storage	So the template still renders when reopened or remixed.
Auto-saved draft	Firestore	So a tab close or a power cut doesn't lose work in progress.
Account email + Google profile (if Google sign-in)	Firebase Auth	So you can sign back in.
Email + first name on signup	Brevo (transactional)	To send a one-time welcome email. Not used for marketing.
Feedback you submit	Firestore	So we can fix bugs and prioritize features.

4. Analytics & telemetry

To understand how Shimga is used and where it breaks, we collect:

Session telemetry (Firebase Realtime Database): session length, last-active timestamp, anonymous device id, browser / OS, viewport, language, timezone, referrer, and your email if you're signed in.
Google Analytics 4 via gtag.js: page views, link clicks, scroll depth. Anonymous unless you've identified yourself elsewhere on the same browser.
Microsoft Clarity: anonymous session replays and heatmaps. We use it to find UX bugs (e.g. a button no one ever finds).

All three can be blocked by any standard tracker blocker without breaking the Service.

5. Third-party processors

Shimga uses these processors. Their privacy policies apply to data they process:

Cloudflare — R2 object storage, Workers, edge DNS, CDN. policy
Google (Firebase) — Firestore, Realtime Database, Authentication, Analytics. policy
Brevo — transactional email. policy
Microsoft — Clarity analytics. policy
Vercel — alternate hosting (some deploys). policy
Pexels — stock-image search (when used). policy

6. Anonymous sessions & retention

When you open Shimga without signing in, we mint a high-entropy URL token (e.g. ?sessionId=session_…). Any draft you build is written to that session in Firestore, and any cloud media uploads are stored in R2 under that session's path.

An automated job runs daily. It permanently deletes any session draft whose last activity is older than 24 hours and removes the associated R2 files. There is no way to recover a session draft after this sweep. Create an account before the 24-hour window closes to preserve your work indefinitely.

The session URL acts as a credential. Anyone with the URL has full read/write access to the session draft until it's swept. Don't share a session URL unless you intend the recipient to be able to edit it.

7. Legal basis (GDPR)

If you're in the EU/EEA or UK, our legal bases for processing are:

Contract performance for saving templates, serving the studio, authenticating accounts, and exporting videos.
Legitimate interests for telemetry, security monitoring, and product improvement. You can object via the rights section below.
Consent for welcome emails and any optional cookies set by Analytics or Clarity.

8. Your rights

Regardless of where you live, you can:

Access — request a copy of the data we hold about you.
Delete — delete any saved template yourself from the Templates page. To delete your entire account, contact us via the homepage form.
Correct — change your display name and email in your Google account; both flow into Shimga.
Opt out of analytics — block third-party trackers in your browser, or use a privacy-focused browser.
Object — to telemetry processing, by signing out and using Shimga with cookies blocked.
Complain — to your local data-protection authority. In the EU, the supervisory authority of your member state.

9. California (CCPA)

If you are a California resident, you have the right to know what personal information we collect, to delete it, and to opt out of any sale. We do not sell personal information as that term is defined by the CCPA. Use the rights listed in §8 to access or delete your data.

10. Cookies & local storage

Shimga uses browser localStorage for scene state, preferences, and theme — no cookie banner needed for those because they are functional, not tracking, storage. Google Analytics and Microsoft Clarity set their own cookies for analytics and may be blocked at the browser level without breaking the Service.

11. Children

Shimga is not directed to children under 13 (or 16 in the EU/EEA). If you become aware of an account that belongs to a child under that age, contact us and we will delete it promptly.

12. Security

We use TLS in transit on every connection, encryption at rest from our providers, scoped service-account credentials for server-side Firebase access, and short-lived presigned URLs for direct-to-storage uploads. No system is perfectly secure; report suspected vulnerabilities to us via the homepage form.

13. Changes

We may update this Policy. The "Effective" date and version at the top reflect the most recent change. Material changes — anything that expands what we collect or how we use it — will be announced in-app for at least 14 days before taking effect.

14. Contact

Questions, deletion requests, or access requests? Use the contact form on the homepage. Include the email tied to your account when applicable.