Legal
A detailed overview of how ASMR DIY handles data — our architecture, security practices, and compliance measures.
Effective Date: April 7, 2026
ASMR DIY follows a local-first architecture. Most user data — recordings, custom sounds, preferences — lives on your device and never touches our servers. Server-side storage is limited to authentication, subscription management, and voluntarily shared Community content.
Recordings, custom sounds, preferences, cached plan data, volume settings
Account (email, username, hash), plan/trial, usage count, Community sounds
Text-to-speech synthesis, sound generation (transient, not stored)
Subscription billing, payment processing
Pseudonymous usage analytics, screen views, app performance (internal user ID, no names or emails)
Data Storage Practices
What is stored: User accounts (email, username, bcrypt-hashed password), subscription plan and trial status, monthly character usage count, and Community-shared sounds (audio files, metadata).
Encryption: All database connections use TLS/SSL. Passwords are hashed with bcrypt (never stored in plain text). Authentication tokens are generated server-side with cryptographic randomness.
Location: Hosted on Replit's infrastructure with encrypted storage.
What is stored: Session recordings (file system), custom Sound Crafter outputs (file system), app preferences (AsyncStorage), cached plan info (AsyncStorage).
Encryption: Protected by your device's native encryption (iOS Data Protection, Android file-based encryption). Sensitive items like auth tokens use the platform's secure storage.
Transmission: Local data is never transmitted to our servers unless you explicitly share a recording to the Community tab.
AI Whisper text: Your text prompt is sent to our server, forwarded to ElevenLabs, and discarded after the audio response is returned. It is not logged or persisted.
Sound Crafter prompts: Same as Whisper — forwarded to ElevenLabs and discarded after generation.
Session rendering: During server-side audio mixing, temporary audio files are created in the system temp directory and deleted immediately after the mixed file is returned.
Data Retention & Deletion
Server-side data is retained as long as your account is active. Local data is retained as long as the App is installed on your device.
When you request account deletion (via email to maiboxingcoach@gmail.com), we will:
Local data on your device is not affected by server-side deletion. To remove local data, uninstall the App.
Cancelling your subscription does not delete your account. Your account data is retained so you can resubscribe in the future. To fully delete your data, request account deletion separately.
Third-Party Data Processing
Data sent: Text prompts for voice synthesis (Whisper) and sound generation (Sound Crafter). Prompts are limited to 250 characters.
Data NOT sent: Your name, email, account ID, device ID, or any personal identifier. Requests are anonymous from ElevenLabs' perspective.
Retention: ElevenLabs processes requests according to their own data retention policies. See ElevenLabs Privacy Policy.
Data sent: App Store transaction identifiers for subscription validation.
Purpose: Manages subscription state, entitlements, and plan identification across the App.
Policy: RevenueCat Privacy Policy
Data sent: Payment information provided by you directly to Stripe's secure checkout. We never receive or store your card details.
Purpose: Processes web subscription payments.
Policy: Stripe Privacy Policy
Data sent: Usage events (screen views, feature interactions, app performance metrics), device type, operating system version, app version, a pseudonymous internal user ID, and user properties (subscription plan tier and trial status).
Data NOT sent: Your name, email address, or username are not sent to Firebase Analytics. The internal user ID is numeric and pseudonymous — it cannot identify you without access to our server database.
Retention: Google retains analytics data according to the configured retention period (default 2 months for user-level data). Aggregated reporting data is retained indefinitely.
Policy: Google Privacy Policy
COPPA Compliance
ASMR DIY is not directed at children under 13 years of age. We do not knowingly collect, use, or disclose personal information from children under 13. Account creation requires users to be at least 13 years old.
If we become aware that we have collected personal information from a child under 13, we will take immediate steps to delete that information. If you believe a child under 13 has created an account, please contact us at maiboxingcoach@gmail.com.
International Data Considerations
ASMR DIY's server infrastructure is hosted in the United States. If you access the App from outside the United States, your data (account information, usage data) may be transferred to and processed in the United States.
By using the App, you consent to the transfer of your information to the United States, which may have different data protection laws than your country of residence.
For EU/EEA users: We process data based on contractual necessity (providing the service you subscribed to) and legitimate interest (maintaining security and preventing abuse). We do not engage in profiling or automated decision-making.
Security Practices
Contact & Related Pages
For questions about our data practices, compliance, or to submit a data request: