What we keep. And what we don't.

Sonant is built by TB Tech, a one-person studio. We don't run analytics, we don't drop cookies, we don't fingerprint your browser, and we don't sell anything about you to anyone. This page exists to tell you exactly what does get stored when you interact with us, why, and how to make it go away.

Last updated: 26 May 2026

1. Who we are

Sonant is a product of TB Tech, an independent macOS software studio. The data controller for everything described on this page is TB Tech, contactable at [email protected]. There is no data protection officer because we are too small to be required to appoint one — emails go to a real human who reads them.

2. What we collect when you visit this site

Nothing. sonant.tbtech.app runs no analytics, no tag managers, no advertising pixels, no session replay, no heatmaps, and no cookies. Your IP address is processed by Cloudflare's edge to deliver the page to you, but we never see it and it isn't logged for our use.

3. What we collect when you subscribe to the newsletter

When you submit your email through the subscribe form, we store the following in a Cloudflare D1 database:

• Your email address. So we can email you when something worth saying actually happens — launches, big updates, occasional behind-the-scenes notes.
• A list slug (always newsletter) so the same row works regardless of which TB Tech site you signed up from.
• The date and time of your sign-up.
• Your browser's User-Agent string and the referring page, kept for spam triage and truncated to 255 characters. Not used for marketing or profiling.
• The country your request originated from (a two-letter ISO code derived from your IP at request time). We never store the IP itself.

That's the entire row. There is no name field, no postal address, no phone number, no birthday, no checkbox preferences. We don't track which links you click in our emails because we don't add tracking pixels.

4. Why we collect it (lawful basis)

Under GDPR Article 6, the processing has two lawful bases:

• Consent (Art. 6(1)(a)) covers storing your email and sending you occasional newsletter emails — launches, big updates, behind-the-scenes notes. The act of submitting the form is the consent. Submission is voluntary; there is no consequence for not signing up.
• Legitimate interest (Art. 6(1)(f)) covers the User-Agent / referrer / country fields, which exist to keep bots from filling our database with garbage. We've balanced this against your privacy by truncating, never logging IPs, and never sharing the data with third parties.

5. Where it lives and how long

Your row is stored in a Cloudflare D1 database (a managed SQLite instance) in Cloudflare's network. We retain it for as long as you stay subscribed. The moment you unsubscribe (one click — see below), the row is marked inactive, excluded from every future send, and permanently deleted from the database within 30 days. If TB Tech ever shuts the newsletter down, the entire table is archived and then deleted within 90 days.

6. Who else sees it

Nobody. We do not sell, rent, share, license, or otherwise hand your data to advertising networks, data brokers, social platforms, or AI training companies. The only third parties that touch any byte of it are:

• Cloudflare — hosts the D1 database, the worker that writes to it, and the website that serves the form. Cloudflare's processing is governed by their privacy policy and their EU/UK data processing addendum.
• Resend — used to send each newsletter email. Resend sees your email address at the moment of sending, governed by their privacy policy.

Both providers act as data processors under our instructions. Neither uses your data for their own marketing.

7. Your rights

If GDPR (EU/UK), KVKK (Turkey), or similar data-protection law applies to you, you have the right to:

• Access the data we hold about you.
• Correct it if it's wrong.
• Delete it (right to erasure / right to be forgotten).
• Withdraw your consent at any time.
• Receive a copy in a portable format.
• Object to or restrict our processing.
• Lodge a complaint with your local supervisory authority.

To exercise any of these, just email [email protected]. Because we're small, we usually act on the request the same day. We will not ask you to "verify your identity" by sending us an ID card — your request from the email address on file is sufficient.

8. Unsubscribing

Every newsletter email we send has a one-click unsubscribe link in the footer (and an RFC 8058 List-Unsubscribe header so Gmail and Apple Mail can show their own unsubscribe button). Clicking it instantly marks your row inactive without requiring you to log in to anything, confirm by email, or answer "are you sure?" prompts. If the link is ever broken, emailing [email protected] with the word "unsubscribe" will remove you the same day.

9. Cookies and tracking

None. We don't use cookies, localStorage, sessionStorage, or any other client-side persistence on the marketing sites. No analytics scripts, no Google Analytics, no Facebook Pixel, no Plausible, nothing.

10. Anonymous app pings (Sonant)

The Sonant macOS app sends one tiny POST request to newsletter.tbtech.app/ping at most once every 24 hours so we can count how many active installs there are. The payload is exactly four fields:

• An anonymous install ID — a random UUID generated locally on your Mac the first time the app launches and stored in UserDefaults. It is not derived from your hardware UUID, your license key, your Apple ID, or anything else that could identify you.
• The app slug (always sonant).
• The app version (e.g. 1.0.0).
• Your macOS major version (e.g. 14) so we know which OS versions to keep supporting.

Cloudflare's edge derives a 2-letter country code from your IP at request time so we know roughly where active installs are. Your IP itself is never logged. The server stores one row per install and updates a last_seen timestamp. No track titles, no listening time, no playback history, no email — nothing about what you actually do with the app — is ever sent.

Listening stats stay local. The "Today / This Week / Top Artists" data shown in Sonant's right-click menu is computed from a file stored only on your Mac and is never transmitted anywhere. The same applies to the "Recently Played" history.

Opting out. Right-click the Sonant pill, open Settings → General → Privacy, and turn off "Send anonymous usage data." The app will immediately stop pinging and will never resume until you re-enable it. Rows for installs that haven't pinged in 30 days are deleted from our database, so opting out also ages your row out within a month.

11. The live visualizer (optional, opt-in)

Sonant includes an optional live visualizer that makes the menu bar bars react to the actual audio coming out of Music or Spotify. It is off by default and only turns on when you explicitly choose "Allow" — either during first-run setup or by enabling Live audio capture under Settings → General → Audio Analysis.

When enabled, Sonant uses macOS's CoreAudio process tap (macOS 14.2+) to read the audio output of Music and Spotify in real time. macOS gates this API behind the standard Microphone privacy permission, which is why your Mac asks for it. No audio is recorded, written to disk, or sent over the network. Samples flow into a 1024-point FFT, get reduced to four band-amplitude numbers, drive the bars, and are then immediately discarded. Music continues to play normally through your speakers — the tap is a read-only branch of the signal.

You can turn the live visualizer off at any time from Settings → General → Audio Analysis. When off, Sonant makes no audio capture calls and the bars revert to a synthetic animation.

12. Lyrics

When you open the Now Playing preview or enable the Current lyric line toggle on the widget, Sonant fetches synced lyrics from lrclib.net, a free no-auth lyrics catalog. The request includes the track title, artist, and album of whatever's currently playing. We do not send your install ID, IP (other than the standard TCP header), or any account information. lrclib.net's response is cached in memory only — it isn't written to disk and disappears when you quit Sonant. If you never open the preview and never enable the widget's lyric row, Sonant never contacts lrclib.net.

13. Streaming-service account connections (optional)

If you click Settings → Accounts → Connect Spotify, Sonant runs the standard Spotify OAuth flow with PKCE. You sign in on Spotify's website (not Sonant) and grant the user-read-playback-state scope. Spotify returns an access token + refresh token to a loopback listener on your machine; we store both in macOS's Keychain under your user account, scoped to Sonant's bundle identifier. We use the access token only to fetch your upcoming-queue list when Spotify is the active player so we can populate Sonant's Up Next submenu. We never see your password, and the tokens never leave your Mac (other than being sent directly back to Spotify on each API call). Disconnecting from the same settings panel deletes both tokens from Keychain immediately.

14. Children

Our products and newsletter are not directed at children under 16. We don't knowingly collect data from anyone in that age range. If you believe we have, email us and we'll delete it immediately.

15. International transfers

Cloudflare and Resend operate global edge networks. Your data may be processed in any region they operate in, including outside the EU/EEA. Both providers maintain Standard Contractual Clauses for international transfers under GDPR Chapter V.

16. Changes to this page

If we change anything about how we handle your data, we'll update the "Last updated" date at the top of this page and, for material changes, email every active newsletter subscriber before the new policy takes effect.

17. Questions

Anything unclear, anything missing, anything you want changed? Email [email protected]. A real person will write you back.