Privacy

Last updated: 6 May 2026.

This page is in English. Translated legal text is intentionally not provided in v1 — translation nuance errors in legal copy are not something automated review can reliably catch. We will revisit when a professional translation review is in place.

1. Who we are

The website at ombs.io and the Echobox music player are operated by OMBS ("One Man Band Studios", "we", "us"), a sole-trader studio established in England and Wales. OMBS is the data controller for the personal data described in this policy.

For privacy queries, write to privacy@ombs.io.

2. What this policy covers

This policy applies to three audiences, each described in its own section below:

  • Visitors to the OMBS website (ombs.io and api.ombs.io).
  • Users of the Echobox app (Android, Linux, Windows; iOS / macOS pending).
  • Newsletter subscribers who hand us an email address.

Where the same processing applies to all three, we say so once. Where it differs, we say so explicitly.

3. Website visitors

When you load any page on ombs.io or the Echobox app contacts api.ombs.io, the following processing happens.

Cloudflare (essential infrastructure)

The website is served from Cloudflare's edge network. Cloudflare automatically processes request metadata — IP address, user-agent, requested URL, timestamp — to deliver the response, mitigate abuse, and provide network-security protections. This processing is a contractual necessity (we can't serve a webpage without it) and a legitimate interest in protecting our infrastructure from attack. Cloudflare is a sub-processor; their privacy practices are at cloudflare.com/privacypolicy.

Google Analytics 4 (optional)

With your explicit consent, the site uses Google Analytics 4 (measurement ID G-JF5L85QJC0) to count pageviews and understand which content is read. GA4 is off by default: the cookie banner shown on your first visit gives you Accept and Reject buttons, and we only load Google's tracker if you click Accept. Click "Cookie preferences" in the footer to change your mind any time.

When enabled, GA4 sets cookies (_ga, _ga_<ID>) that persist for up to 13 months, and sends events to Google. We have IP anonymisation and ads-data redaction enabled. Google's privacy practices are at policies.google.com/privacy.

Embedded social links

The site footer links to our profiles on X, GitHub, Instagram, YouTube, and Reddit. Following any of those links sends your browser's referrer + IP to those platforms, governed by their own policies. We do not embed their tracking scripts on the site itself.

Cookies and similar storage

Name | Set by | Purpose | Duration | Category
cookie_consent_v1 | OMBS (this site) | Remembers your cookie banner choice (technically a localStorage entry, not a cookie). | Until you clear browser storage | Strictly necessary
_ga | Google (only if you Accept) | GA4 visitor identifier. | 13 months | Analytics (opt-in)
_ga_<ID> | Google (only if you Accept) | GA4 session state. | 13 months | Analytics (opt-in)

We use no advertising, social, or fingerprinting cookies. There are no third-party cookies on this site beyond the GA4 pair listed above (which only load with your consent).

api.ombs.io (Echobox app)

The Echobox app contacts api.ombs.io for two purposes only:

  • GET /v1/version — once per launch, returns the latest available app version. Cloudflare logs the request as described above.
  • POST /v1/lastfm — only if you have configured Last.fm scrobbling, and only when a scrobble or now-playing update needs Last.fm-side signing. Our Cloudflare Worker performs the signing and forwards your request to Last.fm verbatim. The Worker does not persist request bodies; Cloudflare's edge logs include request metadata (not body).

4. App users — local-only by default

Out of the box, with no add-ons enabled and no servers configured, nothing leaves your device.

The app stores the following on disk:

  • A SQLite library database — track listings, scan state, smart playlists, and any add-on data (audiobook bookmarks, smart playlist rules, Subsonic server URL + username if you connect one, scrobble queue entries waiting to be uploaded). The database is not encrypted at rest. We recommend full-disk encryption (BitLocker, FileVault, dm-crypt, Android device encryption).
  • An artwork cache — embedded covers extracted from your music files plus anything downloaded by the optional Artwork Backfill feature.
  • A crash log (crash_log.jsonl in the app data directory) — local panic backtraces and Flutter framework errors. Track titles are dropped before write (from version 0.9.0 onwards); file paths are scrubbed; older entries may have track titles and rotate out within 100 entries.
  • Voice memos recorded by the Ideas Recorder feature — see Section 9.
  • Sensitive credentials (your Last.fm session key, your ListenBrainz token, your Subsonic password) are kept in your operating system's secure store: Android Keystore, iOS Keychain, Windows DPAPI, Linux libsecret. They are not stored in the SQLite library database.
  • A handful of small preference files (Sentry opt-in marker, last-played track, scan resume cursor, and a randomly-generated 16-byte anonymous user ID used only by Sentry — see Section 7).

On Android, backup is disabled (android:allowBackup="false"); the SQLite library DB and crash log are excluded from Google Drive auto-backup and device-to-device transfer.

5. App users — network features

Echobox initiates network connections only when you use a feature that needs the network. Each feature is opt-in.

Feature | Endpoint | Trigger
Subsonic / Navidrome streaming | Your configured server | Tap a server-hosted track or browse the server
UPnP / DLNA / Cast output | UPnP renderers + Cast receivers on your local network | Discover or play to a network device
SoundTouch LAN control | Bose SoundTouch devices on your local network | Discover or control a SoundTouch device
Internet radio | radio-browser.info (DNS-resolved mirrors) | Browse the radio directory
Scrobbling — Last.fm | api.ombs.io (signing proxy) → Last.fm | Scrobbling enabled and a track is playing past threshold
Scrobbling — ListenBrainz | api.listenbrainz.org | Same as above for ListenBrainz
Lyrics lookup | lrclib.net | Tap "Find lyrics" or run the bulk lyrics scanner
Artwork backfill | iTunes Search API, MusicBrainz Cover Art Archive | Run the Artwork Backfill workflow
Update check | api.ombs.io/v1/version | Once per launch (cached at the edge for 1 hour)
Crash reporting | sentry.io | Only if you opt in via Settings → Diagnostics

Scrobble payload

A scrobble (Last.fm or ListenBrainz) sends the artist, track title, album, duration, and a wall-clock timestamp. Both services link the scrobble to the account whose session key / token you configured. We never see scrobble content; the Last.fm signing proxy on api.ombs.io forwards your request verbatim and does not log the body.

Last.fm OAuth callback

The Last.fm authorisation flow opens your browser, you grant the app access, and Last.fm redirects to eb2://lastfm-callback?token=…. Echobox accepts that callback only within 10 minutes of you tapping "Connect Last.fm" (defence-in-depth against stale or third-party callback hijack). The exchanged session key is stored in your OS secure store; the token is single-use and discarded.

Cleartext (HTTP) traffic

Echobox does not initiate cleartext (HTTP) traffic to any pre-configured destination. Subsonic, UPnP, SoundTouch, and Radio-Browser endpoints are user-configured: if you point Echobox at http://my-home-server:4040, the request is plaintext because you chose a plaintext server. Outbound connections to ombs.io services are HTTPS-only. We recommend HTTPS for any Subsonic-class server you administer.

Android — exposed artwork provider

On Android, album art is exposed via a ContentProvider at content://io.ombs.echobox.artwork/<path> so that Android Auto, Bluetooth media controllers, and Wear OS companions can render album covers without per-URI permission grants. Only artwork is exposed; track metadata + the library DB are not.

iOS — local-network and Bluetooth permission prompts

On iOS, the operating system prompts you for permission the first time the app reaches for the corresponding capability:

  • Local Network — required to discover UPnP / DLNA renderers and Cast receivers on your Wi-Fi network. Used only for that discovery and for sending control commands you initiate (play, pause, set volume).
  • Bluetooth — required to read codec / output-route information from connected Bluetooth audio devices for the Signal Path inspector and to deliver audio. Echobox does not act as a Bluetooth peripheral, does not advertise, and does not pair with devices on its own.

You can revoke either permission any time in iOS Settings → Echobox; the corresponding feature stops working until you grant it again. The rest of the app is unaffected.

6. App users — purchases and subscriptions

Echobox has a free tier and paid tiers. The free tier is local-only — no account is needed and no purchase metadata exists. The paid tiers vary by platform and each involves a third-party payment processor.

Android — Google Play Store (one-time purchase)

The full feature set is unlocked by purchasing a separate companion app ("Echobox Pro Unlocker", or similarly named) on the Google Play Store. Google handles the transaction; we never see your payment instrument or full Google account. The app uses Google Play's Licensing Verification (or equivalent) to confirm that your Google account owns the Unlocker, and unlocks features locally based on the result. The verification check is sent to Google's servers; we do not log it.

iOS — Apple App Store (subscription)

The full feature set is available via a recurring subscription processed by Apple. Apple handles the transaction; we never see your payment instrument or full Apple ID. We receive an App Store receipt (a signed token) which we validate to confirm an active subscription, and unlock features locally based on the result. Apple's privacy practices govern how Apple handles your subscription metadata.

Desktop (Windows, Linux, macOS) — direct purchase

On desktop platforms the subscription is purchased directly from us via our payment processor (currently Stripe; subject to change with notice). The processor handles the payment instrument; we receive: an order ID, your billing email, the country you bought from, and the subscription state (active / past-due / cancelled). We store this minimum set so we can validate your entitlement and contact you about your subscription (renewal reminders, cancellation confirmations, billing failures). We do not store your payment card; that lives with the processor.

Tax records

Where we are the merchant of record (direct desktop subscriptions), UK and EU tax law require us to retain transaction records for a statutory period (typically 6 years). After that, we delete the records or anonymise them.

7. App users — optional crash reporting

Crash reporting is off by default. Turning it on (Settings → Diagnostics → "Send crash reports to Sentry") opts you in to sending crash and error events to Sentry, a third-party telemetry service operated by Functional Software, Inc. (US).

When enabled, Echobox sends:

  • Crash backtraces — Rust panics, Flutter framework errors, and Android native crashes (via the bundled sentry-android NDK signal handler). Desktop SIGSEGV capture is best-effort and may not reach Sentry reliably.
  • Device model, OS version, and app version.
  • A short rolling buffer of breadcrumb events (recent navigation, recent commands) — capped at 15 entries.
  • A randomly-generated 16-byte anonymous user ID (stored at <appSupport>/echobox/anon_user_id). It is not derived from anything you typed; reinstalling regenerates it. It lights up Sentry's "Users Affected" count without identifying you.

Echobox does not send: track titles, library contents, file paths, Subsonic credentials, recordings, or any personally identifying information beyond what is in the backtrace itself. URL credentials (user:pw@host style) and absolute file paths are stripped before the event leaves your device. The first query-string key of any URL is preserved with its value redacted; subsequent query parameters are dropped. Session replay is explicitly disabled. PII forwarding (sendDefaultPii) is off.

You can opt out at any time by toggling the same setting; Echobox closes the Sentry SDK and on Android wipes sentry-android's on-disk envelope queue so any pending events are discarded rather than uploaded.

8. Newsletter subscribers

If you give us your email via one of the signup forms on ombs.io, we store the address (plus the form source — e.g. "homepage splash", "beta signup" — and your locale) on our own infrastructure. We are the data controller and we operate the storage ourselves; your email is not handed off to any third-party newsletter service.

When we begin sending newsletters, delivery will go through a transactional email provider; we will update this section with the provider's name and disclose any cross-border transfer that involves. Until then, your email is stored only and not used for sending.

You can unsubscribe or request deletion at any time by writing to privacy@ombs.io. Once newsletter sending is enabled, every newsletter we send will also include an unsubscribe link.

9. Microphone

Microphone access is used by two optional features. Both run entirely on-device — nothing leaves your device.

  • Ideas Recorder (voice-memo / sketchpad add-on): recording occurs only while you are actively on the Ideas Recorder screen and tap Record. Recordings are saved as audio files in your local Echobox data folder and stay there until you delete them.
  • Room Correction wizard (audiophile add-on): the wizard plays measurement sweeps through your speakers and captures the room's response via the microphone to compute correction filters. The mic stream is used for setup-time microphone health checks and for the measurement passes you trigger explicitly. Raw measurement audio is processed into correction coefficients (an impulse response and EQ filters) stored alongside the rest of your settings; the raw audio is not retained beyond the measurement session.

Permission is requested at runtime when you first use either feature. You can revoke it any time in your OS settings — Ideas Recorder and Room Correction will stop working until you grant permission again, but the rest of the app is unaffected.

10. Storage

Echobox reads audio files from folders you explicitly select. On Android, folder selection uses the Storage Access Framework (a custom in-app browser plus per-folder grants); the app never asks for MANAGE_EXTERNAL_STORAGE.

11. Your rights

Under the UK GDPR / EU GDPR you have the following rights with respect to personal data we hold about you:

  • Right of access — ask for a copy of any personal data we hold (typically: your newsletter email and any Sentry events tagged with your anonymous user ID, if you opted in to crash reporting).
  • Right to rectification — ask us to correct anything inaccurate.
  • Right to erasure ("right to be forgotten") — ask us to delete data we hold. For local-only app data, uninstalling is the deletion. For Sentry events, we'll instruct Sentry to delete events tagged with your anonymous user ID. For newsletter records, unsubscribe + we delete on request.
  • Right to restrict processing — ask us to pause processing while a query is being resolved.
  • Right to data portability — ask for your data in a machine-readable format.
  • Right to object — object to processing carried out on the basis of legitimate interest.
  • Right to withdraw consent — for processing that depends on consent (analytics, crash reporting, newsletter), withdraw any time. Toggling Reject in the cookie banner, toggling Sentry off, and unsubscribing from the newsletter are all in-product withdrawal paths.

To exercise any of these rights, write to privacy@ombs.io. We aim to respond within 30 days.

Data breach notification. If we discover a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the supervisory authority (the UK ICO) within 72 hours of becoming aware of the breach, in line with our obligations under UK GDPR Articles 33 and 34. Where the breach is likely to result in a high risk, we will also notify affected users without undue delay, by email where we have one.

12. International transfers

Some of our processors are based outside the UK / EEA:

  • Sentry — Functional Software, Inc., United States. If you opt in to crash reporting, your events transfer to the US under the EU-US Data Privacy Framework / UK extension, supplemented by Standard Contractual Clauses where applicable.
  • Google Analytics — Google LLC, United States. If you accept analytics cookies, GA4 events transfer to the US under the same framework.
  • Cloudflare — Cloudflare, Inc., global anycast network (your traffic terminates at the nearest Point of Presence; logs are processed in regional clusters).
  • Stripe — Stripe, Inc., United States. If you take a desktop subscription, payment processing happens via Stripe under the EU-US Data Privacy Framework / UK extension and Stripe's data-processing addendum.
  • Apple / Google — your iOS App Store / Google Play Store relationship is governed by Apple's and Google's own privacy policies, which include international transfers we have no control over.

Your local Subsonic server, your Last.fm / ListenBrainz account, and any UPnP / DLNA / Cast renderer you connect to are not our processors — your data flow to those services is governed directly by your relationship with their operators.

13. Legal basis (Art. 6 GDPR)

Processing | Legal basis
Cloudflare edge logs (essential delivery) | Legitimate interest (Art. 6(1)(f)) — secure delivery of the service
Google Analytics 4 | Consent (Art. 6(1)(a))
Sentry crash reporting | Consent (Art. 6(1)(a))
Newsletter email + label | Consent (Art. 6(1)(a))
App's local data (library, settings, cache) | Contract / performance of the service (Art. 6(1)(b)) — stored locally on your device, not by us
Update check (api.ombs.io/v1/version) | Legitimate interest (Art. 6(1)(f)) — tell users about security updates
Last.fm signing proxy | Contract (Art. 6(1)(b)) — necessary to perform scrobbling at your request
Purchases and subscriptions (entitlement validation) | Contract (Art. 6(1)(b)) — necessary to provide the paid features
Tax records for direct desktop sales | Legal obligation (Art. 6(1)(c)) — UK / EU statutory retention

14. Retention

Data | Kept for
Cloudflare edge logs | Up to 30 days, per Cloudflare's retention policy
Google Analytics events | 14 months (GA4 default)
Sentry events | 90 days (Sentry default)
Newsletter member record | Until you unsubscribe or request deletion
Direct desktop subscription record | Active subscription + 6 years (UK / EU statutory tax retention); then deleted or anonymised
Google Play / Apple receipt validation | Cached only; we re-validate against Google / Apple as needed
Local crash log on device | Last 100 entries; older rotated out automatically
Local SQLite library + caches | Until you uninstall (we never see them)

15. Children

Echobox is a general-audience music player and is not directed at children under 13 (or under 16 in the EU, where local law sets a higher digital-consent age). We do not knowingly collect personal data from children. If you are a parent or guardian and you believe we hold your child's data, write to privacy@ombs.io and we will delete it.

16. Changes to this policy

We update this policy when our practices change. The "Last updated" date at the top reflects the most recent revision. Material changes will be flagged at the top of the page and, where appropriate, surfaced inside the App.

17. Contact and supervisory authority

For any privacy query — including exercising your rights under Section 11 — write to privacy@ombs.io.

If you believe we have not handled your personal data lawfully, you have the right to lodge a complaint with the supervisory authority in your country. In the United Kingdom this is the Information Commissioner's Office (ICO) at ico.org.uk/concerns. In the EU, contact your national data protection authority. We would appreciate the chance to address your concern first — please reach out to us before lodging a complaint.

US residents. If you reside in a US state with a comprehensive privacy law (including but not limited to California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Indiana, and Delaware), you have rights similar to those described in Section 11 — including the right to know, to delete, to correct, to port, and to opt out of "sale" or "sharing" of personal data. We do not sell or share personal data for cross-context behavioural advertising under any of these definitions. To exercise your rights, contact privacy@ombs.io.

18. Definitions

For clarity:

  • Personal data — any information relating to an identified or identifiable individual (UK GDPR Art. 4(1)).
  • Processing — any operation performed on personal data, including collection, storage, use, transmission, and deletion (UK GDPR Art. 4(2)).
  • Data controller — the entity that determines the purposes and means of the processing (UK GDPR Art. 4(7)). For the data described in this policy, OMBS is the controller.
  • Processor — an entity that processes personal data on behalf of the controller (UK GDPR Art. 4(8)). Sentry, Stripe, Google (for Analytics and Play), Apple, and Cloudflare act as processors for the relevant data flows.
  • Sub-processor — a processor engaged by another processor.
  • Data subject — the individual to whom personal data relates.
  • Consent — a freely-given, specific, informed, and unambiguous indication of the data subject's wishes (UK GDPR Art. 4(11)).
  • Cookie — a small text file stored on your device by your browser. We use the term to also include localStorage entries and similar mechanisms.
  • Sale / sharing (US state laws) — disclosure of personal data to a third party in exchange for monetary or other valuable consideration, or for cross-context behavioural advertising. We do not engage in either.