Privacy Policy

Last updated: May 1, 2026

This Privacy Policy explains how DuoMidi ("we", "us") collects, uses, and protects information when you use the DuoMidi service available at duomidi.fly.dev (the "Service"). DuoMidi is operated by Frederico Guth, an individual based in Brasília, Brazil.

1. Who we are

Controller: Frederico Guth (pessoa física), Brasília, Brazil. Contact: fredguth@fredguth.com.

2. Information we collect

2.1 Account information

When you sign in with Google, we receive your email address, name, profile picture, and Google account identifier. This information is stored by our authentication provider, Supabase.

2.2 Session metadata

When you join a session, our signaling server records the room identifier, connection timestamps, and your IP address (in transient server logs) so that two peers can establish a direct WebRTC connection.

2.3 Camera, microphone, and MIDI streams

Audio, video, and MIDI data exchanged during a session are transmitted directly between you and your session peer over a peer-to-peer WebRTC connection. We do not record, store, intercept, or have access to the contents of these streams. Our servers only relay the initial connection metadata (SDP and ICE candidates) needed to establish the peer-to-peer link.

2.4 What we do NOT collect

  • No analytics or tracking pixels.
  • No advertising identifiers.
  • No recordings of your performance, audio, video, or chat.
  • No persistent log of your MIDI notes.

3. How we use information

  • To authenticate you and maintain your account.
  • To connect you with your session peer.
  • To diagnose technical issues and prevent abuse.
  • To comply with applicable legal obligations.

4. Cookies

We use a single session cookie issued by Supabase to keep you signed in. We do not use advertising or third-party tracking cookies.

5. Third parties and sub-processors

To deliver the Service, we rely on the following providers:

  • Google — OAuth identity (sign-in).
  • Supabase — authentication and database.
  • Fly.io — application hosting (São Paulo region).
  • Google STUN servers (stun.l.google.com) — used to discover network paths for peer-to-peer connections. Only IP/port pairs are exchanged; no media flows through these servers.

6. International data transfers

Some of our sub-processors (Google, Supabase) may process data in countries outside Brazil. Where required, transfers rely on contractual safeguards offered by those providers.

7. Data retention

Account data is kept for as long as your account exists. Signaling logs are short-lived and rotate automatically. You may request deletion of your account at any time by contacting us.

8. Your rights

Under the LGPD (Brazil) and, where applicable, the GDPR (EU), you have the right to access, correct, delete, and port your personal data, to object to or restrict certain processing, and to withdraw consent. To exercise these rights, email fredguth@fredguth.com.

9. Security

All connections to the Service use TLS encryption. Authentication is delegated to Google via OAuth. Because session media is peer-to-peer, it never traverses our servers.

10. Children

The Service is open to users of all ages. Where required by law, a parent or legal guardian should review this policy and supervise a minor's use of the Service.

11. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of the page reflects the latest revision. Material changes will be communicated through the Service.

12. Contact

Questions about this policy: fredguth@fredguth.com.