Privacy Policy

Last updated: 14 July 2026

App: ArcaLyra

Developer and Data Controller: Birk Roolf

Address: Ahornstraße 1, 75045 Walzbachtal, Germany

Contact: hello@arcalyra.app


1. General Information

ArcaLyra can generally be used without creating a user account and without providing a name or email address.


The app processes data only where necessary to provide its functions, verify subscriptions and access permissions, protect the access system against misuse, and generate strictly limited aggregated usage statistics.

ArcaLyra does not use advertising, personalized advertising, cross-app tracking, or user profiling.

Some functions, including subscription verification, purchases, access-code redemption, and aggregated usage statistics, require an internet connection. Imported sheet music and the main editing and viewing functions remain locally available on the device.

2. Local Data Processing

All content created or imported within ArcaLyra, including sheet music, images, PDF files, annotations, settings, markings, set lists, tutorial progress, and edited files, is generally stored locally on the user’s device.

ArcaLyra does not automatically transmit this content to the developer, to the ArcaLyra server, or to third parties.

Only when the user deliberately uses an export, backup, or sharing function and selects an external destination or service will the selected files be transferred to the destination chosen by the user.

The privacy policy of the selected external provider applies to any processing performed by that provider.

3. Camera Permission

ArcaLyra may request access to the device camera.

The camera is used only to photograph or scan sheet music inside the app.

Camera images are captured only when the user actively initiates the capture. They are processed locally on the device and are stored only when the user accepts or imports them.

Camera images are not transmitted to the ArcaLyra server and are not used for analytics or access verification.

4. Microphone Permission

ArcaLyra may request access to the device microphone.

The microphone is used only for functions such as the tuner.

Audio input is processed locally and in real time for the selected function. ArcaLyra does not transmit microphone audio to the ArcaLyra server and does not use microphone data for analytics or access verification.

5. File Access and Storage

ArcaLyra accesses external files or folders only when the user explicitly selects them through the operating system’s file or folder picker. This access may be used to import sheet music or

other supported content, restore a backup, or, on supported platforms, save exports and backups to a user-selected destination.

Imported content is copied to ArcaLyra’s local app storage and is displayed and edited there.

Sheet music, images, PDF files, annotations, and other editing content are not transmitted as part of aggregated usage statistics or license verification.


6. Google Play Billing and Subscriptions

ArcaLyra uses Google Play Billing to manage subscriptions and purchases on Android.

Payment, billing, Google-account, and subscription information is processed by Google.

ArcaLyra does not receive complete payment details and does not store credit-card, bank-account, or other complete payment information.

The app receives only the technical information required to recognize a purchase or active subscription and unlock access to the app.

For offline subscription verification, ArcaLyra stores a technical subscription status locally on the device. This may include:

- the detected subscription status

- the product identifier

- the app version and build number

- the time of the most recent successful verification


This allows a successfully verified subscription to remain available offline for up to 14 days after the most recent successful online verification.

This local subscription-verification file is not transmitted to the ArcaLyra server.

Further information about data processing by Google:


https://policies.google.com/privacy


7. Reviewer, Campaign, and Access Codes

ArcaLyra provides technical access codes, for example for app reviews or time-limited campaigns.

When an access code is redeemed, the following information is transmitted to the ArcaLyra access service using an encrypted connection:

- the entered and normalized access code

- a randomly generated installation identifier

- the device platform

- the app version

- the build number


The access code is not stored on the server in plain text. Only a cryptographic hash of the normalized code is stored.


The installation identifier is also stored in the database only in hashed form.


The server additionally stores the technical information required to manage the issued access permission. This may include:


- the type of access

- the platform

- the validity period

- the date and time of issuance and verification

- the number of redemptions

- the revocation status

- the app version and build number


The random installation identifier is stored locally on the device for as long as the app data remains installed.

It is used only to bind an issued access permission to that installation, enable offline verification, renew eligible campaign access, and prevent abusive multiple redemptions.

After successful verification, the app receives a digitally signed access entitlement. This entitlement is stored locally and can be verified offline during its validity period.

Access-code processing does not transmit names, email addresses, payment information, Google accounts, advertising identifiers, sheet music, images, PDF files, annotations, or other editing content.

The processing is necessary to provide the access requested by the user and to protect the access system against manipulation and misuse.

8. Aggregated Usage Statistics

ArcaLyra transmits strictly limited usage events to the ArcaLyra server.

Only counting events relating to the following actions are recorded:

- the app or main menu was opened

- the subscription screen was displayed

- the monthly subscription option was selected

- the yearly subscription option was selected

- a purchase was started

- a purchase was completed successfully

- a purchase was cancelled

- the access-code section was opened

- an access code was redeemed successfully

- an invalid access code was entered

- a technical error occurred during access-code verification

Only the following technical information is transmitted with each event:

- the event type

- the platform

- the app version

- the build number

- a random event identifier generated only for that individual event

The event identifier is never reused. It cannot be used to link multiple events to the same user, installation, or device.

The server stores only a cryptographic hash of the event identifier in order to prevent the same event from being counted more than once. This hash is deleted after no more than seven days.

The resulting statistics contain only aggregated daily totals grouped by:

- event type

- platform

- app version

- build number


The usage statistics do not use:

- a device identifier

- the access-system installation identifier

- a daily user identifier

- an advertising identifier

- a Google-account identifier

- a store identifier

- any other recurring analytics identifier


It is therefore not possible to determine which statistical events originated from the same user, installation, or device.

ArcaLyra does not create usage profiles and cannot follow the behavior of an individual user across multiple events.

The following information is not transmitted for usage statistics:

- names or email addresses

- Google accounts or payment information

- advertising or device identifiers

- precise location information

- sheet music, images, or PDF files

- annotations, edits, markings, or set lists

- microphone or camera content


The purpose of the aggregated statistics is limited to understanding the basic use of the app and purchase process, detecting technical problems, and improving the app functionally and economically.

The processing is based on the developer’s legitimate interest in privacy-preserving functional monitoring and improvement of the app, purchase process, and access system.

Aggregated daily totals may be stored for the long term because they cannot be assigned to an individual user or device.


9. Email Contact, Feedback, and Bug Reports

If users send feedback, bug reports, or support requests, this is done through the email application installed on the user’s device.

Only the information, text, and attachments selected or entered by the user before sending the email are transmitted.

ArcaLyra does not secretly collect or attach imported sheet music, images, PDF files, microphone recordings, or other personal content.

Contact information and message content may be stored for as long as necessary to process the request, provide support, resolve technical problems, or comply with legal retention obligations.


10. Technical Service Provider Cloudflare

ArcaLyra uses Cloudflare Workers and Cloudflare D1 to operate the access service and store the aggregated usage statistics.

The ArcaLyra D1 database is restricted to the European Union jurisdiction. The database therefore runs and stores its data within the European Union.

ArcaLyra does not store IP addresses in its D1 database.

Persistent Worker logs, traces, and log exports are disabled for the ArcaLyra access service.

Cloudflare may nevertheless process limited connection and network information as part of the technical transmission, network security, and protection against misuse. This may include the IP address used to establish the connection.

Cloudflare is a company based in the United States. Where processing takes place outside the European Economic Area, Cloudflare states that it uses appropriate safeguards for international data transfers.

Further information about Cloudflare’s processing practices:

https://www.cloudflare.com/policies/privacy/


11. Data Sharing and Sale

ArcaLyra does not sell or rent personal data.

Personal data is not shared for advertising, personalized advertising, marketing profiles, or cross-app tracking.

Technical data is transmitted only where required to:

- process subscriptions through Google Play

- operate the ArcaLyra access service

- provide aggregated usage statistics

- process an email or support request initiated by the user

- use an external export, backup, or sharing destination deliberately selected by the user


12. Storage Periods

Locally stored content remains on the device until it is deleted by the user, the app data is removed, or the app is uninstalled.

Technical hashes used to prevent duplicate analytics events are deleted after no more than seven days.

Aggregated daily statistics may be retained for the long term because they cannot be assigned to a user, installation, or device.

Information relating to access codes and issued access permissions is stored for as long as necessary to provide, verify, renew, or revoke the access and to prevent misuse.

Support emails and any personal data contained within them are deleted when they are no longer required to process the request or comply with applicable legal obligations.


13. User Rights

Where personal data is processed, users may have the following rights under applicable data-protection law:

- the right to access their personal data

- the right to correct inaccurate data

- the right to request deletion

- the right to restrict processing

- the right to data portability

- the right to object to processing based on legitimate interests

Requests or objections can be sent to:


hello@arcalyra.app


Because the aggregated usage statistics do not contain a user, installation, or device identifier, individual statistical events cannot later be assigned to a particular person or selectively removed from the aggregated totals.

Users also have the right to lodge a complaint with a competent data-protection supervisory authority.


14. Hosting of This Privacy-Policy Page

This privacy-policy page is hosted as part of the official ArcaLyra website using Squarespace.

When this page is accessed, Squarespace may process technical connection information as described in the Website Privacy Policy.

Further information about the processing of personal data on this website is available in the separate Website Privacy Policy.

15. Changes to This Privacy Policy

This privacy policy may be updated when app functions, technical processes, service providers, or legal requirements change.

The current version is available through the privacy-policy link provided in Google Play and within the ArcaLyra app.