Privacy Policy

Version 2
Effective Date: June 10, 2026 Last Updated: June 12, 2026



Version 2
Effective Date: June 9, 2026
Last Updated: June 9, 2026

1. Who We Are and How to Reach Us

This Privacy Policy explains how Rhythm Holdings, LLC, a Pennsylvania limited liability company ("Rhythm," "we," "us," or "our"), collects, uses, shares, and protects your information when you use the Rhythm mobile application, our website at my-rhythm.app, and any related services we offer (collectively, the "Service").

Rhythm is a productivity tool for individual content creators. The Service helps you track brand deals, campaigns, deliverables, and payments; extract structured information from contracts you upload using artificial intelligence ("AI Contract Extraction"); and generate a non-binding estimated rate range based on your own deal history and certain general factors ("Valuation Estimator").

For the purposes of the EU and UK General Data Protection Regulation ("GDPR"), Rhythm is the controller of the personal data processed through the Service. This Privacy Policy is incorporated by reference into our Terms of Service.

Contact for privacy questions and requests: Rhythm Holdings, LLC
Easton, PA Email: hello@my-rhythm.app.

By using the Service, you acknowledge the practices described in this Privacy Policy. Where the law requires consent for a specific processing activity, we ask for it separately in the app.

2. Information We Collect

2.1 Information you provide directly

Account and profile. When you create an account we collect your name, email address, and login credentials (managed by our authentication provider; we do not store your password in readable form). During onboarding you may also provide your creator role (e.g., influencer or agency), your content niche, and your social-media handles (e.g., Instagram, TikTok, YouTube, Facebook).

Brand and deal information. As you use the Service you create records that may include: brands you work with (including a brand's name, website, and any contact name, contact email, and notes you choose to enter about a brand representative); campaigns (title, status, contract amount, currency, payment terms, invoice status, agency-fee percentage, whether a deal is gifted, and notes); deliverables (platform, content type, quantity, due dates, notes); and payments (amounts, dates, notes). You may also save settings such as preferred currency, preferred payment methods, an invoice footer, and your time zone.

Documents you upload. When you use AI Contract Extraction, you upload contracts, briefs, screenshots, or other documents (as PDFs, images, or files). These documents are stored on our infrastructure and processed as described in Section 3. These documents frequently contain another party's information — including a brand's confidential terms and the personal details of brand contacts — and may be subject to a non-disclosure agreement that binds you. You are responsible for ensuring you have the right to upload and process each document (see Section 3.4 and the Terms of Service).

Consents and acknowledgments. To create defensible records of agreement, we log when you accept our Terms and this Privacy Policy, confirm you are 18 or older, accept feature-specific terms (such as for AI Offer Review), authorize a social-profile lookup, and acknowledge per-deal AI disclaimers. Each record includes the exact version of the text you saw and a timestamp.

Communications. If you contact us for support or otherwise, we collect the contents of your message and our correspondence with you.

2.2 Public social-profile data you authorize us to fetch

If you add a social handle and authorize a profile lookup, we use a third-party social-data provider to retrieve limited public profile facts from your public profile on the platform you specify — specifically your follower/subscriber count and your profile picture URL. We display your profile picture by linking to the platform's own image URL; we do not store a copy of your profile picture. We ask for your authorization at or before the moment of this lookup. We do not retrieve per-post content, engagement metrics, direct messages, or non-public data.

2.3 Subscription and payment information

Rhythm offers a free tier and a paid subscription ("Rhythm Pro"). We do not collect or store your payment-card or bank-account numbers. In-app purchases on iOS are processed by Apple (and, where Android is offered, by Google Play); where we offer direct or web purchases, they are processed by our third-party payment processor. We use a subscription-management provider to verify your subscription status. From these providers we may receive your subscription status, entitlement details, product identifiers, and transaction metadata (such as purchase and renewal events) so we can provide paid features. Your relationship with the app stores and our payment providers is also governed by their own terms and privacy policies.

2.4 Information collected automatically

When you use the Service, we and our third-party diagnostics provider automatically collect technical and usage data, which may include: device type and model, operating system and version, app version, unique device or installation identifiers, IP address, approximate location derived from your IP address, language and locale, in-app actions and usage patterns, performance data, and crash and error logs.

We have enabled diagnostic features that associate this data with your account and that include session-replay capture, which records interactions and portions of app screens to help us reproduce and fix errors. We collect this data to operate, secure, debug, and improve the Service. We do not collect precise (GPS-level) location, and the app does not request location permission.

On iOS, if you have iCloud enabled, some app data may be backed up to your personal iCloud account under Apple's terms.

2.5 Cookies and similar technologies

Our website uses a minimal set of strictly necessary cookies and similar technologies required to operate the site and remember your preferences. We do not use advertising or cross-site tracking cookies. Our mobile app does not use cookies but uses third-party software development kits (SDKs) described in this policy (such as our diagnostics SDK) and local device storage to function. Where required by law, we will present a cookie/consent control before setting non-essential technologies.

3. AI Features and Your Data

3.1 What our AI features do

AI Contract Extraction uses a third-party large language model to read documents you upload and attempt to identify and structure their terms (for example, parties, fees, deliverables, exclusivity, usage rights, payment terms, and termination). The Valuation Estimator generates a non-binding estimated rate range based on your own inputs and your own prior deals in the app, together with certain general factors. The Valuation Estimator does not compare you against other creators' deals.

3.2 Who processes the data

To provide these features, the contents of the documents you upload — and the relevant fields used for estimation — are transmitted to and processed by our third-party AI provider. Under our commercial terms with that provider, your inputs and the resulting outputs are not used to train its models, and it retains them for a limited period (currently up to 30 days) for operational and trust-and-safety purposes consistent with its commercial API terms, after which they are deleted. You may request the specific identity of this provider (see Section 6). We store the extracted structured output, scores, and your edits to those fields in our database so the feature works without re-processing your document.

3.3 AI output can be wrong — no reliance

AI extraction and estimation are probabilistic and routinely produce errors, including missing or misread clauses, misattributed terms, incorrect dates or amounts, and fabricated ("hallucinated") content. AI output is not legal, financial, tax, or professional advice, and is not a substitute for review by a licensed professional. You are responsible for verifying AI output against the underlying document. See Section 5 of the Terms of Service for the full AI disclaimers, which govern.

3.4 Your responsibility for uploaded content about third parties

Documents and notes you submit often contain information about other people and businesses (for example, a brand's confidential terms and a brand contact's name and email). By submitting them, you represent that you have the right to upload that content and to have it processed as described here, including under any non-disclosure or confidentiality obligation that applies to you. You are responsible for that content; we process it to provide the Service to you.

4. How We Use Your Information and Our Legal Bases

We use personal data to: provide, operate, and maintain the Service; create and manage your account; track your campaigns, deliverables, and payments; provide AI Contract Extraction and the Valuation Estimator; determine your access to paid features; fetch the social-profile data you authorize; respond to your support requests; secure the Service and detect, prevent, and address fraud, abuse, and technical issues; maintain records of your consents and agreements; improve and develop the Service; and comply with our legal obligations and enforce our agreements.

Where the GDPR or UK GDPR applies, we rely on the following legal bases:


Performance of a contract (Art. 6(1)(b)). Creating and operating your account, and delivering the core deal-tracking, AI-extraction, and estimation features you request.

Your consent (Art. 6(1)(a)), which you may withdraw. Fetching public social-profile data, and per-deal AI-processing acknowledgments.

Our legitimate interests (Art. 6(1)(f)), balanced against your rights. Securing the Service; preventing fraud and abuse; debugging via diagnostics and session replay; improving the Service; and keeping records of agreements.

Performance of a contract, and legitimate interests in collecting amounts due. Processing payments and subscription status.

Legal obligation (Art. 6(1)(c)). Complying with legal, tax, accounting, and regulatory obligations, and responding to lawful requests.


If we ever process special-category data, we will do so only on a valid Article 9 condition. You can withdraw any consent at any time without affecting prior processing.

  1. How We Share Your Information

We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We disclose personal data only as described here:

  • Service providers / sub-processors. We share data with vendors who process it on our behalf to run the Service, under contracts that require them to protect it and use it only for our purposes. See the categories in Section 6; you may request the specific identities.

  • Collaborators you invite. If you invite an agency or collaborator to a workspace or campaign, the campaign-related data you choose to share is visible to them.

  • Payment and store providers. The app stores and our payment and subscription-management providers receive the data needed to process purchases and manage subscriptions.

  • Legal, safety, and rights protection. We may disclose data where we believe in good faith it is necessary to comply with law or legal process, enforce our Terms, or protect the rights, safety, or property of Rhythm, our users, or others.

  • Business transfers. If Rhythm is involved in a merger, acquisition, financing, or sale of assets, your data may be transferred as part of that transaction, subject to this policy.

6. Categories of Recipients and Sub-processors

We share personal data with vendors ("sub-processors") that process it on our behalf to operate the Service. Each is bound by written contract to protect your data and to use it only to provide its service to us. Some sub-processors are identified by name below; for those listed by category only, you may request their specific identities and an up-to-date list by contacting us at hello@my-rhythm.app.

Cloud hosting & database. Hosts your account, deal data, and uploaded documents; provides authentication and serverless functions. (United States.)

AI processing (Anthropic, PBC — anthropic.com). Processes uploaded documents and estimation inputs to produce extraction and valuation output. Under our commercial terms with Anthropic, your inputs and outputs are not used to train its models; Anthropic retains them for a limited period (currently up to 30 days) for operational and trust-and-safety purposes consistent with its commercial API terms, after which they are deleted. Anthropic's privacy practices are described at anthropic.com/legal/privacy. (United States.)

Social-profile lookup. On your authorization, fetches your follower count and profile-picture URL from your public social profile. (United States / EU.)

Subscription management. Verifies and manages your subscription status and purchase events. (United States.)

Payment processing. Processes payments for direct or web purchases, where offered. (United States.)

App distribution & in-app billing. Distributes the app and processes in-app purchases — the Apple App Store, and Google Play where Android is offered. (United States.)

Brand logos. Supplies brand logos from a brand name or website you enter (no personal data of yours). (United States.)

Crash & performance diagnostics. Crash, error, performance, and session-replay diagnostics (device data, IP address, diagnostic and interaction data). (United States.)

Device backup. If enabled on your device, backs up app data to your personal cloud backup (Apple iCloud). (United States.)

None of these recipients is authorized to use your personal data for its own purposes, and we do not sell or share your personal data for cross-context behavioral advertising.

7. International Data Transfers

We are based in the United States, and we and our providers process your personal data in the United States and potentially other countries. If you are located in the EEA, the UK, or Switzerland, your personal data is transferred to a country that may not provide the same level of protection as your home jurisdiction. Where we make such transfers, we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and, for Switzerland, the Swiss addendum, together with supplementary measures where appropriate. You may request a copy of the relevant safeguards using the contact details in Section 1.

8. Data Retention and Account Deletion

We retain personal data for as long as your account is active and as needed to provide the Service. We may retain certain data for longer where necessary to comply with legal, tax, accounting, or regulatory obligations, resolve disputes, prevent fraud and abuse, and enforce our agreements — for example, we keep consent and acknowledgment records as evidence of agreement, and transaction records as required by law.

You can delete your account and personal data at any time from Settings → Delete Account, or by contacting us at hello@my-rhythm.app. Deleting your account permanently removes your profile, social handles, brands, campaigns, deliverables, payments, settings, uploaded documents, and associated AI extractions and scores. You may also delete individual campaigns or documents at any time, which removes their associated files. Account deletion is permanent and cannot be undone, except where we are required or permitted by law to retain certain information (such as records of your consents and of your transactions). Residual copies may persist for a limited period in encrypted backups and in our providers' systems until they age out under standard retention cycles.

9. Security

We use reasonable administrative, technical, and organizational measures designed to protect your data, including encryption in transit and at rest through our hosting provider, row-level access controls that scope your data to your account, and access restrictions for our personnel. No method of transmission or storage is completely secure, and we cannot guarantee absolute security. If we become aware of a personal-data breach that affects you, we will notify you and the relevant authorities as required by applicable law.

10. Your Privacy Rights and Choices

Depending on where you live, you have some or all of the rights described below. We will not discriminate against you for exercising them. To make a request, email hello@my-rhythm.app or use the in-app controls. We will verify your request by reference to your account, and we may ask for additional information to confirm your identity.

10.1 California (CCPA/CPRA)

In the preceding 12 months, we have collected the following categories of personal information (as defined in Cal. Civ. Code § 1798.140) and disclosed them to the categories of recipients described in Section 6 for the business purposes described in Section 4:

Identifiers. Name, email, account and device identifiers, and IP address.

Customer-records information (Cal. Civ. Code § 1798.80). Name and contact details, and the deal financial information you enter.

Commercial information. Subscription status, and brand-deal records, amounts, and payment activity.

Internet or network activity. App usage, diagnostics, and crash, performance, and session-replay data.

Geolocation data (coarse only). Approximate location derived from your IP address (not precise).

Audio or visual information. Documents, screenshots, and images you upload, and your profile-picture URL.

Professional or employment-related information. Your creator role, niche, and brand-deal or business activity.

Sensitive personal information (limited). Account log-in credentials, and the contents of documents or communications you choose to upload.

Inferences (limited). Valuation estimates derived from your own deal inputs.

We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We do not have actual knowledge that we sell or share the personal information of consumers under 16.

We use and disclose sensitive personal information only for the purposes permitted by Cal. Civ. Code § 1798.121 (such as providing the Service and securing it), and not to infer characteristics about you. Because our use is so limited, the "right to limit" has limited practical effect, but you may still exercise it.

Your California rights: to know/access the categories and specific pieces of personal information we hold; to delete your personal information; to correct inaccurate personal information; to opt out of sale/sharing (not applicable, as we do none); and to limit the use of sensitive personal information. You may use an authorized agent to submit a request on your behalf with proof of authorization.

10.2 Other U.S. states

If you are a resident of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, or another state with a comprehensive privacy law, you may have rights to access, correct, delete, and obtain a portable copy of your personal data, and to opt out of targeted advertising, sale, and certain profiling. We do not conduct targeted advertising, sell personal data, or engage in profiling that produces legal or similarly significant effects. You may appeal a denied request by replying to our decision; if we deny your appeal, you may contact your state attorney general.

10.3 EEA, UK, and Switzerland (GDPR / UK GDPR)

As the controller of your personal data, we honor your rights to: access your data; rectify inaccurate data; erase your data; restrict processing; data portability; object to processing based on our legitimate interests; and withdraw consent at any time where we rely on it. You also have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects — see Section 11.

We rely on the legal bases in Section 4 and transfer data internationally under the safeguards in Section 7. If you believe we have processed your data unlawfully, you have the right to lodge a complaint with your supervisory authority (in the UK, the Information Commissioner's Office; in the EEA, your local data-protection authority). We would appreciate the chance to address your concern first via hello@my-rhythm.app.

11. Automated Decision-Making and AI Transparency

AI Contract Extraction and the Valuation Estimator are decision-support tools. They present information and a non-binding estimate for you to evaluate; they do not make decisions about you that produce legal or similarly significant effects, and you remain in control of every negotiation, signing, and payment decision. We do not engage in solely-automated decision-making within the meaning of Article 22 GDPR. When you interact with our AI features, we make clear that the output is generated by artificial intelligence, consistent with applicable AI-transparency requirements (including Article 50 of the EU AI Act). The AI features' limitations are described in Section 3 and in Section 5 of the Terms of Service.

12. Children's Privacy

The Service is intended only for individuals who are 18 years of age or older, and our signup requires you to confirm that you are. The Service is not directed to children. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected personal information from a person under 18, we will delete it promptly. If you believe a minor has provided us information, contact us at hello@my-rhythm.app.

13. Third-Party Services and Links

The Service may link to or display content from third parties. For example, the app may display brand logos and related assets provided through a third-party brand-logo service; these logos are the trademarks of their respective owners, are used solely for identification, and Rhythm claims no ownership of them. We are not responsible for the privacy practices of third-party sites or services, including the social-media platforms you connect, the app stores, and our payment providers. We encourage you to review their policies before providing them personal information.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make a material change, we will notify you by email (to the address associated with your account) and/or by in-app or on-page notice at least fourteen (14) days before it takes effect, except where a shorter period is needed to comply with law. The "Last Updated" date above reflects the most recent version. Your continued use of the Service after a change takes effect means you accept the updated policy, except where applicable law requires your affirmative consent, which we will obtain.

15. Contact Us

If you have any questions about this Privacy Policy or your personal data, or to exercise your rights, contact us at:

Rhythm Holdings, LLC
Easton, PA
General Support: hello@my-rhythm.app
Legal Notices: legal@my-rhythm.app

© 2026 Rhythm Holdings LLC. All rights reserved.

Company

Support

© 2026 Rhythm Holdings LLC. All rights reserved.

Company

Support

© 2026 Rhythm Holdings LLC. All rights reserved.

Company

Support