Legal & Privacy

1. Medical Disclaimer

Sound therapy is supportive, not curative. Many people experience reduced distress from tinnitus over weeks of daily use, but outcomes vary and a meaningful share of users see no measurable change. Tinnitus is frequently a symptom of an underlying medical issue (hearing loss, jaw or neck problems, medication side effects, vascular issues, and, rarely, more serious conditions). Always consult an audiologist or ENT doctor before starting any sound-therapy routine — especially if your tinnitus is recent.

See a healthcare professional before using this app if:

• Your tinnitus started within the past month.
• It is one-sided (only in one ear).
• It is accompanied by hearing loss, dizziness or vertigo, ear pain, ear discharge, fullness, or a pulsing/whooshing rhythm matching your heartbeat.
• You have a history of acoustic trauma, head injury, or sudden hearing loss.
• You have hyperacusis or any sound-sensitivity condition — start with the breathing / CBT-style Calm modules, not the masking protocols, and only proceed if comfortable.
• You are pregnant or considering pregnancy and want to confirm there are no concerns specific to your situation (sound therapy at low volume is generally low-risk, but your care provider knows your history).

Stop using the app and seek medical attention if:

• You experience sudden hearing loss, ear pain, dizziness, or vertigo.
• Your tinnitus or hearing changes significantly during or after use.
• You develop ear discharge or signs of infection.

Volume safety

Sound therapy works at low, comfortable volume — at or just below the loudness of your own tinnitus, not above it. Never use this app at uncomfortable or unsafe listening levels. Prolonged exposure to high-volume audio can damage hearing. Start with master volume low and increase only to a setting that feels gentle. If headphones cause fatigue, take a break.

Children and adolescents

The app is designed for adults. Anyone under 16 should only use it with parental or guardian oversight, and only after consulting an audiologist about any persistent tinnitus.

2. Terms of Service

These Terms govern your use of Tinnitus Wizard at tinnituswizard.com and the in-browser app served from that site (collectively, the “Service”), provided by the operator of tinnituswizard.com (“we”, “us”, “operator”). By using the Service, you agree to these Terms. If you don’t agree, please don’t use it.

1. Eligibility

You must be at least 16 to use the Service on your own. Users aged 13–15 may use it only with the active involvement and consent of a parent or legal guardian, and only after their tinnitus has been evaluated by an audiologist or doctor. We do not knowingly allow users under 13. See Children & Minors for the full position. You confirm that you have the legal capacity to enter into a binding agreement.

2. The Service

Tinnitus Wizard is a self-help wellness tool offering research-inspired audio protocols (notched noise, ACRN, bimodal stimulation, sleep masking with four selectable soundscapes, calm/breathing modules), tracking, and educational content. The free tier runs entirely in your browser. Optional sign-in enables cross-device sync, and an optional Pro subscription unlocks additional features. It is not medical advice. See the Medical Disclaimer for safety and contraindication information.

3. Free use, accounts, and Pro subscriptions

Free tier. Foundation (notched-noise) sessions, the Calm module, breathing guide, the full Sleep Protocol with all four soundscapes (Classic, Rainforest, Ocean, Night Garden), the Morning protocol, SOS spike relief, the diary, calibration, and progress tracking are usable without any account, sign-in, payment, or email collection. Two ACRN trial sessions are also available free at week 3+ so you can hear ACRN before deciding whether to subscribe. Your data stays on your device unless you choose otherwise — see the Privacy Policy.

Optional account (encouraged). You can sign in with Google or with an email-and-password through Firebase Authentication. We strongly suggest signing in if you intend to use the app regularly — it means your calibration, settings, diary, and Pro entitlement survive clearing your browser, switching devices, or browser updates. Signing in is required only if you want (a) cross-device sync, (b) Pro features tied to your purchase, or (c) the ability to email-restore a previous Pro entitlement. You are responsible for your account credentials and for activity under your account.

Pro subscription. Pro features unlock additional protocols and audio options. Specifically: unlimited ACRN sessions (the Tass coordinated-reset scheduler), the Bimodal protocol (paced tone + jaw-clench), the structured 8-week protocol past week 2, audiogram-based EQ / Hearing Preset profiles, the Fractal Tones and Brown Noise toggles for daytime sessions, and the Quiet Counter residual-inhibition analytics. Free users get two trial ACRN sessions at week 3+ so they can hear what it’s like before subscribing. The full plan list and pricing are shown in the upgrade flow before payment.

4. Free trial and recurring billing

The Monthly and Annual plans include a 7-day free trial. To start the trial you must enter a valid payment method — this is collected by Stripe at checkout, not by us. By starting a trial:

• You authorise us, via Stripe (our payment processor), to charge your saved payment method automatically at the end of the trial unless you cancel beforehand.
• The subscription renews automatically (monthly or annually) at the published price until you cancel.
• You can cancel at any time from the in-app subscription portal (which opens a Stripe-hosted billing page). Cancellation takes effect at the end of the current period — you keep access until then.
• You will receive automated transactional emails from us when: your trial starts, three days before your trial ends, your card is charged, your card fails to charge, and when you cancel. These are operational, not marketing.
• Stripe collects and stores your payment method. We never see your full card number. If a card on file later becomes invalid (expiry, etc), Stripe will retry per its policy and we’ll email you to update it.

The Lifetime plan is a one-time purchase with no recurring billing and no trial period.

5. Cancellation and refunds

You can cancel a subscription at any time from the in-app subscription portal (Stripe-hosted). Cancellation stops future renewals and your Pro access continues to the end of the current paid period; it does not by itself entitle you to a refund of charges already taken.

Refunds are issued where required by applicable consumer-protection law (for example, statutory withdrawal or guarantee rights in your jurisdiction). One-time Lifetime purchases are otherwise non-refundable once access has been delivered, except where such a non-excludable right applies. If you believe you have a refund right, email info@tinnituswizard.com with your purchase details and we’ll review it.

6. Acceptable use

You agree not to:

• Reverse-engineer, decompile, or attempt to extract the source of the proprietary audio engines (ACRN scheduler, Bimodal cue logic, calibration analyser, fractal tone generator, cinematic-ACRN layer, sleep-soundscape synthesiser).
• Scrape, mirror, or systematically copy the Service or its content.
• Resell, sublicense, or share access to your account or Pro entitlement, or attempt to circumvent the entitlement check.
• Forge, replay, or tamper with entitlement tokens or webhook signatures.
• Use the Service in any way that violates applicable law.
• Misrepresent the Service to third parties (e.g. presenting it as a medical device or as clinician-prescribed).

7. Intellectual property

We own the code, design, copy, and audio-generation logic of the Service. You own the data you put into it (calibration results, diary entries, settings). When you save data to our cloud sync by signing in, you grant us a limited, non-exclusive licence to store and process it solely to operate the sync feature on your behalf. We do not use your personal data for analytics, advertising, or to train any AI model.

The name “Tinnitus Wizard” and the wordmark are trademarks of the operator.

8. Disclaimer of warranties

The Service is provided “as is” and “as available.” To the maximum extent permitted by law, we disclaim all warranties, express or implied, including warranties of merchantability, fitness for a particular purpose, non-infringement, and uninterrupted operation.

We do not guarantee any particular outcome from sound therapy. Tinnitus responds differently to different protocols and not everyone improves.

9. Limitation of liability

To the maximum extent permitted by law, the operator is not liable for any indirect, incidental, consequential, or punitive damages arising from your use of the Service, including loss of data, hearing changes, psychological distress, or service interruption. Total aggregate liability for any direct claim is limited to the amount you paid us in the twelve months preceding the claim, or USD 100, whichever is greater.

Nothing in these Terms excludes or limits liability for death or personal injury caused by negligence, fraud, or any other liability that cannot be excluded by applicable law. If you are a consumer in a jurisdiction that grants you statutory rights that cannot be excluded by contract (such consumer-protection regimes exist in many jurisdictions, including the EU, UK, and Australia), those rights continue to apply regardless of these Terms.

10. Indemnification

You agree to indemnify and hold harmless the operator against any third-party claims arising from your breach of these Terms or your misuse of the Service.

11. Governing law and disputes

These Terms are governed by the laws of the jurisdiction in which the operator is established, without regard to its conflict-of-laws principles. Any dispute will be resolved in the competent courts of that jurisdiction, except where applicable consumer-protection law gives you a non-excludable right to bring proceedings in your local jurisdiction. We will try in good faith to resolve any complaint informally first — please email us before escalating.

12. Changes to these Terms

We may update these Terms occasionally. Material changes (pricing, scope of licence, dispute resolution) will be notified in-app and, where applicable, by email. Continued use after a change means you accept the new Terms.

13. Termination

You can stop using the Service at any time. We may suspend or terminate access if you materially breach these Terms. On termination of a Pro subscription, your access reverts to the free tier — your data remains in localStorage on your device, and if you had an account, you can request its deletion.

3. Privacy Policy

What we collect, and when

Always — no account, no purchase:

• Local storage on your device. All calibration results, settings, mode preferences, soundscape choice, mixer levels, diary entries, session history, breathing presets, hearing-preset choice, and Pro entitlement cache are saved to your browser’s localStorage under a single key (tcNZ_v10) and never leave your device unless you explicitly sign in or upgrade. We have no access to this data. You can inspect or clear it via your browser’s developer tools.
• Standard request logs. Like any website, requests for the Service pass through our hosting provider (Cloudflare) which captures standard request metadata (IP address, browser user-agent, referrer URL, requested path) at the edge for delivery, security, and basic operational logging. These edge logs are typically retained for around 24 hours per Cloudflare’s defaults and are not joined with any account data.

Only if you sign in (optional but encouraged):

• Your email address and a Firebase user ID (an opaque identifier issued by Google) via Firebase Authentication. Sign-in methods offered: Google (OAuth) and email/password.
• If you sign in with Google, Firebase receives basic account details (email, display name, profile photo URL) from Google — we store only the email and the photo URL (the latter is shown in the app’s avatar).
• The following data, synced to Cloud Firestore (Google Cloud, US region by default), in a document scoped to your user ID and readable only by you:
  • Your settings (audio preferences, calibration frequency, master and per-channel volumes, accessibility flags, layperson/scientist toggle, sleep soundscape choice, cinematic-ACRN toggle, jitter toggle, breathing-guide preference, balance setting, Bluetooth-latency offset, etc).
  • Your diary entries (up to 150 most recent), each containing a timestamp, your tinnitus loudness rating, your sleep / mood / stress sliders, an optional free-text note, and (only if you opted in) the local barometric pressure at that time.
  • Your in-session impact log (which sessions you ran, when, and how long).
  • A pointer to your Pro entitlement if you have one (so we can restore it across devices without you re-entering anything).

You can delete your account and all associated cloud data from the in-app Account menu, which removes the Firestore document and signs you out. The deletion is immediate and unrecoverable. Your localStorage data remains on whichever device(s) you used — you can clear it via your browser if you wish.

Only if you upgrade to Pro (optional):

• Stripe collects and stores your name, billing address, card details, and IP address per its own privacy policy. We never see your full card number. Stripe is PCI-DSS Level 1 certified and GDPR-compliant. A payment method must be on file before the free trial begins — this is so the subscription can renew cleanly without an unexpected invoice. You can cancel before the trial ends and you will not be charged.
• Our Cloudflare Worker stores a small entitlement record in Cloudflare KV: your email (lowercased), your Stripe customer ID, your subscription tier (monthly / annual / lifetime) and status (trialing / active / past_due / canceled), the current period-end date, and whether you have cancelled at period end. This is the source of truth for your Pro access. The worker also issues you a signed entitlement token (HMAC-SHA-256, no personal data inside) that your browser stores in localStorage to verify Pro on every page load without a round-trip.
• Resend sends transactional emails about your subscription: trial start, trial-ending warning (3 days out), payment receipts, payment-failed alerts, and cancellation confirmation. These are operational emails, not marketing. There is no opt-out for transactional email while a subscription is active because the messages relate to charges on your card — but we never send marketing email.

Only if you opt in to specific features:

• Weather / barometric pressure tracking. If you opt in (some people find their tinnitus correlates with weather), your approximate latitude and longitude via browser geolocation are sent to Open-Meteo (a free, EU-based weather API) to fetch local pressure and humidity. We don’t store your location; the result is folded into your diary entry locally on your device.
• Restore Purchases. If you cleared your browser data or moved to a new device, you can re-enable Pro by entering your purchase email. This sends just that email to our worker for an entitlement lookup.
• Audio backgrounding. To keep audio playing while the screen is locked, the app holds a screen-wake lock and pings the OS-level media session. No data is exchanged with the OS beyond standard playback state.

What we do not collect, ever:

• Behavioural analytics or session-by-session tracking tied to an individual. There is no Google Analytics, Meta Pixel, Mixpanel, Amplitude, or equivalent.
• Advertising identifiers or device fingerprints.
• Microphone, camera, or biometric data.
• Background location beyond the optional weather lookup.
• Contact lists, calendar, photos, or any device data we have no business need for.
• Health, medical, or sensitive-category data outside what you voluntarily enter in your diary.
• The contents of other tabs, your browsing history, or anything outside the Tinnitus Wizard pages.
• Your audio — the audio engines run client-side and your headphones output never reaches us.

What we do not use your data for, ever:

• Selling, renting, or licensing your data to anyone.
• Behavioural advertising, retargeting, or audience-building.
• Training or fine-tuning machine-learning or AI models (ours or anyone else’s).
• Sharing with insurers, employers, or healthcare providers without your explicit instruction.

Why we collect (purposes)

• To operate the Service (free tier uses only local storage and edge request logs).
• To provide cross-device sync if you sign in.
• To process payments and grant Pro access if you upgrade.
• To send you transactional emails about your subscription if you have one.
• To prevent fraud and abuse (standard edge logs help block attack traffic).

Legal bases (GDPR / UK GDPR)

If you are in the EU or UK, our legal bases for processing are:

• Consent — for cloud sync, Pro upgrade, weather pressure tracking, and any optional feature (you explicitly opt in).
• Performance of a contract — for delivering Pro features once you’ve subscribed.
• Legitimate interest — for standard hosting and security logs, balanced against your privacy expectations.

Sub-processors and where data is held

International data transfers

Some of these providers process data outside your country of residence. Where required, we rely on Standard Contractual Clauses or equivalent safeguards for transfers out of the EU, UK, or Switzerland.

Retention

• Local storage: indefinite, but only on your device. Clear your browser data to remove it.
• Firestore sync: until you delete your account.
• Entitlement records: while your subscription is active, plus an additional ~400-day TTL after expiry (for restore-purchases and tax records).
• Stripe customer records: per Stripe’s retention policy (typically several years for tax/legal reasons).
• Cloudflare edge logs: per Cloudflare’s defaults (typically ~24 hours).
• Email logs (Resend): per Resend’s defaults (typically 30 days).

Your rights

Under GDPR, UK GDPR, CCPA, and similar laws, you have the right to:

• Access — a copy of any data we hold about you.
• Rectify — correct inaccurate data.
• Erase — delete your account and associated cloud data (in-app, or email us).
• Restrict or object — pause processing in certain cases.
• Portability — export your data (in-app diary export, or we can supply a JSON copy of your Firestore document on request).
• Withdraw consent — for any consent-based processing.
• Complain — to the data-protection or privacy supervisory authority in your jurisdiction.

To exercise any of these, email info@tinnituswizard.com. We respond within the time limits required by applicable data-protection law in your jurisdiction.

For California residents (CCPA): you have the right to know which categories of personal information we collect, to delete it, and to opt out of “sales” — we don’t sell personal data.

Cookies and similar technology

We use localStorage (not cookies) for app state. Firebase Auth uses limited cookies to maintain your session if you sign in. We do not run analytics, advertising, or tracking cookies.

Security

See Security & Responsible Disclosure for the technical detail. In short: HTTPS everywhere, signed entitlement tokens, verified webhook payloads, per-document Firestore rules, no third-party trackers, and a minimum-data-collection principle that limits blast radius.

Children

See Children & Minors below for our complete position on age limits, parental consent, and what to do if a minor signed up without permission.

Changes to this policy

We may update this Policy. Material changes will be flagged in-app and, if you have an account, by email.

4. Beta & Tester Terms

From time to time we invite specific individuals to test the Service, evaluate new features before public launch, or participate in pre-release access via a complimentary grant. If you are using the Service in any such capacity, these additional terms apply on top of the Terms of Service above.

1. How beta access is granted

Beta access is invite-only. There is no public signup, no waiting list, and no self-service way to enable it. We add your email address to a server-side grant list with:

• An access duration (typically 90 days, configurable per grant).
• A tier (usually equivalent to Pro Monthly or Pro Annual).
• An internal note recording why the grant was issued (e.g. “closed beta — cohort 3”).

To activate your access you go to the app, tap Restore Purchases, and enter the email we sent the invite to. The app fetches your entitlement from our worker and unlocks Pro for the duration of the grant. No payment method is required. Beta access never touches Stripe, never triggers a trial, and is not converted to a paid subscription automatically. When the grant expires, the app reverts to the free tier — nothing else changes; your settings and diary remain intact.

2. Pre-release status

You acknowledge the Service (or the portions you are testing) is in active development. It may contain bugs, incomplete features, inaccurate copy, or unexpected behaviour. Features may be added, changed, or removed without notice during the testing period.

3. Confidentiality of unreleased features

Features, designs, copy, pricing, and audio engines that are not yet public are confidential. You agree not to publish screenshots, recordings, screen-shares, descriptions, or technical details of pre-release features outside the testing channel without our written consent. This applies until those features go live publicly.

You may discuss your personal experience of tinnitus with friends, clinicians, or support groups in general terms — this clause is only about pre-release product details.

4. Feedback grant

Feedback, suggestions, ideas, bug reports, and similar information you share with us during testing (collectively, “Feedback”) may be used by us freely — including being incorporated into the Service — without obligation to compensate, attribute, or assign rights to you. You confirm that any Feedback you provide is your own to share and does not infringe third-party rights.

This grant does not cover personal data you enter into the app (calibration, diary). Your personal data remains yours and is handled per the Privacy Policy.

5. No compensation; complimentary access

Unless we have agreed otherwise in writing, you are not entitled to payment for testing. Your complimentary Pro access is revocable at our discretion (for example, if the testing engagement ends, if the grant expires, or if you breach these Beta terms).

6. Medical disclaimer applies fully

The Medical Disclaimer applies during testing exactly as it applies to public users. Beta features have not been clinically validated and may behave unexpectedly — particularly the audio engines, which are the most rapidly evolving part of the product. Use low volume and stop immediately if anything causes discomfort. Report any safety-relevant behaviour to us promptly via the testing channel.

7. Liability during testing

The disclaimers and liability limits in the Terms of Service above apply during the testing period. Testing is at your own risk; we cannot promise the Service will behave as expected during this phase.

8. Termination of testing

We may end your testing access at any time, and you may withdraw at any time by emailing us. On termination, complimentary access ends. Any Feedback you have already given remains usable per Section 4.

9. Account deletion after testing

If you signed in during testing, you can delete your account from the in-app Account menu. This removes your Firestore document and signs you out. Your email may remain in our server-side grant list (for record-keeping) but will not be associated with any active subscription, payment record, or personal data beyond the address itself. You can ask us to delete that record too by emailing info@tinnituswizard.com.

5. Children & Minors

Tinnitus Wizard is designed for adults. We take age limits seriously because tinnitus in children is rare, often has a medical cause that needs investigation, and self-administered sound therapy at the wrong volume could harm developing hearing. Our position:

Parental consent and involvement

If you are a parent or guardian permitting a minor aged 13–15 to use the Service, you remain responsible for: (a) supervising their use, particularly volume, (b) ensuring they have had a clinical evaluation if tinnitus is persistent, (c) the account credentials and any subscription billing, and (d) deciding what diary content is appropriate for them to write. By allowing the minor to use the Service you accept the Terms of Service and the Medical Disclaimer on their behalf.

If a minor signed up without permission

If you believe a child under 13 has used the Service, signed in, or otherwise had personal data collected by us — or if you are a parent who didn’t consent to a 13–15 year old’s account — email info@tinnituswizard.com with “Child account” in the subject line and include the email address used. We will delete the account, any cloud document, and any entitlement record, and confirm the deletion to you promptly.

Volume safety for younger users

Children and adolescents have more vulnerable hearing than adults. If you are permitting a minor to use the Service, please limit headphone volume to the lowest setting that masks the tinnitus, take regular breaks, and stop entirely if you notice ear pain, hearing change, or distress.

6. Accessibility

We aim to meet WCAG 2.1 Level AA across the Service. This is a continuous effort — we know we’re not perfect — and we welcome feedback when something falls short.

What we have done

• The app supports both a plain-English and a scientific reading mode (toggle in the header), so you can use whichever vocabulary suits you.
• Sleep Protocol switches the entire interface to a warm, low-blue-light deep-red palette to minimise melatonin disruption and reduce strain when reading at night.
• Sound therapy can be paired with an on-screen breathing guide for users who prefer visual pacing to audio cues alone.
• An audiogram-based EQ (Pro) lets users with hearing loss boost the audio in their reduced-sensitivity bands, so the therapy reaches them at a comfortable level.
• The SOS module offers immediate calming sounds and a guided breath without requiring navigation, for moments of acute distress.
• Text size and contrast are tuned for readability on small phones and high-DPI displays.
• The app is keyboard-navigable; transport controls have ARIA labels.

What we’d like to do better

Screen-reader testing across all modes is ongoing. If you use a screen reader and encounter unlabelled controls or unreadable content, please email us — we’ll fix it as a priority.

Accommodations

If you need a specific accommodation to use the Service, email info@tinnituswizard.com with “Accessibility” in the subject line and describe what you need. We’ll do our best.

7. Security & Responsible Disclosure

How we protect your data

• HTTPS everywhere (TLS 1.2+). HSTS enabled.
• Payment data is handled exclusively by Stripe (PCI-DSS Level 1). We do not store, log, or transmit card data ourselves.
• Subscriber entitlement tokens are signed with HMAC-SHA-256 (server secret never leaves the worker). Tokens contain no PII beyond the customer ID.
• Webhook payloads from Stripe are verified with HMAC-SHA-256 against the webhook signing secret, with a five-minute timestamp tolerance to mitigate replay.
• Firebase Authentication and Firestore are protected by Google’s standard security plus per-document access rules — your Firestore data is scoped to your user ID and other users cannot read it.
• We don’t use third-party analytics or trackers, so there’s no leakage of your activity to ad networks.
• The minimum data-collection principle — we don’t collect anything we don’t use, which limits blast radius if anything ever goes wrong.

Responsible disclosure

If you find a security vulnerability, please email info@tinnituswizard.com with “Security” in the subject line. Include reproduction steps and an estimate of impact. We will work on a fix and credit you (with your permission) once a patch is live. Please do not publicly disclose unpatched issues, do not access or modify data that isn’t yours, and don’t run automated scans that affect availability.

Breach notification

No online service is perfectly secure. If we become aware of a breach affecting your personal data, we will notify you and the relevant supervisory authority where and as required by applicable data-protection law.

8. Contact

Tinnitus Wizard
Email: info@tinnituswizard.com

For privacy questions, data-subject requests, or any concern about how we handle your information, email the address above with “Privacy” in the subject line. We will respond within the time limits required by applicable law.