Privacy Policy
StormMic ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, and your rights regarding your data when you use StormMic at stormmic.com.
01 What We Collect
We collect only the information necessary to provide and improve the StormMic service. Here is a breakdown of what we collect and why:
| Data Type | Details | How Collected |
|---|---|---|
| Email address | Used for account creation, login, and service communications | Account signup |
| Payment information | Billing details processed by Stripe. We never store your card numbers — only a Stripe customer ID and last-4 digits for display | Stripe checkout |
| ZIP code | Used to localize weather data for your market area | Account setup |
| Station name | Used to personalize generated scripts for your broadcast | Account setup |
| Usage data | Number of generations used, current plan tier, generation timestamps | Automatic |
We do not collect your physical address, phone number, Social Security number, or any sensitive personal information beyond what is listed above.
02 How We Use It
We use the information we collect strictly to operate and improve StormMic. Specifically, your data is used to:
- Provide the service. Your email, ZIP code, and station name power the core StormMic experience — generating localized weather scripts and audio tailored to your broadcast.
- Process payments. Your payment information (via Stripe) is used to bill your subscription, issue receipts, and manage upgrades, downgrades, and cancellations.
- Send account-related emails. We send transactional emails including account confirmations, subscription receipts, billing notifications, and important service announcements. We do not send marketing emails without your explicit consent.
- Enforce fair use. Usage data (generations used, plan tier) allows us to apply the correct generation limits for your subscription and detect trial abuse.
- Improve the product. Aggregated, anonymized usage data helps us understand which features are most valuable and where the service can be improved. This data is never tied to individual users in improvement analysis.
- Comply with legal obligations. We may process data as required to comply with applicable laws, regulations, or legal proceedings.
We do not sell your personal data. We do not use your data for advertising targeting. We do not share your data with third parties beyond the service providers listed in Section 3.
03 Third-Party Services
StormMic integrates with a small number of trusted third-party services to deliver its functionality. Each service has access only to the data necessary for its specific function:
- Supabase (Auth & Database). Handles user authentication and stores your account data, including email, station name, ZIP code, and usage records.
- Stripe (Payments). Processes all subscription billing. Stripe receives your payment details directly. StormMic only stores a Stripe customer ID.
- ElevenLabs (Voice Synthesis). Generates the synthesized voice audio for your weather broadcasts. ElevenLabs receives the script text for synthesis.
- Tomorrow.io (Weather Data). Provides real-time and forecast weather data used to generate your scripts. Tomorrow.io receives your ZIP code to retrieve local forecasts.
- NWS / NOAA (Weather Data). The National Weather Service provides free, public weather data including forecasts, alerts, and observations. Your ZIP code (converted to coordinates) is used to query NWS endpoints. NWS does not require authentication and does not receive your personal information.
- Vercel (Hosting & CDN). Hosts the StormMic web application and serves static assets. Vercel may log IP addresses, request metadata, and geographic location data as part of standard web hosting. See Vercel's privacy policy for details.
We select service providers who maintain industry-standard security practices. We do not permit our service providers to use your data for their own purposes beyond what is necessary to provide services to us. Each provider operates under their own privacy policy.
If we ever add a new service provider that materially changes how your data is handled, we will update this policy and notify you via email.
04 Data Storage
Your account data is stored in Supabase, which is hosted on Amazon Web Services (AWS). AWS is SOC 2 and ISO 27001 certified and maintains industry-leading physical and network security standards.
Key data storage practices:
- Data is stored in the United States on AWS infrastructure
- Data is encrypted in transit using TLS and at rest using AES-256 encryption
- Access to your data is restricted to authenticated users (you) and StormMic system processes
- We retain your account data for as long as your account is active, or as required by law
- Upon account deletion, your data is scheduled for permanent deletion within 30 days (see Section 7 for full retention details)
05 Cookies & Local Storage
StormMic uses a minimal, privacy-respecting approach to browser storage:
- localStorage (settings). We use your browser's localStorage to save user interface preferences and settings, such as your selected broadcast format or voice preferences, so they persist between sessions.
- localStorage (generation counters). During your free trial and active subscription, we use localStorage to track local generation counts for a smooth UI experience. This data is also synced to your account server-side.
- Authentication session cookies. Supabase sets a secure, HTTP-only session cookie to keep you logged in. This cookie does not track you across other websites.
You can clear your browser's cookies and localStorage at any time through your browser settings. Clearing session cookies will log you out of StormMic.
06 Your Rights
You have meaningful control over your data in StormMic:
- Access your data. You can view your account information, subscription status, and usage history at any time from your StormMic dashboard.
- Update your information. You can update your station name, ZIP code, and other account details from the My Account tab.
- Delete your account. You can permanently delete your account at any time from the My Account tab. Once initiated, your personal data will be permanently deleted from our systems within 30 days. Note that some anonymized, aggregated usage data may be retained for product analytics.
- Export your data. If you need a copy of your account data, contact us at support@stormmic.com and we will provide it in a machine-readable format within a reasonable timeframe.
- Opt out of emails. You can unsubscribe from non-essential emails using the unsubscribe link in any email we send. Note that transactional emails (receipts, billing alerts) cannot be opted out of while your account is active.
If you are located in the European Economic Area (EEA) or California, you may have additional rights under the GDPR or CCPA, including the right to object to processing and the right to data portability. To exercise any of these rights, contact us at support@stormmic.com.
Indiana Consumer Data Protection Act (CDPA). The Indiana CDPA took effect on January 1, 2026 and grants Indiana residents specific data privacy rights. Although StormMic is likely below the CDPA's applicability thresholds (the law generally applies to businesses that control or process personal data of 100,000 or more consumers, or 25,000 consumers if deriving over 50% of revenue from data sales), we voluntarily honor the following rights for all users:
- Right to access. You may request confirmation of whether we are processing your personal data and obtain a copy of that data.
- Right to correct. You may request correction of inaccurate personal data we hold about you.
- Right to delete. You may request deletion of personal data you have provided to us or that we have collected about you.
- Right to data portability. You may request a copy of your personal data in a portable, readily usable format.
- Right to opt out of sale. You have the right to opt out of the sale of your personal data. StormMic does not sell personal data, so there is nothing to opt out of.
To exercise any of these rights, email support@stormmic.com. We will respond to verified requests within 45 days. If we need additional time, we may extend the response period by up to 45 additional days with notice to you explaining the reason for the extension.
Appeals. If we deny your data rights request in whole or in part, you may appeal the decision by emailing support@stormmic.com with the subject line "Privacy Rights Appeal" within 30 days of receiving our decision. We will respond to your appeal within 60 days. If the appeal is denied, we will provide you with information on how to contact the Indiana Attorney General to submit a complaint.
07 Data Retention
We retain your data only as long as necessary to provide the service and comply with our legal obligations. Here is how long we keep different types of data:
- Active account data. Your email address, station name, ZIP code, and usage records are retained for as long as your subscription is active.
- After cancellation. Account data is retained for 90 days after subscription cancellation to allow for account reactivation. After 90 days, your account data is permanently purged from our systems unless we are legally required to retain it.
- Billing records. Stripe billing records (transaction history, invoices, and payment metadata) are retained for 7 years in accordance with financial record-keeping regulations. StormMic does not store raw credit card numbers — only Stripe customer IDs.
- Session tokens. Authentication session tokens expire after 7 days of inactivity. Expired tokens are automatically deleted.
- Generated audio files (WAVs). Generated WAV audio files are not stored server-side. Audio is generated on-demand and downloaded or streamed directly to your device. Once the transfer is complete, StormMic does not retain a copy of the audio file on its servers.
- Station settings. Station-level preferences (such as voice selection, broadcast format, and intro/outro text) are stored in localStorage on your device, not on our servers. The exception is your ZIP code, which is stored server-side because it is needed to fetch weather data for script generation.
08 Security
We implement industry-standard security measures to protect your data. While no system is perfectly secure, we take the following steps to safeguard your information:
- Encryption in transit. All data transmitted between your browser and StormMic is encrypted using HTTPS/TLS.
- Row-level security. Supabase row-level security (RLS) policies ensure that authenticated users can only access their own data. No user can query or view another user's account information, usage records, or settings.
- API key management. All third-party API keys (ElevenLabs, Tomorrow.io, Stripe, Supabase) are stored as server-side environment variables and are never exposed in client-side code.
- Payment security. Stripe handles all payment card data. StormMic never sees, processes, or stores raw credit or debit card numbers. Stripe is PCI-DSS Level 1 certified.
- Server-side API proxying. Calls to the ElevenLabs voice synthesis API are proxied through StormMic's server-side functions, preventing direct client-side access to third-party API credentials.
Important note: StormMic has not undergone an independent third-party security audit or penetration test. Users with sensitive security requirements or compliance obligations should evaluate this limitation accordingly. We are committed to improving our security posture over time.
09 Signature Auto — Automation Data
If you subscribe to the Signature Auto plan, you provide FTP or SFTP credentials so that StormMic can deliver generated audio files directly to your broadcast automation system. The following data practices apply to those credentials:
- Encryption at rest. FTP/SFTP credentials (hostname, username, password, and delivery path) are encrypted at rest using AES-256 encryption.
- Purpose limitation. Your FTP/SFTP credentials are used solely to deliver WAV audio files to your designated server. They are not used for any other purpose.
- Staff access. StormMic staff do not access your FTP/SFTP server except for troubleshooting delivery issues, and only with your explicit consent.
- Credential deletion. If you cancel your Signature Auto subscription, your FTP/SFTP credentials are permanently deleted from our systems within 30 days of cancellation.
10 Do Not Sell / Do Not Share
StormMic does not sell your personal data to any third party for any reason.
StormMic does not share your personal data with third parties for the purpose of cross-context behavioral advertising or targeted advertising.
This section is provided to satisfy the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) requirements for a "Do Not Sell or Share My Personal Information" disclosure. Because StormMic does not engage in the sale or sharing of personal data as defined by these laws, there is nothing for you to opt out of.
If you have questions about this policy or believe your data has been handled inconsistently with this commitment, contact us at support@stormmic.com.
11 Children's Privacy
StormMic is a professional broadcast tool intended solely for adults and business users. The service is not directed at or intended for children under the age of 13.
We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we will take steps to delete that information promptly. If you believe a child under 13 has created an account with StormMic, please contact us at support@stormmic.com so we can address it immediately.
12 Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or how your data is handled, please reach out:
We aim to respond to all privacy-related inquiries within 5 business days. For data rights requests (access, correction, deletion, portability), please allow up to 45 days for a substantive response, with a possible 45-day extension if needed. For account deletion requests submitted via email (rather than through the dashboard), please allow up to 30 days for full data removal to complete.
This Privacy Policy may be updated periodically. When we make material changes, we will notify you by email and update the "Last updated" date at the top of this page. Continued use of StormMic after changes take effect constitutes your acceptance of the revised policy.