Privacy Policy
Last updated: May 2026
The Cut is built by Heftii, Inc. Your privacy matters. This policy explains what data we collect, how we use it, and how we handle data from third-party services.
Data we collect
The Cut does not collect personal data. Your track library, listening decisions, and star ratings are stored locally on your device and synced via your personal iCloud account. Heftii has no access to your iCloud data.
Third-party source connections
The Cut allows you to connect third-party services as track sources. When you connect a service, the app accesses only the data necessary to discover and play audio tracks. Each connection is initiated by you and can be disconnected at any time from the app's settings.
Google Gmail
When you connect a Gmail account, The Cut accesses your Gmail data via Google's OAuth 2.0 authentication. The app requests the gmail.modify scope, which Google classifies as a restricted scope. The Cut's use of this scope is limited to (a) discovering audio tracks from messages in labels you select and (b) executing the per-source actions you configure — adding or removing Gmail labels and archiving emails when you accept or reject a track. Both uses are described in detail below and comply with the Google API Services User Data Policy, including its Limited Use requirements.
What Google user data we access
When you connect Gmail and select one or more labels, The Cut accesses only the following categories of Google user data, and only from messages within the labels you explicitly select:
- Message metadata — sender name, sender email address, subject line, and message date.
- Message body content — read only to extract URLs that point to audio on services such as SoundCloud and Dropbox. The body text itself is not stored or used for any other purpose.
- MIME structure and audio attachments — the message structure is parsed to identify audio file attachments (e.g. MP3, M4A, WAV, AIFF, FLAC), which are then downloaded for playback.
- Gmail labels — the list of labels on your account is read so you can choose which labels to scan and which labels actions should add or remove.
- Account profile — your Gmail address and display name, used to identify the connected account in the app.
The Cut does not access:
- Messages in any label you have not explicitly selected.
- Email body text or conversation content beyond URL extraction.
- Contacts, Calendar, Drive, or any other Google service data.
How we use Google user data
Google user data accessed by The Cut is used solely to provide and improve user-facing features of the app:
- Discovering tracks — message metadata, audio attachments, and links in message bodies from your selected labels are used to populate your track library for review.
- Playing tracks — audio attachments are downloaded to your device so they can be played in the app.
- Displaying track context — sender, subject, and date are shown alongside each track so you know where it came from.
- Executing actions you configure — when you accept or reject a track, The Cut can add Gmail labels, remove Gmail labels, or archive the email. These actions are optional, only run when you have explicitly configured them per source, and only affect messages associated with tracks you act on.
In line with Google's Limited Use requirements, The Cut does not use Google user data for any of the following:
- Serving advertisements.
- Selling, renting, or transferring it to data brokers or any other third party.
- Training generalised machine-learning or AI models.
- Allowing humans to read it, except (a) with your explicit consent for specific support requests, (b) where required by law, or (c) for security investigations such as responding to abuse. Heftii operates no backend that receives Gmail data, so in normal operation no Heftii employee has any technical means to read it.
- Any purpose unrelated to the audio-discovery features described above.
How we protect Google user data
The Cut uses the following mechanisms to protect Google user data, including the data accessed via the restricted gmail.modify scope:
- On-device processing only. All Gmail API requests are made directly from your iOS device to Google's servers. Heftii operates no backend, proxy, or server that receives, stores, or processes your Gmail data.
- Encryption in transit. All requests to Google APIs use HTTPS over TLS 1.2 or higher, as required by Apple's App Transport Security.
- Encryption at rest — OAuth tokens. Access and refresh tokens are stored in the iOS Keychain, which is backed by the device's hardware Secure Enclave. Tokens are synced across your own Apple devices only via iCloud Keychain, which Apple end-to-end encrypts so that neither Apple nor Heftii can read them.
- Encryption at rest — cached audio and metadata. Cached audio attachments and track metadata are stored inside The Cut's iOS app sandbox, which is isolated from other apps and protected by iOS Data Protection (Complete Until First User Authentication) so the files are encrypted at rest.
- Minimal data retention. Only the data needed for the audio-discovery features above is retained on your device. We do not retain anything on Heftii servers because there are no Heftii servers in the data path.
- Deletion on disconnect. When you disconnect Gmail from the source settings, the OAuth tokens, cached audio attachments, and locally stored Gmail metadata for that source are deleted from the device. Removing the app deletes all locally stored Gmail data.
- Server-side revocation. You can revoke The Cut's access to your Google Account at any time from the Google Account permissions page. After revocation, The Cut can no longer make any Gmail API calls on your behalf.
- No sharing with third parties. The Cut does not transfer Google user data to any third party, including for advertising, analytics, or model training.
Google API Services — Limited Use Disclosure
The Cut's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, The Cut:
- Only uses access to Google user data to provide or improve user-facing features that are prominent in the application's user interface.
- Does not transfer Google user data to others except as necessary to provide or improve user-facing features, comply with applicable law, or as part of a merger, acquisition, or sale of assets with the user's explicit prior consent.
- Does not use Google user data for serving advertisements.
- Does not allow humans to read Google user data, unless we have obtained the user's explicit consent for specific messages, this is necessary for security purposes such as investigating abuse, to comply with applicable law, or for internal operations where the data has been aggregated and anonymised.
Other third-party sources
The Cut may also connect to Dropbox, SoundCloud, Beatport, and IMAP email servers as track sources. Each connection accesses only audio-related content from services and folders you explicitly choose. Data from these services is processed and stored locally on your device using the same on-device, Keychain-backed approach described above for Gmail.
Analytics
We may collect anonymised, aggregate crash reports and usage analytics through Apple's standard App Store analytics, which do not identify individual users.
iCloud sync
The Cut uses iCloud for syncing your track library across devices. iCloud is subject to Apple's privacy policy at apple.com/legal/privacy.
Data retention and deletion
- Data accessed from third-party sources (Gmail, SoundCloud, Dropbox, Beatport, IMAP) is retained on your device only for as long as the source remains connected and the associated tracks remain in your library.
- Disconnecting a source from within the app deletes the OAuth tokens, cached audio, and locally stored metadata for that source from the device.
- Removing The Cut from your device deletes all locally stored data, including any cached Gmail content.
- Server-side access can be revoked at any time via your Google Account permissions page (Gmail) or the equivalent settings of other connected services.
- Heftii does not retain copies of any data on its own servers.
Changes to this policy
We may update this privacy policy from time to time. Changes will be posted on this page with an updated revision date.
Contact
Questions? Email us at support@heftii.com.