🥁 Drumolo

Security & privacy

Drumolo is a small, self-made project — and I built it so that respecting your privacy isn't a policy I ask you to trust, it's how the system is wired.

🔒 TLS everywhere 🛡️ argon2id password hashing 💳 PCI-compliant payments 🚫 No ad trackers 🗄️ Nightly encrypted backups

My promise to you

I will never sell your data — not to advertisers, data brokers, or anyone. There is no ad network and no third-party tracking on this site.
I can't even read your password. It's stored only as a one-way argon2id hash — a scramble that can't be reversed. Nobody recovers it, including me; if you forget it you reset it.
I collect the bare minimum to run your account, and nothing I don't need.
Your data is yours. Ask and I'll export or permanently delete your account and everything tied to it.

What I actually store

Your email	To sign you in, verify your address, and send account emails (verify / password reset). Never sold or shared.
Your password	Only as an irreversible argon2id hash — never the password itself, never in plain text, never in logs.
Membership	Whether you're Free or on Drumolo Pro, so the app knows what to unlock. The payment itself is handled by my processor, not stored here.
Feedback you send	Only if you use the feedback button — your message plus basic context (page, browser) so I can act on it.

That's it. No card numbers, no location tracking, no advertising profile, no selling lists.

How it's secured

🔒 Encrypted connection

Every page and request is served over HTTPS/TLS (the padlock in your browser). Traffic rides through Cloudflare, which also shields the server and absorbs attacks.

🛡️ Password protection

Passwords are hashed with argon2id, the modern memory-hard standard. Sessions use signed, httpOnly, Secure cookies a browser script can't read.

💳 Payments stay off our servers

Checkout is handled by Lemon Squeezy, our Merchant of Record and a PCI-DSS-compliant processor. Your card details go straight to them and never touch Drumolo's server.

✉️ Safe account recovery

Verification and password-reset links are single-use and expire quickly. Sign-in attempts are rate-limited, and reset never reveals whether an email is registered.

🗄️ Backed up, not lost

The account database is backed up nightly to two separate disks, so a hardware failure can't wipe your account — and backups hold the same hashed-only passwords.

📊 Privacy-first analytics

If analytics are ever enabled, it's a cookieless, privacy-first counter (no cross-site tracking, no selling). I only want to know which features get used — never who you are.

A note on trust badges

You'll see sites plastered with “100% secure” seals. I'd rather show you the real thing than a sticker: the verifiable facts above — a valid TLS certificate (check the padlock), argon2id hashing, and a PCI-compliant payment processor — are the genuine security guarantees. I won't display a third-party “audit” badge Drumolo hasn't actually earned.

Your rights & contact

Want a copy of your data, or want it gone for good? Email me and it's done — deleting your account removes your record and everything attached to it. Questions about any of this are welcome too.

About me

👋 Coming soon — a short note about who builds Drumolo and why.