Privacy Policy

Last updated: December 2024

Overview

MusicInnovation is committed to protecting your privacy. This policy explains what data we collect, how we use it, and your rights regarding your information. We designed our service to minimize data collection while delivering a fun music compatibility experience.

Data We Collect

From Spotify

When you connect your Spotify account, we access:

  • Profile Information: Your Spotify username, display name, and profile image
  • Top Artists & Tracks: Your most-listened artists and songs over different time periods
  • Recently Played: Your recent listening history for fresher compatibility data
  • Genre Preferences: Derived from your top artists' associated genres
  • Playback Control (Party Mode): If you host a party, we access your playback state to control music through our in-app player

Account Data

  • Your Spotify user ID (used as your account identifier)
  • OAuth tokens (encrypted at rest using AES-256-GCM)
  • Account tier and purchase history
  • Compatibility check history and generated reports

Party Mode Data

When you use Party Mode, we collect:

  • Guest Information: Display names chosen by party guests (no Spotify login required for guests)
  • Queue Data: Songs added to the party queue and voting activity
  • Session Data: Party codes and connection status for real-time updates

Party data is temporary and deleted when the party ends, except for exported playlists, which are saved to the host's Spotify account.

Technical Data

  • IP addresses (for rate limiting and security)
  • Request logs (retained for debugging and security purposes)
  • Browser type and device information

How We Use Your Data

  • Compatibility Analysis: Comparing your music taste with other users to generate reports
  • AI Report Generation: Sending anonymized music data to Claude (Anthropic) for generating compatibility reports
  • Account Management: Managing your subscription, purchases, and usage limits
  • Service Improvement: Analyzing usage patterns to improve the product
  • Security: Protecting against abuse, fraud, and unauthorized access

Data Storage & Security

We take security seriously:

  • Encryption: Spotify OAuth tokens are encrypted at rest using AES-256-GCM with PBKDF2 key derivation
  • Secure Sessions: Sessions use signed JWT tokens with HttpOnly, Secure cookies
  • Rate Limiting: Protection against abuse with request rate limits
  • Database Security: Data stored in MongoDB with access controls and encryption in transit

Third-Party Services

We use the following third-party services:

Spotify

Authentication and music data access. See Spotify's Privacy Policy.

Anthropic (Claude AI)

AI-powered compatibility report generation. We send anonymized music data (artists, tracks, genres) to generate reports. See Anthropic's Privacy Policy.

Stripe

Payment processing. We do not store your credit card information. See Stripe's Privacy Policy.

MongoDB Atlas

Database hosting with encryption in transit and at rest. See MongoDB's Privacy Policy.

AWS App Runner

Application hosting infrastructure. See AWS Privacy Notice.

Data Retention

  • Account Data: Retained while your account is active
  • Compatibility Reports: Stored indefinitely so you can view your history
  • OAuth Tokens: Refreshed automatically; deleted when you disconnect your account
  • PKCE Verifiers: Automatically deleted after 10 minutes (used only during login)
  • Request Logs: Retained for up to 30 days for security and debugging

Your Rights

You have the right to:

  • Access: Request a copy of your data
  • Disconnect: Revoke Spotify access at any time via Spotify's app settings
  • Delete: Request deletion of your account and associated data
  • Portability: Export your compatibility report history

To exercise these rights, please contact us through our support channels.

Cookies

We use essential cookies for:

  • Session Management: Keeping you logged in (HttpOnly, Secure, 7-day expiry)
  • CSRF Protection: Preventing cross-site request forgery
  • Party Guest Sessions: Identifying party guests during a session (HttpOnly, Secure, 24-hour expiry)

We do not use tracking cookies, analytics cookies, or third-party advertising cookies.

Children's Privacy

MusicInnovation is not intended for users under 13 years of age. We do not knowingly collect data from children. If you believe a child has provided us with personal information, please contact us.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of significant changes by updating the "Last updated" date. We encourage you to review this policy periodically.

Contact

If you have questions about this Privacy Policy or our data practices, please contact us through our support channels.