Privacy Policy
Last updated: April 2026 · We keep it short because we actually mean it.
Short version: We use your data only to make your music discovery better. We do not sell it. Ever.
1. Data We Collect
Identity Data (Account users only)
When you sign in via Spotify, Google, or Apple, we receive your email address and public profile name from the OAuth provider. We use these to create and identify your account. We do not receive or store your password.
Vibe History
To power recommendations, we store a log of your in-app actions:
| Data point | Why we store it | Retention |
|---|---|---|
| Track interactions (like / skip / more like this) | Trains your personal taste profile and prevents repeat recommendations | Until account deletion |
| Genre and artist preferences | Powers genre pivoting and the BPM-aware feed | Until account deletion |
| Energy level & BPM estimates | Temporal Awareness feature — calibrating your Monday-to-Sunday energy profile | Until account deletion |
| Session timestamps | Detecting time-of-day patterns for better recommendations | 90 days rolling window |
Local Storage (Guest users)
We use localStorage in your browser to store a single counter: the number of free swipes used in your current session. This data lives only on your device and is never transmitted to our servers unless you create an account, at which point it is used to preserve your discovery history.
We do not set third-party cookies. We do not use tracking pixels.
2. How We Use Your Data
Your data is used exclusively to:
- Personalise your real-time discovery feed based on BPM, energy, and genre taste
- Build your Monday-to-Sunday energy profile for the Temporal Awareness feature
- Prevent repetitive recommendations within and across sessions
- Synchronise your Pivots and taste profile across mobile and web devices
- Resurface tracks you loved but may have forgotten ("Rediscovered" mode)
We do not use your data for advertising, profiling for third-party sale, or automated decision-making that produces legal effects.
3. Third-Party Sharing
We do not sell your personal data. We share the minimum necessary with:
- Auth Providers (Spotify / Google / Apple): Only the OAuth tokens required to verify your identity. We do not share your taste profile or listening history with them.
- iTunes Search API (Apple): Music metadata queries are made anonymously. No user data is sent.
- Infrastructure providers: Our database host processes data under strict data processing agreements.
4. Spotify-Specific Permissions
When you connect via Spotify, we request the following OAuth scopes:
- user-read-email — to identify your account
- user-read-private — to confirm your country for region-appropriate content
- user-library-read — to optionally seed discovery from your saved tracks
- playlist-read-private — to optionally pivot from your existing playlists
We do not write to your Spotify library, modify playlists, or initiate playback through Spotify's API.
5. Your Rights & Data Deletion
You may request full deletion of your Vibe History and account data at any time through the in-app settings menu, or by emailing privacy@vibepivot.com.
You have the right to:
- Access — request a copy of all data we hold about you
- Rectification — correct inaccurate data
- Erasure — delete your account and all associated Vibe History
- Portability — receive your taste profile as a JSON export
- Withdraw consent — disconnect an OAuth provider at any time via your account settings
Deletion requests are processed within 30 days. Anonymised, aggregate interaction data (not linked to your identity) may be retained for system improvement.
6. Data Deletion Instructions
To delete your account and all associated data:
- In-app: Settings → Account → Delete Account
- By email: privacy@vibepivot.com with subject line "Data Deletion Request"
For Facebook / Meta platform users: you may submit a data deletion callback via your Facebook settings. Our Data Deletion Instructions URL is: https://vibepivot.com/legal/privacy.html#data-deletion
7. Security
We use industry-standard encryption in transit (TLS) and at rest. OAuth tokens are stored using Auth.js secure session handling. We do not store raw OAuth access tokens in our database beyond what is required for session management.
8. Children's Privacy
VibePivot is not directed at users under 13. We do not knowingly collect data from children. If you believe a child has created an account, contact us at privacy@vibepivot.com and we will delete it immediately.
9. Changes to This Policy
We will update this page when our data practices change and note the revision date at the top. Continued use of VibePivot after changes constitutes acceptance.
10. Contact
Privacy questions: privacy@vibepivot.com
Legal questions: legal@vibepivot.com