Privacy Policy

Last updated: February 2026

Spoticromos ("we", "us", "our") is a music collection and game platform that integrates with the Spotify API. This Privacy Policy explains how we collect, use, store, and protect your information when you use our service.

1. Information We Collect

1.1 Information from Spotify

When you log in with your Spotify account, we collect the following information through the Spotify API:

  • Spotify User ID — your unique Spotify identifier
  • Display Name — your public Spotify display name
  • Email Address — the email associated with your Spotify account
  • Avatar URL — your Spotify profile picture URL
  • Playlist Data — metadata about your playlists (names, track listings) when you choose to import them

1.2 Information Generated Through Use

  • Collection Data — your imported playlists, collected items, and rarity tiers
  • Game Results — scores and statistics from trivia and pairs games you play
  • Trivia Templates — custom trivia games you create

2. How We Use Your Information

We use the collected information to:

  • Authenticate you and maintain your session
  • Display your profile information within the app
  • Import and display your Spotify playlists as collections
  • Enrich track metadata (artist details, album information, lyrics)
  • Power game mechanics (item collection, rarity assignment, scoring)
  • Display your game history and collection progress

3. Data Storage

3.1 Server-Side Storage

Your data is stored in a MySQL database on our server. This includes your Spotify profile information, authentication tokens, imported collections, track/artist/album metadata, game results, and lyrics data. Spotify OAuth tokens (access and refresh tokens) are stored server-side only and are never sent to your browser.

3.2 Browser Storage

We use your browser's local storage for the following purposes:

  • Theme Preference — your light/dark mode selection
  • API Response Caches — temporary caches of Spotify and lyrics API responses (automatically expire after 5 minutes)
  • Cookie Consent — whether you have accepted the cookie notice

4. Cookies

We use essential cookies for authentication and, with your consent, analytics cookies to understand site usage. For a detailed breakdown, please see our Cookie Policy.

  • Session Cookie — an HTTP-only cookie that identifies your session (expires after 30 days)
  • OAuth Cookie — a temporary HTTP-only cookie used during the Spotify login process (expires after 10 minutes)
  • Analytics Cookies — Google Analytics cookies (_ga, _ga_*) set only with your explicit consent. These help us understand how visitors use the site.

5. Third-Party Services

Spoticromos integrates with the following:

  • Spotify Web API — to authenticate users, fetch playlists, and retrieve music metadata (tracks, albums, artists). Your use of Spotify data is also subject to Spotify's Privacy Policy.
  • LrcLib — to fetch song lyrics. Only track names, artist names, album names, and durations are sent to this service. No personal user data is shared.
  • Google Analytics 4 — with your consent, we use Google Analytics to collect anonymized usage data (pages visited, session duration, browser/device type, approximate location). This data is processed by Google under their Privacy Policy. No personal data (name, email, Spotify ID) is sent to Google Analytics. You can opt out at any time via the cookie consent banner or by using the Google Analytics Opt-out Add-on.

6. Data Retention

Your data is retained for as long as your account exists. Sessions expire after 30 days of inactivity. Spotify tokens are refreshed automatically while your session is active and are invalidated when you log out.

7. Your Rights

You have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data and account
  • Revoke Spotify access at any time through your Spotify Account Settings

8. Data Security

We take reasonable measures to protect your data. OAuth tokens are stored server-side only, session cookies are HTTP-only to prevent client-side access, and all authentication flows use PKCE (Proof Key for Code Exchange) for enhanced security.

9. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated revision date. Continued use of the service after changes constitutes acceptance of the revised policy.

10. Contact

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact the application administrator.
