Privacy Policy
Gave It A Spin
Effective Date: February 20, 2026 · Last Updated: February 26, 2026
This Privacy Policy describes how Gave It A Spin (“we,” “us,” or “our”) collects, uses, and shares information about you when you use our website at gaveitaspin.com and our application at app.gaveitaspin.com (collectively, the “Service”). Please read it carefully. If you have questions, contact privacy@gaveitaspin.com.
The Service is currently available to users in the United States. We plan to expand to other regions in the future and will update this policy accordingly. If you access the Service from outside the United States, please be aware that your data will be transferred to and processed in the United States.
The Service is not intended for anyone under the age of 13. See Section 11 for details.
1. Who We Are
Gave It A Spin is operated by Geoffrey Lessel in the United States. For privacy-related questions, rights requests, or concerns, contact us at:
Email: privacy@gaveitaspin.com
Subject line: “Privacy Request — [Type of Request]”
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address — required for account creation and transactional emails (confirmation, password reset)
- Username — chosen by you; may be visible to other users depending on your privacy settings
- Password — stored only as a one-way hash (using bcrypt); we never store or have access to your plaintext password
- Profile visibility preference — whether your profile is public or private (default: private)
If you do not provide an email address and username, you cannot create an account or use the Service.
2.2 Authentication and Security Tokens
To keep your account secure, we generate and store:
- Session cookie (_spin_key) — a signed, HttpOnly, SameSite: Lax cookie that maintains your login; expires when you close your browser
- CSRF token — a security token embedded in forms to prevent cross-site request forgery; not a persistent cookie and not linked to your identity
- API keys — if you create one, stored as a one-way hash (the plaintext is shown once and never stored)
- Email confirmation tokens — temporary; expire after 24 hours or upon use
- Password reset tokens — temporary; expire after 1 hour or upon use
2.3 Discogs Integration (Optional)
If you choose to connect your Discogs account, we collect:
- Discogs user ID and username
- OAuth access token and secret — stored encrypted at rest; used to retrieve your collection on your behalf
- Music collection data — release titles, years, formats, labels, artists, cover art URLs, track listings, your personal notes
- Raw Discogs API response data — cached JSON responses retained on a 30-day rolling basis, used for debugging and ensuring data accuracy during sync; this data may contain more information than what we display to you
- Sync metadata — last sync timestamp, sync status
Your collection is synced when you request it and also nightly at approximately 3:00 AM UTC to keep it current. You can disconnect this integration at any time from your account settings.
2.4 Last.fm Integration (Optional)
If you choose to enable Last.fm scrobbling, we collect:
- Last.fm username
- Last.fm session key — stored and used to authenticate scrobble submissions on your behalf
When you log a listening session (“spin”) with scrobbling enabled, we transmit only track metadata (artist, album, track title, and timestamp) to Last.fm. Your ratings and personal notes are never shared with Last.fm — they remain stored only within Gave It A Spin.
Last.fm processes the scrobble data under its own privacy policy. You can disconnect Last.fm at any time from your account settings. When you do, we delete your stored session key and stop transmitting data. Note: scrobble data previously transmitted to Last.fm cannot be deleted by us — contact Last.fm directly to manage your scrobble history on their service. Additionally, if you revoke access through Last.fm’s website, our app may not detect this automatically until you also disconnect within our settings.
2.5 Listening Activity (“Spins”)
When you log a listening session, we store:
- Date and time of the session
- Your rating (1–10 scale, optional)
- Free-text notes (optional)
- Scrobble status (whether the session was submitted to Last.fm)
- Record timestamps (created and updated)
You can edit or delete individual spins within the app at any time.
2.6 Social Data
When you use social features:
- Follow relationships — who you follow and who follows you
- Follow request status — pending or accepted
- Shared content — depending on your profile visibility settings, your spins (ratings, notes, dates) may be visible to approved followers or all users
2.7 Internal Event Log
We maintain an internal log of significant actions within the application for security, debugging, and fraud prevention. This log includes timestamps, action types, and record identifiers. Logs are retained for 90 days and then deleted. This log data is included if you make a data access request (see Section 8).
2.8 Technical and Usage Data
We automatically collect limited technical information:
- IP address — received with each request for standard server operation; may appear in transient server logs retained for up to 7 days for security purposes
- Browser type and user agent — used for compatibility
- Error reports — error data and stack traces sent to our monitoring provider (AppSignal) for diagnosing issues; this data may incidentally include user identifiers or session information
- Aggregated analytics — page views, referral source, and session duration collected by Plausible Analytics (see Section 5)
2.9 Email Records
When we send you a transactional email (such as email confirmation or password reset), our email provider Resend handles delivery and retains delivery status records per their own retention policies.
2.10 Marketing Email List
When you create an account, your email address and username are added to our marketing email list hosted by Resend. We use this list to send you occasional emails about product updates, new features, and tips for using the Service. You can unsubscribe from marketing emails at any time using the unsubscribe link included in every email. Unsubscribing from marketing emails does not affect transactional emails (such as email confirmation and password reset).
3. How We Collect Information
- Directly from you — when you register, update your profile, log spins, add notes, or contact us
- From services you authorize — Discogs (via OAuth) and Last.fm (via session key), only when you choose to connect them
- Automatically — session cookies, CSRF tokens, server logs, error monitoring
- From analytics — Plausible Analytics collects aggregated, non-identifying usage data (no cookies, no IP tracking)
4. How We Use Your Information
We use the information we collect to:
- Provide the Service — authenticate you, store your spins and collection data, deliver core features
- Sync your collection — retrieve and display your Discogs collection
- Scrobble to Last.fm — transmit track data when auto-scrobble is enabled
- Enable social features — follow other users, share listening activity based on your privacy settings
- Send transactional emails — email confirmations and password resets
- Send marketing emails — occasional product updates, new features, and tips; you can unsubscribe at any time
- Maintain security — detect and address security incidents, fraud, and misuse
- Monitor reliability — track errors and performance to keep the Service running
- Improve the Service — analyze aggregated, non-identifying usage data
- Comply with the law — fulfill legal obligations
We do not:
- Sell your personal information to anyone
- Share your personal information for cross-context behavioral advertising
- Use your data for targeted advertising of any kind
- Use your data to train AI or machine learning models
- Build behavioral profiles about you
- Share your data with third parties except as described in Section 5
5. How We Share Your Information
5.1 With Other Users
The Service includes social features. Depending on your settings:
- Public profile: Your username and spins (ratings, notes, dates) are visible to any user
- Private profile (default): Your spins are visible only to users you have approved as followers
- Username: Always visible to users who follow you or have requested to follow you
- Follow relationships: Visible within the app
You can change your profile visibility at any time in your settings.
5.2 With Service Providers
We use the following service providers who process data on our behalf:
| Provider | Purpose | Data Involved | Location |
|---|---|---|---|
| Resend | Transactional and marketing email delivery | Email address, username, email content | United States |
| AppSignal | Error tracking and performance monitoring | Error data; may incidentally include user identifiers | Netherlands (EU) |
| Plausible Analytics | Privacy-preserving web analytics | No personal data; aggregated statistics only | European Union |
| Discogs | Music collection data retrieval | OAuth tokens (for authentication) | United States |
| Last.fm | Scrobble submission | Track metadata, timestamps | United Kingdom / United States |
Note: While AppSignal is EU-based, your data is initially processed on our US-based servers before being transmitted to AppSignal. All data processing originates from US infrastructure.
These providers are permitted to use your data only for the purposes described above.
5.3 Legal Requirements
We may disclose your information when required by law, court order, or valid governmental request. We may also disclose information when necessary to protect the rights, property, or safety of our users or the public.
5.4 Business Transfers
If Gave It A Spin is acquired, merged, or sells substantially all of its assets, personal data may be transferred as part of that transaction. We will notify you by email and/or a prominent notice on the Service before any such transfer.
5.5 Third-Party Links
The Service may contain links to third-party websites (such as Discogs, Last.fm, and others). We are not responsible for the privacy practices of those websites. We encourage you to read their privacy policies.
6. Cookies and Tracking
6.1 Cookies We Set
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
| _spin_key | Maintains your login session | First-party, signed, HttpOnly, SameSite: Lax | Browser session |
The CSRF token is embedded in HTML forms, not set as a persistent cookie.
Both are strictly necessary for the Service to function. They do not track you across websites.
6.2 What We Don’t Use
- No third-party cookies
- No advertising or retargeting cookies
- No cross-site behavioral tracking
- No browser fingerprinting
6.3 Analytics (Plausible)
We use Plausible Analytics, a privacy-focused analytics tool that:
- Does not use cookies
- Does not collect or store personal data (including IP addresses)
- Does not track individuals across websites or devices
- Is compliant with GDPR, ePrivacy Directive, and CCPA without requiring a consent banner
6.4 Why No Cookie Banner
Because we use only essential first-party cookies and cookieless analytics, we do not display a cookie consent banner. If our practices change, we will update this policy and add a consent mechanism as required.
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data (email, username, password hash) | Duration of your account, plus up to 30 days after deletion |
| Spin data | Duration of your account; individual spins can be deleted at any time |
| Follow relationships and social data | Duration of your account; dissolved upon account deletion |
| Discogs OAuth tokens | Until you disconnect the integration or delete your account |
| Discogs collection data | Until you disconnect the integration or delete your account |
| Raw Discogs API JSON cache | 30-day rolling window |
| Last.fm session key | Until you disconnect the integration or delete your account |
| Email confirmation tokens | 24 hours or until used |
| Password reset tokens | 1 hour or until used |
| Session cookies | Browser session |
| Internal event log | 90 days |
| Server logs (including IP addresses) | Up to 7 days |
| AppSignal error data | Per AppSignal’s retention policy |
| Plausible analytics data | Per Plausible’s retention policy (aggregated; no personal data) |
| Transactional email records (Resend) | Per Resend’s retention policy |
| Marketing email list (Resend) | Until you unsubscribe or delete your account |
When your account is deleted, we delete or anonymize your personal data within 30 days, except where retention is required by law. Follow relationships involving your account are dissolved, and your spins are no longer visible to other users.
8. Your Rights and Choices
8.1 All Users
- View your data — your spins, settings, and connected integrations are accessible within the app
- Correct your data — update your username, email, profile settings, and spin records in the app
- Delete individual spins — remove specific listening records in the app
- Disconnect integrations — remove your Discogs or Last.fm connection at any time
- Change profile visibility — toggle between public and private at any time
- Unsubscribe from marketing emails — opt out using the link in any marketing email; this does not affect transactional emails
8.2 Account Deletion
Self-service account deletion is not currently available in the app. To request deletion of your account and all associated personal data, email privacy@gaveitaspin.com with the subject line “Data Deletion Request.” We will complete the deletion within 30 days and confirm by email.
Upon deletion:
- Your account data, spins, and collection data are deleted
- Follow relationships are dissolved
- Your username is released
- Some data may be retained where required by law (for example, fraud prevention records)
8.3 Data Export
Self-service data export is not currently available. To request an export of your data, email privacy@gaveitaspin.com with the subject line “Data Export Request.” We will provide your data in JSON format within 30 days. The export includes your account information, spins (with ratings and notes), collection data, and event log entries.
8.4 California Residents (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:
- Right to Know — what personal information we collect, use, and disclose
- Right to Delete — request deletion of your personal information
- Right to Correct — request correction of inaccurate personal information
- Right to Opt Out of Sale or Sharing — opt out of the sale of personal information or sharing for cross-context behavioral advertising
- Right to Limit Use of Sensitive Personal Information — we do not collect sensitive personal information as defined by the CPRA (such as precise geolocation, financial account numbers, health data, or similar categories)
- Right to Non-Discrimination — we will not discriminate against you for exercising any of these rights
We do not sell or share personal information for cross-context behavioral advertising. We have not done so in the preceding 12 months and do not intend to.
Global Privacy Control (GPC): We honor GPC signals. Because we do not sell or share personal information, any GPC signal you send is automatically satisfied.
Categories of personal information we collect (as defined under CCPA):
- Identifiers: email address, username, Discogs username, Last.fm username
- Internet or other electronic network activity: aggregated usage data via Plausible, session data
We do not draw inferences from personal information to create profiles about you.
To exercise your CCPA/CPRA rights, email privacy@gaveitaspin.com or use in-app controls where available. California residents may designate an authorized agent to submit requests on their behalf.
California “Shine the Light” (Civil Code § 1798.83): We do not disclose personal information to third parties for their direct marketing purposes.
8.5 Nevada Residents
We do not sell covered information as defined under Nevada Revised Statutes Chapter 603A.
8.6 Response Timeline
We aim to acknowledge privacy requests within 5 business days and resolve them within 30 days. For complex requests, we may extend this to 45 days and will notify you. We may need to verify your identity before fulfilling a request. We do not charge a fee for rights requests unless they are manifestly unfounded or excessive.
9. Data Security
We take reasonable technical and organizational measures to protect your personal data:
- Encryption in transit — all connections use TLS/HTTPS; unencrypted HTTP is not permitted
- Password hashing — passwords are stored as bcrypt hashes; we never store plaintext passwords
- Encrypted credentials — Discogs OAuth tokens are encrypted at rest
- Hashed API keys — stored as one-way hashes
- Secure cookies — signed, HttpOnly, SameSite: Lax
- CSRF protection — enforced on all state-changing requests
- Restricted access — production systems are accessible only to authorized personnel
- Error monitoring — AppSignal monitors for errors and anomalies
No method of electronic transmission or storage is 100% secure. While we use commercially reasonable safeguards, we cannot guarantee absolute security.
Breach notification: If we become aware of a breach that affects your personal data, we will notify affected users by email without unreasonable delay and take steps to mitigate any harm.
10. International Users
The Service is currently operated in and intended for users in the United States. All data is processed on US-based infrastructure.
If you access the Service from outside the United States, your data will be transferred to and processed in the United States, which may not provide the same level of data protection as your home country. By using the Service from outside the US, you acknowledge this transfer.
We plan to formally support users in the European Union, European Economic Area, and United Kingdom in the future. When we do, we will update this policy to include applicable GDPR and UK GDPR provisions, establish appropriate data transfer mechanisms (such as Standard Contractual Clauses), and designate representatives as required by law.
11. Children’s Privacy
The Service is intended for users 13 years of age and older. We do not knowingly collect personal information from children under 13.
During account registration, users must confirm that they are at least 13 years old. If we learn that we have collected personal information from a child under 13, we will delete that information within 30 days. If you believe we have collected information from a child under 13, please contact us immediately at privacy@gaveitaspin.com.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we do:
- We will update the “Last Updated” date at the top of this page
- For material changes that affect how your data is collected, used, or shared, we will notify you by email and/or by a prominent notice in the Service before the changes take effect
- For non-material changes (such as clarifications or corrections), we will update the date and the policy
13. Contact Us
For privacy questions, rights requests, or concerns:
Email: privacy@gaveitaspin.com
Subject line: “Privacy Request — [Type of Request]”
We aim to acknowledge your message within 5 business days and resolve requests within 30 days.
This Privacy Policy was last reviewed on February 26, 2026.