Privacy Policy
Last updated: April 10, 2026
1. Data We Collect
DJ accounts (via OAuth providers): When you sign in with Google, GitHub, Spotify, or Facebook, we collect the email address, display name, and provider account identifier made available by that provider. We also store your uploaded or imported music catalogue metadata, venue configuration, Stripe customer and Connect account IDs (if used), referral and subscription settings, and account settings.
Catalogue imports: If you connect Spotify for catalogue import, we request access to read your playlists, collaborative playlists, and Liked Songs, store the Spotify refresh token on your DJ record, and store imported track metadata in Firebase Storage. Apple Music/iTunes imports are uploaded XML files that we parse and store as track metadata.
Guest users: We collect your IP address for rate-limiting purposes (stored ephemerally). We assign a rate-limit token cookie (rl_token) and use browser localStorage to track cooldown timers and request IDs for the session. If Cloudflare Turnstile is enabled, we also verify public request and message submissions using challenge tokens and IP addresses.
Error monitoring: We use Sentry to capture error reports for service stability. With your consent, Sentry may also record session replays to help us diagnose issues. Session replay data is masked and media is blocked by default.
2. How We Use Your Data
We use the data we collect to:
- Operate and maintain the song request system
- Authenticate DJ accounts via supported OAuth providers
- Import catalogue metadata from Spotify when you connect it
- Process subscription and boost payments through Stripe
- Rate-limit guest requests to prevent abuse
- Verify public forms with Cloudflare Turnstile when enabled
- Monitor errors and maintain service stability via Sentry
- Display DJ branding (logo, accent colour) on guest-facing pages
- Send service-related, billing, onboarding, and referral emails via Resend when configured
3. Data Sharing
We do not sell your personal data. We share data only with the following service providers necessary to operate the Service:
- Firebase (Google Cloud) — database hosting and file storage
- Stripe — payment processing for subscriptions, the customer portal, and Stripe Connect boost payments
- Sentry — error monitoring and (with consent) session replay
- OAuth providers (Google, GitHub, Spotify, Facebook) — authentication
- Spotify — optional catalogue import from playlists and Liked Songs
- Resend — email delivery for service, billing, onboarding, and referral messages
- Cloudflare Turnstile — bot protection for public request and message forms when enabled
Each provider processes data in accordance with their own privacy policies. We do not share data with advertising networks or data brokers.
4. Cookies & Local Storage
We use the following cookies:
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| authjs.session-token | Essential | NextAuth session authentication | Session |
| rl_token | Essential | Rate-limiting token (httpOnly) | 24 hours |
| cookie_consent | Essential | Stores your cookie preferences | 365 days |
| Sentry replay | Non-essential | Session replay for error diagnosis (consent required) | Per Sentry policy |
We also use browser localStorage on guest pages to store request cooldown timers and submitted request IDs. This data stays on your device and is not transmitted to our servers.
You can manage your cookie preferences at any time via the "Cookie Settings" link in the footer.
5. Data Retention
- DJ account data is retained while your account is active
- Song requests and messages are retained until the DJ deletes their account
- Rate-limit data is ephemeral and automatically expires after 24 hours
- Spotify refresh tokens are retained while Spotify catalogue import remains connected or until account deletion
- Sentry error and replay data is retained per Sentry's data retention policy
When a DJ deletes their account, core app data under their DJ account (profile, venues, requests, messages, catalogue files, logos, and settings) is removed from our database and storage. Active Stripe subscriptions are cancelled where possible; processor-side records may remain subject to provider retention policies.
6. Your Rights
Under applicable data protection laws (including GDPR and CCPA), you have the following rights:
- Access & Portability: Export your account, settings, venue, request, and message data as a JSON file from Settings > Your Data
- Erasure: Delete your account and core app data from Settings > Danger Zone
- Restrict Processing: Manage cookie preferences via the "Cookie Settings" footer link
- Withdraw Consent: You can withdraw cookie consent at any time, which disables non-essential tracking
Guest users can clear their local data by clearing their browser cookies and localStorage for this site.
7. Children
The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal data from a child under 13, we will take steps to delete that information.
8. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via email or in-app notification. The "Last updated" date at the top of this page indicates when the policy was last revised. Continued use of the Service after changes constitutes acceptance of the updated policy.
9. Contact
If you have any questions about this Privacy Policy, please contact us at the support email listed in the application.