Privacy Policy

Effective Date: May 10, 2026

1. Introduction

We operate the Music Memory mobile application (the “Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our Service. By accessing or using the Service, you consent to the data practices described in this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.

2. Information We Collect

2.1 Information You Provide Directly

  • Account Information: Email address, username, and password (for email registration); or authentication tokens provided by Apple Sign-In or Google Sign-In.
  • Profile Information: Username, profile picture (avatar), and card color preference.
  • Journal Entries: Song name, artist name, journal text (up to 500 words), date first heard, and optional location data (place name, latitude, longitude).
  • Media Uploads: Photographs and videos you attach to journal entries (images up to 10MB, videos up to 50MB, maximum 5 files per entry).
  • Comments: Text content you post on community entries (up to 500 characters).
  • Feature Requests: Titles and descriptions of feature suggestions you submit.
  • Onboarding Survey Responses: Answers to optional questions about your music listening habits and journaling interests.
  • Support Communications: Any information you provide when contacting us for support.

2.2 Information Collected Automatically

  • Analytics Data: We use PostHog to collect usage analytics, including screen views, feature interactions, onboarding progress, and error events. You are identified by your Supabase user ID and email address.
  • Device Information: Device model, operating system version, and application version (collected for diagnostics and support purposes).
  • Subscription Status: Information about your subscription tier and entitlements, processed through RevenueCat.

2.3 Information We Do Not Collect

  • Precise GPS Location: We do not access your device's GPS or collect location data automatically. Location information is only stored when you manually search for and select a place using the in-app location picker.
  • Contacts or Address Book: We do not access your device contacts.
  • Microphone or Camera (passively): Camera and photo library access is only used when you actively choose to upload media.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • To provide, maintain, and improve the Service
  • To authenticate your identity and manage your account
  • To process and manage your subscription
  • To display your public entries to other community members
  • To deliver notifications about interactions with your content (likes, comments, replies)
  • To enforce our Terms of Service and Community Guidelines
  • To detect, prevent, and address fraud, abuse, and security issues
  • To analyze usage patterns and improve user experience
  • To respond to your support requests and communications
  • To send push notifications (with your consent) related to streaks and account activity

4. Data Storage and Security

4.1 Storage Infrastructure

  • Supabase (PostgreSQL): All structured data including account information, journal entries, profiles, reactions, comments, and notifications.
  • Cloudflare R2: Media files (images, videos, avatars, and collection covers) stored as encrypted objects.
  • Cloudflare KV: Temporary caching of Apple Music API tokens.
  • On-Device Storage: Authentication tokens are stored securely using expo-secure-store (iOS Keychain / Android Keystore). Local preferences are stored using MMKV.

4.2 Security Measures

We implement industry-standard security measures to protect your data, including: Row Level Security (RLS) policies ensuring users can only access their own data; JWT-based authentication with JWKS verification; secure token storage on-device; HTTPS encryption for all data in transit; and optional two-factor authentication (TOTP). However, no method of electronic transmission or storage is completely secure, and we cannot guarantee absolute security.

5. Third-Party Services

We share information with the following third-party service providers, solely for the purposes of operating the Service:

  • Supabase: Authentication, database hosting, and real-time data synchronization.
  • Cloudflare: Backend infrastructure (Workers), media storage (R2), and content delivery.
  • PostHog: Product analytics and event tracking. Your user ID and email are shared for identification purposes.
  • RevenueCat: Subscription management and payment processing. Your user ID is shared to manage entitlements.
  • Apple (Apple Music API, Apple Sign-In): Song catalog data retrieval and authentication.
  • Google (Google Sign-In): Authentication services.
  • OpenStreetMap/Nominatim: Location search queries. Only your search text is transmitted; no personal identifiers are sent.
  • Expo (Push Notifications): Delivery of push notifications to your device.

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

6. Data Sharing and Visibility

  • Private Entries: By default, all journal entries are private and visible only to you.
  • Public Entries: If you choose to make an entry public (Pro subscription required), your username, avatar, journal text, date first heard, location name, and attached media will be visible to other users who also have an entry for the same song.
  • Profile Information: Your username and avatar are visible to other users when you interact with community features (public entries, comments, reactions).
  • Reactions and Comments: Your reactions (likes/dislikes) and comments on public entries are visible to other users.

7. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. Specifically:

  • Active Accounts: Data is retained indefinitely while your account remains active.
  • Deleted Accounts: Upon requesting account deletion, your data enters a fourteen (14) day grace period. After this period, all data is permanently and irreversibly purged, including: journal entries, media files (from Cloudflare R2), reactions, reports, comments, survey answers, profile data, and authentication credentials.
  • Analytics Data: Anonymized analytics data may be retained for product improvement purposes after account deletion.

8. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: You may request a copy of the personal data we hold about you.
  • Export: You may export all your journal entries in Markdown format at any time via the Settings screen.
  • Correction: You may update your profile information (username, avatar) through the application.
  • Deletion: You may request complete account deletion through the Settings screen, which initiates a 14-day grace period followed by permanent data purge.
  • Withdrawal of Consent: You may revoke push notification permissions through your device settings at any time.
  • Visibility Control: You may toggle any public entry back to private at any time.

To exercise any of these rights, please contact us at support@musicmemory.app.

9. Children's Privacy

The Service is not directed to children under the age of thirteen (13). We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal data from a child under 13 without parental consent, we will take steps to delete that information promptly. If you believe we have inadvertently collected information from a child under 13, please contact us immediately.

10. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. Our service providers (Supabase, Cloudflare, PostHog, RevenueCat) operate globally. By using the Service, you consent to the transfer of your information to these jurisdictions, which may have data protection laws that differ from those in your jurisdiction.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the “Effective Date” at the top of this policy and, where practicable, by providing in-app notification. Your continued use of the Service after any changes constitutes your acceptance of the revised Privacy Policy. We encourage you to review this Privacy Policy periodically.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Email: support@musicmemory.app