Privacy Policy

1. About Us

Unheard.FM is developed and operated by Woolly Bear Software LLC. We are committed to protecting your privacy and ensuring a secure user experience. Our contact information is listed in Section 10.

2. Information We Collect

When you use Unheard.FM, we may collect the following information:

  • Your Spotify profile information (Username, Profile Image, Display Name) and email address (only if you log in via Spotify).
  • Listening preferences and settings you provide while using the app (e.g., genre selections, desired decades).
  • Usage metrics and error data, which are stored anonymously using internal user IDs.
  • Your IP address when you visit the website or while using the app (used for basic request logging). IP addresses are retained in transient server access logs for a maximum of 30 days, then automatically purged, and are not linked to your Spotify ID for routine analysis.

No personal data is collected unless you are logged in with Spotify.

Note: Some older internal logs created before August 2025 may still include Spotify user IDs. These logs were previously retained indefinitely, but we are currently migrating them to anonymized formats. Once migrated, all personally identifiable information will be removed.

3. Cookies and Tracking Technologies

We use a single HTTP-only session cookie if you log in with Spotify. This cookie contains:

  • Your user ID
  • Your session token

This cookie is used strictly for session management and is not accessible to JavaScript or third parties.

4. Data Processing and Storage

We are committed to a "local-first" data model to protect your privacy. This means:

  • Listening History: Your listening history and most of the data used for playlist generation are stored and processed locally within your browser. This data is not sent to or stored on our servers.
  • Backend Services: Our backend only facilitates your login, securely refreshes your Spotify access token, and manages your account settings. It does not access your Spotify listening history or your library.
  • Third-Party APIs: Our servers interact with the Spotify and Discogs APIs on a per-request basis to provide specific data (e.g., track information or album data) for your playlist generation. Your personal account information is not shared with these third-party services.

5. How We Use Your Information

We use your data for the following purposes:

  • Generate personalized playlists based on your preferences.
  • Improve our service by analyzing aggregated and anonymous usage data.
  • Ensure the security and functionality of our platform, including monitoring for security threats, detecting and preventing abuse, and troubleshooting technical issues (e.g., using transient IP address logs and error logs).
  • Send you service and transactional email updates (e.g., account confirmation, necessary information about platform changes, and notifications to re-engage with the core service you signed up for). These communications are essential to your user experience.
  • Send you promotional and marketing communications, including information about new features, special offers, and general Unheard.FM news. We will only send these communications if you have given us explicit, separate consent (e.g., via an opt-in checkbox during sign-up or in your account settings). You may opt out of promotional emails at any time via the unsubscribe link provided in every email or through your account settings.

Any logging that includes your Spotify ID is retained for no more than 30 days and is used only for debugging or operational purposes.

6. Data Security

We implement technical and organizational security measures to protect your data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include:

  • Using encryption (SSL/TLS) to secure data transmission between your browser and our servers.
  • Access controls and authentication protocols to limit data access to authorized personnel only.
  • Pseudonymization of user data for long-term usage metrics and analytics.

7. Data Sharing and Storage

We do not sell or share your personal data with third parties. All data is securely stored and is used only to provide and improve your experience with Unheard.FM.

Usage metrics and error logs are anonymized using internal IDs and cannot be linked back to your Spotify account once your account is deleted.

8. Your Rights (GDPR and Others)

If you are located in the European Union or European Economic Area, or otherwise protected by similar regulations, you have the following rights concerning your personal data:

  • Right to Access: Obtain confirmation about whether your personal data is being processed and receive a copy of that data.
  • Right to Correction: Request correction of inaccurate personal data.
  • Right to Deletion: Request the deletion of your personal data ("Right to be Forgotten"). You can delete your Unheard.FM account and all associated data at any time via the account management page.
  • Right to Object: Object to the processing of your personal data for direct marketing purposes (as detailed in Section 5).
  • Right to Restrict Processing: Request that we temporarily or permanently stop processing some or all of your personal data.
  • Right to Data Portability: Request a copy of your personal data in a machine-readable format.

You can exercise any of these rights by contacting us at contact@unheard.fm. We will respond within 30 days.

9. Changes to This Policy

This policy was last updated on November 5, 2025. We may update this policy from time to time. Any significant changes will be communicated via our website or via email.

10. Contact Us

If you have any questions about this privacy policy, please contact us at contact@unheard.fm.

Our valid physical postal address, as required by the CAN-SPAM Act, is:

Woolly Bear Software LLC
412 E 3rd St, Unit 3
South Boston, MA, 02127, USA

11. Legal Basis for Processing (GDPR)

We process your data under the following legal bases for specific purposes:

  • Performance of a contract (Necessary to provide the service): Processing required to manage your account, generate playlists, and deliver service updates.
  • Legitimate interest (Our business interest): Processing to improve our service, monitor platform health, prevent fraud, and send non-promotional re-engagement communications (as detailed in Section 5). This includes the transient processing of your IP address for network security and abuse detection.
  • Consent (Explicit, affirmative agreement): Processing for promotional and marketing email communications.

12. Data Transfers and Location

Our primary servers and databases are located in the United States (US-East AWS region). All personal data that we store is processed and retained within this region. The website itself, including static assets like images, CSS, and JavaScript, is distributed globally via a Content Delivery Network (CDN) to ensure fast load times for all users. This CDN does not store any of your personal data.

If you are located outside the U.S., your data may be transferred internationally to our servers. We apply appropriate safeguards to protect your data, including relying on the EU-U.S. Data Privacy Framework and standard contractual clauses where applicable.

13. Data Retention

We retain personal data only as long as necessary to provide our services.

  • Transient IP addresses are retained for a maximum of 30 days.
  • Usage data that includes Spotify IDs is retained for no more than 30 days and is being actively migrated to anonymous storage.
  • Anonymous usage metrics may be retained indefinitely for analysis.
  • Personal data is deleted upon user request or account deletion.

14. Children's Privacy

Our service is not directed to individuals under the age of 13. We do not knowingly collect personal information from children under 13. If you become aware that your child has provided us with personal information without your consent, please contact us at contact@unheard.fm. If we become aware that a child under 13 has provided us with personal information, we will take steps to delete such information.