Privacy Policy

• User Account Data (Platform): If you create a Platform account, we collect your name, email address, and profile metadata from authentication providers (e.g., Google, Meta) and manage sessions via Supabase Auth.
• Advertising and Campaign Data: When you connect ad networks (e.g., Meta, Google/YouTube), we process campaign configuration and performance metrics (spend, impressions, clicks, views, conversions) to operate and optimize your campaigns.
• Conversion Tracking: We use conversion pixels from ad platforms (Meta, Google, Reddit) to measure campaign effectiveness. These may collect device identifiers, IP addresses, and page interaction data. We also use server-side Conversion APIs (CAPI) to transmit hashed user data for attribution.
• Platform Connection Identifiers: To enable integrations, we store necessary identifiers and tokens (e.g., Meta Page ID and access tokens; YouTube Channel ID and encrypted refresh tokens; Spotify Artist IDs).
• Spotify OAuth Data (Play): When an end user taps the Play action (e.g., 'Save on Spotify') and authorizes via Spotify, we receive: Spotify user ID; basic profile (display name, country, product tier) and, where available, email and profile image; and OAuth tokens. Tokens are stored server-side only and encrypted.
• Play Activity and Engagement Data: For authorized Play users, we may access limited Spotify engagement data to power attribution and analytics, including recently played tracks (/me/player/recently-played), saved tracks (/me/tracks), and followed artists (/me/following). We also record attribution events (e.g., AUTH, SAVE_TRACK, FOLLOW_ARTIST, STREAM) with timestamps and landing path context.
• Play Cookie: We set a first-party, HTTP-only cookie ('play_spotify_uid') that stores only your Spotify user ID to maintain a lightweight link for frictionless future flows. Max age up to one year; same-site Lax. No third-party advertising usage.
• Product Analytics and Telemetry: We use analytics and quality tools (e.g., PostHog, Google Analytics, Ahrefs) to understand usage patterns, plus server-side structured logs to diagnose failures. These tools may collect IP address, device/browser information, pages viewed, and events. On the Platform dashboard, we may record anonymized user sessions (via PostHog session replay) to diagnose issues and improve usability.
• Server Logs and Security Signals: We may log IP address, user agent, referrer, and host headers for security, abuse prevention, and debugging. Logs are retained for a limited time and only accessible to authorized personnel.
• Billing Data: If you subscribe to paid services, Stripe processes your payment details. We receive limited billing information (e.g., transaction history) but do not store full card numbers.
• Shop Checkout Data: If you purchase a shop package, we process checkout details such as email address, package tier, locale, currency, YouTube URL, selected target countries (if provided), attribution parameters (such as gclid/fbclid where available), payment status metadata, and lifecycle email delivery status.
• Customer Support Data: We use email to provide support, which may include conversation history, user identifiers, and related metadata to assist you.
• Affiliate Program Data: If you participate in our affiliate program, we process referral and commission information to administer the program, including first-party cookie-based attribution and payout records.

We use information for the following purposes:

• Service Delivery: Provide, operate, and improve the Platform and Play, including landing pages, deep links, and campaign tooling.
• Play Actions with Consent: After Spotify authorization on Play, perform the requested actions (e.g., save a specified track to your library, follow a specified artist) and attempt to initiate playback on your active device.
• Attribution and Analytics (Play): Measure actions (AUTH, SAVE_TRACK, FOLLOW_ARTIST, STREAM), and where authorized, process recently played, saved tracks, and followed artists to attribute outcomes, compute per-event valuations, and detect fraud/abuse.
• Campaign Management (Platform): Manage ad campaigns on connected ad networks and provide performance reporting.
• Shop Order Fulfillment and Lifecycle Emails: Process one-time shop purchases, deliver campaign status updates (order confirmed, campaign live, campaign completed), and link campaigns to a dashboard profile if you later create an account with the same email.
• AI-Powered Content Generation: Generate ad copy and content images using AI services (Google Gemini, Imagen). Campaign metadata (artist name, content title, genres) may be processed by these services. No user emails or financial data is shared with AI providers.
• Personalization and UX: Improve relevance and usability across our services.
• Security and Integrity: Detect, prevent, and investigate fraud, abuse, and violations of policies or law.
• Customer Support: Diagnose issues, respond to requests, and provide help.
• Compliance: Satisfy legal, regulatory, or audit obligations.
• Legal Bases: Depending on your region, processing relies on consent (e.g., Play actions via Spotify OAuth), performance of a contract (service delivery), and our legitimate interests (analytics, security, product improvement).

We do not sell personal data. We share information with trusted service providers that help us deliver services, such as hosting, authentication, analytics, logging, communications, support, affiliates, and payments (e.g., Vercel, Supabase, PostHog, Resend, Stripe).

We use Google AI services (Gemini, Imagen) to generate ad copy and content images. Campaign metadata (artist name, content title, genres) may be shared with these services. No user emails or financial data is shared with AI providers.

In the event of non-payment, we may share necessary billing information with debt collection agencies. Where you connect third-party platforms (e.g., Spotify, Meta, Google/YouTube), we exchange data with those platforms as necessary to provide features.

We may disclose data to comply with law, respond to lawful requests, protect our rights or users, or in connection with a business transaction. We may provide aggregated or anonymized insights to clients (e.g., campaign performance) without identifying end users.

We employ administrative, technical, and organizational measures to protect information, including encryption at rest and in transit, role-based access controls, and auditing. No system can be 100% secure; we cannot guarantee absolute security.

OAuth tokens (including Spotify tokens for Play) are stored server-side only and encrypted using industry-standard AES-256-GCM. OAuth state parameters are HMAC-signed and time-limited to mitigate tampering. Background sync endpoints require authenticated secrets. Access to production data is restricted to authorized personnel with least-privilege.

We use first-party cookies necessary for core functionality and to improve user experience. On Play, the 'play_spotify_uid' HTTP-only cookie stores only your Spotify user ID to streamline authorized flows; it is not used for third-party advertising.

We set first-party tracking cookies for ad attribution: Google cookies (_gclid, _gbraid, _wbraid) retained for up to 90 days; Meta cookies (_fbc, _fbp) retained for up to 7 days. These help measure campaign performance and attribute conversions.

We also use analytics cookies and similar technologies (e.g., Google Analytics, PostHog) to understand usage and improve our services. You may control cookies via your browser; disabling some cookies may affect functionality.

Your information may be processed in the United States and other countries with different data protection laws. Where required, we implement appropriate safeguards for cross-border transfers.

Depending on your location, you may have rights to access, correct, delete, or restrict processing of personal data, to object to processing, or to portability. You may withdraw consent at any time (e.g., revoke Spotify access via your Spotify account). To exercise rights related to Platform or Play data, contact support@dynamoi.com. We will verify requests and respond as required by law.

We retain personal data as long as necessary to provide services, comply with legal obligations, resolve disputes, and enforce agreements. Spotify tokens and Play user records are removed when you revoke access in Spotify or request deletion; associated Play engagement data is minimized or deleted within a reasonable period (typically within 14 days), and aggregated or anonymized analytics may be retained longer for reporting and security.

For instructions on revoking Spotify access and requesting deletion of your Play data, visit dynamoi.com/data-deletion or navigate to the Data Deletion page from our site footer.

Our services are not directed to children under the age required by applicable law. End users of Play must also meet Spotify's age and eligibility requirements. If you believe a child has provided us personal data, contact support@dynamoi.com and we will take appropriate steps.

We may update this Privacy Policy to reflect changes to our practices or legal requirements. We will notify you of material changes (e.g., by posting to our site or via in-product notices). Continued use after changes take effect indicates acceptance.

For questions about this Policy or to submit a data request (including deletion of Play data), contact support@dynamoi.com.