Privacy Policy

1. Information We Collect

• User Account Data (Platform):If you create a Platform account, we collect your name, email address, password (hashed), and profile metadata from authentication providers (e.g., Google, Meta) and manage sessions via Supabase Auth.
• Advertising and Campaign Data:When you connect ad networks (e.g., Meta, Google/YouTube, TikTok, Snapchat), we process campaign configuration and performance metrics (spend, impressions, clicks, views, conversions) to operate and optimize your campaigns.
• Platform Connection Identifiers:To enable integrations, we store necessary identifiers and tokens (e.g., Meta Page ID and access tokens; YouTube Channel ID and encrypted refresh tokens; Spotify Artist IDs).
• Spotify OAuth Data (Play):When an end user taps the Play action (e.g., 'Save on Spotify') and authorizes via Spotify, we receive: Spotify user ID; basic profile (display name, country, product tier) and, where available, email and profile image; and OAuth tokens. Tokens are stored server-side only and encrypted.
• Play Activity and Engagement Data:For authorized Play users, we may access limited Spotify engagement data to power attribution and analytics, including recently played tracks (/me/player/recently-played), saved tracks (/me/tracks), and followed artists (/me/following). We also record attribution events (e.g., AUTH, SAVE_TRACK, FOLLOW_ARTIST, STREAM) with timestamps and landing path context.
• Play Cookie:We set a first-party, HTTP-only cookie ('play_spotify_uid') that stores only your Spotify user ID to maintain a lightweight link for frictionless future flows. Max age up to 12 months; same-site Lax. No third-party advertising usage.
• Product Analytics and Telemetry:We use analytics and quality tools (e.g., PostHog) to understand usage patterns, and Sentry for error monitoring and performance tracing. These tools may collect IP address, device/browser information, pages viewed, and events.
• Server Logs and Security Signals:We may log IP address, user agent, referrer, and host headers for security, abuse prevention, and debugging. Logs are retained for a limited time and only accessible to authorized personnel.
• Billing Data:If you subscribe to paid services, Stripe processes your payment details. We receive limited billing information (e.g., transaction history) but do not store full card numbers.
• Customer Support Data:We use Intercom to provide support, which may include conversation history, user identifiers, and related metadata to assist you.
• Affiliate Program Data:If you participate in our affiliate program, Rewardful processes referral and commission information; we receive reports necessary to administer the program.

2. How We Use Your Information

We use information for the following purposes:

• Service Delivery:Provide, operate, and improve the Platform and Play, including landing pages, deep links, and campaign tooling.
• Play Actions with Consent:After Spotify authorization on Play, perform the requested actions (e.g., save a specified track to your library, follow a specified artist) and attempt to initiate playback on your active device.
• Attribution and Analytics (Play):Measure actions (AUTH, SAVE_TRACK, FOLLOW_ARTIST, STREAM), and where authorized, process recently played, saved tracks, and followed artists to attribute outcomes, compute per-event valuations, and detect fraud/abuse.
• Campaign Management (Platform):Manage ad campaigns on connected ad networks and provide performance reporting.
• Personalization and UX:Improve relevance and usability across our services.
• Security and Integrity:Detect, prevent, and investigate fraud, abuse, and violations of policies or law.
• Customer Support:Diagnose issues, respond to requests, and provide help.
• Compliance:Satisfy legal, regulatory, or audit obligations.
• Legal Bases:Depending on your region, processing relies on consent (e.g., Play actions via Spotify OAuth), performance of a contract (service delivery), and our legitimate interests (analytics, security, product improvement).

3. Sharing and Disclosure

We do not sell personal data. We share information with trusted service providers that help us deliver services, such as hosting, authentication, analytics, error monitoring, communications, support, affiliates, and payments (e.g., Vercel, Supabase, PostHog, Sentry, Resend, Intercom, Rewardful, Stripe). Where you connect third-party platforms (e.g., Spotify, Meta, Google/YouTube, TikTok, Snapchat), we exchange data with those platforms as necessary to provide features. We may disclose data to comply with law, respond to lawful requests, protect our rights or users, or in connection with a business transaction. We may provide aggregated or anonymized insights to clients (e.g., campaign performance) without identifying end users.

4. Data Security

We employ administrative, technical, and organizational measures to protect information, including encryption at rest and in transit, role‑based access controls, and auditing. No system can be 100% secure; we cannot guarantee absolute security.

5. Token Storage and Encryption

OAuth tokens (including Spotify tokens for Play) are stored server‑side only and encrypted using industry‑standard AES‑256‑GCM. OAuth state parameters are HMAC‑signed and time‑limited to mitigate tampering. Background sync endpoints require authenticated secrets. Access to production data is restricted to authorized personnel with least‑privilege.

6. Cookies and Tracking

We use first‑party cookies necessary for core functionality and to improve user experience. On Play, the 'play_spotify_uid' HTTP‑only cookie stores only your Spotify user ID to streamline authorized flows; it is not used for third‑party advertising. We also use analytics cookies and similar technologies (e.g., Google Analytics, PostHog) to understand usage and improve our services. You may control cookies via your browser; disabling some cookies may affect functionality.

7. International Data Transfers

Your information may be processed in the United States and other countries with different data protection laws. Where required, we implement appropriate safeguards for cross‑border transfers.

8. Your Rights and Choices

Depending on your location, you may have rights to access, correct, delete, or restrict processing of personal data, to object to processing, or to portability. You may withdraw consent at any time (e.g., revoke Spotify access via your Spotify account). To exercise rights related to Platform or Play data, contact support@dynamoi.com. We will verify requests and respond as required by law.

9. Data Retention

We retain personal data as long as necessary to provide services, comply with legal obligations, resolve disputes, and enforce agreements. Spotify tokens and Play user records are removed when you revoke access in Spotify or request deletion; associated Play engagement data is minimized or deleted within a reasonable period (typically within 14 days), and aggregated or anonymized analytics may be retained longer for reporting and security.

9a. Data Deletion Requests

For instructions on revoking Spotify access and requesting deletion of your Play data, visit dynamoi.com/data-deletion or navigate to the Data Deletion page from our site footer or legal pages.

10. Children's Privacy

Our services are not directed to children under the age required by applicable law. End users of Play must also meet Spotify’s age and eligibility requirements. If you believe a child has provided us personal data, contact support@dynamoi.com and we will take appropriate steps.

11. Changes to this Policy

We may update this Privacy Policy to reflect changes to our practices or legal requirements. We will notify you of material changes (e.g., by posting to our site or via in‑product notices). Continued use after changes take effect indicates acceptance.

12. Contact Us

For questions about this Policy or to submit a data request (including deletion of Play data), contact support@dynamoi.com.