Privacy Policy

Effective date: March 29, 2026

This Privacy Policy explains what information GrooveID collects about you, how we use it, and your rights regarding that information. By using the Service you agree to the practices described here.

1. Information we collect

Account information

• Email address — used for account creation, email verification, and transactional emails (e.g. usage warnings).
• Password — stored as a bcrypt hash (cost factor 12). We never store your plaintext password.

API usage data

• API keys — stored as SHA-256 hashes. The plaintext key is shown to you once and never stored.
• Usage events — we record recognition call counts per account per month to enforce free-tier limits and calculate billing. Individual request payloads are not stored.

Audio fingerprints

• When you upload a song, we extract a spectral fingerprint (a numerical representation of frequency characteristics over time) and store it in our database.
• The original audio file is deleted immediately after fingerprinting. We do not retain, analyse, or distribute your audio.
• Fingerprints are used solely to perform recognition matching on your behalf.

Session data

• We use server-side sessions (stored in PostgreSQL) to keep you logged into the developer portal. Sessions expire after 7 days of inactivity.

2. How we use your information

• To create and manage your account.
• To send a one-time email verification link when you sign up.
• To enforce free-tier usage limits and calculate billing for paid accounts.
• To respond to support requests.
• To send transactional notifications (e.g. 80% usage threshold warnings).

We do not sell, rent, or share your personal data with third parties for marketing purposes.

3. Third-party services

• Neon (PostgreSQL) — database hosting. Your data is stored on Neon-managed infrastructure. See Neon's Privacy Policy.
• Resend — transactional email delivery. Your email address is transmitted to Resend to send verification emails. See Resend's Privacy Policy.
• iTunes Search API — when a recognition match is found, we query Apple's public iTunes Search API with the song name to enrich the result with metadata (artwork, track name, artist). No personal data is sent to Apple.

4. Data retention

• Account data is retained until you delete your account.
• Fingerprint data is retained until you delete the associated song or library, or delete your account.
• Usage events are retained for a rolling 12-month window for billing and analytics.
• Session data is purged when a session expires or you log out.

5. Your rights

You may, at any time:

• Delete your account — from the developer portal. This cascades and permanently deletes all your libraries, songs (fingerprints), API keys, and usage history.
• Request a data export — email [email protected] and we will provide a copy of your account data within 30 days.
• Correct your information — contact support to update your email address.

6. Security

We use HTTPS for all data in transit, bcrypt for password hashing, SHA-256 for API key hashing, and server-side session management with CSRF protection. We do not store plaintext secrets. No security measure is perfect; use a strong password and keep your API keys confidential.

7. Changes to this policy

We may update this policy from time to time. The effective date at the top of this page will be updated accordingly. Continued use of the Service constitutes acceptance.

8. Contact

Privacy questions or data requests: [email protected].