Privacy Policy

Last updated: May 16, 2026

Collab.fm is a small social music app. This page describes what information we collect, why we collect it, and what your rights are. If anything here is unclear, email us — see the contact section at the bottom.

What we collect

• Account information you give us: email, name, username, password (stored hashed), bio, profile and cover images.
• Music service tokens: when you connect Spotify or YouTube Music, we store the access and refresh tokens we get back from those services. These let us sync playlists on your behalf. We never receive your music-service password.
• Content you create: playlists, tracks, likes, shelf items, recommendations you send, and the messages attached to them.
• Activity log: a record of actions you take in the app (creating a playlist, adding a track, following someone, connecting a service) so we can render your activity feed.
• Notifications: rows recording when someone follows you or sends you a recommendation, plus whether you've read them.
• Operational data: HTTP request logs from the server (IP address, timestamps, paths), kept transiently for debugging.

We do not use analytics or advertising trackers, and we don't sell or rent your data to anyone.

How we use it

• To provide the service itself (showing you the right pages, syncing playlists).
• To send you email related to your account: password resets, playlist invitations, and (only if you opt in) the weekly digest.
• To populate other people's feeds with your public activity, if you have followers.

Third parties we share with

• Spotify and YouTube / Google — when you connect a music service, we exchange data with them on your behalf to read and write playlists. Their handling of that data is governed by their own privacy policies.
• Resend — we use Resend to deliver email (password reset, weekly digest, etc.). Your email address is transmitted to Resend at send time.

That's it. No analytics provider, no ad network, no data broker.

Cookies

We use a single session cookie for authentication. It's necessary for the app to know you're signed in. We don't use tracking cookies or third-party cookies for advertising.

How long we keep it

Account data is kept for as long as your account exists. Deleting your account removes your account record and all data attached to it (playlists, tracks, likes, shelf, activity, recommendations you sent, etc.). Recommendations you received from other users are also removed.

Your rights

• Access: you can download a JSON copy of your data from your settings page.
• Deletion: you can delete your account from the same page. This is permanent and cascades through your content.
• Opt out of email: weekly digest can be turned off in settings. Transactional email (password reset, playlist invitations sent to you) is required to operate the account.
• Disconnect music services: you can revoke a service connection from the connect-services page. We delete the stored tokens immediately.

Where data lives

Application data is stored in a self-hosted Postgres database. The service runs on infrastructure operated by the project maintainer. No data is intentionally transferred outside that infrastructure except as described above (Spotify, YouTube, Resend).

Children

Collab.fm is not directed at children under 13 and we don't knowingly collect information from them. If you believe a child has provided us information, please contact us so we can delete it.

Changes to this policy

If we make material changes, we'll update the “Last updated” date at the top and surface a notice in the app.

Contact

Questions or requests? Email [email protected].