Privacy Policy

Last updated: April 23, 2026

Song of the Week (“SotW”, “we”, “us”) is a small hobby project for sharing music with friends. This policy describes what we store, why, and what we do with it.

What we collect

  • Account basics: your email address, a hashed password (Argon2id — we never see your plaintext password), your chosen display name, and an optional profile picture.
  • Preferences: your preferred streaming service, your email-notification opt-in, and your Web Push subscription when you enable push notifications.
  • Activity: groups you belong to, songs you submit, ratings and comments you leave, and votes you cast. These are the point of the app.
  • Connected services: if you sign in with Spotify, we store your Spotify user ID, display name, and encrypted OAuth tokens so we can build playlists on your behalf. We never see your Spotify password.
  • Session metadata: a hashed session token, the IP address and user-agent of each login, and timestamps. We use this to keep you signed in and to invalidate sessions safely.

How we use it

Everything listed above is used only to run the features you interact with — letting you sign in, join groups, submit songs, vote, see results, receive notifications, and (if you opt in) build Spotify playlists. We don’t sell your data, we don’t share it with third parties for marketing, and we don’t use it to profile you across the wider internet.

Emails

We send three kinds of email: a one-off verification email when you sign up, password-reset emails when you ask for them, and notification emails when a new round opens or results are in. You can turn off the notification emails at any time from your account page or via the unsubscribe link in every notification email. Verification and reset emails are essential to account security and cannot be opted out of.

Retention & deletion

Your data lives as long as your account does. You can delete your account — and everything associated with it — by contacting us. We’ll remove your account and your submissions, votes, ratings, and comments.

Cookies

We use two cookies: a session cookie so you stay signed in, and a CSRF token cookie used to protect form submissions. Both are first-party and strictly necessary — there are no analytics or advertising cookies.

Contact

Questions or requests? Reach out via the contact page.