Privacy Policy
Last updated: 2026-05-02
beatmatch is a portfolio project that compares the music taste of two Spotify users. This page explains exactly what data we read, how we use it, where it lives, and how to delete it. No legalese, just facts.
What we read from your Spotify account
When you click Start your match, you authorise beatmatch on Spotify (OAuth 2.0 with PKCE — we never see your password). Once authorised, we read three things, in your browser:
- Your basic profile: id, display_name, profile picture URL.
- Your top 50 artists from the past ~6 months (medium_term) — only their id, name, and image.
- Your top 50 tracks from the past ~6 months — only id, name, primary artist name, album metadata (id, name, image, release date), and duration.
We do not read your saved library, playlists, listening history, payment status, or anything outside the scopes user-read-private and user-top-read.
What happens to that data
The data is sent to a small server-side endpoint that stores it as a single JSON file alongside your friend's data, keyed by a random match ID. The file lets the two of you load the same dashboard from different browsers.
Your Spotify access tokens never leave your browser. They are stored in your own localStorage and used only to call Spotify's API directly from your device. Our backend never sees them.
How long we keep it
- The match JSON file is automatically deleted by a cleanup routine that runs on every page load — anything older than yesterday's midnight is purged.
- You can delete your match instantly by clicking End match in the dashboard. This removes the file from the server, clears your local storage, and signs you out.
- If you never come back, the file is gone within 48 hours regardless.
Who we share data with
Nobody. The only third party involved is Spotify itself (whose API you are authenticating against). We do not use analytics, ad networks, tracking pixels, or external CDN services beyond Google Fonts (which sees your IP when loading typeface files — same as on any site using fonts.googleapis.com).
Cookies
beatmatch sets zero cookies. State is kept in your browser's localStorage (Spotify token, current match ID, your Spotify user ID) and sessionStorage (PKCE verifier & state during the OAuth round-trip — wiped immediately after).
Your rights
You can at any time:
- Click End match to delete your match data from our server and clear your local storage.
- Revoke beatmatch's access from your Spotify account at spotify.com/account/apps.
- Email us to request deletion of any residual data (see contact below).
Security
Authentication uses OAuth 2.0 with PKCE — there is no client secret on the page, and your tokens stay in your browser. The match endpoint validates the match ID against a strict regex and refuses payloads over 2 MB. The app is served exclusively over HTTPS in production.
Children
beatmatch is not directed at children under 13. Spotify itself requires users to be at least 13 (or older in some jurisdictions) — we rely on that enforcement.
Changes to this policy
If we change anything material, the "Last updated" date at the top of this page will change. Substantive changes will be flagged on the homepage.
Contact
Questions, deletion requests, or concerns: pro.massia@gmail.com.
Spotify attribution
Music data on this page is provided by Spotify. beatmatch is not affiliated with, endorsed by, or sponsored by Spotify AB.