Privacy Policy

Effective Date: March 16, 2026
Last Updated: April 6, 2026
Applies To: turntbl.net (web) & TurnTbl iOS app

This Privacy Policy explains how TurnTbl ("TurnTbl," "we," "us," or "our") collects, uses, shares, and protects your personal information when you access or use the TurnTbl web application at turntbl.net or the TurnTbl iOS application (collectively, the "Service"). By using the Service, you agree to this Privacy Policy. If you do not agree, please do not use the Service.

01 Introduction

TurnTbl is a free music rating and social platform available on the web at turntbl.net and as a native iOS application. We are committed to protecting your privacy and being transparent about the data we collect and how we use it.

This Policy applies to all users of the Service, including visitors who browse without an account and registered users, across both the web platform and the iOS application. It covers:

  • Information you provide directly (e.g., account registration, ratings, reviews).
  • Information collected automatically as you use the Service (e.g., usage data, cookies).
  • Information we receive from third parties (e.g., Spotify, Last.fm).

This Policy does not apply to third-party websites or services linked from the Service, including Spotify, Last.fm, or Apple Music. We encourage you to review their privacy policies independently.

02 Information We Collect

2.1 Information You Provide Directly

  • Account Information: When you register, we collect your email address, username (handle), and password (stored in hashed form). You may optionally provide a display name, profile picture, and banner image.
  • User Content: Music ratings (numerical scores), written reviews, comments, and replies you post on the Service.
  • Spotify Data: If you choose to connect your Spotify account, we collect user-authorized data including your listening history, top artists, top tracks, and saved music. Connection is optional and can be disconnected at any time. See Section 5 for full disclosure.
  • Last.fm Data: If you choose to connect your Last.fm account, we collect scrobble history and listening statistics. Connection is optional and can be disconnected at any time.
  • Communications: Any messages you send us via email or feedback forms.

2.2 Information Collected Automatically

  • Usage Data: Pages and screens you view, features you use, search queries, albums you rate, profiles you visit, and timestamps of your activity.
  • Device & Technical Data: IP address, browser type and version, operating system, device identifiers (see Section 13 for iOS-specific details), referring URLs, and general geographic location derived from IP address (not precise GPS).
  • Session & Behavioral Data: On the web platform, we use behavior analytics tools including Microsoft Clarity (session recordings, heatmaps) and PostHog (product analytics, feature usage events). See Section 4 for full disclosure.
  • Performance Data: Collected by Vercel Analytics to monitor web application performance including page load times and error rates.

2.3 Information We Do Not Collect

  • Audio files, music recordings, or streaming content.
  • Precise geolocation data (GPS coordinates).
  • Biometric data.
  • Financial information or payment card data. The Service is free and we process no payments.
  • Government-issued ID numbers.
  • Data from children under 13 without verifiable parental consent.

03 How We Use Your Information

We use the information we collect for the following purposes:

  • Providing and Operating the Service: Creating and managing your account, processing and displaying your ratings and reviews, enabling community features (comments, follows, activity feeds), and maintaining platform security.
  • Personalizing Your Experience: Generating music stats and rankings based on your Spotify and Last.fm data, customizing content and discovery features based on your listening history.
  • Analytics and Improvement: Understanding how users interact with the Service, identifying bugs and performance issues, and developing new features. This includes use of Microsoft Clarity, PostHog, and Vercel Analytics as described in Section 4.
  • Safety and Integrity: Detecting and preventing fraud, abuse, spam, and violations of our Terms of Service.
  • Communications: Sending essential service notifications such as account confirmations, security alerts, and policy updates. We do not send marketing or promotional emails without your explicit opt-in.
  • Legal Compliance: Complying with applicable laws, regulations, court orders, and legal processes.

Legal Basis for Processing (EEA and UK Users): Where required by GDPR, we rely on the following legal bases: (a) Performance of a contract — to provide the Service you signed up for; (b) Legitimate interests — for security, platform improvement, and aggregated analytics; (c) Consent — for optional features including Spotify integration, Last.fm integration, and behavior analytics tools (Microsoft Clarity, PostHog); (d) Legal obligation — for compliance with applicable law.

04 Analytics & Tracking Tools

We use the following third-party analytics tools on the Service. Each tool has distinct data practices, and we disclose them fully here.

4.1 Vercel Analytics

We use Vercel Analytics to monitor web performance, including page load speeds, error rates, and visitor counts. Vercel Analytics is designed to be privacy-friendly and does not use cookies or collect personally identifiable information. Data is aggregated and anonymized.

  • Data collected: Aggregated page view counts, performance metrics, referrer information (anonymized).
  • Personal data linked to identity: No.
  • Consent required: Not required under GDPR or CCPA for aggregated, cookieless analytics.
  • Vercel Privacy Policy: vercel.com/legal/privacy-policy

4.2 Microsoft Clarity

We use Microsoft Clarity to understand how users interact with the web platform. Clarity records anonymized session data including mouse movements, clicks, scrolls, and page interactions (session recordings and heatmaps). Clarity automatically masks form inputs and sensitive fields.

  • Data collected: Session recordings, click and scroll heatmaps, device type, browser type, IP address (anonymized), session identifiers.
  • Cookies used: _clck (session ID), _clsk (session data), CLID (client ID).
  • Personal data linked to identity: Indirectly — behavioral patterns may constitute personal data under GDPR when they enable identification.
  • Data retention: Session recordings are retained for up to 30 days. Aggregated reports may be retained longer.
  • Consent required: Yes. For users in the EEA, UK, and Switzerland, we obtain explicit consent before activating Microsoft Clarity, in compliance with Microsoft's mandatory consent requirements effective October 31, 2025.
  • Microsoft Clarity Privacy Statement: microsoft.com/en-us/clarity/privacy
  • Opt-out: You can opt out of Microsoft Clarity at any time via your cookie preferences. EEA/UK/Swiss users will see a consent prompt before any Clarity data is collected.

Note on Session Replay: Microsoft Clarity records your interactions with the web platform. While we configure Clarity to mask sensitive fields, your clicks, scrolls, and navigation patterns may be recorded. These recordings are used solely to improve the user experience and are not shared with third parties for advertising purposes. You can withdraw consent at any time in your cookie preferences.

4.3 PostHog

We use PostHog for product analytics including feature usage events, funnel analysis, and user flow tracking. PostHog is configured to minimize data collection.

  • Data collected: Feature interaction events (e.g., share card views, profile loads, search queries), session identifiers, device and browser type, IP address.
  • Personal data linked to identity: Pseudonymous — events are associated with a session or user ID but not your name or email unless explicitly configured.
  • Cookies used: ph_* (PostHog session and user ID cookies).
  • Consent required: Yes, for users in the EEA, UK, and Switzerland.
  • PostHog Privacy Policy: posthog.com/privacy
  • Opt-out: You can opt out via cookie preferences. EEA/UK/Swiss users will see a consent prompt.

05 Third-Party Services

5.1 Spotify Integration

TurnTbl integrates with the Spotify API to display your listening statistics, top artists, top tracks, and related music data within the Service.

What data we access from Spotify:

  • Your Spotify display name and profile image (public profile).
  • Your top artists and top tracks (short-term, medium-term, long-term).
  • Your recently played tracks.
  • Your listening history and saved music where authorized.

Your explicit consent is required before we access any Spotify data. When you connect your Spotify account, you will be shown a Spotify authorization screen disclosing the specific permissions being requested. You can disconnect your Spotify account at any time from your account settings, which will revoke our access to your Spotify data.

Spotify data is used solely within TurnTbl to personalize your experience and generate your profile stats. We do not sell or share your Spotify data with third parties beyond what is necessary to operate the Service.

  • Spotify Privacy Policy: spotify.com/legal/privacy-policy

5.2 Last.fm Integration

TurnTbl integrates with the Last.fm API to display scrobble history and listening statistics.

What data we access from Last.fm:

  • Your Last.fm username and public profile.
  • Your scrobble history and listening statistics.
  • Your top artists, albums, and tracks.

Your explicit consent is required before we access any Last.fm data. You can disconnect your Last.fm account at any time from your account settings.

  • Last.fm Privacy Policy: last.fm/legal/privacy

5.3 iTunes / Apple Music Preview

TurnTbl's "Hear It" feature uses the iTunes Search API to display 30-second audio previews of tracks. When a preview is played, a link to the full track on iTunes or Apple Music is displayed alongside the preview. We do not use iTunes previews for entertainment purposes or as background music; previews are strictly for track identification and reference, in compliance with Apple's Guideline 5.2.5.

  • Apple Privacy Policy: apple.com/legal/privacy

06 How We Share Your Information

We do not sell your personal information. We may share your data in the following limited circumstances:

  • With Other Users (Publicly): Your username (handle), profile picture, ratings, reviews, and comments are visible to other TurnTbl users and the general public by default. Your email address is never publicly displayed.
  • Service Providers: We engage trusted third-party vendors to operate the Service, including Vercel (cloud infrastructure and analytics), Supabase (database and authentication), Upstash Redis (caching), Spotify API (music data), Last.fm API (music data), Apple Music/iTunes API (track previews), Microsoft (Clarity analytics), and PostHog (product analytics). These providers access your data only to perform services on our behalf and are bound by confidentiality obligations.
  • Analytics Partners: As described in Section 4, Microsoft and PostHog process behavioral data on our behalf for analytics purposes. This data is not shared for advertising or third-party profiling purposes.
  • Business Transfers: If TurnTbl is involved in a merger, acquisition, restructuring, or sale of assets, your information may be transferred. We will provide notice before your data becomes subject to a different privacy policy.
  • Legal Requirements: We may disclose your information when required by law, subpoena, court order, or government request, or when we believe disclosure is necessary to protect rights or safety.
  • With Your Consent: For any other purpose with your explicit prior consent.

07 Cookies & Tracking Technologies

We use cookies and similar technologies to operate and improve the Service.

Cookie Categories

  • Essential Cookies: Required for authentication (keeping you logged in) and basic platform functionality. These cannot be disabled without breaking the Service. No consent required.
  • Analytics Cookies (Vercel Analytics): Aggregated, cookieless analytics for performance monitoring. No consent required as no personal data is collected.
  • Behavior Analytics Cookies (Microsoft Clarity, PostHog): Session recording, heatmaps, and product analytics. These set cookies including _clck, _clsk, CLID (Clarity) and ph_* (PostHog). Explicit opt-in consent is required for users in the EEA, UK, and Switzerland. For other users, these are enabled by default but can be disabled via cookie preferences.
  • Preference Cookies: Store your settings and display preferences between sessions.

Cookie Management

You can control cookies through your browser settings or via our cookie preference center. Disabling essential cookies will prevent you from logging in. Disabling analytics and behavior cookies will stop Microsoft Clarity and PostHog data collection, which will not affect your ability to use the Service.

We do not use advertising, retargeting, or behavioral tracking cookies for commercial advertising purposes. We do not participate in cross-site tracking networks.

08 Your Privacy Rights

Depending on where you live, you may have specific rights regarding your personal data. TurnTbl respects and honors these rights globally.

8.1 All Users

Regardless of location, all TurnTbl users have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data via your account settings.
  • Delete your account and associated personal data. You can initiate account deletion from within the iOS app or web app account settings. Upon deletion, your account data is deleted within 30 days.
  • Withdraw consent for optional data processing at any time (e.g., disconnect your Spotify or Last.fm integration, opt out of behavior analytics).
  • Receive a copy of the data you have submitted (ratings, reviews, profile information) in a portable format upon request.

8.2 European Economic Area (EEA) and United Kingdom — GDPR / UK GDPR

If you are located in the EEA or UK, you have the following additional rights:

  • Right of Access (Article 15): Request confirmation of whether we process your data and obtain a copy.
  • Right to Rectification (Article 16): Request correction of inaccurate personal data.
  • Right to Erasure (Article 17): Request deletion of your personal data, subject to legal retention obligations.
  • Right to Restriction (Article 18): Request that we restrict processing in certain circumstances.
  • Right to Data Portability (Article 20): Receive your data in a structured, machine-readable format.
  • Right to Object (Article 21): Object to processing based on legitimate interests.
  • Right to Withdraw Consent: Where processing is based on consent (e.g., Spotify integration, behavior analytics), you may withdraw consent at any time without affecting the lawfulness of prior processing.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection authority (e.g., the UK ICO, or your EU national supervisory authority).

For users in the EEA, UK, and Switzerland, we present a consent prompt before activating Microsoft Clarity and PostHog. You can update your preferences at any time.

8.3 California Residents — CCPA / CPRA

If you are a California resident, the CCPA as amended by the CPRA grants you the following rights:

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected, the sources, purposes, and third parties with whom it is shared.
  • Right to Delete: Request deletion of personal information we have collected, subject to certain exceptions.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Opt-Out of Sale or Sharing: We do not sell or share personal information for cross-context behavioral advertising. No "Do Not Sell or Share" opt-out is required because we do not engage in these activities.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.

To exercise your California rights, contact us at turntblteam@gmail.com with the subject line "California Privacy Request." We will respond within 45 days.

8.4 Canada — PIPEDA / Quebec Law 25

Canadian users have rights under PIPEDA and, where applicable, Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25), including the right to access, correct, and withdraw consent for non-essential processing. Contact us at turntblteam@gmail.com to exercise these rights.

8.5 Australia — Privacy Act 1988

Australian users have rights under the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs), including the right to access personal information we hold about you and to request correction. If you have a complaint, you may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

8.6 Brazil — LGPD

Brazilian users have rights under the Lei Geral de Proteção de Dados (LGPD), including rights to access, correction, deletion, portability, and information about sharing of your personal data. Contact us at turntblteam@gmail.com to exercise your LGPD rights.

8.7 How to Exercise Your Rights

To exercise any rights described in this Section, contact us at turntblteam@gmail.com. We will verify your identity before processing your request. We will respond within the timeframes required by applicable law (typically 30–45 days). We will not charge a fee for reasonable requests.

09 Data Retention

  • Account Data: Retained for the life of your account. Upon account deletion initiated in-app or via request, we will delete or anonymize your personal account data within 30 days, except where required by law.
  • User Content (Ratings & Reviews): Publicly posted ratings and reviews may persist in anonymized or aggregated form after account deletion, as they contribute to the community record. If you request deletion of your content prior to closing your account, we will remove your identifying information.
  • Spotify and Last.fm Tokens: Access tokens are retained only as long as you have an active connection. Upon disconnecting a service, tokens are revoked and deleted.
  • Behavior Analytics Data (Clarity): Session recordings are retained by Microsoft for up to 30 days. Aggregated heatmap data may be retained longer per Microsoft's data practices.
  • PostHog Analytics Data: Event data is retained for up to 12 months by default.
  • Usage Logs: Retained for up to 12 months for security and analytics, then deleted or anonymized.
  • Legal Hold: We may retain data longer if required by applicable law, court order, or in connection with a legal dispute involving TurnTbl.

10 Data Security

We take reasonable technical and organizational measures to protect your personal information, including:

  • Encrypted data transmission (HTTPS/TLS) for all Service traffic.
  • Hashed password storage — we never store your password in plaintext.
  • Authentication managed via Supabase Auth using industry-standard OAuth 2.0 PKCE flow.
  • Access controls limiting access to personal data on a need-to-know basis.
  • Microsoft Clarity is configured to automatically mask form inputs and sensitive fields.
  • Regular review of security practices and third-party service security posture.

No security system is impenetrable. We cannot guarantee absolute security. If you believe your account has been compromised, contact us immediately at turntblteam@gmail.com. In the event of a data breach affecting your personal information, we will notify affected users as required by applicable law.

11 Children's Privacy

The Service is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13 without verifiable parental consent.

If you are between 13 and 18 (or under the age of majority in your jurisdiction), you may only use the Service with verifiable parental or guardian consent.

The iOS application is rated 13+ on the App Store in accordance with Apple's age rating guidelines. Users who indicate they are under 13 during registration will be denied access to account creation.

If we learn that we have collected personal information from a child under 13 without proper consent, we will promptly delete that information. If you believe we have inadvertently collected data from a child under 13, please contact us at turntblteam@gmail.com.

12 International Data Transfers

TurnTbl is operated from the United States. If you are accessing the Service from outside the United States, your personal information will be transferred to, stored in, and processed in the United States and potentially other countries where our service providers operate (including Microsoft Azure for Clarity data, and Supabase infrastructure).

For users in the EEA, UK, or Switzerland, where required by law, we rely on appropriate transfer mechanisms such as Standard Contractual Clauses (SCCs) adopted by the European Commission to ensure your data is adequately protected when transferred internationally. For more information, contact us at turntblteam@gmail.com.

13 iOS-Specific Disclosures

This section applies specifically to users of the TurnTbl iOS application.

13.1 Data Collected by the iOS Application

The iOS application collects the same categories of data described in Section 2. Additionally:

  • Device Identifiers: The iOS application may access device-level identifiers for analytics and crash reporting purposes. We do not access the Identifier for Advertisers (IDFA) or use cross-app tracking. If any Capacitor plugin we use accesses device identifiers, this is disclosed in our App Store privacy nutrition label.
  • Network Requests: The iOS application communicates with turntbl.net, Supabase, Spotify API, Last.fm API, and iTunes API over HTTPS.

13.2 In-App Consent

When you first launch the TurnTbl iOS application and connect a third-party service (Spotify, Last.fm), you will be shown an explicit consent screen disclosing:

  • What data will be accessed from that service.
  • How that data will be used within TurnTbl.
  • How to disconnect the service at any time.

You must actively confirm consent before any third-party data is retrieved.

13.3 Account Deletion (Apple Guideline 5.1.1(v))

In compliance with Apple's App Store guidelines, you can initiate deletion of your TurnTbl account directly from within the iOS application by navigating to Account Settings > Delete Account. Account deletion will remove your personal data, ratings, reviews, and connected service tokens within 30 days.

13.4 App Store Privacy Nutrition Label

Our App Store privacy nutrition label in App Store Connect reflects all data collected by the iOS application. If our data practices change in a way that affects the nutrition label, we will update both the label and this Policy accordingly.

13.5 Third-Party SDKs

The iOS application uses the following SDKs that may process personal data:

  • Capacitor (Ionic): Native iOS wrapper for the web application.
  • Supabase iOS client: Authentication and database access.
  • Any additional SDKs are disclosed in our App Store privacy nutrition label and privacy manifest (PrivacyInfo.xcprivacy).

14 Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by:

  • Posting the updated Policy on this page with an updated "Last Updated" date.
  • Displaying a notice on the Service upon your next login for significant changes.
  • For iOS application users, displaying an in-app notice on next launch for material changes.

Your continued use of the Service after any update constitutes your acceptance of the revised Policy. If you do not agree with the updated Policy, you must stop using the Service and may delete your account.

15 Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

TurnTbl Privacy Team
Privacy page: turntbl.net/privacy
Legal & Terms: turntbl.net/legal

We will endeavor to respond to all privacy inquiries within 10 business days.

By using TurnTbl, you confirm that you have read and understood this Privacy Policy.

© 2026 TURNTBL — ALL RIGHTS RESERVED — LAST UPDATED APRIL 6, 2026