Privacy Policy
This Privacy Policy explains how Songly ("Songly", "we", "us", or "our") collects, uses, and shares information about you when you use our website at https://songly.fun and any related services (the "Service"). By using the Service, you agree to the practices described in this Policy. If you do not agree, please do not use the Service.
1. Who we are
Songly is operated by Johann Briem, an individual based in Iceland, as a personal hobby project. You can reach us at johannbriem@gmail.com.
Songly is a free, music-based party game in which a host plays short audio previews and players guess metadata about each song. The Service is provided primarily for personal, non-commercial entertainment.
2. Information we collect
2.1 Information you provide directly
- Account information. When you sign in, we collect your email address (used only to send sign-in links). You may optionally provide a display name.
- Spotify connection (optional). If you choose to connect your Spotify account, we receive a Spotify access token and refresh token (which let us read certain Spotify data on your behalf), your Spotify user ID, your Spotify display name, and your Spotify email address.
2.2 Information collected automatically
- Game-play events. When a game starts or finishes, we record an event with non-personal metadata such as the number of players, number of rounds, the genres or year range selected, the playlist source, and the duration of the game. These events include a randomly-generated session ID stored in your browser, and (if you are signed in) your Songly user ID.
- Browser storage. We use browser localStorage and sessionStorage to persist your authentication session, your Spotify tokens (only if connected), a random session ID for analytics, and a few non-sensitive game preferences.
- Page-view analytics. We use Vercel Web Analytics, which records anonymous, aggregated page-view metrics. Vercel Analytics does not use third-party cookies, does not track individuals across sites, and does not collect personally-identifying information.
2.3 Information from Spotify
When you connect your Spotify account, we may, on your behalf, query the Spotify Web API for:
- The list of your private and collaborative playlists
- The tracks within a specific playlist you choose for a game
- Basic profile metadata: display name, ID, and email
We request only the minimum scopes required: playlist-read-private, playlist-read-collaborative, and user-library-read. We never receive your Spotify password.
3. How we use your information
We use the information we collect to:
- Provide and operate the Service (sign you in, run games, fetch your playlists, play song previews)
- Improve the Service (understand which features are used, fix bugs, plan new content)
- Communicate with you when necessary (e.g., emailing you a sign-in link)
- Comply with legal obligations and enforce our Terms of Service
We do not use your information for advertising or to sell to third parties.
4. How we share your information
We share information only in the following limited cases:
- Service providers. We use Supabase to store account information and game events, and Vercel to host the Service. These providers process information on our behalf under their own privacy practices.
- Spotify. When you connect Spotify, your interactions with Spotify (which playlists you fetch, which tracks you play) involve direct API calls to Spotify and are subject to Spotify's privacy policy.
- iTunes Search API. We query the public Apple iTunes Search API to find 30-second song previews for songs in the game. These queries do not include any personally-identifying information.
- Legal requirements. We may disclose information if required by law, subpoena, or to protect our rights, our users, or the public.
5. How long we keep your information
- Account information. Kept for as long as your account exists. You can request deletion at any time (see "Your rights" below).
- Spotify tokens. Stored locally in your browser. Cleared when you click "Disconnect", sign out, or your browser storage is cleared.
- Game-play events. Anonymous events with no link to an account are retained for analytics purposes. Events linked to your account are deleted when you delete your account.
6. Your rights
Depending on where you live (including under the EU GDPR, UK GDPR, California CCPA, and other applicable laws), you may have the right to:
- Access information we hold about you
- Correct or update your information
- Delete your account and associated information
- Object to or restrict our processing of your information
- Receive a copy of your information in a portable format
- Withdraw consent (e.g., by disconnecting Spotify)
- Lodge a complaint with your local data protection authority
To exercise any of these rights, contact us at johannbriem@gmail.com. We will respond within a reasonable time and free of charge.
You can revoke Songly's access to your Spotify account at any time directly via Spotify at https://www.spotify.com/account/apps/.
7. Children's privacy
The Service is not directed to children under 13 (or under 16 in the European Economic Area). We do not knowingly collect personal information from children under those ages. If you believe we have collected information from a child, please contact us and we will delete it.
8. International users
The Service is hosted in the European Union (Supabase EU region) and the United States (Vercel). If you access the Service from outside these jurisdictions, your information may be transferred to, stored, and processed in those jurisdictions. By using the Service, you consent to such transfer. We rely on standard contractual clauses or equivalent legal mechanisms where required.
9. Security
We take commercially reasonable measures to protect your information, including:
- HTTPS for all client connections to the Service and its providers
- Row Level Security policies on the Supabase database so each user can only access their own profile data
- Spotify's PKCE OAuth flow, which never exposes a client secret
- No client-side storage of plaintext passwords (we use email magic links instead)
However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
10. Third-party services
The Service relies on third-party platforms. By using the Service, you also agree to the terms and privacy policies of:
- Spotify — Terms of Service · Privacy Policy
- Apple iTunes — iTunes Terms
- Supabase — Privacy Policy
- Vercel — Privacy Policy
Songly is not affiliated with, endorsed by, or sponsored by Spotify, Apple, Supabase, or Vercel. Spotify is a registered trademark of Spotify AB.
11. Changes to this Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent change. If we make material changes, we will provide additional notice (e.g., a banner on the Service or, if you have an account, an email). Continued use of the Service after a change constitutes acceptance.
12. Contact
For privacy-related questions or to exercise any of your rights:
Johann Briem
johannbriem@gmail.com
See also our Terms of Service.