Back to Home

Privacy Policy

Last updated: January 23, 2026

Introduction

Welcome to Unwrapped ("we", "our", or "us"). We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, and safeguard your information when you use our service.

Information We Collect

Account Information

When you create an account, we collect:

  • Email address
  • Password (encrypted and securely stored)
  • Account creation date

Spotify Data

When you upload your Spotify Extended Streaming History, we collect:

  • Track names, artist names, and album names
  • Listening timestamps and duration
  • Platform information (iOS, Android, Web, etc.)
  • Listening behavior (shuffle mode, skipped tracks)

Technical Data

  • Session cookies for authentication
  • Browser type and version
  • Device information

How We Use Your Information

We use your data to:

  • Provide the Service: Generate personalized music analytics and insights
  • Authentication: Keep you logged in and secure your account
  • Improve the Service: Understand usage patterns and fix bugs
  • Communication: Send important service updates (only essential emails)

Data Storage and Security

Your data is stored securely on Supabase (PostgreSQL database) with industry-standard encryption:

  • Encryption at rest: All data is encrypted in the database
  • Encryption in transit: All connections use HTTPS/TLS
  • Access controls: Row-level security ensures you only see your own data
  • Password security: Passwords are hashed using bcrypt

Your Rights (GDPR Compliance)

You have the right to:

  • Access: View all data we have about you
  • Portability: Export your data in JSON format
  • Rectification: Correct inaccurate data
  • Erasure: Delete your account and all associated data
  • Restriction: Limit how we process your data
  • Object: Object to data processing
  • Withdraw consent: Remove consent at any time

Data Retention

We retain your data as long as your account is active. When you delete your account:

  • All Spotify streaming data is immediately deleted
  • Your account information is removed
  • Cached data is cleared within 24 hours
  • Backups are purged within 30 days

Data Sharing

We do not sell your data to third parties. We only share data with:

  • Supabase: Database hosting (infrastructure provider)
  • Anthropic: AI analysis for "Get Exposed" feature (optional)
  • Vercel: Application hosting

All third-party providers are GDPR-compliant and have Data Processing Agreements (DPAs) in place.

Cookies

We use essential cookies only:

  • Authentication cookies: Keep you logged in (HTTP-only, secure)
  • Session management: Maintain your login state

We do not use tracking cookies, analytics cookies, or advertising cookies.

Children's Privacy

Our service is not intended for users under 16 years of age. We do not knowingly collect data from children.

International Data Transfers

Your data may be processed in the United States or European Union through our service providers. All transfers comply with GDPR requirements through Standard Contractual Clauses (SCCs).

Changes to This Policy

We may update this privacy policy from time to time. We will notify you of significant changes by email or through a notice on our service. Continued use of the service after changes constitutes acceptance.

Contact Us

For privacy-related questions, data access requests, or to exercise your rights, contact us at:

  • Email: privacy@unwrapped.app
  • Data Protection Officer: dpo@unwrapped.app

Legal Basis for Processing (GDPR)

We process your data based on:

  • Consent: You explicitly agree when uploading Spotify data
  • Contract: Processing necessary to provide the service you signed up for
  • Legitimate interest: Improving service quality and security

Supervisory Authority

If you are in the EU/EEA, you have the right to lodge a complaint with your local data protection authority.

This privacy policy is effective as of the date stated above. For older versions of this policy, please contact us.