Privacy & Data Use

Last updated: Jun 29, 2026

LunaClone is built with transparency and user control at its core. This policy explains what we collect, how we use it, and the rights you have over your data. If any part of it is unclear, contact us at privacy@lunaclone.me and we’ll walk you through it.

What we collect

We keep the data footprint intentionally small. Everything below is collected only after you connect your account and grant explicit consent.

  • Spotify listening data — recently played tracks, saved library, top artists and genres, and audio features returned by the Spotify Web API.
  • Interaction signals — likes, skips, replays, playlist additions, and dwell time within LunaClone.
  • Optional inputs — mood, context, and preference tags you volunteer to sharpen your recommendations.
  • Account & device basics — email, authentication tokens, device type, and coarse locale. Used to keep you signed in and to detect abuse.

We do not collect precise location, contacts, microphone input, or advertising identifiers.

How we use your data

  • Personalization. We rank and generate recommendations tailored to your listening patterns and stated preferences.
  • Responsible model training. Aggregated, de-identified signals help us improve our recommendation models. You can opt out at any time without losing access to the core product.
  • Explainable recommendations. Every suggestion carries a plain-language reason so you can see why it surfaced.
  • Service operations. Diagnosing bugs, preventing abuse, meeting legal obligations.

We never sell your data. We do not use it for third-party advertising.

Your rights

Under the GDPR (EU / EEA / UK) and comparable regimes (CCPA, LGPD, PIPEDA, and others), you can:

  • Access — request a copy of the personal data we hold about you.
  • Rectify — correct anything that’s inaccurate.
  • Delete — ask us to erase your account and associated data.
  • Export — download your data in a portable, machine-readable format (JSON or CSV).
  • Opt out of AI profiling — disable training-signal use and personalized recommendation ranking.
  • Withdraw consent — revoke Spotify connection or any optional inputs at any time.

Requests are handled within 30 days. Reach us at privacy@lunaclone.me.

Security

  • Encrypted storage — PostgreSQL with encryption at rest; secrets managed in a dedicated vault.
  • Encrypted transport — TLS 1.2+ for every API call and web request.
  • Strict access control — role-based access with least-privilege defaults, mandatory MFA for internal tooling, and audit logging of production access.
  • Token isolation — Spotify OAuth tokens are stored encrypted and scoped to the minimum permissions required.
  • Incident response — we notify affected users and relevant supervisory authorities within 72 hours of a confirmed breach.

Transparency first

For every song we surface, we show you:

  • Why it was recommended (e.g. “similar tempo and mood to tracks you replayed this week”).
  • What data influenced the choice (recent plays, saved library, explicit mood input).
  • How to change it — controls to downweight a signal, mute an artist, or reset your profile.

Data retention

We keep interaction data only as long as it usefully improves your recommendations. When you delete your account, associated personal data is purged within 30 days from primary systems and within 90 days from encrypted backups.

Third parties

We use a small set of processors to run the service: Spotify (music data), our hosting provider (compute and storage), and standard analytics tooling (privacy-preserving, no third-party trackers). Each processor is bound by a data processing agreement.

Changes to this policy

We’ll notify you in-product and by email at least 14 days before any material change takes effect.

Last updated: June 29, 2026.