Privacy Policy

Tuneshift is a playlist transfer tool. We respect your privacy and keep data collection to the absolute minimum needed to perform transfers.

We do not serve ads. We do not sell or share your data with anyone. You can use Tuneshift without creating an account.

Information we collect

Streaming service tokens. When you connect a streaming service (Spotify, Apple Music, YouTube Music, Tidal, Deezer), we receive an OAuth access token from that service. This token allows us to read your playlists and write to your library on the destination service. Tokens are stored in an encrypted session cookie in your browser (AES-256-GCM) and never written to a server database.

Playlist data. During a transfer, we temporarily read your playlist names, track titles, artist names, album names, and ISRCs from the source service. This data is used only to match and recreate tracks on the destination service. It is processed in memory and not stored permanently.

Transfer results. After a transfer completes, a summary (playlist names, match counts, and status) is saved to a Redis datastore for 7 days so you can close the tab and return later. Transfer results are automatically deleted after 7 days.

Account data (optional). If you choose to sign in with Google, Apple, or a passkey, we store your name, email address, and profile image from the sign-in provider in a PostgreSQL database. This links your transfer history to your account so it persists across devices. You can delete your account at any time from your account settings.

What we do NOT collect

• No passwords (all sign-in is via OAuth or passkey)
• No analytics or tracking
• No advertising identifiers
• No personal information beyond what is needed for accounts and streaming display (name, email, avatar)

Cookies

We use functional cookies only:

• Session cookie — stores your encrypted streaming service tokens so you stay connected during a transfer session. Encrypted with AES-256-GCM. Cleared when you disconnect your accounts.
• Auth cookie — if you sign in, a session cookie identifies your account. Cleared when you sign out.
• Transfer history cookie — for anonymous users, stores a list of recent transfer IDs (no playlist data) so you can view past results. Expires after 7 days.

No analytics cookies, no advertising cookies, no third-party tracking cookies. All cookies are strictly functional, so no consent banner is required under GDPR or the ePrivacy Directive.

How we use your information

• To authenticate with your streaming services via OAuth
• To read playlists from your source service
• To match and create playlists on your destination service
• To display your account name and avatar during the session
• To maintain your Tuneshift account and link transfer history (if signed in)

We use data obtained from connected streaming services (OAuth tokens and playlist metadata) solely to provide the playlist transfer functionality you requested. We do not use your data for marketing, profiling, advertising, automated decision-making, or training AI models.

Third-party services

Tuneshift connects to streaming service APIs to perform transfers. When you authorize a service, the OAuth flow is handled directly between your browser and the streaming service. We receive only the access token needed to act on your behalf. If you sign in with Google or Apple, the same OAuth flow is used — we receive your name, email, and profile image.

We do not sell, transfer, or disclose your data to any third party for any purpose, except as required to provide the core playlist transfer service or as required by law.

The streaming services we integrate with have their own privacy policies:

• Spotify Privacy Policy
• Apple Privacy Policy
• Google Privacy Policy (YouTube Music)
• Tidal Privacy Policy
• Deezer Privacy Policy

Tuneshift is hosted on Vercel. Standard server logs (IP address, user agent) may be collected by the hosting provider as part of normal operations.

Data storage and retention

• Streaming tokens — stored in an encrypted cookie in your browser (AES-256-GCM). Cleared when you disconnect or when the cookie expires. Never written to a server database.
• Transfer results — saved to a Redis datastore (Upstash) for 7 days, then automatically deleted. Includes playlist names, match counts, and status — not full track data.
• Account data — if you sign in, your name, email, and profile image are stored in a PostgreSQL database. Auth sessions and passkey credentials are also stored. You can delete your account at any time, which removes all stored data.

Your rights under GDPR

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the right to access, rectify, erase, restrict, and port your personal data.

• Anonymous users: streaming tokens are in your browser cookie — clear your cookies to erase them. Transfer results expire automatically after 7 days.
• Signed-in users: visit your account settings to export your data or delete your account, which removes all stored personal data (name, email, profile image, auth sessions, passkeys, and linked transfer history).

You can also revoke Tuneshift's access to your streaming accounts at any time through each service's account settings.

You can export your data or delete your account at any time from your account settings. For any other requests, contact us at hello@tuneshift.co.

Children's privacy

Tuneshift is not directed at children under 16. We do not knowingly collect personal information from children.

Changes to this policy

If we make changes, we will update the date at the top of this page.

Contact

Questions about this policy? Reach us at hello@tuneshift.co.