Privacy Policy for Bop Machine

Effective Date: April 24, 2025

1. About this Policy

This Privacy Policy describes how Bop Machine processes your personal data. It applies to your use of the Bop Machine web application (the "Service").

By using the Service, you agree to the collection and use of information in accordance with this policy.

2. Your Personal Data Rights and Controls

You have certain rights regarding the personal data we process about you:

• Access: You can access much of your information (like generated playlists) directly within the Bop Machine app. For other information, please contact us.
• Rectification: Information synced from Spotify (like your name and avatar) should be updated in your Spotify profile. For other data, please contact us.
• Disconnection and Erasure (Deletion): You can disconnect your Spotify account from Bop Machine at any time via the 'My Account' page. Disconnecting your account initiates the deletion of your Spotify Personal Data stored by Bop Machine (including linked profile information, generated playlists, job history, and stored tokens) from our active databases, typically within 5 days, in line with Spotify's developer terms. You can also request erasure by contacting us via the email below.

To exercise these rights, please contact us using the information provided in Section 11 below, or use the features provided within the application where available.

3. Personal Data We Collect About You

We collect personal data necessary to provide and improve our Service. This includes the following categories:

• Data Provided via Spotify Authentication: When you connect your Spotify account, we request access to certain information based on the permissions (scopes) you grant. As of the Effective Date, these scopes include:
  • user-read-private: Used to access your Spotify User ID (for linking your account), Display Name, and Profile Picture (to personalize your experience within Bop Machine).
  • playlist-modify-public andplaylist-modify-private: Used solely to create playlists in your Spotify account when you choose to export a generated playlist from Bop Machine.

  We also receive access tokens from Spotify necessary to interact with the Spotify API on your behalf (e.g., for exporting playlists). You can review Spotify's own Privacy Policyhere.

• Data You Provide Directly:
  • Prompts you enter to generate playlists.
• Data Generated Through Your Use of the Service:
  • Playlist content generated based on your prompts (titles, descriptions, essays, lists of track metadata retrieved from Spotify based on AI-generated criteria).
  • Job status information related to playlist generation.
  • Your Bop Machine User ID (linked to your Spotify User ID via Supabase Authentication).
• Usage Data : We collect usage data to improve the Service. This includes: - Standard web logs - Analytics (Vercel Analytics)

4. Our Purpose for Using Your Personal Data

We use the personal data we collect for the following purposes:

• To provide, operate, and maintain our Service.
• To link your Spotify account and authenticate your use of the Service.
• To generate playlist content based on the prompts you provide using AI.
• To store and allow you to access your generated playlists within Bop Machine.
• To personalize your experience within the Service (e.g., displaying your Spotify name and avatar).
• To enable you to export generated playlists to your Spotify account.
• To troubleshoot issues and improve the Service's performance and features.
• To prevent misuse of the Service and enforce our terms.
• **Important:** We do **not** use your Spotify Personal Data or any Spotify Content obtained via the Spotify Platform to train machine learning or AI models.
• **Important:** We do **not** sell your personal data.

5. Sharing Your Personal Data

We only share your personal data in the circumstances described below:

• Service Providers: We share necessary information with third-party service providers who perform services on our behalf. They require access to certain data to do their work. These include:
  • Supabase: For user authentication and database storage (profile linkage, generated content, job status, necessary tokens). See Supabase Privacy Policy.
  • OpenAI: To process text prompts. Only prompt text is sent. See  OpenAI Privacy Policy.
  • Vercel & Railway: For hosting infrastructure. See  Vercel Privacy Policy and  Railway Privacy Policy.
• Spotify Platform: When you choose to export a playlist, we interact with the Spotify API using your authorization, which inherently shares necessary identifiers and instructions with Spotify to perform the action.
• Legal Obligations: We may disclose your information if required by law or legal process, or to protect rights, safety, and investigate fraud.

6. Data Retention

We keep your personal data only as long as necessary to provide you with the Service and for legitimate and essential business purposes, such as maintaining service performance, complying with legal obligations, and resolving disputes. Generally, data associated with your account (like generated playlists and job history) is retained until you disconnect your Spotify account or request deletion (see Section 2).

7. Transfer to Other Countries

Bop Machine operates globally and uses service providers (like Supabase, OpenAI, Vercel, Railway) that may process your information in countries outside of your country of residence, including the United States. We rely on the data protection measures and agreements provided by these service providers to ensure that transfers comply with applicable laws.

8. Keeping Your Personal Data Safe

We are committed to protecting our users' personal data. We implement appropriate technical and organizational measures to help protect the security of your personal data, leveraging the security features of our service providers like Supabase for data storage and encryption. However, please be aware that no system is ever completely secure. We encourage you to use a strong, unique password for any linked accounts and practice good security hygiene.

9. Children

Our Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under the relevant age limit. If you are a parent or guardian and believe your child has provided us with personal data, please contact us.

10. Changes to This Policy

We may occasionally make changes to this Policy. When we make material changes, we will provide you with notice as appropriate, for example, by updating the "Effective Date" at the top of this Policy and potentially through other means if significant. Please review this Policy periodically.

11. How to Contact Us

If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us at: support@bopmachine.ai.