Privacy Policy
What personal data Muzazaa collects, why, and how you can control it. We design for privacy from the start.
Last updated 14 June 2026 · Draft — pending legal review before public launch.
Who we are and which law applies
Muzazaa is an independent catalog of the Ukrainian music scene. We process personal data under Ukraine's Law on Personal Data Protection (No. 2297-VI).
The service targets users in Ukraine, but we follow GDPR principles from V1.0, because building in privacy up front is cheaper than retrofitting it.
What data we collect
The personal-data surface is deliberately minimal: your email, your Spotify display name, OAuth provider IDs, and text you submit yourself (such as artist suggestions).
We collect no payment data, no health data, and no children's data.
How we use data
We use data to show the catalog, to sync your liked tracks to Spotify on your action, and to process the suggestions you submit. We do not sell personal data.
OAuth tokens
When you sign in with Spotify, refresh tokens are stored encrypted (ActiveRecord::Encryption). Access tokens are held only in a short-TTL cache.
We do not write tokens to logs.
Scope minimisation
We request only the Spotify scopes we actually use. At V1.0 these are user-library-modify, user-read-email, and user-read-private. We take no speculative scope grants.
Third-party processors
We share the minimum necessary data with trusted processors: Spotify (sign-in and catalog), MusicBrainz and Genius (metadata enrichment), Cloudflare (protection and delivery), and hCaptcha (bot protection on forms).
Your rights
You have the right to access, rectify, and erase your data. Deleting your account triggers a cascade: your submissions are soft-deleted (moderation history is preserved), your listening history is permanently deleted, and your Spotify profile is cleared.
To exercise your rights, delete your account in profile settings or contact us.
Contact
For privacy questions, write to [email protected].