Privacy Policy
Last updated: July 13, 2026
1. Introduction
tastegraph ("we", "us", "our") operates the website tastegraph.org and the worker deployment at tastegraph.org (the "Service"). This page informs you of our policies regarding the collection, use, and disclosure of personal data when you use our Service.
By using the Service, you agree to the collection and use of information in accordance with this policy.
2. Information We Collect
We collect several types of information for various purposes to provide and improve our Service:
Personal Data: Email address (when you sign in via magic link). Spotify playlist URLs you submit to the parser.
Usage Data: Anonymized request counts for rate limiting (3 renders per day for anonymous IPs, 5 for signed-in free users, unlimited for Pro). Anonymous rate-limit identifiers are stored in Upstash Redis with daily TTL and are deleted automatically at UTC midnight.
Tracking Data: We do not use third-party analytics, advertising cookies, or tracking pixels. We may add Plausible Analytics in the future (privacy-friendly, no cookies) — see our Terms.
3. How We Use Your Data
tastegraph uses the collected data for:
- Providing the Service: parsing your Spotify playlist, computing personality scores, rendering the poster, generating a shareable link.
- Authentication: issuing magic-link emails and session JWTs.
- Rate limiting: preventing abuse (3 / 5 / unlimited renders per day depending on tier).
- Communicating with you: only when you contact us at hi@tastegraph.org.
We do not sell your personal data to third parties.
4. Data Storage and Security
- Database: Neon Postgres (us-east-1) for user accounts, sessions, and rate-limit state. Encrypted at rest.
- Cache: Upstash Redis (AP Southeast 1) for poster share links (90-day TTL) and rate-limit counters (24-hour TTL).
- Email: Resend for magic-link delivery. We do not store email content beyond what's needed to deliver the link.
- Session tokens: HTTP-only cookies, JWT-signed (HS256, 30-day expiry).
- Storage of exported posters: We do not store the rendered PNG. Download it on your device.
We use commercially reasonable safeguards (TLS in transit, encryption at rest, least-privilege access) but cannot guarantee absolute security.
5. Third-Party Services
We use the following third-party processors, each governed by their own privacy practices:
- Spotify (parsing public playlist metadata via Open Graph / oEmbed)
- Neon (Postgres hosting)
- Upstash (Redis KV)
- Resend (transactional email)
- Cloudflare (hosting + image cache)
- Stripe (subscription billing for Pro tier)
6. Your Rights (GDPR / CCPA)
If you are in the EU, UK, or California, you have the right to:
- Access the personal data we hold about you
- Rectification of inaccurate data
- Erasure ("right to be forgotten")
- Restriction or objection to processing
- Data portability (export your account data)
- Withdraw consent at any time
To exercise these rights, email hi@tastegraph.org. We respond within 30 days.
7. Children's Privacy
Our Service is not directed to children under 13 (COPPA) or 16 (GDPR). We do not knowingly collect personal data from children. If you believe a child has provided us data, contact hi@tastegraph.org and we will delete it.
8. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Last updated" date above. Continued use of the Service after changes constitutes acceptance.
9. Contact
Questions about this privacy policy? Email us at hi@tastegraph.org.