Privacy Policy

Effective Date: March 1, 2026

1. Who We Are

RealSongCheck ("we," "us," "our") is a music library management service available at realsongcheck.com. This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and your rights in relation to it.

RealSongCheck is operated under the laws of England and Wales. We are the data controller for the personal data we process in connection with the Service.

For privacy-related questions or to exercise your rights, contact us at: hello@realsongcheck.com

2. How We Connect to Spotify

RealSongCheck does not use Spotify's official OAuth developer API. Instead, the Service works by intercepting a short-lived access token from your active Spotify web player session. This token is generated by Spotify for your own browser or in-app session and belongs to your account. When you open Spotify within the RealSongCheck app or extension, this token is captured, transmitted to our servers over HTTPS, and stored in encrypted form.

This token allows us to make requests to Spotify's internal endpoints on your behalf, in the same way your browser would if you were performing these actions manually. The token expires approximately every hour. We refresh it automatically where possible. Your Spotify password is never transmitted to or stored by RealSongCheck at any point.

We are transparent about this because it is a material fact about how your data is processed. We operate this way because Spotify's official API has quota restrictions that would make a free public service impossible to run.

RealSongCheck is an independent tool and is not affiliated with or approved by Spotify. It works by interacting with your Spotify session in ways that fall outside Spotify's official API. This is uncharted territory and we cannot guarantee Spotify will not change their technical or legal position on tools like ours in the future. We take on that uncertainty so you don't have to, but we cannot accept liability for any disruption to your Spotify account arising from your use of this service.

3. What Data We Collect and Why

3.1 When you connect your Spotify account (Android app or Chrome extension)

Spotify user ID and display name: to identify your account and personalise the Service. Legal basis: contract performance (operating the Service for you).
Spotify subscription type (free or premium): to determine which features are available. Legal basis: contract performance.
Encrypted Spotify access token: to carry out blocking actions on your behalf. Stored encrypted at rest. Expires after approximately one hour and is refreshed. Legal basis: contract performance.
Record of artists blocked through the Service: to track which blocklist entries have been applied to your account, avoid duplicate blocking calls, and let you see what has been blocked. Legal basis: contract performance and legitimate interests.

3.2 When you join the waitlist

Email address: to notify you when the Service launches. Legal basis: consent (you voluntarily provide this). You can unsubscribe at any time via the link in any email we send.
Unsubscribe token: a unique identifier stored alongside your email to enable one-click unsubscribe. Not linked to any other personal data.

3.3 When you submit a report or appeal

Track name, Spotify link, reason, and optionally your email: to investigate reports of AI music and appeals of false positives. Legal basis: legitimate interests (maintaining the accuracy of the blocklist).
Reports and appeals are reviewed by humans. Your email, if provided, is used only to follow up on your submission.

3.4 Technical and operational data

Session data: we use server-side session cookies to maintain your logged-in state within the Service. These are strictly necessary for the Service to function and do not track you across other sites.
Error logs: we log technical errors (e.g. failed API calls) without personal identifiers where possible, to diagnose and fix issues. These logs are retained for 30 days.

We do not collect payment information. We do not collect precise location data. We do not use advertising cookies. We do not collect any data beyond what is listed above.

4. How We Use Your Data

Your data is used exclusively to operate RealSongCheck for you:

To connect to Spotify on your behalf and apply blocklist updates to your account
To maintain a record of which artists have been blocked on your account
To send you a notification when you need to reconnect your Spotify session (Android app only)
To notify waitlist members when the Service launches (email only, with unsubscribe on every message)
To review and act on reports and appeals submitted through the Service
To generate anonymised, aggregate statistics about the Service (e.g. total blocklist size, number of users)

We do not sell your data. We do not share your data with advertisers. We do not use your data for any purpose other than operating the Service for you.

5. Data Sharing and Third Parties

5.1 Spotify

When the Service makes requests on your behalf, those requests are sent to Spotify's servers. Spotify's own Privacy Policy governs how Spotify processes data in connection with those requests.

5.2 Infrastructure providers

Railway (railway.app): our backend server and database hosting provider. Your data is stored on Railway's infrastructure. Railway is a US-based provider. We rely on Standard Contractual Clauses as the legal mechanism for international data transfers.
Resend (resend.com): used to send transactional emails (waitlist confirmation, unsubscribe, reconnect notifications). Only your email address is shared with Resend for this purpose.

We do not use any other third-party data processors. We do not use analytics services, advertising networks, or tracking pixels.

5.3 Legal requirements

We may disclose your data if required to do so by law, court order, or other legal process, or if we believe in good faith that disclosure is necessary to protect the rights or safety of any person.

6. Data Storage and Security

Your data is stored in a PostgreSQL database hosted on Railway. Access tokens are encrypted at rest using industry-standard encryption. Access to the database is restricted to authorised personnel only.

All data is transmitted over HTTPS. We implement reasonable technical and organisational measures to protect your data against unauthorised access, loss, or disclosure.

No method of electronic storage or transmission is completely secure. We cannot guarantee absolute security and accept no liability for breaches outside our reasonable control. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by the UK GDPR.

7. Data Retention

Connected account data (access token, Spotify ID, blocked artist records): retained while your account is active. Deleted within 30 days of a deletion request.
Waitlist email addresses: retained until you unsubscribe or request deletion.
Reports and appeals: retained for up to 2 years to maintain the integrity of the blocklist, then anonymised or deleted.
Error logs: automatically deleted after 30 days.
Anonymised aggregate statistics: retained indefinitely as they cannot be linked to individual users.

8. Your Rights Under UK GDPR

Under UK GDPR and the Data Protection Act 2018, you have the following rights:

Right of access: to receive a copy of the personal data we hold about you
Right to rectification: to have inaccurate data corrected
Right to erasure: to have your data deleted in certain circumstances
Right to restriction of processing: to limit how we use your data in certain circumstances
Right to data portability: to receive your data in a structured, commonly used format
Right to object: to object to processing based on legitimate interests
Right to withdraw consent: where processing is based on consent (e.g. the waitlist), you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal

To exercise any of these rights, contact us at hello@realsongcheck.com. We will respond within one calendar month.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

If you are located outside the UK, you may have additional rights under the data protection laws of your jurisdiction. We will honour reasonable requests made under applicable local law. Contact us at hello@realsongcheck.com to exercise any such rights.

9. Cookies

The Service uses only strictly necessary session cookies to maintain your logged-in state. These cookies are not used for tracking, advertising, or analytics. They are automatically deleted when you end your session or log out.

We do not use third-party cookies, advertising cookies, or persistent tracking cookies of any kind. No consent banner is required for strictly necessary cookies under UK GDPR and PECR.

10. Children

The Service is not directed at or intended for use by children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, please contact us and we will delete it promptly.

11. International Data Transfers

Our servers are hosted by Railway, a US-based provider. Transfers of personal data to the United States are made under Standard Contractual Clauses approved by the UK Secretary of State, which provide appropriate safeguards for your data.

Resend, our email delivery provider, is also US-based. Your email address is transferred to Resend under the same mechanism.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the effective date at the top of this document and, where appropriate, by sending an email to waitlist members. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.

13. Contact and Supervisory Authority

For privacy-related questions, data subject requests, or complaints, contact us at: hello@realsongcheck.com. We will respond within one calendar month.

You also have the right to complain to the Information Commissioner's Office (ICO), the UK's data protection supervisory authority: ico.org.uk / 0303 123 1113.