Privacy Policy
Last Updated: November 20, 2025
Effective Date: [TO BE DETERMINED BY LEGAL]
1. Introduction
Welcome to Top Ten Club ("we," "our," or "us"). We are committed to protecting your privacy and ensuring transparency about how we collect, use, and protect your personal information.
This Privacy Policy explains how Top Ten Club collects, uses, shares, and protects information when you use our web application (the "Service"). By using the Service, you agree to the collection and use of information in accordance with this policy.
⚠️ LEGAL REVIEW REQUIRED: This document is an engineering draft and requires legal review before production deployment.
2. Information We Collect
2.1 Information You Provide Directly
When you create an account or use our Service, we may collect:
- Account Information: Name, email address, username
- User-Generated Content: Song submissions, votes, and round participation data
- Communications: Messages you send to us through support channels
2.2 Information from Third-Party Services
Spotify Integration
When you connect your Spotify account, we access the following data through the Spotify Web API. We request only the minimum permissions necessary to provide our Service:
| OAuth Scope | Purpose | Data Accessed | Retention |
| ---------------------------- | ---------------------------------------- | -------------------------------------------------------------- | -------------------------------- |
| user-read-email | Account identification and communication | Your Spotify email address | Stored until account deletion |
| user-read-private | Personalized experience | Your Spotify user ID, display name, country, subscription tier | Stored until account deletion |
| playlist-modify-public | Create round playlists | Permission to create public playlists on your behalf | No data stored (permission only) |
| playlist-modify-private | Create round playlists | Permission to create private playlists on your behalf | No data stored (permission only) |
| streaming | In-app music playback (Premium users) | Permission to play full tracks via Web Playback SDK | No data stored (permission only) |
| user-read-playback-state | Playback controls (Premium users) | Current playback state (track position, device) | Not stored (real-time only) |
| user-modify-playback-state | Playback controls (Premium users) | Permission to control playback (play, pause, skip) | No data stored (permission only) |
Important Notes:
- We do NOT access your Spotify library, saved tracks, or listening history
- We do NOT access your top artists or top tracks
- We only create playlists when you explicitly request playlist creation for a completed round
- In-app playback features (streaming, playback controls) are only available to Spotify Premium subscribers
- You can revoke our access to your Spotify account at any time through your Spotify Account Settings
2.3 Automatically Collected Information
When you use our Service, we automatically collect:
- Device Information: IP address, browser type, operating system
- Usage Data: Pages visited, features used, time spent on the Service
- Cookies and Similar Technologies: Session identifiers, authentication tokens
3. How We Use Your Information
We use the collected information for the following purposes:
3.1 Core Service Functionality
- Create and manage your account
- Authenticate you through Spotify OAuth
- Enable song submissions and voting in music rounds
- Create Spotify playlists for completed rounds (when requested)
- Display personalized content based on your participation
3.2 Communication
- Send service announcements and updates
- Respond to your inquiries and support requests
- Notify you about round results and playlist creation
3.3 Service Improvement
- Analyze usage patterns to improve features
- Monitor and prevent fraud, abuse, or technical issues
- Ensure security and integrity of the Service
3.4 Legal Compliance
- Comply with applicable laws and regulations
- Enforce our Terms of Service
- Respond to legal requests and prevent harm
4. Data Sharing and Disclosure
4.1 Third-Party Service Providers
We share your information with trusted third-party service providers who assist us in operating our Service:
| Provider | Purpose | Data Shared | Privacy Policy |
| -------- | ---------------------------------------------- | ------------------------------------------------------------- | ---------------------- |
| Spotify | Music streaming integration, playlist creation | Spotify user ID, email, playlists created through our Service | Spotify Privacy Policy |
| Vercel | Web hosting and infrastructure | Usage data, IP addresses | Vercel Privacy Policy |
| Neon | Database hosting | All user data stored in our database | Neon Privacy Policy |
All third-party providers are contractually obligated to protect your data and use it only for the purposes we specify.
4.2 Spotify-Specific Data Handling
In compliance with Spotify Developer Policy:
- 5-Day Data Deletion: If you revoke our access to your Spotify account or delete your Top Ten Club account, we will delete all Spotify-sourced data (email, user ID, display name) within 5 business days
- No Data Resale: We do NOT sell, rent, or share your Spotify data with third parties for marketing purposes
- Minimal Permissions: We request only the minimum OAuth scopes necessary for our Service functionality
4.3 Legal Requirements
We may disclose your information if required by law or in response to:
- Valid legal process (subpoenas, court orders)
- Governmental requests or investigations
- Enforcement of our Terms of Service
- Protection of our rights, property, or safety, or that of others
4.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you via email and/or prominent notice on our Service before your data is transferred.
5. Data Retention
We retain your personal information for as long as necessary to provide the Service and fulfill the purposes outlined in this Privacy Policy:
| Data Type | Retention Period | Deletion Trigger |
| ------------------------ | ------------------------------------ | ----------------------------------------------- |
| Account Data | Until account deletion | User-initiated account deletion |
| Spotify OAuth Data | Until revocation or account deletion | 5 business days after Spotify access revocation |
| Song Submissions & Votes | Until account deletion | User-initiated account deletion |
| Usage Logs | 90 days | Automatic deletion after 90 days |
| Support Communications | 2 years | Automatic deletion after 2 years |
When you delete your account or revoke Spotify access, we will:
- Immediately disable your account and revoke authentication tokens
- Delete all personal data within 5 business days (Spotify policy requirement)
- Anonymize or delete your user-generated content (song submissions, votes)
- Retain only anonymized, aggregated data for analytics (no personal identifiers)
6. Your Rights and Choices
Depending on your location, you may have the following rights regarding your personal data:
6.1 General Rights
- Access: Request a copy of the personal data we hold about you
- Correction: Update or correct inaccurate information
- Deletion: Request deletion of your personal data (subject to legal obligations)
- Portability: Receive your data in a structured, machine-readable format
- Objection: Object to certain processing of your data
- Restriction: Request restriction of processing under certain circumstances
6.2 GDPR Rights (European Economic Area)
If you are located in the EEA, you have additional rights under the General Data Protection Regulation (GDPR):
- Right to withdraw consent at any time
- Right to lodge a complaint with your local data protection authority
- Right to know the legal basis for processing your data
Legal Basis for Processing:
- Consent: Spotify OAuth integration (you explicitly authorize access)
- Contract Performance: Account creation and service functionality
- Legitimate Interests: Service improvement, fraud prevention, security
6.3 CCPA Rights (California Residents)
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):
- Right to Know: Request disclosure of data collected, sources, purposes, and third parties with whom we share it
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out: Opt out of the "sale" of your personal information (we do NOT sell your data)
- Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
Note: We do NOT sell personal information as defined by the CCPA.
6.4 Exercising Your Rights
To exercise any of these rights, please contact us at:
- Email: [COMPANY EMAIL TO BE PROVIDED BY LEGAL]
- Subject Line: "Privacy Rights Request - [Your Request Type]"
We will respond to your request within 30 days (or as required by applicable law). We may require identity verification before processing your request.
7. Data Security
We implement industry-standard security measures to protect your personal information:
7.1 Technical Safeguards
- Encryption: All data in transit is encrypted using TLS 1.3
- Secure Authentication: OAuth 2.0 with PKCE for Spotify integration
- Session Management: Secure, HTTP-only cookies with CSRF protection
- Database Security: Encrypted connections to PostgreSQL database
7.2 Organizational Safeguards
- Access to personal data is restricted to authorized personnel only
- Regular security audits and vulnerability assessments
- Incident response procedures for data breaches
7.3 Limitations
No method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your personal information, we cannot guarantee absolute security.
8. Children's Privacy
Our Service is NOT intended for users under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children.
If we become aware that we have collected personal data from a child without parental consent, we will take steps to delete that information immediately. If you believe we may have collected information from a child, please contact us at [COMPANY EMAIL].
9. International Data Transfers
Top Ten Club is based in [COMPANY LOCATION TO BE PROVIDED BY LEGAL], and your data may be transferred to and processed in countries outside your country of residence.
For users in the EEA:
- We comply with GDPR requirements for international data transfers
- We use Standard Contractual Clauses (SCCs) or other approved transfer mechanisms
- Your data is protected by equivalent safeguards regardless of location
10. Third-Party Links
Our Service may contain links to third-party websites (e.g., Spotify). We are not responsible for the privacy practices of these external sites. We encourage you to review the privacy policies of any third-party sites you visit.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements.
Notification of Changes:
- We will notify you of material changes via email or prominent notice on the Service
- The "Last Updated" date at the top of this policy will reflect the most recent revision
- Continued use of the Service after changes constitutes acceptance of the updated policy
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
12. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: [COMPANY EMAIL TO BE PROVIDED BY LEGAL]
- Subject Line: "Privacy Policy Inquiry"
- Response Time: We aim to respond within 5 business days
For Spotify-related data requests or concerns, you may also contact Spotify directly through their Privacy Center.
13. Compliance and Certifications
Top Ten Club is committed to compliance with:
- Spotify Developer Policy: Minimal OAuth scopes, 5-day data deletion, no data resale
- GDPR (European Economic Area): Data protection and user rights
- CCPA (California, USA): Consumer privacy rights and transparency
- WCAG 2.1 Level AA: Accessibility standards for all users
⚠️ LEGAL REVIEW STATUS: PENDING
Next Steps: Legal team review required before production deployment
Contact: [LEGAL TEAM CONTACT TO BE PROVIDED]
This document is an engineering draft created using industry-standard templates (Termly). It requires review and approval from qualified legal counsel before being published or relied upon.