Privacy Policy
Last updated: July 15, 2026
1. Who We Are
Chuned ("we," "us," or "our") is a house music track-identification service operated by Owen Duffy. We provide a mobile app (iOS), a web app, and related services that help users identify and organize tracks from DJ sets on YouTube.
If you have questions about this policy, contact us at: legal@chuned.io
2. What Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address — used for authentication and transactional emails (e.g. sign-up confirmation)
- Username — a user-chosen, publicly visible display name
- Password — stored in hashed form only, managed by Supabase Auth. We never see or store your plaintext password.
- Account metadata — creation timestamp, email-confirmed timestamp, reputation score, Pro/free status, and monthly usage counters (sets analyzed, snippets, live taps)
We also support anonymous sessions — you can use limited features without creating an account. Anonymous session data is tied to a temporary session token, not a permanent identity.
2.2 Content You Submit
All content you submit is stored in our database and associated with your account:
- YouTube URLs submitted for set analysis, and timestamps for snippet lookups
- Track ID submissions — artist name, track title, and an optional URL (short free-text fields)
- Full tracklist submissions — structured arrays of
{timestamp, artist, title}entries - Comments — free-form text up to 2,000 characters, stored verbatim
- Votes — your confirm/dispute votes on track IDs and tracklists, and upvote/downvote actions on comments. We record which user voted which way.
- Analysis history — a record of every set you have analyzed or viewed
2.3 Push Notification Token
If you allow notifications, we store your Expo push notification token to send you a notification when your set finishes processing. You can disable notifications at any time in your device's system settings. This token is cleared when you delete your account.
2.4 Device-Local Storage (On Your Phone)
The following data is stored locally on your device, not on our servers:
- Your Supabase auth session (access + refresh tokens), persisted via AsyncStorage
- A cached
{email, username}pair held temporarily between sign-up and email confirmation - A deduplication flag to prevent replaying a consumed email-confirmation link (this temporarily stores the raw confirmation URL including its token fragment, until overwritten)
2.5 What We Do NOT Collect
- No raw audio. Audio is downloaded transiently to an ephemeral serverless container (Modal) during processing and permanently discarded the moment analysis finishes. It is never written to any persistent storage.
- No raw video files
- No IP addresses — rate limiting is keyed on authenticated user ID and action type, not on IP address or device fingerprint
- No location data
- No camera, microphone, or contacts data — we do not request or access these permissions in the current version of the app
- No payment or financial information — the Pro tier is defined in our data model but no payment processor is integrated yet
- No advertising SDKs, analytics SDKs, or crash-reporting tools (no Sentry, Amplitude, Mixpanel, Firebase Analytics, or PostHog)
3. How We Use Your Information
| Purpose | Data Used |
|---|---|
| Identifying tracks in a submitted DJ set | YouTube URL, audio (transiently — never stored) |
| Returning a timestamped tracklist to you | Metadata returned by ACRCloud and Spotify API |
| Sending a push notification when your set is ready | Expo push token, notification title/body |
| Managing your account and session | Email, username, password hash, JWT |
| Displaying community submissions and votes | Track ID submissions, tracklist submissions, votes |
| Hosting discussion threads on sets and tracks | Comments |
| Bot/spam prevention on web requests | Cloudflare Turnstile challenge token (pass/fail only — not stored) |
| Sending transactional emails (confirmation links, etc.) | Email address (via Resend / Supabase Auth) |
| Normalizing pasted tracklists (admin/curation tool) | Raw pasted text sent to Google Gemini API; not persisted |
We do not sell your personal data. We do not use your data for advertising purposes.
4. Third-Party Services
Chuned uses the following third-party services. Each service's own privacy policy governs how they handle any data we send them.
| Service | What We Send | Why |
|---|---|---|
| Supabase | All account data, submitted content, votes, history (everything in §2) | Auth, database, JWT issuance |
| Modal | Audio (transiently, never stored) | Serverless processing containers for audio analysis |
| ACRCloud | Short (~10s) audio windows during fingerprinting | Core track-recognition engine |
| YouTube / Google | YouTube URLs, oEmbed/API calls for video metadata | Fetching video title, channel, duration, thumbnail |
| Spotify | ISRC codes, "artist + title" search strings | Canonical track links and artwork |
| Google Gemini API | Raw pasted tracklist text (admin tool only) | Normalizing messy tracklist text into structured format |
| Cloudflare Turnstile | Challenge token | Bot detection on web-originated analyze requests |
| Expo Push Notifications | Expo push token, notification title/body | Delivering in-app notifications |
| Resend | Recipient email address, confirmation link (via Supabase Auth) | Transactional email delivery |
| MixesDB | Search query built from set title/channel | Best-effort lookup of a published tracklist |
| Railway | Backend API traffic | Hosting the Chuned API server |
Note on YouTube API Services: Our use of YouTube API Services is subject to the YouTube Terms of Service and Google Privacy Policy. By using Chuned, you acknowledge and agree to be bound by these terms as they apply to your use of YouTube content through our service.
Note on SoundCloud: We do not call the SoundCloud API. We generate a SoundCloud search URL on the client side, which opens in your browser. No data is sent to SoundCloud by our servers.
5. Data Retention
| Data Type | Retention Period |
|---|---|
| Raw audio | Never stored — discarded immediately after in-memory processing |
| Account email, username, password hash | Until you delete your account (see §6) |
| Push notification token | Until you delete your account or disable notifications |
| Track ID submissions, tracklist submissions, comments, votes | Indefinitely — survive account deletion in anonymized form (see §6) |
| Analysis history | Indefinitely while your account is active; anonymized on account deletion |
| Video metadata (title, channel, thumbnail) | Indefinitely once cached; no automatic refresh cycle currently |
| Rate-limit counters | Per fixed time-window buckets; automatically expire |
6. Your Rights and Account Deletion
You can delete your account from the Profile screen in the app at any time. Here is exactly what happens:
- Your email address and push notification token are cleared.
- Your username is replaced with a generated anonymous placeholder (e.g.,
deleted_xxxxxxxx). The account row is anonymized in place, not deleted. - Your Supabase Auth credential (email address, password hash, and all active sessions) is permanently and irreversibly hard-deleted.
- Your submitted content — track ID submissions, tracklist submissions, comments, and votes — remains in the database in anonymized form, attributed to the placeholder username. This is intentional: removing your contributions would break shared tracklists and discussion threads that other users depend on.
Other rights (where applicable under GDPR, CCPA, or similar laws):
- Access: You can request a copy of the personal data we hold about you.
- Correction: You can update your username at any time from your profile settings. To correct other account data, contact us.
- Portability: You can request an export of your submitted content.
- Restriction / Objection: You can contact us to request that we restrict processing of your data in specific circumstances.
To exercise any of these rights, email us at legal@chuned.io.
7. Children's Privacy
Chuned is not directed at children under the age of 13 (or 16 where required by applicable law). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
8. Security
We use industry-standard security practices, including:
- JWT-based authentication with short-lived access tokens and refresh tokens
- Passwords hashed and managed by Supabase Auth (we never see plaintext passwords)
- HTTPS for all data in transit
No system is perfectly secure. If you discover a security vulnerability, please contact us directly at legal@chuned.io rather than disclosing it publicly.
9. Changes to This Policy
We will update this policy as Chuned evolves. When we make material changes, we will update the "Last updated" date at the top of this page. Continued use of Chuned after a policy update constitutes acceptance of the updated policy. For significant changes, we will notify you by email or in-app notification.
10. Contact
Owen Duffy — Chuned
Email: legal@chuned.io
Location: Seattle, Washington, USA