Privacy Policy

Last updated: 2026-05-10

The short version

Goat Music is a place to rate albums and follow people whose taste you trust. We collect what we need to run the service, we don't sell your data, we don't serve ads, and you can delete your account at any time. The rest of this page is the long version.

Who we are

Goat Music ("we", "us") is a personal project operated by an independent developer. Production is hosted at www.goatmusic.me. If you have a privacy question, email privacy@goatmusic.me.

Information we collect

We only collect what we need to give you an account, render your board, and keep the service working. Specifically:

  • Account identity. When you sign in with Google, Apple, Spotify, or SoundCloud, the provider sends us a stable identifier, your display name, your email address, and a profile picture URL. We never receive your password.
  • Music-service tokens. For Spotify, Apple Music, Google (YouTube Music), and SoundCloud, we store an OAuth access token and refresh token so the app can read what you're currently playing or look up albums in your library. These tokens are scoped to read-only operations relevant to the feature you connected for.
  • Content you create. Album boards, ratings, reviews, tier-list placements, your chosen username, and your privacy preferences (public vs. private profile). Track ID requests include any title or context text you type alongside the clip.
  • Operational logs. Standard server logs (IP address, user agent, request path, status code, latency) retained for diagnostics and abuse prevention. Errors are forwarded to Sentry with personally identifying fields stripped.

How we use it

  • To authenticate you and keep your session alive.
  • To render your album board, your ratings, your reviews, and your public profile (if you've enabled one).
  • To call the music services you connected (e.g. fetching what you're currently playing on Spotify).
  • To run the optional Track IDs automatic match: we send the public URL of your uploaded snippet to our recognition partner so they can return title and artist metadata (see Track ID audio snippets).
  • To keep the service running — debugging errors, monitoring performance, and stopping abuse.

We do not use your data for advertising. We do not sell or rent it. We do not send marketing email — at all.

Third-party services

Goat Music depends on a small set of third parties. Each receives the minimum data needed to do its job.

  • OAuth providers (Google, Apple, Spotify, SoundCloud): handle sign-in and grant us scoped read access to your music library or playback state. Your relationship with each provider is governed by their respective privacy policies.
  • Last.fm integration (optional): if you connect your Last.fm account, we request read access to your listening history in order to import your scrobbled albums into your Goat Music board. We fetch this data only during an import you explicitly trigger; we do not store your Last.fm credentials and do not continuously read your listening activity after the import completes. Your use of Last.fm is also governed by Last.fm's privacy policy.
  • Hosting (Vercel and a managed Postgres provider): run the application and store the database that holds your account and ratings.
  • File storage (Vercel Blob): stores profile photos you upload and short audio files you attach to Track ID requests. Files are served from a public URL so other listeners can play the clip in the browser.
  • Error monitoring (Sentry): captures application errors so we can fix them. Errors include a stack trace and request metadata; PII is stripped before forwarding.
  • Anonymous analytics (Vercel Analytics and Vercel Speed Insights): record aggregate page views and Web Vitals. They do not set cookies and do not identify individual users.

Track ID audio snippets

Track IDs lets you upload a short audio clip so the community (and an optional automatic recognizer) can help identify the song. By posting a clip you understand that:

  • The file is stored on our infrastructure (Vercel Blob) and is reachable at a public URL so others can listen.
  • When automatic recognition is turned on for the deployment, we send that same public URL to AudD so they can analyze the audio and return metadata (title, artist, identifiers). We do not send your password or unrelated listening history to AudD — only the clip you chose to upload for that request.
  • You should upload only brief excerpts you are allowed to share, for identification purposes — not full commercial recordings.

Cookies

We use the following cookies to operate the service:

  • Session & auth cookies (strictly necessary): NextAuth session token, CSRF token, and short-lived OAuth state cookies during sign-in. These are required for authentication and cannot be disabled without breaking the service.
  • gm_did (functional): an anonymous device identifier set on your first visit (180-day lifetime). It helps us personalise the Discover feed for signed-out visitors without tying activity to any personal account. No name, email, or identifying information is stored in this cookie.
  • gm_ref (functional): set when you arrive via a referral link (30-day lifetime). Records which referral code brought you to the site so we can credit the referrer at sign-up. Only set when a ?ref= parameter is present in the URL.

We do not use advertising or third-party tracking cookies. Vercel Analytics is a cookie-free implementation. If you prefer not to have functional cookies set, you may decline via the cookie banner on your first visit.

How we protect it

All traffic is served over HTTPS. Database access is restricted to the application via a credentialed connection. OAuth tokens are stored encrypted at rest by the database provider. We follow industry-standard practices — but no system is invulnerable, and we can't guarantee absolute security.

How long we keep it

We keep your account data for as long as your account is active. If you delete your account (Settings → Delete Account), we erase your profile, ratings, reviews, and tokens within 30 days, except where we are required to retain a record by law or for fraud prevention. Operational logs roll off automatically after 30 days.

Your rights

Wherever you live, you can:

  • See the data we have on you — most of it is already visible inside your account.
  • Correct anything that's wrong via your profile and account pages.
  • Delete your account and the data attached to it from Settings → Delete Account.
  • Disconnect any music service you previously connected; we revoke and discard the related tokens immediately.

If you are in the EU, UK, or California, you have additional rights under the GDPR / UK GDPR and CCPA respectively, including the right to request a portable copy of your data and the right to object to certain processing. To exercise any of these, email privacy@goatmusic.me from the address tied to your account and we'll respond within 30 days.

Children

Goat Music is not directed to children under 13, and we do not knowingly collect personal information from anyone under 13. If you believe a child under 13 has signed up, email us and we will remove the account.

International transfers

Our hosting and database providers operate in the United States. By using Goat Music you consent to your data being processed in the United States, with appropriate contractual safeguards where required by your local law.

Payment processing and analytics

When Goat Pro becomes available, we will process payments through Stripe. Stripe handles all payment card data and is PCI-DSS compliant; we do not store or transmit card numbers directly. For details on Stripe's privacy practices, see Stripe's privacy policy.

We also use Vercel Analytics and Plausible Analytics to understand product usage and improve the service. Both are privacy-focused and do not collect personal identifying information. No cookies are set for analytics purposes.

Changes

If we change this policy in any material way, we'll update the "Last updated" date at the top of the page and, for significant changes, surface a notice the next time you sign in.

Contact

Privacy questions, deletion requests, GDPR/CCPA requests: privacy@goatmusic.me.