Privacy Policy
TrackList connects your Strava runs with your Spotify listening history to create visual run records. This policy explains exactly what data we collect, why we need it, and how we protect it. We've written it in plain English — no legal maze.
What we collect
Your account (via Strava)
- Your name, as provided by Strava.
- We use this to identify your account. We do not use your name for marketing.
Strava activity data
- Access and refresh tokens (encrypted at rest) to connect to your Strava account.
- Run metadata: title, date, distance, duration, pace, and heart rate if available.
- GPS route data: the sequence of coordinates that make up your run path.
Spotify listening history
- Access and refresh tokens (encrypted at rest) to connect to your Spotify account.
- Recently played tracks: song title, artist name, album name, album art URL, playback timestamp, and track duration.
- We read listening history only — we never read your playlists, saved songs, or account details beyond what's needed to match tracks to runs.
Last.fm scrobble history
- Your Last.fm username (no password or credentials are ever stored or transmitted to us).
- Scrobble history read via the Last.fm API: track title, artist name, album name, and playback timestamp.
- This data is used solely to match tracks to your runs — the same purpose as Spotify listening history.
Generated posters
- When you export a poster, we store metadata about the export (which run, which format, when). We do not store the poster image itself — it's generated in your browser and downloaded directly to your device.
Why we collect it
Everything we collect serves one purpose: matching the songs you listened to with the runs you recorded, and generating a poster that visualises both.
- Strava data gives us the run timeline and route.
- Spotify or Last.fm data gives us the music timeline.
- We overlay the two by timestamp to colour your GPS route by song.
We do not collect data for advertising, analytics resale, or any purpose beyond delivering this feature to you.
How your data is stored
Your data is stored in a PostgreSQL database hosted on Neon (a managed Postgres service), running on Vercel's infrastructure in the United States.
- All OAuth tokens (Strava and Spotify) are encrypted before being written to the database.
- Database connections use TLS in transit.
- Poster images are never uploaded: they exist only in your browser during generation and are then saved to your device.
Third-party services we rely on
- Strava — activity data via Strava API. Subject to Strava's Privacy Policy.
- Spotify — listening history via Spotify Web API. Subject to Spotify's Privacy Policy.
- Last.fm — scrobble history via Last.fm API (if connected). Subject to Last.fm's Privacy Policy.
- Vercel — application hosting and serverless functions. Subject to Vercel's Privacy Policy.
- Neon — managed PostgreSQL database. Subject to Neon's Privacy Policy.
We do not share your data with any other third parties, ad networks, or data brokers.
What we don't do
We do not sell, license, or transfer your data to any third party. We do not use your data to train machine learning or AI models. We do not serve ads.
Cookies and local storage
TrackList does not use advertising cookies or third-party trackers.
We store your session token (a JWT) in your browser's localStorage so you stay logged in between visits. This token is scoped to TrackList only and is not readable by other websites.
You can clear this at any time by logging out of the app or clearing your browser's site data for this domain.
Your data, your rights
You can request deletion of your account and all associated data at any time by emailing us. We'll process your request and confirm deletion within 30 days.
You can also revoke TrackList's access to Strava or Spotify at any time through each service's connected apps settings:
Revoking access in those settings will prevent TrackList from fetching new data, but won't automatically delete existing data from our database — contact us to request full deletion.
Changes to this policy
If we make material changes to this policy, we'll update the date at the top. For significant changes, we'll do our best to notify you via the app. Continued use of TrackList after changes take effect constitutes acceptance of the updated policy.
Contact
Questions, deletion requests, or anything else about your privacy: