Privacy Policy
What personal data we collect, why we need it, who we share it with, and how you can control it.
1. Who is the data controller?
The data controller for personal data processed via acervus is the operator of the Service, reachable at privacy@acervus.app. If at any point a dedicated legal entity is established, this policy will be updated with its details.
2. Scope
This policy applies to personal data we process when you use acervus (the "Service"), whether through the web app at acervus.app, by receiving transactional emails from us, or when connecting third-party integrations we support.
3. What we collect
Information you give us directly
| Data | Why we need it | Legal basis |
|---|---|---|
| Email address, name (optional), password (hashed) | Authentication, account recovery, transactional emails | Contract (Art. 6(1)(b) GDPR) |
| Two-factor authentication secret (if enabled) | Verify your identity at sign-in | Contract · Legitimate interest (security) |
| Collection metadata: albums, artists, tracks, tags, notes, BPM, keys, playlists | The core function of the Service — store and display your collection | Contract |
| Third-party integration tokens (Discogs, cloud storage, Airtable, Notion, Sheets, ACRCloud, etc.) | Access the third-party service on your behalf for actions you initiate | Consent (Art. 6(1)(a)) · Contract |
Information we collect automatically
| Data | Why | Legal basis |
|---|---|---|
| IP address (for rate limiting & abuse prevention) | Protect the Service from brute-force and scraping attempts | Legitimate interest (Art. 6(1)(f)) |
| Server logs (request path, status, user agent, timestamp) | Debugging and security; rotated within 30 days | Legitimate interest |
| Session cookie (essential) | Keep you signed in between page loads | Essential (strictly necessary, no consent required) |
We do not use third-party analytics, advertising cookies, remarketing pixels, or behavioural profiling.
4. How we use your data
- To operate and provide the Service.
- To authenticate you and keep your account secure.
- To send transactional emails (magic links, password resets, account notices). We do not send marketing emails from this Service.
- To debug problems and improve reliability.
- To comply with legal obligations.
5. Who we share data with
We share personal data with a small number of trusted processors that help us run the Service. We do not sell your data. We do not allow these processors to use your data for their own purposes.
| Processor / recipient | Purpose | Location |
|---|---|---|
| Hosting provider | Run the server and store databases | EU (or equivalent safeguards) |
| Transactional email provider | Send magic links, password resets, invites | EU or US (with Standard Contractual Clauses) |
| Discogs API | Sync your Discogs collection — only when you connect Discogs | US |
| Cloud storage providers (Dropbox, Google Drive, OneDrive) | Access your audio files — only when you connect them | US / EU |
| External sync (Airtable, Google Sheets, Notion) | Sync your collection — only when you connect them | US / EU |
| YouTube API Services (Google) | Discover and link YouTube videos to tracks in your personal collection — only when the admin enables YouTube features and you use them | US |
Third-party services you connect are independent data controllers; their privacy practices apply to data they hold and are governed by their own policies.
5.1. YouTube API Services — specific notice
When you use the YouTube features within acervus (e.g. the YouTube tab in the Link Library, auto-linking, or the in-app YouTube player), the following data is exchanged with Google:
- Search queries: when you trigger an auto-link scan, the title and artist of each track in scope are sent to YouTube as a search query (e.g. "Brazil Frank Sinatra"). These queries are not tied to your acervus account in any data shared with Google — they are sent from acervus' server using a single API key managed by the acervus administrator.
- Video metadata: in response to a search, YouTube returns a list of matching video titles, channel names, and thumbnail URLs. acervus stores the videoId you accept (via Apply or auto-link) so the in-app player can embed it later.
- Playback signals: when you play a YouTube video inside acervus, the embedded YouTube IFrame Player communicates directly with YouTube using your browser; acervus is not involved in that traffic.
acervus' use of YouTube API Services is governed by the YouTube Terms of Service and the Google Privacy Policy. We do not download, mirror, or rebroadcast YouTube content. The acervus operator manages a single server-side YouTube API key for all users; you do not link a personal Google account to acervus to use these features, so there are no per-user Google API permissions for you to revoke. To delete your YouTube links saved within acervus, open the relevant track's Link Library and remove them, or close your acervus account (which deletes all link data per the retention policy below). Any YouTube playback history collected directly by your browser or YouTube account during embedded playback is governed by Google's own policies and is independent of acervus.
6. International transfers
Some processors we rely on (notably Discogs and cloud storage providers) are based outside the European Economic Area. When such transfers occur, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards approved under Article 46 GDPR.
7. How long we keep your data
- Account data (email, hashed password, 2FA secret): kept while your account is active. Deleted within 30 days after account closure, unless legally required to retain.
- Collection data (albums, tags, playlists, notes): kept while your account is active. Deleted with your account.
- Third-party integration tokens: kept until you disconnect the integration or close your account.
- Server logs: rotated within 30 days.
- Waiting-list emails: kept until we have either invited you or you request removal.
8. Your rights under GDPR
As a data subject in the EU/EEA you have the following rights. You can exercise them from Settings in the app, or by emailing privacy@acervus.app:
- Access (Art. 15) — obtain a copy of the personal data we hold about you.
- Rectification (Art. 16) — correct inaccurate or incomplete data.
- Erasure / “right to be forgotten” (Art. 17) — request deletion of your data. This is available from Settings as a one-click action after confirmation.
- Restriction (Art. 18) — request that we limit processing.
- Portability (Art. 20) — receive your data in a structured, machine-readable format (ZIP with JSON dumps). Available from Settings.
- Objection (Art. 21) — object to processing based on legitimate interest.
- Withdraw consent (Art. 7(3)) — where we rely on consent, you may withdraw at any time.
- Lodge a complaint with a supervisory authority. In Portugal the authority is the Comissão Nacional de Proteção de Dados (cnpd.pt).
9. Security
We apply reasonable technical and organisational measures to protect your data: passwords are hashed with a modern algorithm, sessions use HTTPS and HttpOnly cookies, rate limiting is in place on authentication endpoints, and access to production data is restricted. No system can be guaranteed perfectly secure; if we become aware of a personal-data breach we will notify affected users and competent authorities as required by law.
10. Children
The Service is not directed at children under 16. If we become aware that we have collected personal data from a child under 16 without parental consent, we will delete it.
11. Automated decision-making
We do not use your data for automated decisions that produce legal or similarly significant effects about you.
12. Changes to this Policy
We will update this Policy when practices change. If changes are material we will notify you by email and/or in-app notice at least 14 days before they take effect. The "Last updated" date at the top of this page always reflects the current version.
13. Contact
For any questions about this Policy or to exercise your rights: privacy@acervus.app.