Privacy Policy
Last updated: 2026-06-16
This policy explains what personal data Leitmora collects, why, and the rights you have over it. The data controller is Andrii Bashtovoi (sole proprietor, Poland; NIP 5243061257). For any privacy question or request, contact hello@leitmora.com.
What we collect
We collect only what is needed to build your listening visualizations:
- Account identity from Google sign-in: your email, display name, profile picture URL, and Google account identifier.
- Your Spotify listening history: tracks, timestamps and play details, collected either live from the Spotify API or from the listening-history export (GDPR dump) you upload yourself.
- Spotify connection data: OAuth tokens and, on the bring-your-own-app path, your Spotify app credentials — all encrypted at rest.
- A technical session cookie that keeps you signed in, and a cookie that remembers your language.
Why we process it, and our legal basis
We process your data solely to provide the service you asked for: collecting your listening history and rendering it as personal visualizations.
The legal basis is your consent and the performance of our service to you (GDPR Art. 6(1)(a) and (b)). We do not use your data for advertising, profiling for third parties, or sale.
Cookies
We use only essential cookies: a strictly-necessary session cookie to keep you authenticated, and a functional cookie that stores your chosen language. We do not use advertising or third-party tracking cookies, so no cookie-consent banner is required to gate them.
Who we share data with
We use a small set of processors strictly to run the service:
- Google — sign-in / identity.
- Spotify — the source of your listening history and catalog metadata.
- Deezer — resolves 30-second audio previews; the audio is proxied through our server so your IP is not exposed to Deezer.
- Resend — sends the occasional transactional email (e.g. a reminder to upload your export).
- Sentry — error monitoring, configured to scrub personal data.
- Hosting — our servers, located in the EU (Contabo GmbH).
How long we keep it
We keep your data for as long as your account exists. Deleting your account permanently removes your profile, identities, listening history and connection data.
Uploaded history exports are processed and then deleted from temporary storage; a failed import may briefly retain the file so it can be retried.
Your rights
Under the GDPR you have the right to access, export (portability), correct, and delete your data, to withdraw consent, and to lodge a complaint with your local supervisory authority.
You can exercise the main rights yourself from the account menu: “Download my data” exports everything we hold, and “Delete account” erases it. For anything else, contact hello@leitmora.com.
Security
Access tokens and app credentials are encrypted at rest. Sessions are stored server-side; your browser only holds an opaque session identifier.
Changes
We may update this policy; the date above reflects the latest revision. Material changes will be communicated in the app.