Privacy Policy

Last Updated: April 2026

1. Introduction

This Privacy Policy describes how Annie Music Limited ("we," "us," or "our"), operating the Annie platform (including the website at anniemusic.app, APIs, and the Looops game — collectively, the "Service"), collects, uses, discloses, and protects your personal information.

This policy applies to all users of the Service, including registered users and anonymous visitors. By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

Where this policy references specific legal frameworks (such as the GDPR or CCPA/CPRA), those sections apply to individuals in the relevant jurisdictions.

2. Who We Are

Annie is a music aggregation platform that unifies Spotify, Apple Music, and Deezer, allowing you to discover and share music across streaming platforms. Annie also offers Looops, a daily music guessing game.

The Service is operated by:

3. Information We Collect

3.1 Information You Provide Directly

  • Phone number — provided when you create an account or sign in. Used for authentication via one-time passcode (OTP).
  • Email address (optional) — provided in your account settings. Used for account communications and profile identification.
  • Username — chosen by you in account settings. Displayed as your public name across the Service.
  • Avatar — selected from pre-defined options in account settings for profile personalization.
  • Complaint or support information — your name, email, and issue description when you submit a complaint.

3.2 Information Collected Automatically

  • IP address — used for security, rate limiting, and abuse prevention. For anonymous Looops players, your IP is hashed (HMAC-SHA256) to create a non-reversible session identifier.
  • Browser timezone — detected via your browser during Looops gameplay to calculate your local game date.
  • Device and browser information (User-Agent) — recorded with each authenticated session for security audit purposes.
  • Page views and interaction events — collected through Google Analytics only if you accept analytics cookies via our consent banner.
  • Cookies and similar technologies — see Section 8 below.

3.3 Information from Third-Party Services

When you connect a streaming service account, we receive the following from that streaming service:

  • OAuth tokens (access token, refresh token) — used to access your music data on your behalf. These are encrypted with AES-256-GCM before storage.
  • Platform user identifier — used to link your streaming account.
  • Recently played tracks — polled periodically from your connected platforms for music discovery, recommendations, and listening stats.
  • Track metadata (title, artist, album, duration) — used to display music information within the Service.

You can disconnect any connected streaming service at any time through your account settings, which revokes our access and deletes the associated tokens.

3.4 Derived and Generated Data

  • Monthly listening aggregates — top tracks, top artists, and play counts computed from your listening history for personalized music stats.
  • Game statistics — streaks, win/loss records, and rounds played, computed from your Looops gameplay.
  • AI-generated track descriptions — generated by Google Gemini from track metadata (not from your personal data) for content enrichment.

4. How We Collect Information

  • Directly from you: when you create an account, update your profile, submit a complaint, or play Looops.
  • Automatically: through cookies, server logs, and analytics tools when you interact with the Service.
  • From third parties: when you connect a streaming service via OAuth, we receive data from that platform's API.

5. How We Use Your Information

  • Providing the Service: operating your account, displaying your profile, aggregating music across platforms, running the Looops game, and showing personalized listening stats.
  • Authentication and security: delivering OTP codes via SMS, verifying your identity, managing sessions, enforcing rate limits, and blocking abusive IP addresses.
  • Music aggregation and discovery: syncing your listening history from connected platforms, generating recommendations, and computing your monthly listening stats.
  • Looops game operation: tracking daily play limits and maintaining streaks and statistics.
  • Product analytics and improvement: understanding how visitors interact with the Service through Google Analytics (only with your consent).
  • Customer support: responding to complaints and resolving issues you report.
  • Push notifications: sending notifications to your device via Firebase Cloud Messaging, where applicable.
  • Abuse prevention: rate limiting, IP blocking, and monitoring for suspicious activity.

6. Legal Bases for Processing (GDPR)

If you are in the European Economic Area (EEA), United Kingdom, or another jurisdiction where the GDPR applies, we process your personal data under the following legal bases:

  • Performance of a contract (Art. 6(1)(b)) — account creation, authentication, providing the music aggregation service, Looops game operation, and processing profile updates.
  • Consent (Art. 6(1)(a)) — analytics cookies (Google Analytics) and connecting optional streaming services.
  • Legitimate interests (Art. 6(1)(f)) — security measures (rate limiting, IP blocking, fraud prevention), product improvement, abuse prevention, and maintaining audit trails. We balance our legitimate interests against your rights and apply data minimization (e.g., IP hashing for anonymous users, log redaction of sensitive fields).
  • Legal obligation (Art. 6(1)(c)) — responding to lawful requests from authorities where required by applicable law.

Where processing is based on consent, you may withdraw your consent at any time (see Section 12).

7. How We Disclose and Share Information

7.1 Service Providers

We share personal data with service providers who process data on our behalf to operate the Service:

  • SMS delivery (Termii, Twilio) — your phone number and OTP code are transmitted to deliver authentication messages.
  • Email delivery (Resend) — your email address may be used to send transactional communications.
  • Hosting and infrastructure — all data is processed by our hosting provider as part of platform operations.
  • Analytics (Google Analytics) — pseudonymous usage data, page views, and events are shared with Google only if you have accepted analytics cookies.
  • AI content generation (Google Gemini) — track metadata (not personal data) is sent to Google Gemini to generate track descriptions.
  • Push notifications (Firebase Cloud Messaging) — device tokens are used to deliver push notifications where applicable.

7.2 Music Streaming Platforms

When you connect a streaming service, data flows bidirectionally. We send your authorization (OAuth) to the platform, and receive your listening history, platform user ID, and track metadata. These platforms operate as independent controllers of the data on their services. Please review their respective privacy policies.

7.3 No Sale of Data

We do not sell or share your personal information for cross-context behavioral advertising purposes.

7.4 Other Disclosures

We may disclose personal information:

  • To comply with applicable laws, regulations, or legal processes.
  • To protect the rights, property, or safety of Annie Music Limited, our users, or others.
  • In connection with a merger, acquisition, or sale of assets (with notice to you).

8. Cookies and Similar Technologies

8.1 Cookies We Set

CookieTypePurposeDuration
ANNIE_TOKEN_KEYStrictly necessaryAuthentication session (JWT)14 days
looops_player_idStrictly necessaryAnonymous browser identity for daily Looops continuity1 year
looops_session_idStrictly necessaryCurrent Looops session identifier for resume and audio playbackUntil midnight UTC

All cookies listed above are set with httpOnly, secure, and sameSite=lax flags.

8.2 Third-Party Cookies

If you accept analytics cookies via our consent banner, Google Analytics sets cookies (such as _ga and _ga_*) to distinguish users and measure engagement. These cookies are typically retained for up to 2 years by Google.

8.3 Local Storage

  • annie_analytics_consent — stores your analytics consent decision (accept or decline).

8.4 Your Cookie Choices

When you first visit the Service, a banner asks whether you accept analytics cookies. You can accept or decline. Strictly necessary cookies (authentication and game functionality) cannot be disabled as they are essential for the Service to function.

To change your analytics preference after your initial choice, clear the annie_analytics_consent entry from your browser's local storage and reload the page.

9. Data Retention

We retain personal data only as long as necessary for the purposes described in this policy, unless a longer retention period is required by law.

  • User account data (phone, email, username, avatar, timezone) — retained until you request account deletion.
  • Listening history (individual track plays) — automatically deleted after 40 days.
  • Monthly listening aggregates — automatically deleted after 30 days.
  • Looops game sessions and stats — retained indefinitely for the lifetime of your account.
  • Search history — retained indefinitely for the lifetime of your account.
  • Refresh tokens — deleted 7 days after expiration via automated cleanup.
  • OAuth tokens (encrypted) — retained while your streaming service is connected; deleted when you disconnect.
  • Complaints — retained indefinitely for record-keeping purposes.
  • Google Analytics data — retained per Google's configured retention settings.

10. Data Security

We implement technical and organizational measures to protect your personal information, including:

  • Encryption in transit: all connections use HTTPS/TLS.
  • Encryption at rest: OAuth tokens from streaming platforms are encrypted using AES-256-GCM before storage.
  • Hashing: OTP codes and refresh tokens are hashed with SHA-256 before storage. Anonymous player IP addresses are hashed with HMAC-SHA256 and cannot be reversed.
  • Secure authentication: JWT tokens use ECDSA (P-256) signatures. Refresh tokens implement family-based rotation with replay detection.
  • Access controls: admin functions are restricted to authorized users. API rate limiting is enforced on authentication endpoints.
  • Secure cookies: all cookies use httpOnly, secure, and sameSite=lax flags.
  • Log redaction: sensitive fields (emails, phone numbers, tokens, keys) are automatically redacted from application logs.
  • Security headers: including X-Content-Type-Options, X-Frame-Options, Cache-Control, and Referrer-Policy.

No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

11. International Data Transfers

Annie Music Limited is based in Nigeria. Your personal data may be transferred to and processed in countries outside your own, including the United States and other jurisdictions where our service providers operate, which may not provide the same level of data protection as your home country.

When we transfer data internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) with our service providers, to protect your personal data in accordance with applicable law.

12. Your Privacy Rights

12.1 Rights Under GDPR (EEA/UK Residents)

If you are in the EEA or UK, you have the following rights under the GDPR:

  • Right of access (Art. 15) — request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16) — update your username, email, and avatar through your account settings. For other corrections, contact us.
  • Right to erasure (Art. 17) — request deletion of your personal data by contacting us.
  • Right to restriction (Art. 18) — request that we restrict processing of your data in certain circumstances.
  • Right to data portability (Art. 20) — request your data in a structured, machine-readable format.
  • Right to object (Art. 21) — object to processing based on legitimate interests.
  • Right to withdraw consent (Art. 7) — withdraw consent for analytics by declining cookies. Disconnect streaming services at any time via settings.
  • Right to lodge a complaint — you may file a complaint with your local data protection authority.

12.2 Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

Categories of Personal Information Collected

  • Identifiers: phone number, email, username, user ID, IP address, platform user IDs.
  • Internet or electronic network activity: page views, interaction events, listening history, search history, game data.
  • Inferences: monthly music aggregates (top tracks, artists), game statistics.
  • Audio information: listening history metadata (not audio recordings).

Your California Rights

  • Right to know what personal information we collect, use, and disclose.
  • Right to delete your personal information.
  • Right to correct inaccurate personal information.
  • Right to opt out of sale/sharing. We do not sell or share your personal information for cross-context behavioral advertising.
  • Right to non-discrimination for exercising your rights.

Sources: directly from you, automatically from your device, and from connected streaming platforms.

Business purposes: providing the Service, authentication, security, analytics (with consent), and customer support.

Sale/Sharing: we do not sell or share personal information for cross-context behavioral advertising.

12.3 Exercising Your Rights

Currently, you can:

  • Update your profile (username, email, avatar) via account settings.
  • Disconnect streaming services via account settings.
  • Manage analytics cookies via the consent banner.

For all other privacy rights requests (access, deletion, portability, objection), please contact us at [email protected]. We will respond within the timeframe required by applicable law (30 days under GDPR, 45 days under CCPA).

13. Children's Privacy

The Service is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are between 13 and 18 (or the age of majority in your jurisdiction), you may only use the Service with parental or guardian consent.

If we learn that we have collected personal information from a child under 13, we will take steps to delete that information promptly. If you believe a child under 13 has provided us with personal information, please contact us at [email protected].

14. Third-Party Services and Links

The Service integrates with and links to third-party services, including:

When you connect a streaming service or interact with third-party content, those services' own privacy policies govern their handling of your data. The Service may also contain links to third-party websites. We are not responsible for the privacy practices of those websites.

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date at the top of this page. Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy. We encourage you to review this policy periodically.

16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

This Privacy Policy is provided for transparency. If you have questions about how your data is handled, please don't hesitate to contact us.