1. Introduction
This Privacy Policy describes how Annie Music Limited ("we," "us," or "our"), operating the Annie platform (including the website at anniemusic.app,
APIs, and the Looops game — collectively, the "Service"), collects, uses, discloses,
and protects your personal information.
This policy applies to all users of the Service, including registered users and anonymous
visitors. By accessing or using the Service, you acknowledge that you have read and
understood this Privacy Policy. If you do not agree with our practices, please do not use
the Service.
Where this policy references specific legal frameworks (such as the GDPR or CCPA/CPRA),
those sections apply to individuals in the relevant jurisdictions.
2. Who We Are
Annie is a music aggregation platform that unifies Spotify, Apple Music, and Deezer,
allowing you to discover and share music across streaming platforms. Annie also offers
Looops, a daily music guessing game.
The Service is operated by:
- Entity: Annie Music Limited
- Address: Lagos, Nigeria
- Privacy contact: [email protected]
3. Information We Collect
3.1 Information You Provide Directly
- Phone number — provided when you create an account
or sign in. Used for authentication via one-time passcode (OTP).
- Email address (optional) — provided in your account
settings. Used for account communications and profile identification.
- Username — chosen by you in account settings. Displayed
as your public name across the Service.
- Avatar — selected from pre-defined options in account
settings for profile personalization.
- Complaint or support information — your name, email,
and issue description when you submit a complaint.
3.2 Information Collected Automatically
- IP address — used for security, rate limiting,
and abuse prevention. For anonymous Looops players, your IP is hashed (HMAC-SHA256) to create
a non-reversible session identifier.
- Browser timezone — detected via your browser during
Looops gameplay to calculate your local game date.
- Device and browser information (User-Agent) — recorded
with each authenticated session for security audit purposes.
- Page views and interaction events — collected through
Google Analytics only if you accept analytics cookies via our consent banner.
- Cookies and similar technologies — see Section
8 below.
3.3 Information from Third-Party Services
When you connect a streaming service account, we receive the following from that streaming
service:
- OAuth tokens (access token, refresh token) — used
to access your music data on your behalf. These are encrypted with AES-256-GCM before storage.
- Platform user identifier — used to link your streaming
account.
- Recently played tracks — polled periodically from
your connected platforms for music discovery, recommendations, and listening stats.
- Track metadata (title, artist, album, duration) —
used to display music information within the Service.
You can disconnect any connected streaming service at any time through your account
settings, which revokes our access and deletes the associated tokens.
3.4 Derived and Generated Data
- Monthly listening aggregates — top tracks, top
artists, and play counts computed from your listening history for personalized music stats.
- Game statistics — streaks, win/loss records, and
rounds played, computed from your Looops gameplay.
- AI-generated track descriptions — generated by
Google Gemini from track metadata (not from your personal data) for content enrichment.
4. How We Collect Information
- Directly from you: when you create an account, update
your profile, submit a complaint, or play Looops.
- Automatically: through cookies, server logs, and analytics
tools when you interact with the Service.
- From third parties: when you connect a streaming service
via OAuth, we receive data from that platform's API.
5. How We Use Your Information
- Providing the Service: operating your account, displaying
your profile, aggregating music across platforms, running the Looops game, and showing personalized
listening stats.
- Authentication and security: delivering OTP codes via
SMS, verifying your identity, managing sessions, enforcing rate limits, and blocking abusive
IP addresses.
- Music aggregation and discovery: syncing your listening
history from connected platforms, generating recommendations, and computing your monthly
listening stats.
- Looops game operation: tracking daily play limits and
maintaining streaks and statistics.
- Product analytics and improvement: understanding how
visitors interact with the Service through Google Analytics (only with your consent).
- Customer support: responding to complaints and resolving
issues you report.
- Push notifications: sending notifications to your device
via Firebase Cloud Messaging, where applicable.
- Abuse prevention: rate limiting, IP blocking, and monitoring
for suspicious activity.
6. Legal Bases for Processing (GDPR)
If you are in the European Economic Area (EEA), United Kingdom, or another jurisdiction
where the GDPR applies, we process your personal data under the following legal bases:
- Performance of a contract (Art. 6(1)(b)) — account
creation, authentication, providing the music aggregation service, Looops game operation,
and processing profile updates.
- Consent (Art. 6(1)(a)) — analytics cookies (Google
Analytics) and connecting optional streaming services.
- Legitimate interests (Art. 6(1)(f)) — security
measures (rate limiting, IP blocking, fraud prevention), product improvement, abuse prevention,
and maintaining audit trails. We balance our legitimate interests against your rights and
apply data minimization (e.g., IP hashing for anonymous users, log redaction of sensitive
fields).
- Legal obligation (Art. 6(1)(c)) — responding to
lawful requests from authorities where required by applicable law.
Where processing is based on consent, you may withdraw your consent at any time (see
Section 12).
7. How We Disclose and Share Information
7.1 Service Providers
We share personal data with service providers who process data on our behalf to operate
the Service:
- SMS delivery (Termii, Twilio) — your phone number
and OTP code are transmitted to deliver authentication messages.
- Email delivery (Resend) — your email address may
be used to send transactional communications.
- Hosting and infrastructure — all data is processed
by our hosting provider as part of platform operations.
- Analytics (Google Analytics) — pseudonymous usage
data, page views, and events are shared with Google only if you have accepted analytics cookies.
- AI content generation (Google Gemini) — track metadata
(not personal data) is sent to Google Gemini to generate track descriptions.
- Push notifications (Firebase Cloud Messaging) —
device tokens are used to deliver push notifications where applicable.
7.2 Music Streaming Platforms
When you connect a streaming service, data flows bidirectionally. We send your
authorization (OAuth) to the platform, and receive your listening history, platform user
ID, and track metadata. These platforms operate as independent controllers of the data on
their services. Please review their respective privacy policies.
7.3 No Sale of Data
We do not sell or share your personal information for cross-context behavioral advertising
purposes.
7.4 Other Disclosures
We may disclose personal information:
- To comply with applicable laws, regulations, or legal processes.
- To protect the rights, property, or safety of Annie Music Limited, our users, or others.
- In connection with a merger, acquisition, or sale of assets (with notice to you).
8. Cookies and Similar Technologies
8.1 Cookies We Set
| Cookie | Type | Purpose | Duration |
|---|
| ANNIE_TOKEN_KEY | Strictly necessary | Authentication session (JWT) | 14 days |
| looops_player_id | Strictly necessary | Anonymous browser identity for daily Looops continuity | 1 year |
| looops_session_id | Strictly necessary | Current Looops session identifier for resume and audio playback | Until midnight UTC |
All cookies listed above are set with httpOnly, secure, and sameSite=lax flags.
8.2 Third-Party Cookies
If you accept analytics cookies via our consent banner, Google Analytics sets cookies
(such as _ga and _ga_*) to distinguish users and measure
engagement. These cookies are typically retained for up to 2 years by Google.
8.3 Local Storage
annie_analytics_consent — stores your analytics consent decision (accept
or decline).
8.4 Your Cookie Choices
When you first visit the Service, a banner asks whether you accept analytics cookies. You
can accept or decline. Strictly necessary cookies (authentication and game functionality)
cannot be disabled as they are essential for the Service to function.
To change your analytics preference after your initial choice, clear the annie_analytics_consent entry from your browser's local storage and reload the
page.
9. Data Retention
We retain personal data only as long as necessary for the purposes described in this
policy, unless a longer retention period is required by law.
- User account data (phone, email, username, avatar, timezone)
— retained until you request account deletion.
- Listening history (individual track plays) —
automatically deleted after 40 days.
- Monthly listening aggregates — automatically
deleted after 30 days.
- Looops game sessions and stats — retained indefinitely
for the lifetime of your account.
- Search history — retained indefinitely for the
lifetime of your account.
- Refresh tokens — deleted 7 days after expiration
via automated cleanup.
- OAuth tokens (encrypted) — retained while your
streaming service is connected; deleted when you disconnect.
- Complaints — retained indefinitely for record-keeping
purposes.
- Google Analytics data — retained per Google's configured
retention settings.
10. Data Security
We implement technical and organizational measures to protect your personal information,
including:
- Encryption in transit: all connections use HTTPS/TLS.
- Encryption at rest: OAuth tokens from streaming platforms
are encrypted using AES-256-GCM before storage.
- Hashing: OTP codes and refresh tokens are hashed with
SHA-256 before storage. Anonymous player IP addresses are hashed with HMAC-SHA256 and cannot
be reversed.
- Secure authentication: JWT tokens use ECDSA (P-256) signatures.
Refresh tokens implement family-based rotation with replay detection.
- Access controls: admin functions are restricted to authorized
users. API rate limiting is enforced on authentication endpoints.
- Secure cookies: all cookies use
httpOnly, secure, and sameSite=lax flags. - Log redaction: sensitive fields (emails, phone numbers,
tokens, keys) are automatically redacted from application logs.
- Security headers: including
X-Content-Type-Options, X-Frame-Options, Cache-Control, and Referrer-Policy.
No method of transmission or storage is 100% secure. While we strive to protect your data,
we cannot guarantee absolute security.
11. International Data Transfers
Annie Music Limited is based in Nigeria. Your personal data may be transferred to and
processed in countries outside your own, including the United States and other
jurisdictions where our service providers operate, which may not provide the same level of
data protection as your home country.
When we transfer data internationally, we ensure appropriate safeguards are in place,
including Standard Contractual Clauses (SCCs) with our service providers, to protect your
personal data in accordance with applicable law.
12. Your Privacy Rights
12.1 Rights Under GDPR (EEA/UK Residents)
If you are in the EEA or UK, you have the following rights under the GDPR:
- Right of access (Art. 15) — request a copy of the
personal data we hold about you.
- Right to rectification (Art. 16) — update your
username, email, and avatar through your account settings. For other corrections, contact
us.
- Right to erasure (Art. 17) — request deletion of
your personal data by contacting us.
- Right to restriction (Art. 18) — request that we
restrict processing of your data in certain circumstances.
- Right to data portability (Art. 20) — request your
data in a structured, machine-readable format.
- Right to object (Art. 21) — object to processing
based on legitimate interests.
- Right to withdraw consent (Art. 7) — withdraw consent
for analytics by declining cookies. Disconnect streaming services at any time via settings.
- Right to lodge a complaint — you may file a complaint
with your local data protection authority.
12.2 Rights Under CCPA/CPRA (California Residents)
If you are a California resident, you have the following rights under the California
Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
Categories of Personal Information Collected
- Identifiers: phone number, email, username, user ID,
IP address, platform user IDs.
- Internet or electronic network activity: page views,
interaction events, listening history, search history, game data.
- Inferences: monthly music aggregates (top tracks, artists),
game statistics.
- Audio information: listening history metadata (not audio
recordings).
Your California Rights
- Right to know what personal information we collect, use,
and disclose.
- Right to delete your personal information.
- Right to correct inaccurate personal information.
- Right to opt out of sale/sharing. We do not sell or share
your personal information for cross-context behavioral advertising.
- Right to non-discrimination for exercising your rights.
Sources: directly from you, automatically from your device,
and from connected streaming platforms.
Business purposes: providing the Service, authentication,
security, analytics (with consent), and customer support.
Sale/Sharing: we do not sell or share personal information
for cross-context behavioral advertising.
12.3 Exercising Your Rights
Currently, you can:
- Update your profile (username, email, avatar) via account
settings.
- Disconnect streaming services via account settings.
- Manage analytics cookies via the consent banner.
For all other privacy rights requests (access, deletion, portability, objection), please
contact us at [email protected]. We will respond within the timeframe required by applicable law (30 days under GDPR, 45
days under CCPA).
13. Children's Privacy
The Service is not directed to children under 13 years of age. We do not knowingly collect
personal information from children under 13. If you are between 13 and 18 (or the age of
majority in your jurisdiction), you may only use the Service with parental or guardian
consent.
If we learn that we have collected personal information from a child under 13, we will
take steps to delete that information promptly. If you believe a child under 13 has
provided us with personal information, please contact us at [email protected].
14. Third-Party Services and Links
The Service integrates with and links to third-party services, including:
When you connect a streaming service or interact with third-party content, those services'
own privacy policies govern their handling of your data. The Service may also contain
links to third-party websites. We are not responsible for the privacy practices of those
websites.
15. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we
will update the "Last Updated" date at the top of this page. Your continued use of the
Service after changes are posted constitutes your acceptance of the updated policy. We
encourage you to review this policy periodically.
16. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data
practices, please contact us:
This Privacy Policy is provided for transparency. If you have questions about how your
data is handled, please don't hesitate to contact us.