Crowdsurf Music, Inc. Privacy Policy

How we collect, use, and protect your information when you use Crowdsurf.

Crowdsurf Music, Inc. (“Crowdsurf,” “we,” “us,” or “our”) values your privacy. This Privacy Policy explains how we collect, use, and protect your information when you use the Crowdsurf mobile application, website, and related services (collectively, the “Service”).

By using Crowdsurf, you agree to this Privacy Policy. If you do not agree, please do not use the Service.

1. Information we collect

A. Information you provide

• Account information: your phone number, which you use to create and sign in to your account with a one-time SMS verification code. We do not use passwords, and we do not require an email address to sign up.
• Profile information: your username and display name, plus optional details you choose to add, such as a profile photo, bio, school, or your primary music-streaming service.
• Contacts: if you grant permission, we upload the names and phone numbers from your device’s address book to help you find friends on Crowdsurf — including suggesting a connection if one of your contacts joins later, which is why contact data is kept while your account is active. This can include information about people who are not Crowdsurf users; if that’s you and you’d like your number removed, see “Your choices” below.
• Recommendations and activity: when you share songs, surf, comment, or react, we store that content so it can appear in the app for you and the people you share with.
• Payment information: we do not currently process payments. If we offer paid features in the future, any payments would be processed by Apple or Google — not stored by Crowdsurf.

B. Automatically collected information

• Usage data: app interactions, features used, and time spent in the app.
• Device data: device type, operating system, app version, and time zone. We do not collect your device’s location.
• Log data: IP address, device identifiers, and crash logs to help us improve stability and security.
• Analytics and diagnostics: we use third-party services — including Mixpanel for product analytics and Sentry for crash and error reporting — that receive information such as your user ID, username, device details, and time zone.

C. Third-party integrations

If you connect your Spotify, Apple Music, or other streaming account, we may receive:

• Your public profile (name, username, or image).
• Music playback information (what you’re listening to, recently played tracks).

We only access this data with your permission and as allowed by the third party’s API.

2. How we use your information

We use your information to:

• Operate and improve the Service.
• Personalize recommendations and social features.
• Communicate with you (account updates, feature announcements, or support).
• Process payments and manage subscriptions, if and when paid features are offered.
• Enforce our Terms of Service.
• Detect, prevent, and address technical or security issues.

3. How we share information

We do not sell your personal information. We may share limited data in these cases:

• Service providers: trusted partners who host our servers, send SMS verification codes, or process analytics — under confidentiality obligations.
• Legal requirements: when required by law, subpoena, or government request.
• Business transfers: if Crowdsurf is acquired or merged, your information may transfer as part of that transaction (we’ll notify you if that happens).
• With your consent: for example, when you connect your Spotify account or share music with friends.

4. Your choices

• Access & update: you can edit your profile and account details anytime in the app.
• Export your data: you can download a machine-readable copy of the personal data we hold about you — your profile, shares, follows, listening history, connected accounts, and more — from Settings → Export My Data, or by emailing privacy@getcrowdsurf.com.
• Delete account: you can delete your account in the app (Settings → Delete Account) or by emailing privacy@getcrowdsurf.com. Deletion is permanent: we immediately delete your sign-in credentials and phone number, profile, photos, contacts, listening history, connected-account links, and your shares and the recommendation chains they created, and we instruct our analytics provider to erase your data (which completes within a few days). A non-identifying record that a deletion occurred (a random identifier and timestamp only) is kept indefinitely for audit integrity, and residual copies may persist in encrypted backups for up to 35 days before being purged.
• Not a Crowdsurf user? If someone who uses Crowdsurf synced their address book and you want your phone number removed from our systems, email privacy@getcrowdsurf.com. We will delete every stored copy of your number and add it to an opt-out list (stored only as a one-way hash) so future address-book syncs cannot re-add it. We keep this one-way hash for as long as necessary to honor your opt-out; in practice, this may be indefinitely.
• Notifications: you can manage push notifications at any time in your device settings.
• Third-party connections: you can revoke Spotify or Apple Music access at any time through their settings.

5. Data retention

We retain your information for as long as your account is active — it powers the music-discovery network, your scores, and your recommendations for the life of your account. When you delete your account, your personal data is permanently deleted as described above, with three narrow exceptions: residual copies in encrypted backups are purged on a rolling basis within 35 days; diagnostic logs and crash reports are kept on short retention windows by our providers; and we may retain limited information where required for legal, security, or fraud-prevention purposes. Aggregated statistics that do not identify anyone (for example, overall usage metrics) may be retained indefinitely.

6. Security

We use industry-standard practices (encryption, secure databases, and limited employee access) to protect your data. However, no system is completely secure. You use the Service at your own risk and should keep access to your phone number and device secure.

7. Children’s privacy

Crowdsurf is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a minor has created an account without consent, contact us at privacy@getcrowdsurf.com and we’ll promptly delete the information.

8. California privacy rights

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the CPRA, gives you the following rights regarding your personal information:

• Right to know: request the categories and specific pieces of personal information we have collected about you.
• Right to delete: request deletion of personal information we have collected, subject to certain exceptions.
• Right to correct: request correction of inaccurate personal information.
• Right to opt out of sale or sharing: Crowdsurf does not sell your personal information and does not share it for cross-context behavioral advertising.
• Right to non-discrimination: we will not discriminate against you for exercising any of these rights.

To exercise any of these rights, email privacy@getcrowdsurf.com and include the username and phone number associated with your account. We may verify your identity before responding. You may also designate an authorized agent to make a request on your behalf.

9. International users & European privacy rights

Crowdsurf is operated in the United States, and your information is processed and stored there. The data-protection laws of the U.S. may differ from those of your home country. We protect information from all of our users as described in this policy, including through data-processing agreements with the service providers that handle it on our behalf.

If you are in the European Economic Area, the United Kingdom, or Switzerland, we process your personal data on the following legal bases: performance of our contract with you (providing the Service, including the social and music-discovery features it is built on), legitimate interests (personalizing recommendations, product analytics, keeping the Service secure, and suggesting connections from synced contacts), and consent where the law requires it. You have the right to:

• Access and portability: obtain a copy of your personal data in a machine-readable format (Settings → Export My Data).
• Rectification: correct inaccurate personal data (editable in the app, or email us).
• Erasure: have your personal data deleted (Settings → Delete Account, or email us).
• Restriction and objection: ask us to restrict processing, or object to processing based on legitimate interests (email privacy@getcrowdsurf.com; we respond within one month).
• Withdraw consent: where processing is based on consent, withdraw it at any time.
• Complain: lodge a complaint with your local data-protection supervisory authority.

To exercise any of these rights, use the in-app controls or email privacy@getcrowdsurf.com. We may verify your identity before responding.

Crowdsurf uses algorithms to personalize your feed and recommendations, but we do not make solely automated decisions about you that produce legal or similarly significant effects.

10. Changes to this policy

We may update this Privacy Policy from time to time. If changes are material, we’ll notify you through an in-app notice. The updated policy will take effect upon posting.

11. Contact us

If you have any questions or privacy concerns:

Crowdsurf Music, Inc.
San Francisco, CA
privacy@getcrowdsurf.com