Privacy Policy

Last updated: February 12, 2026

hangoutwithme ("we," "us," "our") is a concert discovery service that connects your Spotify listening data with upcoming live events. This policy explains what data we collect, how we use it, and your rights.

1. What We Collect

From Spotify (via OAuth)

When you connect your Spotify account, we access the following using Spotify's official OAuth 2.0 authorization flow. We never see or store your Spotify password.

  • Your profile: Spotify user ID, display name, and profile image.
  • Top artists (scope: user-top-read): Your most-listened-to artists across short-, medium-, and long-term time ranges. Used to find concerts you'd care about.
  • Followed artists (scope: user-follow-read): Artists you follow on Spotify. Used to broaden concert matching.
  • Saved track artists (scope: user-library-read): Artists from your saved/liked tracks. Used to catch artists you listen to but may not follow.

We request only read-only scopes. We never modify your Spotify account, playlists, library, or playback in any way.

Data we generate

  • An artist relevance score based on how many Spotify sources (top artists, follows, saved tracks) each artist appears in.
  • Friend connections you create through invite links (your Spotify user ID paired with your friend's).

Data we do NOT collect

  • Your email address
  • Your listening history or recently played tracks
  • Your playlists
  • Payment information

2. How We Use Your Data

  • Concert matching: We compare your artist list against upcoming events from Ticketmaster and SeatGeek to show you relevant shows.
  • Friend overlap: When you connect with a friend, we compare both artist lists to show shared taste and shared concerts you could attend together.
  • Display: Your display name and profile image are shown to friends you've connected with.

We do not use your data for advertising, profiling, analytics beyond the app's core features, or any purpose other than showing you concerts.

3. Data Storage and Security

  • Your Spotify access and refresh tokens are encrypted at rest using AES-256-GCM before storage.
  • All connections use HTTPS.
  • Session cookies are HttpOnly, Secure, and SameSite=Lax.
  • OAuth state parameters are validated to prevent CSRF attacks.
  • Your data is stored in a PostgreSQL database hosted by Supabase (US region). The application is hosted on Railway.

4. Data Sharing

We do not sell, rent, or share your data with third parties.

The only data visible to other users is:

  • Your display name and profile image, shown to friends you have explicitly connected with via invite links.
  • Shared artist overlap with connected friends.

We do not use ad networks, data brokers, or analytics services. We do not transfer your data to any third party for advertising or monetization purposes.

5. Data Retention

We retain your data for as long as your account is active. Artist data is refreshed each time you sync and overwrites previous data.

When you disconnect or delete your account, we delete all your personal data — including your profile, artist data, friend connections, and encrypted tokens — within 5 days.

6. Your Rights

Disconnect your Spotify account

You can disconnect hangoutwithme from your Spotify account at any time:

  • From Spotify: Go to spotify.com/account/apps and remove hangoutwithme.
  • From hangoutwithme: Log out from the feed page. This ends your session.

Delete your data

To request deletion of all your data, email us at the address below. We will delete your account and all associated data within 5 days.

Access your data

You can view all the data we hold about you directly in the app: your synced artists are visible in the artist list, and your friend connections are visible in the friends dropdown.

7. Cookies

We use the following cookies:

  • hangoutwithme_session — Encrypted session cookie for authentication. HttpOnly, 30-day expiry.
  • hangoutwithme_onboarded — Tracks whether you've completed initial setup. 30-day expiry.
  • hangoutwithme_oauth — Temporary cookie used during Spotify login for security (CSRF protection). 10-minute expiry, deleted after login completes.

We do not use tracking cookies, analytics cookies, or third-party cookies of any kind.

8. Children

hangoutwithme is not intended for users under 13 years of age. We do not knowingly collect data from children under 13. If you believe a child under 13 has used hangoutwithme, please contact us and we will delete their data.

9. AI and Machine Learning

We do not use your Spotify data or any data obtained through the Spotify Platform to train machine learning or AI models.

10. Changes to This Policy

If we make material changes to this policy, we will update the "Last updated" date at the top and, where practical, notify affected users through the app.

11. Contact

For privacy questions, data requests, or to request account deletion:

hangoutsupport@googlegroups.com