Skip to main content

Privacy Policy

Last updated: 4 April 2026

Version 1.3

CoffeeAlbum is currently in early access. This privacy policy applies to all data collected during the early access period and will continue to apply if the service transitions to general availability.

What is CoffeeAlbum?

CoffeeAlbum is a web app where you upload photos of friends and associate them with songs. When you view a board, hovering over a photo plays a 30-second song preview. Boards can be shared via link.

What we collect and why

DataWhyLegal basis
Google account info (name, email, profile picture)To create and identify your accountContract performance
Photos you uploadTo display on your boardsConsent (upload checkbox)
Song selections (Deezer track IDs, song metadata)To play song previews on your photosContract performance
Spotify liked songs (if you connect)To suggest songs from your library when choosing a songConsent (you choose to connect)
IP address (at photo upload)Audit trail for consent verificationLegitimate interest
Session token (cookie)To keep you logged inLegitimate interest (essential for service)
Report submissions (if you report a photo)To investigate and act on reports of harmful contentLegitimate interest (safety)

How we store your data

  • Database: Cloudflare D1 (SQLite, managed by Cloudflare)
  • Photo files: Cloudflare R2 (object storage)
  • All data encrypted in transit (HTTPS)
  • Infrastructure provided by Cloudflare, Inc. See their privacy policy
  • We do not store your Google or Spotify passwords

Who can see your data

  • Your boards: Anyone with the share link can see your photos and song selections. Boards are not indexed by search engines.
  • Google: We use Google OAuth for login. Google receives standard OAuth data during sign-in only.
  • Deezer: We query Deezer's public API for song search and preview URLs. No personal data is sent to Deezer.
  • Spotify: If you connect Spotify, we read your liked songs (read-only). We never modify your Spotify library.
  • Nobody else: We do not sell, rent, or share your personal data with any other third party.
  • External archiving: Board pages include technical directives to prevent search engine indexing. However, third-party services such as web archives or link preview generators may independently cache publicly accessible board content. Once a shared link has been accessed, CoffeeAlbum cannot control or remove copies held by external services. Making a board private or letting its share link expire prevents future access via CoffeeAlbum, but does not affect copies already captured externally.

Photos of other people

  • Photos uploaded to CoffeeAlbum may contain images of identifiable people other than the uploader.
  • Uploaders must confirm they have consent from people pictured before uploading.
  • If you appear in a photo on CoffeeAlbum and would like it removed, you can use the Report button on the photo or contact us at coffeealbumadmin@gmail.com. We will respond within 48 hours.
  • CoffeeAlbum strips location data and other metadata from all uploaded photos to protect privacy.

How long we keep your data

  • Account data: until you delete your account
  • Photos: until you delete them individually or delete your account
  • Sessions: 30 days, then automatically deleted
  • Spotify connection: until you disconnect or delete your account
  • Audit logs: 12 months, then deleted
  • Deleted photos: permanently removed from storage immediately upon deletion
  • Deleted accounts: all associated photos, boards, and personal data permanently deleted immediately
  • Reports: retained for 12 months for audit purposes, then deleted

Your rights

Under GDPR and UK GDPR, you have the following rights:

  • Access and export: Download all your data from your Profile page (Export My Data).
  • Deletion: Delete your entire account from your Profile page (Delete Account). This permanently removes all your data, photos, and boards.
  • Rectification: Edit your display name and profile picture from your Profile page.
  • Data portability: Your data export is provided in JSON format.
  • Restriction and objection: Contact us at the email below.
  • Withdraw consent: Disconnect Spotify any time. Delete photos or your account any time.
  • Complaint: You have the right to lodge a complaint with your local data protection authority.

Cookies

We only use essential cookies. No analytics, tracking, or advertising cookies. See our Cookie Policy for full details.

Children

CoffeeAlbum is not designed for anyone under 16. If you are under 16, please do not use this service.

Changes to this policy

If we change this policy, we will update this page and ask you to re-accept the new version.

Contact

For privacy questions or to exercise your rights: coffeealbumadmin@gmail.com