Privacy Policy
Last updated: June 25, 2026
Cosign (“we”, “us”) lets you upload your Spotify listening history to see how early you discovered artists who later blew up, and to compare with others. This policy explains what we collect, why, and your choices. We’ve kept it plain.
1. Data you give us
- Spotify listening history (your upload). When you upload your Spotify Extended Streaming History, we read artist names, the first time you played each artist, per-artist play counts, and track identifiers. We store the derived per-artist first-play dates, play counts, and scores — not the raw export file (the .zip is never retained).
- Spotify account (if you sign in). If you connect Spotify, we receive your Spotify display name, email, profile image, and recently-played tracks (used by the optional “Sync” feature). We hold a Spotify access/refresh token encrypted in your session cookie so we can refresh your data when you ask.
- Your profile. A display handle you choose, the scores, rankings, calls, and picks we derive from your data, and the people you follow.
2. Data we collect automatically
- A single essential session cookie to keep you signed in. We use no advertising cookies.
- Privacy-friendly analytics (opt-in). Only if you allow it via the consent banner, we use a cookieless analytics provider (Plausible) to count page views and basic events (such as an upload completing). It sets no cookies, collects no personal data, and doesn’t track you across sites. Analytics never run until you consent — if you decline, none run — and you can change your choice anytime via “Analytics preferences” in the footer.
- Basic server logs (request times, errors) for security and reliability.
3. How we use your data
To compute and show your Cosign score, early calls, medals, and picks; to run the public leaderboard and following; to refresh your data via the optional Spotify Sync; and to keep the service secure. We do not sell your data, and we do not use it to train machine-learning or AI models.
4. What is public
Cosign is a public leaderboard. Your handle, score, medals/standings, early calls, recent picks, and follower/following counts are visible to anyone. Your email, Spotify tokens, and raw listening history are never public. Don’t upload anything you wouldn’t want associated with your handle.
5. Who we share with
We share data only with providers that help us run Cosign:
- Spotify — for sign-in and the recently-played sync (governed by Spotify’s own privacy policy).
- Soundcharts — provides artist-popularity data (this involves artist data, not your personal data).
- Our hosting/infrastructure provider — stores the app’s data.
We may disclose data if required by law.
6. Legal bases (EEA/UK)
We process your data based on your consent (you choose to upload and to connect Spotify) and our legitimate interest in operating the service. You can withdraw consent at any time by deleting your account.
7. Retention
We keep your data until you delete your account. Deleting your account (on your profile, under Account → Delete account) removes your submission, derived listening data, picks, and follow relationships from our store.
8. Your rights
- Access your data — it’s shown on your profile.
- Correct your handle — Account → edit username.
- Delete your account and data at any time — Account → Delete account.
- Withdraw consent — sign out and delete your account.
Depending on where you live (e.g., the EEA/UK under GDPR, or California under CCPA/CPRA) you may have further rights, including requesting a copy of your data or lodging a complaint with your data-protection authority. We do not sell personal information. To exercise any right, email privacy@cosign.app.
9. Children
Cosign isn’t for anyone under 13 (or under 16 where required by local law). We don’t knowingly collect data from children.
10. Security
We take reasonable measures to protect your data, but no method of storage or transmission is perfectly secure. Cosign is an early-stage product — please don’t treat it as a vault.
11. International transfers
We may process and store data in the United States and other countries whose data-protection laws may differ from yours.
12. Changes
We may update this policy; we’ll change the date above and, for material changes, do our best to notify you.
13. Contact
Questions or requests: privacy@cosign.app.
Cosign is not affiliated with, endorsed by, or sponsored by Spotify AB. See also our Terms of Service.