Privacy Policy
Last updated: February 2025
Data controller
VinylTagger is published by Lucas Détré, an independent developer based in France.
Contact: contact@vinyltagger.com
Data collected
Account data
When you create an account via Discogs OAuth or magic link, we collect:
- Email address — for authentication and communication
- Discogs username — for collection import (if connected via Discogs)
- Discogs avatar — for profile display (if connected via Discogs)
Usage data
- Discogs collection — imported at your request, stored to display your releases and tracks
- Audio analyses — BPM, key, and Camelot notation of analyzed tracks
- Preferences — theme, language, display preferences (stored locally)
Waitlist
If you sign up for the waitlist, we collect:
- Email address
- Contact preference (notification or beta testing)
- Profile (record store, collector, curious)
- Suggestions (optional)
Traffic analysis
We use GoatCounter, a privacy-friendly traffic analysis tool. GoatCounter:
- Sets no cookies
- Collects no personal data
- Does not track users across pages
- Is hosted on our own servers
Purpose of processing
| Data | Purpose | Legal basis |
|---|---|---|
| Authentication, communication | Contract performance | |
| Discogs collection | Collection display and management | Contract performance |
| Audio analyses | Shared community cache | Legitimate interest |
| GoatCounter | Anonymous traffic statistics | Legitimate interest |
| Waitlist | Launch notification | Consent |
Data retention
- Account data: retained as long as the account is active, deleted on request
- Audio analyses: retained indefinitely (anonymous community cache)
- Waitlist: retained until launch, then deleted
Security
- Discogs OAuth tokens encrypted at rest in the database (AES-256-GCM)
- Session cookies signed (
httpOnly,securein production,sameSite: strict) - No passwords collected (auth only via Discogs OAuth or magic link email)
- HTTPS across the whole site
- Rate limiting on sensitive endpoints to prevent abuse
Data sharing
We do not sell, rent, or share any personal data with third parties.
Audio analyses (BPM, key) are shared anonymously with the community — they are not linked to your account.
Your rights
Under the GDPR, you have the following rights:
- Access — view the data we hold about you
- Rectification — correct inaccurate data
- Deletion — request deletion of your account and data
- Portability — receive your data in a structured format
- Objection — object to the processing of your data
To exercise these rights, contact us at contact@vinyltagger.com.
Hosting
Data is hosted in France (OVH, Gravelines datacenter) on a dedicated server.
Changes
This policy may be updated. In case of substantial changes, we will inform you by email or via the site.