Privacy Policy
Last updated: 4 May 2026
Overview
Data We Store
On your Mac — Muvic stores the following data in a SQLite database at ~/Library/Application Support/Muvic/muvic.db:
- Account information — your email address and display name, used to identify your profile.
- Password hash — your app password is stored as a bcrypt hash. Your plaintext password is never saved.
- Platform credentials — your Beatport and Bandcamp login details are encrypted at rest using your macOS Keychain (safeStorage API). They are decrypted only when needed to perform the sync actions you initiate.
- Spotify tokens — your Spotify access and refresh tokens are encrypted using your macOS Keychain (safeStorage API) and never leave your Mac.
- Sync history — track names, artists, and platforms synced, used to detect duplicates and display your sync history.
- License information — your license key and tier, stored to enforce usage limits.
- Preferences — your in-app settings (default platform, duplicate preferences, etc.).
On Muvic’s servers — Muvic operates a Google Cloud Run sync service and a Google Cloud SQL Postgres database in the us-central1 region. The Postgres database is configured with no authorized public networks, TLS-only connections, daily encrypted backups, deletion protection, and access restricted to the sync service via Google Cloud’s IAM. The following categories of data are stored there for users who have signed in to Muvic Cloud:
- Account record — your email, bcrypt-hashed app password (or Google OAuth provider link, if you signed in with Google), display name, and account creation timestamp. Used for cross-device login.
- Refresh token hashes — long-lived sign-in tokens are stored as SHA-256 hashes alongside their expiry, never in plaintext. Used to keep you signed in across app restarts without re-prompting for your password.
- License record — your license key, tier, and activation status. Used to validate your plan server-side and prevent the local-reset workaround that would otherwise grant unlimited free-tier syncs.
- Usage counters — monthly sync counts used to enforce your plan’s quota.
- Sync history — track names, artists, and platforms synced, used to detect duplicates across your devices.
Your Spotify, Beatport, and Bandcamp credentials remain on your Mac. They are not stored in Muvic’s database. If a future feature ever needs to store an OAuth token server-side (for example, to refresh playlists in the background while your Mac is closed), that token will be encrypted at rest using a server-held key, and we’ll update this policy and notify you in the app before that feature ships.
Spotify
Muvic uses Spotify’s official OAuth 2.0 (PKCE) flow. The app never sees your Spotify password — you authenticate with Spotify directly, and Spotify returns an access token to Muvic. Your Spotify access token and refresh token are encrypted on your Mac via the macOS Keychain (Electron’s safeStorage API).
Muvic requests the following scopes, each used only as described below:
- playlist-read-private — read your private playlists so they can appear in the sync UI.
- playlist-read-collaborative — read your collaborative playlists for the same purpose.
- playlist-modify-private and playlist-modify-public — (write) used only when you explicitly choose one of these actions: (a) save tracks that weren’t found on Beatport / Bandcamp into a “Not Found” playlist Muvic creates for you, (b) remove successfully synced tracks from the source playlist after a sync, (c) move successfully synced tracks into a separate “— Synced” playlist Muvic creates for you, or (d) remove already-synced or already-owned duplicate tracks from the source playlist when prompted before a sync. Both private and public scopes are requested because Spotify keys playlist modification on the playlist’s public/private setting, not just on ownership — removing a track from a playlist you own but have set to public requires the public scope. Muvic never modifies playlists without your explicit configuration, and never modifies playlists you don’t own.
- user-read-private — read your Spotify display name and profile image so the sync UI can show who you’re signed in as.
Muvic does not read your listening history, your library, your followers, or any data beyond what these scopes provide. Muvic does not play, stream, download, or redistribute Spotify audio — track metadata is used only to search Beatport and Bandcamp on your behalf so you can purchase the tracks.
What leaves your Mac, and what doesn’t:
- Your Spotify access and refresh tokens are never sent to any Muvic server. Spotify API calls (listing playlists, reading playlist tracks, profile info, modify-private actions you trigger) go from your Mac directly to api.spotify.com.
- When you start a sync, the track names and artists for the tracks you selected are sent to Muvic’s sync server (a Cloud Run service) so it can search Beatport / Bandcamp on your behalf. The server processes them in memory and returns the results — it does not retain Spotify track metadata after the sync completes.
- A record of which tracks you’ve synced (track names, artists, target platform) is stored against your account in Muvic’s database so duplicates are detected across devices — this is sync-history data only, not Spotify tokens.
- Your Beatport and Bandcamp passwords (which you enter in Muvic, not into Spotify) are encrypted on your Mac and only sent to the sync server in the request that initiates a sync, so it can sign in to those platforms on your behalf. They are not retained server-side after the sync completes.
You can disconnect Spotify at any time from Account → Connected Accounts inside the app. Disconnecting deletes the stored tokens immediately. You can also revoke Muvic’s access from Spotify’s side at spotify.com/account/apps.
Sign in with Google
Muvic offers an optional “Continue with Google” button on the sign-in screen. If you choose it, the app opens your default browser to Google’s OAuth consent page; you authenticate with Google directly. Muvic does not see your Google password.
Google returns an ID token containing your email address, your Google-verified email status, your display name, and a Google-internal user ID. The Electron app passes this ID token to Muvic’s sync server, which verifies the signature against Google’s public keys and uses the email and display name to find or create your account record. Muvic does not request or receive any Google scopes beyond openid, email, and profile; we do not read your Gmail, Drive, contacts, or anything else from your Google account.
You can revoke Muvic’s access to your Google identity at myaccount.google.com/permissions. Revocation does not delete your Muvic account; use Settings → Account → Delete Account inside the app for that.
Payments
Analytics & Crash Reporting
Muvic sends a small set of anonymous product-usage events to a logging endpoint at muvic.app/api/telemetry. The events do not contain your email, IP address, playlist names, track names, or any other identifying data. They are used to understand which features are being used and to spot regressions when a release goes out.
The events that are sent:
- app-opened — with the running app version
- login, register, spotify-connected — signed-in / connected, no payload
- credential-saved, credential-removed — with the platform name (Beatport or Bandcamp), no actual credentials
- sync-started — with the platform and the number of tracks selected (an integer count, no track names)
- sync-completed — with the platform, success/fail/fallback counts (integers), and timing measurements
- sync-cancelled — no payload
- license-activated — with the tier (free / pro / lifetime)
Muvic does not currently use a third-party analytics product (Amplitude, Mixpanel, PostHog, etc.) or a crash-reporting product (Sentry, Bugsnag, etc.). If a future version adds one, we’ll update this policy and notify you in the app before that data collection begins.
Changes to This Policy
Data Deletion
You can delete your Muvic data at any time by going to Settings → Account → Delete Account inside the app, or by deleting the folder ~/Library/Application Support/Muvic/ from your Mac.
Deleting your account from the app removes your local SQLite database and macOS Keychain entries immediately, and triggers a server-side cascade that deletes your account record, license record, usage counters, and sync history from Muvic’s Postgres database within 24 hours (target: minutes). Daily encrypted backups are retained for 7 days; deletion propagates as those backups roll off.
You can also revoke Muvic’s access to your Spotify account independently at spotify.com/account/apps. If Muvic detects that a stored Spotify token has been revoked, it stops using it on the next call.
Contact
Muvic is operated by Muvic LLC, a Colorado limited liability company. Questions about this policy? Reach out via the support channel listed on muvic.app.