Privacy Policy
SoSync — Music Link Converter
Last updated: March 15, 2026
1. Introduction
This Privacy Policy describes how SoSync ("we," "us," or "our") collects, uses, stores, shares, and protects your personal information when you use the SoSync application, website, and related services (the "Service").
By using SoSync, you agree to the collection and use of information in accordance with this Policy. If you do not agree, please do not use the Service.
2. Data Controller
Contact: help@sosync.online
3. Information We Collect
3.1 Information You Provide
- Account Registration Data: username, email address, and password.
- Profile Information: avatar image, preferred language, and country.
3.2 Third-Party Authentication
When you sign in via Google, Spotify, Yandex, or Telegram, we receive and store your provider identity (provider name and user ID), OAuth tokens for authentication, and basic profile data (e.g., display name, email, avatar URL).
We do not access your playlists, listening history, saved tracks, or any other content from your third-party accounts beyond what is needed for authentication.
3.3 Automatically Collected Information
- Conversion Data: source URLs you submit, the originating platform, and the resulting converted links and preview metadata (track title, artist name, album art URL).
- Usage Metadata: timestamps, conversion view counts, and request frequency for rate limiting.
- Technical Data: IP address (used for rate limiting and abuse prevention — not stored persistently), request timing, and standard HTTP headers.
3.4 Information We Do NOT Collect
- We do not collect music files, audio content, or streaming data.
- We do not access your playlists or listening history on any third-party service.
- We do not use tracking cookies, advertising identifiers, or third-party analytics trackers.
- We do not sell, rent, or trade your personal data to any third party.
4. How We Use Your Information
| Purpose | Legal Basis (GDPR) |
|---|---|
| Account creation and authentication | Performance of contract / Consent |
| Music link conversion | Performance of contract |
| Conversion history | Legitimate interest |
| Rate limiting and abuse prevention | Legitimate interest |
| Account-related emails (verification, OTP codes) | Performance of contract |
| Maintaining and improving the Service | Legitimate interest |
| Complying with legal obligations | Legal obligation |
We do not use your data for automated decision-making or profiling.
5. Third-Party Services and Data Sharing
5.1 Music Platform APIs
To perform conversions, we query APIs from Spotify, Apple Music, YouTube / YouTube Music, Yandex Music, Deezer, and MusicBrainz. We send only minimal track metadata (title, artist, ISRC) — never your personal data. We store only resulting links and preview metadata.
5.2 Authentication Providers
Google OAuth 2.0, Yandex OAuth 2.0, and Telegram Login Widget are used for sign-in. Each provider's own privacy policy governs how they handle your data.
5.3 Security Services
Cloudflare Turnstile is used for CAPTCHA verification during registration. Cloudflare may collect technical data during verification. See Cloudflare's Privacy Policy.
5.4 Email Services
We use a third-party email delivery provider to send transactional emails (account verification, one-time passcodes). Your email address is shared solely for delivery purposes.
We do not share your personal data with advertisers, data brokers, or marketing services.
6. Data Storage and Retention
| Data Type | Retention Period |
|---|---|
| User account data | Until you delete your account |
| OAuth tokens | Until you disconnect the provider or delete your account |
| Conversion history | Until you delete your account |
| Temporary tokens, rate-limiting data, OTP codes | Automatically expire after a short period |
Upon account deletion, we will delete or anonymize your personal data within 30 days, except where required by law.
Security Measures
- Passwords are cryptographically hashed and never stored in plaintext.
- Authentication tokens have limited lifetimes and are revocable.
- Rate limiting and CAPTCHA protect against abuse.
- Access controls restrict data to authorized users and systems.
- HTTPS/TLS encryption for all data in transit.
7. Your Rights
GDPR (EU/EEA)
- Access — request a copy of your personal data.
- Rectification — request correction of inaccurate data.
- Erasure — request deletion of your data.
- Restriction — limit how we process your data.
- Portability — receive your data in a machine-readable format.
- Object — object to processing based on legitimate interests.
- Withdraw Consent — at any time where processing is based on consent.
CCPA (California Residents)
- Right to Know — what personal information we collect and disclose.
- Right to Delete — request deletion of your information.
- Right to Opt-Out — we do not sell personal information.
- Non-Discrimination — we will not discriminate against you for exercising your rights.
To exercise your rights, contact help@sosync.online. We will respond within 30 days.
8. Children's Privacy
The Service is not directed to children under 16. We do not knowingly collect data from children. If you believe a child has provided us with personal information, contact us and we will delete it promptly.
9. International Data Transfers
Your data may be transferred across international borders. We apply appropriate safeguards to ensure protection in accordance with this Policy and applicable law.
10. Cookies and Local Storage
SoSync uses one functional cookie (sidebar:state, 7-day duration) for UI preference. We do not use advertising, analytics, or third-party tracking cookies.
Authentication tokens and a cached user profile are stored in your browser's local storage. This data stays on your device and is not shared. You can clear it by logging out.
11. Changes to This Policy
We may update this Policy. Material changes will be announced via an updated date, email notification, or in-app notice. Continued use after changes constitutes acceptance.
12. Data Breach Notification
In the event of a breach, we will notify the relevant supervisory authority within 72 hours (where required by GDPR) and affected users without undue delay.