Privacy

We keep this project lean: no cookies, no analytics pixels, no tracking beacons.

What we store
  • Submitted track metadata from Spotify oEmbed (id, canonical URL, title, artist, thumbnail, label, created_at).
  • Elo ratings and game counts per track.
  • Short-lived rate limit counters keyed by a hashed IP+UA bucket.
  • Optional signed login assertion if you complete Spotify OAuth (kept client-side in sessionStorage).
  • For charts: public playlist tracks fetched via Spotify Web API using client credentials.

What we do not store
  • No analytics events, no long-lived profiles by default.
  • No cookies unless you add them later; current flow is cookie-free.

Embeds and Spotify

Spotify iframes come from spotify.com. Spotify may collect usage or playback data according to their policies. Visit Spotify's privacy policy for details.

Rate limiting

Requests are rate limited using a rotating HMAC key derived from IP, user agent, and the current hour bucket. Counters expire automatically.
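
One way to build the hashed bucket described above, as an added example that is not this project's own code. It assumes the counter key is an HMAC-SHA256 over IP, user agent and hour index under a server secret; the secret, the limit, the function names and the in-memory store are all hypothetical.

```python
import hashlib
import hmac
import time

SERVER_SECRET = b"constructed-demo-secret"  # assumption: placeholder, load from a secret store
LIMIT_PER_HOUR = 3                           # assumption: the page states no limit


def bucket_key(ip, user_agent, now, secret=SERVER_SECRET):
    """Return an opaque counter key for (ip, user agent, hour bucket)."""
    hour = int(now // 3600)
    # Length-prefix each field so ("1.2", "3") and ("1.", "23") cannot collide.
    msg = b"".join(
        len(part).to_bytes(4, "big") + part
        for part in (ip.encode(), user_agent.encode(), str(hour).encode())
    )
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class RateLimiter:
    """In-memory counters; each entry expires at the end of its hour bucket."""

    def __init__(self, limit=LIMIT_PER_HOUR):
        self.limit = limit
        self._counters = {}  # bucket key -> (count, expiry timestamp)

    def allow(self, ip, user_agent, now=None):
        now = time.time() if now is None else now
        # Drop expired buckets so no client-derived key outlives its hour.
        self._counters = {k: v for k, v in self._counters.items() if v[1] > now}
        key = bucket_key(ip, user_agent, now)
        end_of_hour = (int(now // 3600) + 1) * 3600
        count, expiry = self._counters.get(key, (0, end_of_hour))
        if count >= self.limit:
            return False
        self._counters[key] = (count + 1, expiry)
        return True

    def stored_keys(self):
        """What the store actually holds: HMAC digests, never the raw IP or UA."""
        return list(self._counters)
```

Because the hour index is part of the HMAC input, the same client maps to an unrelated key in the next hour, so counters cannot be linked across buckets without the server secret.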

Disconnecting

Use the “Log out” button to clear the assertion token in your browser. We do not persist long-lived user sessions.