Who we are
CrateSense is operated by the SoilNerd team. For any privacy questions contact [email protected].
Data we collect
- Account: email address, DJ name (optional), login tokens.
- Social login: profile basics returned by the provider (e.g., name, email, profile ID).
- Library metadata: when you sync, the local agent sends derived metadata about your tracks (artist, title, duration, audio fingerprint, identifiers like ISRC or catalog number). No audio files, file paths, or binary data are transmitted — only mathematical derivatives and factual metadata.
- Audio fingerprints: short, non-reversible mathematical hashes computed from your audio files locally. These cannot be used to reconstruct or play back the original audio. They are used solely for track identification and deduplication.
- Device & app events: OS type/version, app version, timestamps of onboard/scan/sync actions.
- Service logs: IP address, user agent, request metadata for security/abuse prevention.
How we use data
- Authenticate users and deliver download links.
- Operate the catalog, discovery, and sync services.
- Aggregate derived metadata across users to build and maintain a shared music identity database. This improves catalog accuracy, identity resolution, and recommendation quality for all users. Only factual metadata and fingerprints are aggregated — never audio files or file paths.
- Security (fraud/abuse detection) and service analytics.
- Support and issue resolution.
Sharing
We do not sell data. We share only with processors that help us operate the service (e.g., email delivery, Cloudflare edge). We will disclose if required by law or to protect the service.
Retention
Account and auth data are retained while your account is active. Operational logs are kept for up to 90 days unless required for security investigations. You can request deletion at any time.
Your choices
- Request a copy or deletion of your data: [email protected].
- Disable catalog contribution in your account settings to stop your metadata from entering the shared database. You will still receive recommendations, though quality may be reduced.
- Request erasure of your observation records. When you do, we delete all records linking your account to specific tracks in the shared database, adjust aggregate counters, and remove your contribution attribution. Factual metadata about musical works (artist names, titles, identifiers) that has been independently confirmed by other users will remain.
- Revoke social-login access via your identity provider.
- Uninstall local agents to stop device telemetry.
Security
Transport is protected with HTTPS. Access requires authenticated tokens. Production data is access-controlled.
Cookies and local storage
The CrateSense web app uses session/local storage for auth tokens and basic preference caching. The web app does not set advertising cookies.
Advertising (Free tier, mobile apps only)
The CrateSense mobile apps (Android and iOS) show advertising to Free-tier users via Google AdMob. AdMob may collect device identifiers, IP address, and basic usage signals to serve relevant ads and measure performance. Paid and Pro tiers are ad-free; the Free tier’s server-side ad resolver, mobile-side renderer, and underlying SDK are all suppressed for non-Free accounts so no ad requests or identifiers are sent on their behalf.
Details of how Google handles this data are in the Google Advertising Policies and the AdMob data disclosure guide.
Users in the EU/EEA, UK, and Switzerland are shown a consent prompt before any personalised ads or measurement identifiers are used. Declining consent disables personalised advertising but does not affect other app functionality. Users under 13 (or the local age of digital consent) are not eligible for the Free advertising tier; ads are not served to accounts flagged as child-directed.
The CrateSense desktop / browser web app does not show advertising and does not initialise the AdMob SDK.
External-feed connectors (Pro DJ)
Pro DJ users can connect personal accounts at external services (YouTube Music, last.fm, and future providers) so CrateSense can pull personalised feeds — your Liked Songs, Discover Mix, Loved Tracks, recently played, and similar — and resolve them against your local library. Playback always happens on the local file you own; nothing streams from the source service.
- What we read: only your personal listening data exposed by the service's API for that feed (e.g., the list of tracks you've liked). We do not request broader scopes, profile data, or any social graph.
- What we never do: we never write, like, follow, subscribe, modify your playlists, or change any setting on your account at the source service. The connectors are strictly read-only as far as the upstream account is concerned.
- Where credentials live: the OAuth tokens or API key + username you provide are encrypted at rest with a device-scoped key on your CrateSense agent (ChaCha20-Poly1305 authenticated encryption). They are never sent to our cloud, never logged, and never shared with third parties.
- How feed data is stored: the per-feed snapshot (track titles + artists + provider IDs) is cached in your agent's local SQLite database so the UI works offline and refresh runs in the background. It is not uploaded.
- Disconnecting: use Settings → Connectors → External Feeds → Disconnect to wipe the encrypted credentials immediately. You can also revoke CrateSense's access from the source service's own account-security page; the agent will surface "needs reauth" on the next refresh attempt.
Contact
Email: [email protected]