Privacy Policy

Last updated: 20 May 2026

The short version. StreamSwap has no user accounts and stores no personal data. We hold a third-party access token only while your transfer is running, then delete it. We don't sell, share, or use your data for advertising — there is nothing to sell.

1. Who we are

StreamSwap is a free tool that copies a playlist from one streaming service (Spotify, YouTube Music, TIDAL, Apple Music) to another. This policy explains what data the service handles and how. It applies to https://streamswap.app.

2. Information we collect

We deliberately collect as little as possible. The service has no sign-up, no login, no profile, and no analytics tracking script.

Playlist URL you paste. Used in-memory to fetch the source playlist's public track list from the source platform's API. Not stored.
OAuth tokens for the destination platform. When you authorize the destination service in the popup, our server receives an access token (and, for Spotify and Google, a refresh token) from the platform and immediately forwards them to your browser tab. The access token is then re-sent to our server attached to your transfer request and held in temporary storage (Redis) only for the duration of that job, after which it is deleted. The refresh token is held in browser memory only for the current tab — never written to a cookie, localStorage, or any other persistent store — and is sent back to the server during the same transfer solely so we can mint a new access token if yours expires mid-transfer (long playlists). Closing the tab discards it; we never persist refresh tokens on the server.
Session cookie. A single HTTP-only session cookie tracks the OAuth handshake state (e.g. the PKCE verifier for TIDAL) so the popup callback can complete. The cookie is required for OAuth to work and contains no profile data.
Server logs. Our hosting provider records standard request metadata (IP, timestamp, path, user-agent) for normal abuse-prevention and uptime monitoring. We do not join these logs to any other data.

We do not collect: your name, your email, the contents of your library, your listening history, your account on any streaming service beyond the playlist being transferred, payment information, or any analytics events.

3. What each streaming service sees, and what we ask for

StreamSwap requests the narrowest practical permission on each destination platform — only what is required to create the new playlist and add the matched tracks.

Spotify. OAuth scopes requested: playlist-modify-public and playlist-modify-private. With your authorization we use them to create one new playlist in your account and add the tracks you reviewed. We do not read, modify, or follow any of your existing playlists, library, listening history, top items, or profile, and we never request scopes that would allow that.

YouTube (Google). OAuth scope requested: https://www.googleapis.com/auth/youtube. With your authorization we use it solely to create one new playlist on your YouTube channel and insert the matched videos into it. We do not read your subscriptions, watch history, comments, channel analytics, or any uploaded content; we do not request the youtube.upload scope and cannot upload videos. Reads of public YouTube search results are performed with an application API key — they do not touch any user account.

TIDAL. OAuth scopes requested: playlists.read and playlists.write. Used only to create one new playlist and add the matched tracks. We do not access your library, favourites, or listening data.

Apple Music. A Music User Token is issued in your browser by Apple's MusicKit JS SDK after you tap "Authorize". The token is sent to our server only to call Apple's create-playlist and add-tracks endpoints. We do not access your library, history, or recommendations.

4. Google API Services — Limited Use

StreamSwap's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

Data obtained via the YouTube Data API is used only to provide and improve the user-facing feature you invoked (creating the destination playlist).
We do not transfer Google user data to third parties except as necessary to provide or improve user-facing features that are visible from the requesting application's user interface, to comply with applicable law, or as part of a merger or acquisition with appropriate notice to users.
We do not use Google user data to serve advertisements (including retargeted or personalised ads).
We do not allow humans to read Google user data unless we have your affirmative consent for specific data, it is necessary for security purposes, to comply with applicable law, or the data is aggregated and used for internal operations in accordance with the policy.
We do not use Google user data to develop, improve, or train generalised or non-personalised AI/ML models.

By using StreamSwap's YouTube functionality you agree to be bound by the YouTube Terms of Service and the Google Privacy Policy.

5. Sub-processors and infrastructure

Hosting. The service runs on Render (cloud infrastructure) and Redis Cloud. These providers process traffic on our behalf but have no independent access to your transferred playlists.
Streaming-platform APIs. Spotify, YouTube / Google, TIDAL, and Apple each see the request StreamSwap makes on your behalf. Each provider's privacy policy and terms govern that interaction: Spotify, Google / YouTube, TIDAL, Apple.

6. Caching

To make searches fast, the service keeps an anonymous cache of "track name + artist → best match on each platform" in Redis for up to 30 days. The cache is keyed by song metadata only — it contains no user identifier, no IP, no OAuth token, and is shared globally across all users. You cannot be re-identified from it.

7. How long we keep things

OAuth access tokens: held only while the transfer job is running, then deleted.
Session cookie: cleared when you close your browser, or earlier when the OAuth handshake completes.
Server access logs: retained by the hosting provider per their standard retention.
Search cache: 30 days, anonymous.

8. What we never do

We do not sell, rent, or share your data with third parties for advertising or any other purpose.
We do not use your data to train AI models.
We do not modify your existing playlists or library beyond creating the new playlist you explicitly asked for.
We do not run analytics, fingerprinting, or behavioural tracking.

9. Your rights

Because we don't store identifying data, there is nothing per-user to access, export, or delete. If you want to revoke StreamSwap's permission on any platform, do so directly in that platform's account settings:

Spotify: Account → Apps that can access your data
Google / YouTube: Third-party apps with account access
TIDAL: Account → Connections
Apple Music: System settings → Apple Account → Sign-In & Security

10. Children

StreamSwap is not directed at children under 13 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect data from children.

11. Changes

If this policy materially changes we will update the date at the top of the page. Continued use of the service after a change means you accept the updated policy.

12. Contact

Questions about privacy: support@streamswap.app.