clockit.

privacy.

last updated · 26 May 2026

clockit is operated by Ashok Bania as an individual (“we”, “us”). This policy describes what personal information we collect when you use clockit.space, how we use it, and the rights you have over it. For any privacy question, write to privacy@clockit.space.

1. What we collect

Account information

  • Your email address (required to sign up; used to authenticate you and send transactional email).
  • A password hash (if you sign up with email) or your Google identity (if you sign in with Google), both managed by our authentication provider, Supabase.

Profile information

  • Your handle (username), display name, optional bio, optional location, optional “era” tag, and optional avatar.

User-generated content

  • The drops you publish (a track plus your commentary), the drops you like, who you follow, and your profile customizations. All of this is public-by-default to other clockit users. clockit is a social platform, and that is how the service is meant to work.

Spotify data (if you connect Spotify)

  • Your Spotify user identifier, the email associated with your Spotify account, and basic profile information.
  • An OAuth refresh token issued by Spotify. We store it encrypted, server-side, and use it only to make Spotify API calls on your behalf as part of clockit’s features.
  • Track metadata (titles, artists, albums, artwork) for any tracks you reference in drops.

Google data (if you sign in with Google)

  • Your Google email address, name, and profile picture, via the openid, email, and profile scopes.

Technical data

  • Server logs from our hosting providers (IP address, user agent, request paths). We use these only to operate, secure, and debug the service.
  • We do not use third-party analytics or tracking pixels at this time. If we add any in the future, we’ll update this policy.

2. How we use information

  • To authenticate you and maintain your session.
  • To provide the service: display drops, follows, and likes; search tracks via Spotify; save tracks to your Spotify library when you tap “save”; surface your public content to other users.
  • To send transactional emails (sign-up confirmation, password reset).
  • To detect and prevent abuse, fraud, and security issues.

We do not use your data for advertising or ad-targeting, and we do not sell your data to anyone.

3. Spotify integration, specifically

clockit uses the Spotify Web API. When you connect your Spotify account:

  • We request access only to the scopes we need (your identity, basic profile, and the ability to write to your library when you initiate a save). We do not read your full listening history, your full library, your private playlists, your follows on Spotify, or any other data that isn’t needed for clockit to function.
  • We never post or write to your Spotify account on your behalf without you initiating the action. The only write operation we perform is “save to library,” and only when you tap save on a specific drop.
  • You can revoke clockit’s access at any time, from either side:
    • In clockit, from settings → streaming → disconnect.
    • In Spotify, from spotify.com/account/apps.
  • When you disconnect Spotify, or when you delete your clockit account, we delete the stored Spotify refresh token immediately.

4. Google integration, specifically

If you choose to sign in with Google, clockit uses Google OAuth to authenticate you. We request only the openid, email, and profile scopes, which give us your Google email, your name, and your profile picture.

We do not access Gmail, Google Drive, Google Calendar, Google Contacts, or any other Google service. We do not request any sensitive or restricted scopes.

clockit’s use of information received from Google APIs adheres to Google’s API Services User Data Policy, including the Limited Use requirements applicable to the scopes we use.

5. How we share information

Other clockit users

Your public profile information (your handle, display name, bio, drops, follows, and likes) is visible to anyone who can see your profile. clockit is a social application; that visibility is the point.

Sub-processors we use

We rely on a small number of third-party services to operate clockit. Each receives only the data it needs to perform its function:

  • Supabase handles authentication and database hosting (US region).
  • Vercel handles web hosting, DNS, and CDN.
  • Resend handles outbound transactional email delivery.
  • Spotify and Google receive only the data you have authorized clockit to access via OAuth.

We do not share your data with advertisers, data brokers, or third parties for marketing purposes.

Legal requests

If we receive a valid, legally compelled request (subpoena, warrant, or equivalent), we may disclose data to the extent required. We push back on requests that appear overbroad.

6. Data retention and deletion

We retain your data while your account is active.

Account deletion (V1 limitation): a self-serve account-deletion flow is on our roadmap but is not yet built. To delete your account today, email privacy@clockit.space from the address associated with your account, and we will process the deletion within 30 days. Deletion removes your authentication record, your profile, your drops, your follows, your likes, and your stored Spotify refresh token.

7. Your rights

You can request to access, correct, delete, or export your data by emailing privacy@clockit.space. We respond within 30 days.

If you are in the European Union, EEA, or United Kingdom, you have additional rights under the GDPR (UK GDPR / EU GDPR), including the right to object to processing, the right to portability, and the right to lodge a complaint with your national data protection authority.

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA), including the right to know what categories of personal information we collect, the right to deletion, and the right to non-discrimination for exercising those rights. Use the same email address above.

8. Security

We use industry-standard measures to protect your data: HTTPS for all traffic, encrypted credentials at rest, restricted administrative access, and security review of our code. No system is perfectly secure. If we become aware of a material breach affecting your data, we will notify affected users in accordance with applicable law.

9. Children

clockit is intended for users aged 13 and older (in the United States, per COPPA). If you are in the European Union, the EEA, or the United Kingdom, you must be at or above the age of digital consent in your country (typically 16, lower in some member states). We do not knowingly collect personal data from anyone below the applicable age. If you believe a child has provided us their data, email privacy@clockit.space and we will delete it promptly.

10. International data transfers

clockit’s data is hosted in the United States. If you access clockit from outside the United States, your data will be transferred to and processed in the United States. By using clockit, you consent to this transfer.

11. Changes to this policy

We will post material changes to this page and update the “Last updated” date at the top. For significant changes, we will attempt to notify you in-app or by email.

12. Contact

Questions, requests, or concerns related to this policy or your data: privacy@clockit.space.

clockit · 2026 · privacy@clockit.space