Politica de Privacidad

Track Flipper is operated as an independent service. For all matters related to your personal data, you can contact us at:

Email: hello@trackflipper.com

Website: trackflipper.com

We collect different categories of data depending on how you use Track Flipper:

2.1 Account Data (registered users)

• Email address — used for authentication, email verification, password resets, and transactional emails (welcome email).
• Password — stored as a salted hash by our authentication provider (Supabase Auth). We never store or have access to your plaintext password.
• Display name — a user-chosen name shown to swap partners. If not provided, we derive it from the part of your email before the @ symbol.
• Profile data — including flip completion count, trust score, and account creation date.

2.2 Flip and Track Data

• Audio files — the tracks you upload for flipping or to your personal library (WAV, MP3, FLAC, and other audio formats, up to 180 MB per file).
• Audio metadata — extracted automatically during analysis: file name, file size, duration, format, codec, bitrate, sample rate, bit depth, channel count.
• Audio analysis results — spectral analysis data, frequency range, spectral ceiling, peak frequencies, waveform data, rip detection results, and spectrogram images. This is generated server-side using FFmpeg and FFprobe.
• Preview files — lower-quality MP3 previews (192 kbps, up to 90 seconds) generated from your uploaded tracks so swap partners can listen before approving.
• Flip metadata — flip title, message, status, approval timestamps, download flags, expiration time, flip type (private or open), and short codes for shareable links.

2.3 Library Data (registered users)

• Library tracks — audio files stored in your personal library (up to 50 tracks).
• Folders — folder names and organization of your library tracks.

2.4 Session and Technical Data

• Session ID — a randomly generated UUID stored in an HTTP-only cookie. This identifies anonymous (non-registered) users and links them to their flips without requiring an account.
• Party tokens — unique tokens assigned to each side of a flip for identity verification, stored in cookies.
• IP address — used for rate limiting to prevent abuse. We do not store IP addresses persistently.

We use the data we collect for the following purposes:

• Providing the service — facilitating flips, processing uploads, generating previews and analysis, managing your library.
• Authentication — account creation, login, email verification, and password resets.
• Communication — sending transactional emails (verification, password reset, welcome email). We do not send marketing emails.
• Quality assurance — audio analysis and rip detection to help users evaluate track quality.
• Abuse prevention — rate limiting based on IP addresses to prevent spam and misuse.
• Real-time updates — broadcasting flip status changes to connected clients via WebSocket so both parties see updates immediately.

We process your personal data based on the following legal grounds:

• Contract performance (Art. 6(1)(b)) — processing necessary to provide the Track Flipper service, including account management, flip facilitation, file storage, and audio analysis.
• Legitimate interest (Art. 6(1)(f)) — rate limiting and abuse prevention to protect the service and its users; session management to enable anonymous flipping.
• Consent (Art. 6(1)(a)) — where you voluntarily create an account and provide your data. You may withdraw consent at any time by deleting your account.

We use the following third-party services to operate Track Flipper. Each acts as a data processor under GDPR:

5.1 Supabase

Purpose: Authentication, database (PostgreSQL), file storage (Supabase Storage), and real-time broadcasting.

Data stored: User accounts, profiles, tracks metadata, flip data, audio files, preview files, and spectrogram images.

Location: Supabase infrastructure. See Supabase Privacy Policy.

5.2 Vercel

Purpose: Application hosting, serverless function execution (including audio analysis and preview generation).

Data processed: HTTP requests, server-side audio processing (temporary — files are deleted from the server after analysis). Vercel may collect standard web server logs.

See Vercel Privacy Policy.

5.3 Resend

Purpose: Transactional email delivery (verification emails, password resets, welcome emails).

Data shared: Email address and display name (for personalization).

See Resend Privacy Policy.

5.4 Upstash

Purpose: Rate limiting via Redis to prevent abuse.

Data stored: Hashed IP addresses and request counts (temporary, expires automatically).

See Upstash Privacy Policy.

Audio files you upload are stored in Supabase Storage in two buckets:

• tracks — original audio files, organized by flip ID.
• previews — generated MP3 previews and spectrogram images.

When you upload a track, our server downloads it temporarily to perform analysis using FFmpeg and FFprobe. This server-side processing extracts audio metadata, generates spectral analysis data, creates a waveform visualization, performs rip detection (checking if a lossless file was transcoded from a lossy source), generates a spectrogram image, and creates a lower-quality preview clip. All temporary files are deleted from the server immediately after processing.

Original files are only downloadable by authorized flip participants after both parties have approved the flip. Preview files are accessible to flip participants during the review process.

Track Flipper uses the following cookies:

• session_id — an HTTP-only, secure, strict SameSite cookie containing a random UUID. Used to identify anonymous users and associate them with their flips. Expires after 1 year.
• Supabase authentication cookies — managed by Supabase Auth to maintain your login session. These are strictly necessary for the service to function.
• Party token cookies — used to identify which side of a flip you are on. Essential for the flipping process.
• Locale preference — set by next-intl to remember your language preference.

We do not use any analytics, advertising, or tracking cookies. All cookies we use are strictly necessary for the service to function.

• Flip data — flips expire 48 hours after creation if not completed. Expired flip data and associated files may be deleted periodically.
• Account data — retained for as long as your account exists. You may request deletion at any time (see Your Rights below).
• Library tracks — stored until you delete them or request account deletion.
• Temporary processing files — audio files downloaded for server-side analysis are deleted immediately after processing completes.
• Rate limiting data — request counts expire automatically within minutes.

If you are in the European Economic Area (EEA), you have the following rights regarding your personal data:

• Right of access — you may request a copy of all personal data we hold about you.
• Right to rectification — you may update your display name through your profile page, or contact us to correct other data.
• Right to erasure ("right to be forgotten") — you may request the deletion of your account and all associated data, including your profile, library tracks, and flip history. Contact us at hello@trackflipper.com to request deletion.
• Right to data portability — you may request a machine-readable export of your personal data. You can also download your library tracks at any time from your profile.
• Right to restrict processing — you may request that we limit how we use your data in certain circumstances.
• Right to object — you may object to the processing of your data based on our legitimate interests.
• Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at hello@trackflipper.com. We will respond to your request within 30 days.

You also have the right to lodge a complaint with a supervisory authority. In Hungary, this is the National Authority for Data Protection and Freedom of Information (NAIH).

We implement appropriate technical and organizational measures to protect your personal data:

• All data transmitted between your browser and our servers is encrypted using TLS (HTTPS).
• Passwords are hashed using bcrypt with salting by Supabase Auth — we never store or access plaintext passwords.
• Session cookies are HTTP-only, secure, and use strict SameSite policy to prevent cross-site attacks.
• File access is controlled through signed URLs and token-based authorization — original tracks are only downloadable after mutual approval.
• Rate limiting is applied to prevent brute-force attacks and abuse.
• Database access uses role-based authentication with row-level security policies.

Our service providers (Supabase, Vercel, Resend, Upstash) may process data outside the European Economic Area. Where this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or the service provider's compliance with recognized data protection frameworks.

Track Flipper is not intended for use by children under the age of 16. We do not knowingly collect personal data from children. If you believe a child under 16 has provided us with personal data, please contact us at hello@trackflipper.com and we will promptly delete it.

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make significant changes, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically.

Continued use of Track Flipper after changes are posted constitutes your acceptance of the updated policy.

If you have any questions about this Privacy Policy, your personal data, or wish to exercise your rights, contact us at: