Endless Music ("the Application") is an open-source AI-powered playlist studio that creates Spotify playlists using AI language models. It is operated by ARDW (ardw.net).
1. Data We Do NOT Collect
The Application has no user accounts, no database, and no server-side storage of user data. We do not collect, sell, or share any personal information. There are no analytics, no tracking pixels, no third-party advertising scripts, and no cookies.
2. Data Stored in Your Browser
The following data is stored in your browser's localStorage. This data never leaves your device except as described in Section 3.
- Spotify OAuth tokens — access token and refresh token from the Spotify authorization flow, used to search tracks and create playlists in your Spotify account.
- Spotify user profile — your display name and email, fetched from Spotify after authorization, shown in the settings page.
- AI API keys — your OpenAI, Anthropic, or custom provider API keys, entered by you in the settings page.
- Playlist session data — in-progress playlist state (tracks, journey plan, briefs) to allow resuming after page reload. Auto-expires after 24 hours.
- Preferences — selected quality tier and provider configuration.
You can delete all stored data at any time by clearing your browser's localStorage for this site, or by using the disconnect/delete options in the settings page.
3. Data Transmitted to Third Parties
When you use the Application, the following data is sent to third-party services:
- Your AI API key — sent from your browser to our Cloudflare Workers server in a request header, then forwarded to your chosen AI provider (OpenAI, Anthropic, or your custom endpoint) to generate playlist plans and evaluate tracks. Your API key is never stored, logged, or persisted on our server. It exists only in memory for the duration of each request.
- Your Spotify access token — sent from your browser to our server in a request header, used by our server to search Spotify's catalog on your behalf during playlist building. Also used directly from your browser to create playlists and add tracks.
- Playlist description and seed songs — sent to our server, then included in prompts sent to your AI provider. This is the text you type when describing your playlist vision.
4. Third-Party Services
The Application communicates with the following external services:
- Spotify Web API (developer.spotify.com) — for track search, playlist creation, and user authentication. Governed by Spotify's Privacy Policy.
- OpenAI API or Anthropic API (depending on your choice) — for AI language model inference. Your prompts and playlist descriptions are sent to these services using your own API key. Governed by their respective privacy policies.
- Last.fm API (last.fm/api) — for music similarity data, artist information, and genre tags. No user data is sent to Last.fm; only track/artist names for lookup.
- MusicBrainz API (musicbrainz.org) — for music metadata and genre information. No user data is sent.
- Tavily Search API (tavily.com) — for web search about music context during seed analysis. Search queries are derived from track/artist names, not personal data.
- Cloudflare Pages (pages.cloudflare.com) — for hosting and serverless function execution. Standard Cloudflare infrastructure logging applies as described in Cloudflare's Privacy Policy.
5. Spotify Authorization
The Application uses Spotify's OAuth 2.0 PKCE flow for authorization. This means:
- No client secret is used or stored — the flow is entirely browser-based.
- You authorize the Application directly with Spotify. We request the minimum scopes needed: playlist-modify-public, playlist-modify-private, user-read-private, and user-read-email.
- You can revoke access at any time in your Spotify account settings.
6. AI API Key Security
Your AI API key is your responsibility. The Application stores it in your browser's localStorage and sends it to our server only when you initiate a playlist generation. Our server uses it for a single request to your AI provider, then discards it. We recommend:
- Using API keys with spending limits set at your provider.
- Revoking keys if you suspect compromise.
- Not sharing your browser with untrusted parties while keys are stored.
7. Children's Privacy
The Application is not intended for use by children under 13. We do not knowingly collect data from children.
8. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the Application after changes constitutes acceptance.
9. Contact
For questions about this Privacy Policy, contact dev@ardw.net.