ENDLESS SYNTH

Last updated: May 2026

This is a small site run by one person. We don't sell your data. Here's exactly what we collect, why, and what choices you have.

What we collect when you sign in

You can use the site without signing in. If you do sign in, we receive the following from your chosen provider (Google, GitHub, Discord, or X/Twitter):

• Account data: your name, email (where the provider exposes it), profile picture URL, and the provider's stable account ID. That's it.
• A session cookie (HttpOnly, Secure, SameSite=Lax) so we can keep you signed in.
• Last login timestamp so admins can see active users.

We do not access your contacts, posts, files, repositories, or any other data on your provider account. We do not see your password — the provider handles authentication.

What we collect when you use the site

• Vibes you save: name, description, public/private flag, and the musical state (style, key, BPM, drum/bass/arp settings).
• Comments you post on public vibes.
• Likes you give on public vibes.
• Anonymous play counts per public vibe (no per-user listening history is stored).

Advertising and analytics

We run Google Ads to grow the site. Google's tracking pixel (gtag.js) loads on every page visit. This means Google may:

• See that you visited the site and which page
• Set cookies for ad attribution and remarketing
• Use this data per their own privacy policy

If you don't want to be tracked by Google, you can block third-party scripts in your browser, use an ad blocker, or opt out via Google's ads settings page. The site works without these scripts loaded.

We do NOT use Google Analytics or other behavior-profiling analytics. The Google Ads tag is the only third-party tracker on the site.

What we do NOT collect or do

• No third-party analytics that profile your behavior on the site.
• No selling of your data to anyone.
• No precise location data.
• No private listening history (we do not log "user X played vibe Y at time Z").
• No reading of your email, contacts, or other provider account data.

Where data is stored

All user data is stored in Cloudflare D1 (a SQLite-based serverless database hosted on Cloudflare's network). Cloudflare may retain operational logs per their own privacy policy.

Who can see what

• Public vibes: visible to anyone who visits the site.
• Private vibes: visible only to you.
• Comments: visible to anyone playing the same vibe with comments enabled.
• Your email and account ID: visible only to admins (currently a single seed admin) for moderation purposes.

Account deletion

You can delete your account at any time from the Account section. This permanently removes:

• Your account record (name, email, picture, provider ID)
• All vibes you created (private and public)
• All comments you posted
• All likes you gave
• All active sessions

Deletion is immediate and cannot be undone. Note: account deletion does not retroactively delete data Google may have collected via the Ads tracking pixel — for that, see Google's privacy controls.

Cookies

We set the following first-party cookies:

• session — your sign-in session (HttpOnly, Secure, expires after 30 days).
• oauth_state / oauth_provider / oauth_pkce — short-lived (10 minutes) cookies used during the OAuth sign-in handshake to prevent CSRF.

Google's gtag.js may set its own cookies for ad attribution. These are governed by Google's privacy policy, not ours.

Third parties

• OAuth sign-in providers (Google, GitHub, Discord, X/Twitter) — used only for sign-in. We send them your auth code; they send us back your basic profile.
• Google Ads — the gtag.js tracking pixel for ad campaign measurement.
• Cloudflare — hosts the site and the database. Their privacy policy applies to network-level data.
• Buy Me a Coffee — if you click the tip link, you leave our site and are subject to BMC's privacy policy. We do not see your payment details.
• Tone.js — JavaScript library that runs in your browser to generate the audio. Loaded from cdnjs.cloudflare.com. Does not phone home.

GDPR / CCPA

If you are in the EU/UK or California, you have rights to access, correct, and delete your personal data. The simplest way to exercise those rights is via the in-app account deletion feature. For other requests, email [email protected].

Children

Not directed at children under 13. Don't use this site if you're under 13.

Changes

If this policy changes meaningfully, we'll update the "Last updated" date at the top.