Effective date: 20 June 2026

Privacy Policy

What WeDig.fyi collects, why, and the rights you have over your data.

1. Who is responsible for your data

Nanas Sound OÜ (registry code 16028176, VAT EE102880584), Tallinn, Estonia, is the data controller for personal data processed through WeDig.fyi. Contact: asep@wedig.fyi.

2. Our approach

We try to collect as little personal data as possible. We do not sell your data, we do not use advertising trackers, and we do not set third-party tracking cookies.

3. What we collect and why

a) Account data (if you create an account)

Your email address, to create your account, send sign-in links, and contact you about your account; an optional password, stored only as a secure bcrypt hash (we never store your password in plain text); and account timestamps such as when you confirmed your account and sign-in token metadata. Legal basis: performance of a contract (providing your account) and our legitimate interest in keeping accounts secure.

b) Crates you create

The prompts you enter and the crates generated for you (title, summary, track list, rationales). If you have an account, saved crates are linked to it. If you do not, an unsaved crate is temporarily linked to a random browser-session identifier so you can recover it after a refresh or after signing in. Legal basis: performance of a contract and acting on your request.

c) Usage and metering data

A random "dig session" identifier stored in your browser session, and counts of how many discovery requests you have made, so we can enforce daily limits and prevent abuse. For visitors without an account this is tied to the session identifier and the date; for accounts it is tied to your account. Legal basis: our legitimate interest in running a fair, sustainable service and preventing abuse.

d) Technical and log data

Standard server and infrastructure logs that may include IP addresses, request times, and basic browser information, used to operate and secure the service (for example to sign session cookies and protect against request forgery). We use a session cookie that is necessary for the site to function. We do not use this data to build advertising profiles of you. Legal basis: our legitimate interest in the security and operation of the service.

e) Purchase data (if you buy dig packs)

When you buy a dig pack, payment is handled by our payment provider, Polar (see clause 5); we do not see or store your card details. We do keep a record of the purchase linked to your account — such as the pack bought, the digs granted, and the provider's order reference — so we can deliver your digs, keep an accurate balance, and prevent duplicate fulfilment. Legal basis: performance of a contract and our legal obligation to keep accounting records.

f) Analytics

In production we use Plausible Analytics, a privacy-friendly, cookieless analytics tool, to understand aggregate usage such as page views. Plausible does not use cookies and does not collect data that identifies you. Legal basis: our legitimate interest in understanding and improving the service.

g) Music-service export data (if you export a crate)

If you choose to export a crate to Apple Music, your browser asks you to authorize with Apple and then obtains a temporary Music User Token, which it sends to us together with your Apple Music storefront (your region, such as "us" or "gb") so we can build the playlist in your library on your behalf. We use the token only to perform that one export and do not store it for later use. Legal basis: performance of a contract and acting on your request.

We do not knowingly collect device fingerprints, precise geolocation, advertising identifiers, or browsing history beyond what is described above.

4. Cookies and local storage

  • A session cookie that is strictly necessary for the site to work (sign-in and security/anti-forgery).
  • Your theme preference (light, dark, or system) is stored in your browser's local storage and is not sent to us.
  • We do not use advertising or cross-site tracking cookies. Plausible analytics is cookieless.
  • If you use the Apple Music export, your browser loads MusicKit JS from Apple's CDN to authorize you. Apple may set its own storage or cookies in your browser as part of that flow, under Apple's control and privacy policy.

5. Third parties that receive or process data

To run the service, limited data is shared with:

  • Mistral AI: your discovery prompt and the searches derived from it are sent to Mistral's language-model API to plan and rank results. Please do not include personal or sensitive information in prompts.
  • MusicBrainz, Discogs, ListenBrainz: we send track and artist search terms to these music-data services to fetch metadata. These terms are derived from your prompt, not from your identity.
  • Apple Music (Apple Inc.): only if you choose to export a crate. Apple receives your authorization and Music User Token, your storefront (region), the track artist and title (or Apple catalog IDs) we use to match each song, and the name, description, and matched track IDs of the playlist we create in your library. Apple processes this under its own terms and privacy policy.
  • Polar (Polar Software Inc.): our payment provider and merchant of record for dig-pack purchases. When you check out, Polar receives your email address and the payment details you enter, and processes your payment under its own terms and privacy policy. Your card details go to Polar, not to us.
  • Scaleway (Transactional Email): sends our account and sign-in emails; receives your email address and the message.
  • Hetzner: our hosting and infrastructure provider (a German company), which stores the data needed to run the service (our database and application) on servers located in Finland (EU/EEA).
  • Plausible Analytics: cookieless, aggregate usage analytics.

Each of these has its own privacy practices. Where data is processed on our behalf, we rely on data-processing terms with the provider. "Buy" and "stream" links take you to third-party stores (for example Beatport, Bandcamp, Discogs, YouTube); once you follow a link, that site's privacy policy applies.

6. International transfers

Your account data and saved crates are stored within the EU/EEA, on Hetzner servers in Finland. Some of the other providers above may process data outside the EEA. Where that happens, we rely on appropriate safeguards (such as the European Commission's standard contractual clauses or an adequacy decision) as required by the GDPR.

7. How long we keep data

  • Account data: for as long as you have an account. If you ask us to delete your account, we delete your account data, saved crates, and associated tokens.
  • Sign-in and session tokens: short-lived. Magic-link tokens expire after 15 minutes, sessions after 14 days, and email-change tokens after 7 days.
  • Unsaved crates and drafts: kept temporarily so you can recover recent work; tied to a session identifier rather than your identity.
  • Usage counters: retained only as long as needed to enforce daily limits and detect abuse.
  • Purchase records: retained for as long as needed to deliver and account for your digs, and for any longer period required by accounting and tax law.
  • Aggregate analytics: retained by Plausible in aggregate, non-identifying form.

8. Your rights (GDPR)

If you are in the EEA you have the right to access, correct, delete, restrict, or object to processing of your personal data, and the right to data portability. Where we rely on consent you can withdraw it at any time. To exercise any of these rights, email asep@wedig.fyi. You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, aki.ee) or your local supervisory authority.

9. Security

We protect data in transit with HTTPS, store passwords only as bcrypt hashes, store sign-in tokens as one-way hashes, and use signed session cookies. No system is perfectly secure, but we take reasonable measures to protect your data.

10. Children

WeDig.fyi is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has given us personal data, contact us and we will delete it.

11. Changes to this policy

We may update this policy. We will change the effective date above and, for material changes, take reasonable steps to let you know.

12. Contact

Questions or requests about your data? Email asep@wedig.fyi or write to Nanas Sound OÜ, Tallinn, Estonia (registry code 16028176). See also our Terms & Conditions.