Security

Last updated: February 26, 2026

At Tune Tracker, we take the security of your data seriously. This page describes the security measures we have in place to protect your information.

Infrastructure & Hosting

Tune Tracker is hosted on modern cloud infrastructure with built-in redundancy. Our hosting providers maintain industry-standard security certifications and undergo regular third-party audits.

Data Encryption

• In transit — All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher. We enforce HTTPS on all endpoints.
• At rest — Data stored in our databases is encrypted at rest using AES-256 encryption provided by our cloud infrastructure.

Authentication

Tune Tracker uses Spotify OAuth 2.0 for authentication. We do not store your Spotify password. Access tokens are securely stored and automatically refreshed. You can revoke Tune Tracker's access at any time through your Spotify account settings.

Payment Security

All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. We never store, process, or have access to your full credit card details.

Access Controls

Access to production systems and user data is strictly limited to authorized personnel on a need-to-know basis. We follow the principle of least privilege for all internal access.

Dependency Management

We regularly update our dependencies and monitor for known vulnerabilities. Security patches are prioritized and deployed promptly.

Data Retention

We retain data only for as long as necessary to provide our service. When you delete your account, your personal data is removed within 30 days. For detailed retention periods by data type, see our Privacy Policy.

Responsible Disclosure

If you discover a security vulnerability in Tune Tracker, we encourage you to report it responsibly. Please email us at [email protected] with details of the vulnerability. We ask that you:

• Do not publicly disclose the vulnerability before we address it.
• Provide sufficient detail for us to reproduce and fix the issue.
• Do not access, modify, or delete other users' data during your research.

We will acknowledge your report within 48 hours and work to resolve confirmed vulnerabilities as quickly as possible.

Contact

For security-related inquiries, please contact us at [email protected].