My Flowlist

Legal

Privacy Policy

Last updated: 10 May 2026

1. Who we are

My Flowlist is a service operated by My Flow Limited, a company registered in England and Wales (company number 17289976). In this Policy, "we", "us" and "our" refer to My Flow Limited. We help you create energy-curated playlists from your Spotify or Apple Music library. This Privacy Policy explains what data we collect when you use myflowlist.app, how we use it, and the choices you have. If you have any questions, contact us at hello@myflowlist.app.

2. Data we collect

  • Account data: your email address and an encrypted password (or a federated sign-in identifier if you use Google).
  • Spotify data: when you connect Spotify, we receive an OAuth access token and read your saved tracks, playlists, top tracks, and audio features (tempo, energy, valence) so we can sequence Flowlists for you. We never see your Spotify password.
  • Apple Music data: when you connect Apple Music, MusicKit returns a Music-User-Token that we store so we can read your library tracks, playlists, and the storefront (country) of your Apple ID. We use ISRC codes from your library to look up tempo and energy data so we can sequence Flowlists. We never see your Apple ID password.
  • Flowlists you create: the playlists, titles, occasion templates, and energy curves you generate are stored against your account.
  • Usage data: standard request logs (IP address, user agent, timestamps) for security and debugging.

3. How we use your data

  • To provide the core Flowlist sequencing service.
  • To send you transactional emails (welcome, password reset, billing).
  • To debug issues and keep the service secure.
  • To process payments via our billing provider (if you subscribe).

We do not sell your data. We do not use your Spotify or Apple Music listening data for advertising or share it with third parties for marketing.

4. Spotify integration

My Flowlist uses the Spotify Web API under Spotify's Developer Terms of Service. Your use of Spotify through My Flowlist is also governed by Spotify's own Privacy Policy.

OAuth scopes we request. When you connect Spotify, we ask for the following scopes — and only these:

  • user-read-email, user-read-private — to identify your Spotify account.
  • user-library-read, user-follow-read, user-top-read — to read your saved tracks, followed artists, and top tracks so we can sequence Flowlists.
  • playlist-read-private — to read your existing playlists when you choose one as a source.
  • playlist-modify-private, playlist-modify-public — to save a Flowlist as a real playlist in your account, only when you tap "Save to Spotify".

What we do with Spotify data. We use it solely to generate, refresh, and save your Flowlists. We do not share Spotify data with any third party, do not use it for advertising, and do not use it to train machine-learning models. We never see your Spotify password.

Disconnecting and deletion. You can disconnect Spotify at any time from the Sources page — this immediately deletes your stored Spotify access and refresh tokens from our database, along with any cached library data we held to speed up sequencing. You can also revoke My Flowlist's access directly in your Spotify account settings. Deleting your My Flowlist account also removes all Spotify data we hold for you.

Spotify is a trademark of Spotify AB. My Flowlist is not affiliated with, endorsed by, or sponsored by Spotify.

5. Apple Music integration

My Flowlist uses Apple's MusicKit and Apple Music API under Apple's Apple Music API terms. Your use of Apple Music through My Flowlist is also governed by Apple's own Privacy Policy.

What we access. When you authorise Apple Music, MusicKit returns a Music-User-Token. We use it to read your library tracks and playlists, your storefront (country code), and ISRC codes for tempo and energy lookups so we can sequence Flowlists. We only write back to your library when you tap "Save to Apple Music".

What we do with Apple Music data. We use it solely to generate, refresh, and save your Flowlists. We do not share Apple Music data with any third party, do not use it for advertising, and do not use it to train machine-learning models. We never see your Apple ID password.

Disconnecting and deletion. You can disconnect Apple Music at any time from the Sources page — this immediately deletes your stored Music-User-Token and cached library data from our database. You can also revoke My Flowlist's access from your Apple ID account settings under "Sign in with Apple" / "Apps Using Apple ID". Deleting your My Flowlist account also removes all Apple Music data we hold for you.

Apple Music and Apple ID are trademarks of Apple Inc. My Flowlist is not affiliated with, endorsed by, or sponsored by Apple.

6. Where your data is stored and who we share it with

Account and Flowlist data is stored in our managed cloud database (hosted in the EU). Transactional emails are sent via a third-party email provider. Payments are processed by Paddle.com Market Limited, who acts as the Merchant of Record for our orders — Paddle receives your name, email, billing address, and payment details to process the transaction, handle tax, issue invoices, and manage subscriptions and refunds. We never see or store your card details. See Paddle's Privacy Notice.

Other recipients include our hosting and database provider (cloud infrastructure), our email delivery provider (transactional email), and professional advisers (legal, accounting) and authorities where required by law. We do not sell your data and do not share it for advertising.

7. How long we keep it

We keep your data for as long as your account is active. If you delete your account, your account record, Flowlists, and Spotify and Apple Music tokens are removed within 30 days. Anonymised logs may be retained for up to 90 days for security purposes.

8. Your rights

Under UK GDPR you have the right to access, correct, export, or delete your personal data, and to object to or restrict processing. Email hello@myflowlist.app and we'll action your request within 30 days.

9. Cookies

We use a small number of essential cookies to keep you signed in. We do not use third-party advertising cookies.

10. Changes to this policy

We'll update this page if our practices change and notify you by email for material changes. The "last updated" date at the top will always reflect the current version.

11. Contact

Questions, requests, or concerns? hello@myflowlist.app.