Privacy Policy
Effective date: 9 April 2025 · Last updated: 16 April 2026
boots.list ("the app", "we", "our") is a macOS application built by Fraser Muir. This policy explains what personal data we collect, how we use it, and your rights in relation to it.
The short version: we collect only what we need to run your account. Your Rekordbox library, your music files, and the results of any audio analysis never leave your Mac.
1. What we collect
When you create an account or sign in, we collect:
- Email address — used to identify your account and, for email/password users, to send password-reset emails.
- Display name (optional) — a name you choose to appear in the app. You can leave this blank.
- Region (optional) — if you enter one during sign-up, we store it alongside your account.
- Password (email sign-up only) — stored as a PBKDF2-SHA256 hash, never in plaintext. We never see or store your Apple or Google password.
- Sign-in provider metadata — if you use Sign in with Apple or Sign in with Google, we receive a unique provider identifier and, on first sign-in, the name associated with that provider account.
- Session records — each time you sign in, we create a session record (a random session ID, the user ID it belongs to, and a creation timestamp) so that we can validate and revoke tokens.
When you interact with the backend, our server automatically logs:
- IP address — used transiently for rate-limiting authentication endpoints (to prevent brute-force attacks). IP addresses are held only in short-lived, in-memory sliding windows and are not written to the database.
- Standard HTTP request metadata — timestamps, request paths, and response status codes are recorded in operational logs kept by our hosting provider (Render). These logs are retained only for troubleshooting.
We also store the following app preferences locally on your Mac:
- Access tokens issued to your device — stored in the macOS Keychain.
- Whether you have completed the in-app tutorial and whether you have chosen to stay signed in (UserDefaults).
- Security-scoped bookmarks for the music folders you have granted the app access to.
- Your imported Rekordbox library snapshot and generated playlist history (JSON files in Application Support).
- Your profile image, if you upload one (copied into Application Support).
2. What we do not collect
- Your Rekordbox library. The XML file you import is parsed entirely on your device. Track titles, BPM values, file paths, Camelot keys, and genre tags never leave your Mac and are never sent to our servers.
- Your music files. When you use the built-in BPM and key scanner, boots.list reads the first 60 seconds of each audio file directly from your Mac's storage, performs tempo and chroma analysis locally using Apple's AVFoundation and Accelerate frameworks, and writes the detected values back into the library snapshot on your device. No portion of any audio file, nor the analysis results, is ever uploaded or transmitted off your Mac.
- Generated playlists. Playlist history is stored locally on your device only.
- Analytics or crash data. We do not embed any analytics SDK, ad network, or crash-reporting service.
- Location data. We do not collect or access your location.
- Contacts, microphone, camera, or photos. The app does not request access to any of these.
3. How we use your data
We use your email address, display name, and region solely to:
- Create and manage your boots.list account.
- Allow you to sign in and restore your session.
- Send transactional emails you request (e.g. password reset).
We use request metadata (IP address, timestamps) solely to:
- Enforce rate limits on authentication endpoints to protect against brute-force attacks.
- Diagnose and fix operational issues with the backend.
We do not use your data for advertising, profiling, or any purpose beyond operating the app.
4. Data storage and third parties
Account data (email address, hashed password, display name, region, sign-in tokens, and session records) is stored in a PostgreSQL database we operate. The database and backend API run on Render, Inc., a cloud hosting platform that acts as our data processor. Render's own privacy practices are described in their privacy policy.
Sign-in provider verification is handled directly between your device and the provider:
- If you use Sign in with Apple, Apple authenticates you and sends us an identity token. Apple's handling of this is governed by their privacy policy.
- If you use Sign in with Google, Google authenticates you and sends us an identity token. Google's handling is governed by their privacy policy.
If you purchase boots.list as a direct download, the transaction is processed by Stripe under their privacy policy. Stripe receives your email address (used to send the receipt) and billing address (required to calculate applicable sales tax / VAT). If you purchase through the Mac App Store, the transaction is processed by Apple. We do not receive or store your payment card details in either case.
We do not sell, rent, or share your personal data with any other third parties.
5. Data security
We use industry-standard measures to protect your data:
- Passwords are hashed using PBKDF2-SHA256 before being stored; we never store plaintext passwords.
- All traffic between the app and our backend is encrypted in transit via HTTPS/TLS.
- Access tokens are issued as signed, time-limited credentials that expire after 30 days.
- Sessions expire after 90 days and are purged automatically thereafter.
- Access tokens stored on your Mac are held in the macOS Keychain with the kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly protection class.
6. Data retention
Your account data is retained for as long as your account is active. Revoked sessions are purged from our database automatically within 7 days; sessions older than 90 days are purged regardless of activity. If you request deletion of your account, we will permanently remove all associated personal data from our systems within 30 days.
7. Your rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Request deletion of your account and associated data.
- Object to or restrict how we process your data.
- Request a copy of your data in a portable format.
To exercise any of these rights, contact us via our support form. We will respond within 30 days.
8. Children
boots.list is not directed at children under 13. We do not knowingly collect personal data from anyone under 13. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
9. Changes to this policy
If we make material changes to this policy, we will update the date at the top of this page. Continued use of the app after changes are posted constitutes acceptance of the updated policy.
10. Contact
Questions about this policy? Reach us via our support form or at contact@bootslist.app.