Privacy Policy
No tracking, no analytics SDKs, no data sales. Your data stays in the EU.
English is the binding version of this policy. Localized translations may follow as convenience copies.
Last updated: 28 April 2026
1. Data Controller
Qija is operated by Alisdair Mills Software, a registered Dutch sole proprietorship (ZZP).
Contact: privacy@qija.nl
2. What Data We Collect
| Data | Source | Purpose |
|---|---|---|
| Username | You provide at signup | Account identity |
| Password (bcrypt hash) | You provide at signup | Authentication — we never store your password in plaintext |
| Auth token | Generated at signup | Session management |
| Recovery code | Generated at signup | Account recovery |
| Display name | You provide (optional) | Profile personalisation |
| Bio | You provide (optional) | Profile personalisation |
| Avatar image | You provide (optional) | Profile personalisation |
| Listening history | Collected automatically on playback | Core feature — history, streaks, trends, discovery |
| UTC offset per listen | Collected automatically on playback | Timestamp context — reveals your approximate geographic region |
| Genre tags | You submit | Music categorisation |
| Follows / followers | Your actions | Social feature |
| Likes | Your actions | Library curation |
| Pins | Your actions | Library curation |
| Shares | Your actions | Social feature |
| Group memberships | Your actions | Social feature |
| Reports & blocks | Your actions | Moderation — see Section 7 |
| APNS device token | Collected automatically | Push notifications |
| Qija+ subscription state | From Apple App Store | Unlocking Qija+ features |
| Circle membership | Your invites and acceptances | Determining who shares your Qija+ access |
| Circle invite tokens | Generated when you invite someone | Allowing an invitee to accept a slot |
3. Why We Collect It (Legal Basis)
We process your data on these legal bases under the GDPR:
- Contract (Article 6(1)(b)): When you create an account, we process data necessary to provide the service you signed up for — account management, listening history, social features, and push notifications.
- Legitimate interest (Article 6(1)(f)): Listening history and derived analytics (streaks, trends, discovery playlists) are the core purpose of the app. You can enable Incognito mode at any time to stop new listens from being recorded. Moderation records (reports, blocks) are kept to keep the platform safe.
- Legal obligation (Article 6(1)(c)): Payment records are retained as required by Dutch tax and accounting law.
4. UTC Offset Disclosure
Each listen submission includes the UTC offset of your device at the time of playback. This reveals your approximate geographic region (e.g., UTC+1 suggests Central Europe). We use this solely to display timestamps in your local time and to calculate listening streaks correctly across time zones. We do not use it for location tracking, advertising, or profiling.
5. Incognito Mode
The app includes an Incognito toggle in Settings. When enabled, no new listens are submitted to the server. Existing listening history is not deleted — use the data export or account deletion features for that.
6. Payment Processing
The TestFlight beta is free for everyone and exposes no in-app purchases. At App Store launch, Qija+ subscriptions are processed by Apple via the App Store. Apple acts as the merchant of record and a separate data controller; see Apple's privacy policy. We receive transaction receipts and entitlement state from Apple — we never see your payment details. Apple Family Sharing is not enabled on Qija+: a Qija+ subscription cannot be shared via Apple Family Sharing.
What we keep on our side after a successful payment is limited to: the Apple transaction identifier, the Qija+ flag on your account, and the date that flag became active. This information is retained for as long as your account exists, plus the period required for Dutch tax and accounting compliance.
7. Moderation Data
To keep Qija safe under Apple App Store Guideline 1.2 we operate a user-moderation system:
- Reports: When you report a user or share, we record the reporter, the target, the reason, any free-text detail you supplied, and a timestamp. Reports are reviewed within 24 hours and may result in account suspension or removal of content. Reports are not visible to the reported user.
- Blocks: When you block another user we record the (blocker, blocked) pair so we can hide content in both directions. Blocks are not visible to the other party.
Moderation records are retained as long as your account exists, or as long as needed to enforce previous decisions if your account has been suspended or removed.
8. Data Sharing
We do not share your personal data with any third parties, except for Apple as the App Store payment processor described above.
- No third-party analytics (no Firebase, Amplitude, Mixpanel, or any tracking SDKs)
- No advertising identifiers (no IDFA or IDFV collection)
- No cross-app tracking
- No data sales
- The iOS app has zero third-party tracking dependencies
9. Where Data Is Stored
All server-side data is stored on infrastructure hosted in the European Union (Hetzner, Germany). Data does not leave the EU.
10. Data Retention
- Active accounts: Data is retained for as long as your account exists.
- Inactive accounts: Accounts with no activity (no listens and no authenticated requests) for 6 months are automatically deleted, along with all associated data. This frees up usernames and reduces stored data.
- Device tokens: APNS device tokens older than 90 days with no associated activity are automatically removed.
- Deleted usernames: After account deletion, your username is reserved for 90 days to prevent confusion from immediate re-registration. After 90 days the reservation expires.
- Payment records: Retained as required by Dutch tax law (currently 7 years).
11. Your Rights
Under the GDPR, you have the following rights:
Right of Access & Data Portability (Articles 15 & 20)
You can export all your data at any time from Settings > Export My Data in the app. This downloads a JSON file containing your full profile, listening history (in ListenBrainz-compatible format), likes, pins, follows, groups, shares, tags, and device information.
Right to Erasure (Article 17)
You can permanently delete your account and all associated data from Settings > Delete Account in the app. Deletion requires password confirmation and is irreversible. All data across all tables is removed, including listening history, social connections, moderation records, and uploaded content. Payment records may be retained for the period required by Dutch tax law.
Right to Restrict Processing
Enable Incognito mode to stop new data collection while retaining your existing account.
Right to Object
If you object to the processing of your data, you may delete your account at any time.
Right to Lodge a Complaint
You have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or the supervisory authority in your country of residence.
12. Security
- Passwords are hashed with bcrypt before storage — we never store or transmit plaintext passwords on the server
- On the client, credentials are stored in the iOS Keychain (not in plaintext)
- Authentication uses unique UUID tokens per session
- Account recovery requires a unique recovery code
- Payment data never touches our infrastructure — it is handled entirely by Apple via the App Store
13. Children
Qija is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has created an account, please contact us at privacy@qija.nl.
14. Third-Party Music & Event Data
Qija enriches your listening experience with music metadata and event listings drawn from public sources. This data is not personal data — it describes albums, artists, releases, and shows, not you. We attribute these sources and respect their licences:
- MusicBrainz — release, artist, and recording metadata (CC0 / public domain)
- Cover Art Archive — album cover artwork (Creative Commons; per-image licences vary)
- Wikidata, Wikipedia (Wikimedia Commons) — artist images and biographies (Creative Commons / per-file licences vary)
- Deezer — artist images via the public Deezer API
- Apple Music — artist artwork rendered on-device via MusicKit when no other source is available
- Public venue and promoter listings — event facts (date, artist, venue) for shows we surface as invites
If you are a rights holder and want content removed, email takedown@qija.nl with the URL or identifier and proof of rights. We act on legitimate takedown requests within seven days.
15. Changes to This Policy
We may update this policy from time to time. The "Last updated" date at the top reflects the most recent revision. Continued use of the app after changes constitutes acceptance.
16. Contact
For any privacy-related questions, data requests, or concerns:
privacy@qija.nl