Legal Document

Privacy Policy

Last updated: April 11, 2026 · Version 2.0 · Applies to @MusicPlayListMaker_bot and playlistmaker.ru

Table of Contents
  1. Data Controller
  2. What data we collect
  3. Purpose of processing
  4. Data storage
  5. Third party transfers
  6. AI and data isolation
  7. Google API
  8. Apple Music API
  9. Spotify API (Beta)
  10. Yandex Music API
  11. User rights
  12. Retention period
  13. Cookies
  14. Cross-border transfers
  15. Policy changes
  16. Contacts

01 Data Controller

This Privacy Policy is developed in accordance with the requirements of Federal Law No. 152-FZ of 27.07.2006 (Russia) and Regulation (EU) 2016/679 (GDPR) and describes the data processing procedures for PlaylistMaker users.

Data Controller

IE Beshkarev Vladislav Viktorovich
Email: info@playlistmaker.ru
GDPR Representative: info@playlistmaker.ru

02 What data we collect

Important: pseudonymization

PlaylistMaker works with pseudonymized technical identifiers. We do not collect names, addresses, phone numbers or other classic personal data. Telegram ID is a platform technical identifier that does not allow identifying a natural person without access to Telegram.

DataPurposeRequired
Telegram ID, username, nameBot user identificationYes
OAuth tokens (AES-256 encrypted)Access to music servicesYes
Playlist historyStatistics, usage limitsYes
Credit balancePaid and free operations accountingYes
EmailPayment receipt only (tax requirement)No
Interface languageBot localizationNo

03 Purpose of processing

Legal basis: user consent (Art. 9 152-FZ; Art. 6(1)(a) GDPR), contract performance (Art. 6(1)(b) GDPR), legitimate interest (Art. 6(1)(f) GDPR).

04 Data storage and processing location

Data is stored on secure servers in Finland (EU, Hetzner Helsinki). Finland is an EU member state and provides a level of data protection compliant with GDPR requirements.

EU/EEAGDPR

Primary servers are located in Finland (EU). Database backups are stored on servers in the Russian Federation for service reliability. All data is processed in accordance with GDPR.

All OAuth tokens are encrypted before storage using AES-256.

05 Third party data transfers

We do not sell or transfer data to third parties for commercial purposes. Transfers occur only to the extent necessary for service delivery:

RecipientPurposeCountry
Apple Inc. (Apple Music API)Creating playlists in Apple MusicUSA
Google LLC (YouTube Data API)Creating playlists in YouTube MusicUSA
Spotify AB (Spotify Web API)Creating playlists in Spotify (Beta)Sweden/USA
Yandex LLC (Yandex Music)Creating playlists in Yandex MusicRussia
AudD APIMusic track recognitionUSA
DeepSeek AIPlaylist generation (user text prompt only)China
YooKassaPayment processingRussia
Telegram MessengerBot platformUAE

06 AI usage and data isolation between services

PlaylistMaker uses DeepSeek AI for playlist generation. The architecture is built on the principle of complete data isolation in accordance with GDPR requirements.

GDPR Art. 5 principles
  • Purpose Limitation — each service's data is used strictly for its stated purpose and is not transferred to other services
  • Data Minimisation — only the minimum necessary data is transferred to each external service
  • Storage Limitation — data is stored no longer than necessary
  • Integrity and Confidentiality — all tokens encrypted AES-256, transmission via HTTPS only
Complete data isolation between services
  • 🔴 YouTube Music (Google API) — receives only track names. No YouTube data is sent to Apple, Spotify, Yandex or DeepSeek
  • 🍎 Apple Music API — receives only track names. No Apple data is transferred to other services
  • 🟢 Spotify API — receives only track names. No Spotify data is transferred to other services
  • 🟡 Yandex Music API — receives only track names. No Yandex data is transferred to other services
  • 🤖 DeepSeek AI — receives only the user text prompt. DeepSeek does not receive OAuth tokens or data from Google/Apple/Spotify/Yandex APIs
User → text prompt → DeepSeek AI → track list (Artist - Title) | YouTube OAuth token ──> YouTube API ──> playlist created Apple token ──────────> Apple Music API > playlist created Spotify token ────────> Spotify API ───> playlist created Yandex token ─────────> Yandex API ────> playlist created No DeepSeek access to OAuth tokens or music service API data No music service receives data from other services

This architecture complies with Google API Services User Data Policy (Limited Use), Apple Music API Terms and Spotify Developer Policy.

07 Google API usage

PlaylistMaker uses Google API exclusively for creating playlists in YouTube Music. We request access to the youtube.force-ssl scope.

Data flow separation
  • Google/YouTube API → used only to write playlists to the user's library
  • DeepSeek AI → receives only the user's text prompt. No Google API data is sent to DeepSeek

Access tokens are stored encrypted (AES-256). We do not read the contents of the user's YouTube account.

PlaylistMaker's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

08 Apple Music API usage

PlaylistMaker uses Apple Music API exclusively for creating playlists. Authorization via MusicKit — Apple's official mechanism. We do not access payment data or Apple ID passwords. Music User Token is stored encrypted and used only for playlist creation on user request.

09 Spotify API usage (Beta)

PlaylistMaker uses Spotify Web API in closed beta testing mode exclusively for creating playlists. Authorization via OAuth 2.0. We do not access payment data or passwords. Token is stored encrypted. Beta participation — by request to info@playlistmaker.ru.

10 Yandex Music API usage

PlaylistMaker uses the unofficial Yandex Music API. The user independently obtains an OAuth token via Yandex authorization service. We do not access the account password. Token is stored encrypted. The user can revoke the token at any time in Yandex ID settings.

11 User rights

EU · GDPR

Users from EU/EEA have the following rights under Art. 15–22 GDPR:

  • Right of access — right to obtain a copy of your data
  • Right to rectification — right to correct inaccurate data
  • Right to erasure ("right to be forgotten") — right to delete data
  • Right to restriction — right to restrict processing
  • Right to data portability — right to transfer data
  • Right to object — right to object to processing
  • Right to lodge a complaint — right to complain to an EU supervisory authority

Finnish supervisory authority: Office of the Data Protection Ombudsman (tietosuoja.fi)

To exercise your rights: info@playlistmaker.ru. Response time — 30 days.

Revoke access: Google · Apple ID Settings · Spotify · Yandex ID

12 Data retention period

13 Cookies

The playlistmaker.ru website does not use cookies to track users. The Telegram bot operates without cookies.

14 Cross-border data transfers

When using third-party APIs (Apple Music, Google, AudD, DeepSeek) some data may be transferred outside the EU based on standard contractual clauses (SCCs) or other GDPR mechanisms (Chapter V). Transfers to DeepSeek (China) are limited to user text prompts and do not include data from Google/Apple/Spotify APIs.

15 Policy changes

The current version is always available at playlistmaker.ru/en/privacy. Users will be notified of significant changes via the bot.

16 Contacts

Data Controller
IE Beshkarev Vladislav Viktorovich
Email (general / GDPR)
info@playlistmaker.ru
Telegram
@MusicPlayListMaker_bot
EU Supervisory Authority
tietosuoja.fi