Privacy Policy
Last updated: May 22, 2026
Purrlist is built to respect your privacy. This policy explains what we collect, how we use it, and what we don't do with it.
What we do not collect
- We do not require accounts or registration.
- We do not collect your name, email address, phone number, or location.
- We do not use third-party analytics or advertising SDKs in the app.
- We do not sell, rent, or share user data with third parties.
What stays on your device
All saved cat profiles, cat photos, and generated playlists are stored locally on your device using the operating system's secure storage. We do not transmit or store these on our servers.
Cookies and on-device storage
Purrlist stores, accesses, and collects information directly on your device, and allows the third-party services listed in this policy to do the same on or from your device, in the following limited ways. This may include placing, accessing, or recognizing cookies, local storage, secure-storage entries, or similar technologies on your device or browser.
- Mobile app (iOS / Android): Cat profiles, generated playlists, cat photos, and your service preferences are stored locally in the app's sandboxed storage (AsyncStorage / Expo SecureStore on iOS and Android). YouTube OAuth access and refresh tokens are stored in the operating system's secure storage (iOS Keychain / Android Keystore). A device identifier generated on first launch is stored locally and sent with each playlist-generation request for rate-limiting only. Purrlist does not use third-party analytics, advertising, or tracking SDKs in the app.
- Website (purrlist.app): The site uses only the strictly-necessary cookies and local-storage entries required for the site to function (for example, remembering that you dismissed a banner or which streaming service you prefer to open). The site does not set advertising, retargeting, or third-party analytics cookies. We do not use Google Analytics, Meta Pixel, or any similar tracker.
- Third-party services that may set their own storage: When you authorize Purrlist to create a playlist in YouTube Music, Google's OAuth flow runs in the system browser or an in-app browser tab; during that flow Google may place or access its own cookies and storage on your device under Google's privacy policy. Apple's App Store, Expo's push-notification service, Vercel (our hosting provider), and Upstash (our rate-limit cache) may set or read their own technical storage on or from your device as required to deliver their service. Each is governed by its own privacy policy.
You can clear Purrlist's local storage at any time by deleting and reinstalling the app, by clearing your browser's site data for purrlist.app, or by revoking Purrlist's YouTube access at myaccount.google.com/permissions.
What is sent to third parties
When you generate a Purrlist, the cat photo you select is sent to Google's Gemini AI service for the purpose of generating a playlist description. Google processes the image and returns the result to our backend, which forwards it to your device. We do not retain the image on our servers. Google's handling of Gemini API input is governed by their terms (see https://ai.google.dev/terms).
Track metadata (artist, title, preview URL, artwork URL) is looked up via the Apple iTunes Search API, which is a public service that does not require any personal information.
YouTube Music integration
If you choose to create a playlist in YouTube Music, Purrlist uses YouTube Data API Services (operated by Google) to create the playlist in your YouTube account. Purrlist's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
- What we request: The https://www.googleapis.com/auth/youtube scope, which allows Purrlist to create a new playlist in your YouTube account and add the 20 generated tracks to it.
- What we do with it: We create exactly one playlist per generation, add the 20 matched tracks, and stop. We do not read your existing playlists, library, subscriptions, watch history, or any other YouTube account data.
- Where tokens are stored: The access and refresh tokens Google issues are stored only on your device, in the operating system's secure storage (Keychain on iOS). Tokens are never transmitted to or stored on Purrlist's servers.
- What we do not do: We do not sell, transfer, use for advertising, or allow humans to read your YouTube data. We do not use this data to train AI or ML models.
- Revoking access: You can revoke Purrlist's access at any time at myaccount.google.com/permissions.
Push notifications
If you grant permission for push notifications, your device registers with Expo's push service, which returns a push token. That token is sent with each playlist-generation request so our backend can notify you when your playlist is ready. We store the token only as long as needed to deliver the notification.
Subscriptions and payments
Subscriptions are processed entirely by Apple's App Store. We never see or handle your payment information. Apple's privacy practices apply to your subscription data.
Rate limiting and abuse protection
To protect against abuse, our backend temporarily logs the IP address of each playlist generation request along with a timestamp. These logs are retained for a maximum of 24 hours and are used solely to enforce rate limits. They are not used for analytics, targeting, or any other purpose.
Children's privacy
Purrlist is not directed at children under 13 and does not knowingly collect information from them. If you believe a child has provided us information, please contact us and we will delete it.
Legal basis for processing (EEA & UK)
If you are in the European Economic Area or United Kingdom, Purrlist processes your personal data under the following legal bases (GDPR Article 6 and UK GDPR equivalents):
- Contract performance: Processing the cat photo you submit, generating the playlist, and returning it to you are all necessary to deliver the service you requested.
- Consent: Push notifications (if you opt in) and YouTube Music playlist creation (if you authorize it) are processed only after your explicit consent, which you can withdraw at any time.
- Legitimate interests: Rate-limiting, fraud prevention, and service integrity rely on our legitimate interest in protecting the service from abuse, balanced against your rights. The only data processed for this purpose is an IP address retained for up to 24 hours.
Your rights
Depending on where you live, you have rights over the personal data we process. Under GDPR, UK GDPR, the California Consumer Privacy Act (CCPA), and similar laws, you have the right to:
- Access a copy of the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Delete your data (right to erasure / right to be forgotten).
- Port your data to another service in a machine-readable format.
- Restrict or object to processing based on legitimate interests.
- Withdraw consent at any time for processing that relies on consent (push notifications, YouTube Music).
- Lodge a complaint with your local data-protection authority. For EU residents, a list is available at edpb.europa.eu/about-edpb/members. For UK residents: ico.org.uk.
- California residents additionally have the right to know what personal information is collected, to know whether it is sold or shared (we do not sell or share personal information with any third party for their own use), and to non-discrimination for exercising these rights.
Most of your data never leaves your device, so many of these rights are automatically fulfilled by deleting or resetting the app. For data we do process server-side (push tokens, 24-hour IP logs), see the next section for how to make a request.
How to exercise your rights
Email support@purrlist.app with "Data Request" in the subject line. Tell us which right you want to exercise. We will respond within 30 days (GDPR maximum; California CCPA requires response within 45 days, which we also meet). There is no charge unless the request is manifestly unfounded or excessive.
For California residents, you also have the right to use an authorized agent to make a request on your behalf. Agents must provide written authorization and identity verification.
Data retention
- Cat photos: Transiently processed through Google's Gemini service during playlist generation and not retained by Purrlist. Google's retention is governed by the Gemini API terms.
- Saved cat profiles, playlists, and photos: Stored locally on your device only. Deleted when you delete the app or reset your device.
- YouTube OAuth tokens: Stored locally on your device in the operating system's secure storage. Deleted when you sign out in-app or revoke access at myaccount.google.com/permissions.
- IP addresses (rate limiting): Retained for up to 24 hours in our backend's Redis cache, then automatically evicted.
- Push notification tokens: Retained only as long as needed to deliver the notification tied to a generation request, typically under 60 seconds.
- Support emails: Retained for up to 12 months to help us resolve follow-up issues, then deleted.
- Subscription receipts: Subscription state is handled by Apple. We retain only what is necessary to verify entitlement (an anonymous user identifier and subscription status), for as long as you are a Premium subscriber and for up to 12 months after cancellation for tax and accounting purposes.
International data transfers
Purrlist is operated from the United States. When you use the service from outside the US, your data (cat photos during processing, IP addresses, push tokens) is transferred to and processed in the United States and other countries where our service providers operate.
These transfers rely on appropriate safeguards:
- Google (Gemini, YouTube Data API): Certified under the EU-US and UK-US Data Privacy Framework.
- Vercel (backend hosting): Standard Contractual Clauses.
- Upstash (Redis cache for rate-limiting): Standard Contractual Clauses.
- Sentry (error monitoring, if enabled): Standard Contractual Clauses.
- Apple (subscriptions, push notifications): Standard Contractual Clauses and Apple's own privacy commitments.
EU representative
Purrlist is a US-based service. For EU and UK residents: you may contact us directly at support@purrlist.app for any privacy-related inquiry. If we appoint a formal EU representative under GDPR Article 27, their contact details will be published in this section.
Data breach notification
In the unlikely event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required by GDPR Article 33) and, where the risk is high, notify affected users directly via in-app message and the "Last updated" date at the top of this policy.
Changes to this policy
If we update this policy, we will update the "Last updated" date above. Material changes will be communicated in-app.
Contact
Questions or concerns? Email us at support@purrlist.app.