The short version. Earworm shows you what your friends are listening to, in real time. To do that, we read what's playing on your phone (only while music apps are open and broadcasting metadata), share it with the people you choose to follow, and store enough to make the social features work. We don't sell your data, we don't run ads, and you can turn sharing off at any time with the incognito toggle.
1. Who runs Earworm
Earworm is built and operated by an individual developer. For privacy questions, account requests, or anything else, email support@earwormapp.com.
2. What we collect, and why
Account info
- Email address and password, or a Google sign-in identifier — used to create and authenticate your account (via Firebase Authentication).
- Display name and profile picture (from Google sign-in if you use it).
- A username you choose, plus a small avatar color.
Music listening data
- The track name, artist name, album name, and album art URL of the song currently playing on your device, plus which music app it came from (Spotify, YouTube Music, etc.).
- A history of recently played tracks (capped at the most recent 50 per user).
- Listen-along events when you and a friend happen to be playing the same song.
- Likes you give on friends' tracks, and drops you send to friends or circles.
- "Earworm session" data — a small record describing how a song spreads through your social graph when multiple followers play it within a short window.
Listening data is read by Earworm via Android's standard NotificationListenerService permission, which lets us see the metadata that music apps already broadcast to the system (the same data that powers media controls in your notification shade and lock screen). Earworm does not use the microphone, does not read other apps' notifications, and does not read SMS, contacts, calls, photos, or files.
Social graph
- The list of people you follow and people who follow you.
- Follow requests you send and receive.
- Circles you create (custom groups for sharing) and the members in each.
- Drops you send and receive, including the like state on each drop.
Device + diagnostic info
- A push-notification token (Firebase Cloud Messaging) so we can deliver social pushes to your device. Tied to your account; refreshed automatically by Android.
- Crash reports (Firebase Crashlytics): stack traces, device model, OS version, app version, and an anonymized installation ID. No personal content is captured. We use these to fix bugs.
- Aggregate usage analytics (Firebase Analytics): screen views, button taps, app sessions. Used to understand which features work well and which don't.
3. How we use the data
- To run the social features. Friends see each other's currently-playing tracks; likes and drops are delivered; listen-along events are matched server-side; earworm sessions are computed.
- To deliver push notifications — when someone follows you, likes your music, sends you a drop, or joins an earworm you started.
- To improve reliability and quality — crash data and usage analytics help us spot regressions and prioritize fixes.
We don't use your data for advertising, profiling outside Earworm's product features, or any third-party marketing.
4. Who can see what
- People you follow see your currently-playing track and your past drops to circles they're in.
- Earworm session participants can see the names of people they directly follow within a session; everyone else in the session is shown as an anonymous count ("+ N others"). Direct followers of the song's seeder are named in milestone push notifications.
- You can pause sharing entirely with the in-app incognito toggle (or via the widget). When incognito is on, your currently-playing track is not broadcast, and you don't appear in earworm sessions until you turn it back off.
- Strangers and the public see nothing. There is no public profile or feed.
5. Where the data lives
Earworm stores account and listening data in Google Firebase (Firestore database, Cloud Functions, Cloud Messaging, Crashlytics, Analytics). Firebase is operated by Google LLC; data is hosted in Google data centers in the United States. Push notifications transit Firebase Cloud Messaging, which delivers via Apple Push Notification service for iOS users and directly for Android users.
We do not share data with any other third parties. There are no advertising trackers, marketing pixels, or data brokers.
6. How long we keep things
- Account data — for as long as your account exists.
- Currently-playing track — overwritten on every track change; cleared automatically after 10 minutes of pause.
- Recent tracks history — last 50 plays per user; older entries are deleted automatically.
- Drops and likes — retained while your account is active; useful for the "Your Music" history surface.
- Earworm sessions — retained for analytics and your "Your Music → Earworms" history; sessions older than 7 days drop off the in-app surface but are kept in our database for product analysis.
- Crash reports — retained per Firebase Crashlytics defaults (typically 90 days).
- Usage analytics — retained per Firebase Analytics defaults (configurable by us; currently 14 months).
7. Your rights
You can:
- See and edit most of your account data directly in the app.
- Pause sharing any time with the incognito toggle.
- Delete your account by emailing support@earwormapp.com. We'll delete your user record, your now-playing entry, your recent tracks, your follow graph, and your drops within 30 days. Listen-along events and earworm session participation involving you are anonymized rather than deleted (your UID is removed; the count remains).
- Request a copy of your data by emailing the same address. We'll send a JSON export of everything tied to your UID.
- Lodge a complaint with your local data protection authority if you believe we're handling your data incorrectly.
If you're in the EU/EEA, UK, California, or India, you have specific rights under GDPR, UK GDPR, CCPA, and DPDPA respectively (access, rectification, erasure, portability, objection, restriction). The mechanisms above cover them in practice. Contact us if you want to invoke a specific right by name.
8. Children
Earworm is not directed to children under 13. We don't knowingly collect data from children under 13. If you believe a child under 13 has created an account, email us and we'll delete it.
9. Security
Data is transmitted to Firebase over TLS. Authentication is handled by Firebase Auth; passwords are not stored by us in any reversible form. Firestore security rules restrict access so users can only read and write their own data, plus the social data they're explicitly party to (their followers' currently-playing tracks, drops sent to them, etc.). No system is perfectly secure; if you discover a vulnerability, please report it to support@earwormapp.com.
10. Permissions Earworm asks for
- Notification access — required so we can read what music app is playing. Earworm does not read or transmit any non-music notifications.
- Notifications display — required so we can deliver social pushes to you.
- Internet — required to talk to Firebase.
You can revoke notification access at any time from Android Settings → Notifications → Special access → Notification access. Earworm continues to work but won't detect what's playing on your device.
11. Changes to this policy
If we materially change how we handle data, we'll update this page and bump the "Last updated" date at the top. For significant changes (new data we collect, new third parties, expanded sharing), we'll also notify active users in-app.
12. Contact
Email support@earwormapp.com for any privacy question, account request, or correction. We aim to respond within 7 days.