Privacy Policy

Account information. When you create an account we collect your email address, a username you choose, and a password (which is securely hashed and managed by Firebase Authentication — we never see or store your plain-text password). You may also sign in using Google or Apple Sign-In, in which case we receive your name and email address from that provider.

Profile content. You may upload a profile photo, add a bio, and add a website link. Profile photos are stored in Firebase Cloud Storage.

Posts and activity. When you share a song, we store the song metadata (track name, artist, album, and album art URL sourced from Spotify), any caption or hashtags you add, and engagement data such as likes, comments, saves, and follower relationships.

Direct messages. Messages you send to other users are stored on our servers to deliver the messaging service. Messages are not end-to-end encrypted.

Voice notes. If you send voice notes through the app, the audio files are stored in Firebase Cloud Storage and linked to your account.

Comments. Comments you leave on posts are stored alongside your user ID and a timestamp.

Push notification tokens. If you enable push notifications, we store your device token to send you notifications about activity on your account (likes, comments, follows, messages).

Subscription information. If you subscribe to Corus Club, purchase and subscription status is managed by RevenueCat and Apple. We store your club membership status (active or inactive) but do not have access to your payment method, credit card details, or Apple ID password.

We use the following third-party services:

• Firebase (Google) — authentication, database (Firestore), file storage, cloud functions, and push notifications. Google's privacy policy: policies.google.com/privacy
• Spotify Web API — we search Spotify's catalog to let you find and share songs. We use Spotify's public API with app-level credentials; we do not access your personal Spotify account or listening history. Spotify's privacy policy: spotify.com/legal/privacy-policy
• RevenueCat — manages in-app subscriptions and purchase receipts. RevenueCat receives an anonymous app user ID and purchase data from Apple. RevenueCat's privacy policy: revenuecat.com/privacy
• Apple App Store — processes all payments for Corus Club subscriptions. Apple's privacy policy: apple.com/legal/privacy
• Cloudflare — hosts our website (corus.fm) and provides DNS, CDN, and security services. Cloudflare's privacy policy: cloudflare.com/privacypolicy

• To create and maintain your account
• To display your profile, posts, and activity to other users
• To enable social features (following, likes, comments, direct messages, voice notes, and notifications)
• To show trending songs and hashtags
• To manage your Corus Club subscription status and deliver subscription benefits
• To send push notifications about activity on your account (you can disable these in your device settings at any time)
• To enforce our Terms of Use and protect users from abuse
• To improve the app and develop new features

• We do not collect precise location data
• We do not access your contacts or address book
• We do not track you across other apps or websites
• We do not use cookies for advertising or tracking purposes
• We do not access your Spotify listening history or playlists
• We do not sell your personal information to any third party
• We do not use your data for targeted advertising

We do not sell your personal information. We do not share your data with advertisers. Your data is shared only in the following ways:

• Public profile and posts. Your username, profile photo, bio, and posts are visible to other Corus users. Posts may also appear in trending feeds and search results within the app.
• Service providers. We use Firebase (Google) to store data, Spotify to retrieve song information, and RevenueCat to manage subscriptions, as described above. These providers process data on our behalf and are contractually obligated to protect it.
• Legal requirements. We may disclose your information if required to do so by law, regulation, or legal process, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Cymbal Media, Inc., our users, or the public.
• Business transfers. If Cymbal Media, Inc. is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change via the app or email.

You can delete your account at any time from the Settings screen in the app. When you delete your account, we permanently remove your profile, all your posts, comments, likes, saves, follower relationships, messages, voice notes, and notifications. This action cannot be undone.

If you cancel your Corus Club subscription, your subscription benefits end at the close of your current billing period. Your account and content remain intact.

All data is transmitted over HTTPS. Passwords are hashed by Firebase Authentication. We do not use any custom or non-exempt encryption. We implement reasonable administrative, technical, and physical safeguards to protect your information. However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

Corus is not intended for children under 13. We do not knowingly collect information from children under 13. If we learn that we have collected personal information from a child under 13, we will delete that information promptly. If you believe a child under 13 has provided us with personal information, please contact us at help@corus.fm.

Depending on your jurisdiction, you may have the right to:

• Access the personal information we hold about you
• Request correction of inaccurate information
• Request deletion of your information
• Object to or restrict certain processing of your information
• Request a portable copy of your information
• Withdraw consent where processing is based on consent

To exercise any of these rights, please contact us at help@corus.fm. We will respond within 30 days.

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights regarding your personal information, including the right to know what information we collect, the right to delete your information, and the right to opt out of the sale of your information. We do not sell personal information. To exercise your CCPA rights, contact us at help@corus.fm.

Corus is operated from the United States. If you are accessing the app from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States. By using Corus, you consent to the transfer of your information to the United States.

We may update this policy from time to time. If we make material changes to how we collect, use, or share your information, we will notify you through the app or by updating the date at the top of this page. Your continued use of the Service after changes constitutes acceptance of the updated policy.

If you have questions about this privacy policy, please contact Cymbal Media, Inc. at help@corus.fm.