Privacy Policy

TakeoutFM is a copyleft self-hosted personal media system. Privacy as it relates to the intended design and use of TakeoutFM is described within this document. TakeoutFM refers to the Takeout server, mobile apps, TV apps, watch apps, console apps, and the web interface.

If you have questions regarding this privacy policy, please contact [email protected].

Design Considerations

TakeoutFM is designed around a server and APIs for clients/apps to browse and consume media. Clients are not required to store any information but may do so to improve performance. State may be stored by a client on the server such that activity and progress can be resumed or shared across multiple client devices. TakeoutFM does not store or manage any media and instead media must be stored in an S3 bucket (or local storage) that is available for the server to index and for clients to access directly using time-based pre-signed URLs.

When using media stored in S3, the Takeout server does not store or manage any media and instead media in the S3 bucket is available for the server to index and for clients to access directly using time-based pre-signed URLs. The Takeout server does not directly access any S3 media.

When using local media files, The Takeout server will index media directories, compute ETags for media files, access metadata, and serve media files using time-based pre-signed URLs.

Personal Information

The Takeout server requires a userid and password for each user to access related media and services. The userids and passwords are stored in the server auth database. The userid is stored in the clear and the password is stored with Scrypt. No other personal information is requested or stored by TakeoutFM.

The Takeout server may temporarily store access logs that contain client request information and IP addresses. This information, if used, is only used for debugging or development purposes.

The Takeout server is recommended to be configured with TLS to ensure all communication is encrypted and avoid unintended disclosure of userids, passwords, cookies, and tokens.

Cookies and JWTs

Cookies are small tokens or files stored on your device as part of the user login process to uniquely identify you later without requiring you to provide your userid and password again. Each cookie is a UUID comprised of 122 random bits, stored within the Takeout server auth database, and within the client app or web browser. Cookies are valid for a limited time (based on server configuration) and when expired, you will be required to login again.

The Takeout server uses JWTs for API and media access authorization. JWTs are not stored by the server, however, they are stored on app/client devices similar to cookies. The refresh token is the same as a cookie and stored by the Takeout server. Please see the security design for further details.

JWTs claims are stored in plain-text within the token. The Takeout server uses subject and/or audience claims which specify a userid and/or media file name respectively. Unintended disclosure of a JWT could explode a userid or media file name.

The Takeout server is recommended to be configured with TLS to ensure all communication is encrypted to avoid unintended disclosure of cookies and tokens.

Media in S3

The Takeout server requires access to your S3 bucket to obtain a listing of media stored within the S3 bucket. The bucket object names are used to obtain further metadata related to music and video files. These object names are stored in the corresponding music, film, tv, and search databases to enable media streaming or downloading directly from your S3 bucket using time-based pre-signed URLs.

The Takeout server does not access your S3 media, it does not parse your S3 media containers, and it does not parse any embedded tags or related information in your S3 media. All related metadata is obtained using third-party services based on file naming conventions.

Media stored in your S3 bucket can potentially be visible to the S3 bucket service provider. Contact your service provider to obtain further information regarding the S3 bucket privacy policy. Personal S3 bucket self-hosting options, such as Minio, are available.

Local media can also be used without requiring S3. However, similar to when using S3, file names are stored in databases and files are streamed using their original file names with embedded tokens.

Metadata

The Takeout server uses the following services to discover your media metadata:

• Cover Art Archive - obtain links to cover images
• Fanart.tv - obtain links to Artist images (requires API key)
• ListenBrainz - obtain popular tracks
• MusicBrainz - obtain music metadata
• Last.fm - obtain popular tracks, artist name resolving (requires API key)
• The Movie Database - obtain movie metadata (requires API key)

The Takeout server uses the respective service APIs to query and store related metadata based on your media object/file names. Requests to the service APIs will include an API key (where required), media information (such as artist or movie name), and the Takeout server IP address. Third-party services can infer information about your music or movies that are being indexed and potentially relate the media to a unique IP address. No other information is directly provided to these third-party services.

Metadata related to your object/file names is stored in the respective music, film, tv, and search databases to improve performance and reduce the overall impact on third-party services. Similarly, API responses can also be cached to avoid repeated or duplicate requests for the same information.

Metadata includes links or URLs to images such as covers, posters, and profiles. The Takeout server includes such URLs or information to construct URLs in responses to API clients. The URLs are used by clients to render associated media images. Third-party services can infer information about your media from image requests and relate to a unique IP address. No other information is directly provided to these third-party services.

Podcast URLs that have been added to the Takeout server configuration are periodically queried and metadata is stored in the podcast database. Requests to the podcast providers can infer information about your interests and potentially relate the podcasts to a unique IP address. No other information is directly provided to the podcast providers.

Radio stream URLs that have been added to the Takeout server configuration are used to create a radio station in the music database. The URLs for these streams are sent directly to API clients and clients can use them to directly stream media. Requests to radio stream providers can infer information about your interests and potentially relate streams to a unique IP address. No other information is directly provided to the radio providers.

Progress

The Takeout server provides APIs for clients to store media watch/listen progress which is intended to allow playback to be conveniently resumed on the same or other devices at a later time. The Takeout server stores progress using the ETag (or entity tag) of the media and an offset in the media stream. An ETag is generally an MD5 digest of the media content obtained from the S3 bucket or directly computed from a local file. This design of ETag based progress provides a layer of indirection such that user media consumption is not readily available. It’s possible, with access to the progress database and the S3 bucket or local files, to reconstruct media consumption information by mapping progress ETags to media.

Activity

The Takeout server provides APIs for clients to optionally store activity events which are intended to allow the user to easily access recently consumed media on the same or other devices. Activity events can relate to music, video, and podcasts. Activity events are stored in the activity database and each event uses third-party identifiers (MBIDs, GUIDs, IMDB IDs) such that activity data is stable. It is possible, with access to the activity database, to reconstruct media consumption information by mapping third-party identifiers to actual metadata.

ListenBrainz

TakeoutFM apps can be configured to send playing now and listens to ListenBrainz. This is optional but when configured, ListenBrainz will be made aware of music artist, release, and track listening behavior. With this information ListenBrainz can infer information about your music and other information. ListenBrainz also can make this information available publicly on their website and in other data exports. Please consult the ListenBrainz site and their privacy policy for further information.

Information Disclosure

TakeoutFM does not directly disclose any information to any outside parties beyond what is needed to obtain metadata or access media.

Children’s Online Privacy Protection Act Compliance

TakeoutFM is directed at people that are 13 years old or older. If the Takeout server is in the USA, and you are under age of 13, per the requirements of COPPA (Children’s Online Privacy Protection Act), do not use TakeoutFM.

Consent

By using TakeoutFM, you consent to this privacy policy.

Changes

Any changes made to this privacy policy will be made available on takeoutfm.com.