Overview
This notice explains what data is processed when you use V0 Visualizer and why.
The project is operated as a hobby project from Turkey. The statements below are limited to the current product behavior implemented in this repository as of March 23, 2026.
Data controller scope
V0 Visualizer is not presented as a corporate service in this notice. It is a community-facing hobby application.
For legal and privacy requests, signed-in users can use the in-app feedback flow. If you cannot access that flow, use the public community Discord channel linked in the product while a dedicated public contact channel is not yet published.
Data categories processed
- Profile and music data from Last.fm (username, listening counters, artists, tracks, albums, profile image, profile URL, privacy status, and related derived snapshots used for product features).
- Account and session data (short-lived access cookie named auth_token, durable session cookie named auth_session, login timestamps, role flags, session user-agent, and hashed session IP metadata).
- Optional linked-account data (provider IDs or usernames and encrypted access tokens, refresh tokens, or Last.fm session material for Last.fm, Discord, GitHub, Twitch, X, YouTube, and, when enabled in-product, Instagram or SoundCloud).
- User-submitted content (feedback threads, support replies, uploaded feedback attachments, profile social links, wall entries, and reactions).
- Security and telemetry data (request metadata, user-agent, anti-abuse and rate-limit identifiers, hashed IP values in some logs, audit and activity records, and production error or trace events).
- Operational data in caches, queues, snapshots, and job logs used to speed up visualization, sync, community metrics, and background processing.
Processing purposes
- Authenticate users and maintain session continuity.
- Fetch, cache, sync, and display Last.fm-based analytics, visualizations, and community surfaces.
- Enable optional linked-account connections and related user-facing profile features.
- Provide moderation, abuse prevention, and platform safety controls.
- Run diagnostics, error monitoring, tracing, and reliability improvements.
- Respond to support or privacy requests and maintain service records.
Legal basis under Turkey-focused approach
Processing may rely on one or more of the following depending on the action: explicit consent where required, necessity for service requested by the user, legitimate interest for security and continuity, and legal obligations.
If a feature requires optional external account linking, processing starts only after the user triggers that connection.
Third-party transfers and processors
The service communicates with third-party providers based on feature use. This can include Last.fm, linked-account providers, image providers, Discord infrastructure, hosting and database infrastructure, Redis-backed queue infrastructure, and production monitoring services.
Some provider calls can be routed through additional infrastructure used by the project, such as a configured Cloudflare Worker proxy for Discord-related requests. Because these services may operate internationally, data flow may involve cross-border transfer outside Turkey based on user action and technical routing.
Retention highlights
- The auth_token access cookie is configured for about 15 minutes. The auth_session cookie follows a 30-day idle window and a 90-day absolute maximum, and is cleared on logout or revocation.
- Revoked or expired server-side auth session rows are retained for up to about 30 additional days for operational review before cleanup jobs delete them.
- Linked-provider secrets are intended to remain only while the related connection is active, and are deleted when the user disconnects that provider or related cleanup occurs.
- Feedback records, support replies, and uploaded attachments can remain until deletion, moderation cleanup, or a valid request or operational need requires change. Uploaded attachments are stored in application-managed upload storage.
- Soft-deleted account or profile records, profile-view analytics, activity or audit logs, community metrics, caches, and job history may remain for integrity, abuse review, or reliability operations until cleanup policies remove them.
- Browser-side cache data is time-bound by cache policies and may be cleaned automatically.
- Some account and feature records are kept while the account remains active or until cleanup, moderation, or valid request workflows require change.
Your rights (KVKK article 11 summary)
- Learn whether your personal data is processed.
- Request information about processing and its purpose.
- Learn third parties receiving data where applicable.
- Request correction of incomplete or inaccurate data.
- Request deletion or restriction where legal conditions apply.
- Object to outcomes produced exclusively by automated evaluation that harms you.
- Request compensation where processing causes unlawful damage under applicable law.
- Use the contact channels described in this notice to submit privacy-related requests.
Age and child privacy
The service is not directed to children under 13. If you believe data for a child was submitted improperly, use the contact channels in this notice so review or removal can be evaluated.
Policy updates
This notice can be updated as features and infrastructure evolve. Material changes are reflected by updating the version and effective date on this page.
This notice is intended for practical transparency in a hobby project setting. It does not create guarantees beyond implemented technical behavior.