Last updated: 2026-05-21

Privacy Policy

Summary

This policy describes what Reibu (the “Service”) collects, where it goes, and how long it is kept. The Service runs no advertising or analytics trackers, sells no data, and uses only the third parties listed below. Questions and data requests can be sent to gabecurran01@gmail.com.

Information collected

Account

Email address, chosen handle, Ory identity id, and (held by the auth service only) a password hash. If a third-party sign-in provider is enabled, the Service also records the link between an account and its Google or Discord identifier. Email-verification state is tracked so that unverified accounts can be prompted to verify. If a user enables two-factor authentication, the auth service also holds an authenticator-app (TOTP) secret and any one-time backup recovery codes.

Profile

Uploaded avatar image, selected theme, theme mode (light, dark, or system), interface locale, direct-message privacy setting (everyone or friends only), the “show last seen” preference, and an optional manual presence override (online, away, busy, or invisible).

Presence

The browser sends a periodic heartbeat that records the most recent activity timestamp and whether the tab is idle. The Service derives a presence state (online, away, or offline) from those signals. Setting presence to invisible hides the last-seen timestamp from friends and reports the account as offline; the underlying heartbeat is still received by the server so that features like room membership keep working.

Room activity

Room memberships, queue additions, votes (Nice, Mid, Grab, Replay, Rewind), chat messages, room favorites, moderator promotions, ban records, and the configuration of any bots installed in a room. Bot and moderator actions (message deletions, kicks, bans, slow-mode triggers) are written to an audit log with the target account id, action kind, and timestamp; that log is visible to room owners and moderators.

Playlists and themes

Playlists, the tracks they contain, and custom themes. Playlists and themes marked public are visible to anyone who can reach the Service and may be cloned by other accounts; private playlists and themes are visible only to their owner.

Direct messages and friends

The friends list, friend requests, and block relationships are managed through the membership processor named below. One-to-one direct messages are end-to-end encrypted: they are encrypted on your device (a Signal-style Double Ratchet) and the operator relays only ciphertext, so we cannot read their contents and cannot disclose their contents even if compelled.

Room chat is end-to-end encrypted (a Megolm group session) among the room's participants. If a room has a moderation bot, that bot is one of the participants and can read the room's messages so it can moderate; because the bot runs on our servers, the operator can read that room's chat. A room without a bot is not readable by the operator. The room indicates when a bot is present.

When you block a user, their device is excluded from your message key and a fresh key is issued, so they cannot read your subsequent messages (and you will not see theirs). If you enable “only friends can read my room messages,” only your friends' devices receive your message key, so non-friends in the room cannot read your messages and you will not see theirs.

End-to-end encryption protects message content, not metadata: we still necessarily know who messages whom and when, room membership, and timing. If you need to hide that metadata from the operator, use a tool designed for it (Signal, Briar). Messages that predate end-to-end encryption, and any room chat handled by a bot, remain operator-readable as described above.

Anonymized presence

If you enable “only friends can see I'm in a room,” non-friends never receive your handle, avatar, or account id on any room surface (the listener list, chat author, booth, DJ slot, queue, play history, vote markers, and the moderation lists). Instead they see a random alias that is stable inside a single room and different in every other room, so they cannot link your activity across rooms by name. You likewise see all non-friends under aliases. Friends always see you normally. A room owner or moderator who is not your friend also sees only your alias; they can still remove you, because the action is resolved to your account on our servers without revealing your identity to them.

This hides your identity, not your activity. What you play, when you are active, your typing and join/leave timing, and the fact that some anonymous person is present remain observable to others in the room. A friend can still state who you are. In rooms with end-to-end encrypted chat, hiding your presence also means non-friends do not receive your messages at all (your message key is shared only with friends and any moderation bot), because delivering the key would necessarily reveal your account to them. This feature reduces the chance of being identified by a hostile observer; it is not a guarantee of anonymity against a determined adversary with other means.

A stronger setting, “hide my account from non-friends,” extends this beyond rooms: non-friends cannot open your public profile or find you by handle in search, and it turns on anonymized presence as well. Friends are unaffected, and you can turn it off at any time.

Listening history

Per-room history of tracks that have played, including the source, track id, title, artist, artwork, start and end times, the account that DJ'd the track, and aggregate vote counts. This history is used to populate the in-app history view and to influence the autoplay fallback when a queue runs dry.

Track metadata cache

For each track that has been played, the Service computes and stores a small set of derived properties (tempo, musical key, energy curve, normalized tags, and genre). This cache is keyed by source and track id and is shared across all rooms and accounts; it does not contain user-identifying information. Refresh and deletion rules for cached YouTube data are described under YouTube data caching.

Cookies and local storage

Cookies

  • ory_session_*: authentication session, issued by Ory Kratos. HTTP-only, SameSite=Lax. Lifetime up to 30 days.
  • csrf_token_*: cross-site request forgery protection, issued by Ory Kratos for self-service flows.

The Service sets no advertising, analytics, or cross-site tracking cookies. Embedded YouTube and SoundCloud iframes may set their own cookies; see third parties and processors.

Local storage

The Service stores the following keys in the browser's local storage. Local storage data is not transmitted to the server and can be cleared by the browser's site-data controls.

  • reibu:preferences:*: interface preferences (panel sizes, popout positions, player layout, volume, equalizer, playback speed, duration-display mode).
  • reibu:notifications:<userId>: up to 50 recent notification entries (friend requests, room invites).
  • reibu:notifications-seen:<userId>: last-seen timestamps used to compute the unread badge.
  • reibu:hotkeys: custom keyboard-shortcut overrides.
  • NEXT_INTL_LOCALE, theme-mode: locale and theme-mode fallbacks for first paint.

The Service stores your end-to-end-encryption keys (your device's identity key and message-session keys) in the browser's IndexedDB. These keys never leave your device and are not transmitted to the server. Clearing site data deletes them; you can restore message history on a new device from your encrypted backup using your recovery key. The backup is encrypted on your device under that recovery key, which the operator never receives, so the operator cannot read the backup. The Service uses no service-worker storage.

In transit and at rest

Traffic between the browser and the Service is served over HTTPS, including the real-time event streams used to deliver chat, presence, and playback updates. Embedded YouTube and SoundCloud players contact those services directly, also over HTTPS, but on connections the Service does not control.

Direct messages and room chat are end-to-end encrypted: the database stores only ciphertext the operator cannot decrypt. The exceptions are messages that predate end-to-end encryption and room chat handled by a moderation bot, which are encrypted at rest with AES-256-GCM under a key held by the operator and decrypted on demand. All other database columns (handles, room names, playlist titles, vote tallies, timestamps, metadata for room-invite cards, and so on) are stored in plaintext at the Postgres layer and rely on the hosting provider's disk-level encryption only.

What is not collected

  • No third-party advertising or analytics trackers.
  • No payment information; the Service is free.
  • No sale, rental, or sharing of personal data with marketers or data brokers.
  • No transmission of chat or direct-message bodies to error reporting. When Sentry is configured, only exception stack traces and minimal request context (path, status, release tag) are reported.

Third parties and processors

  • YouTube: video and audio playback uses the YouTube IFrame Player. When an embed loads, the browser contacts YouTube directly, and YouTube receives the request IP address, the User-Agent string, and any cookies the browser has for the YouTube domain. Server-side search calls send only the search query and an API key. Use of the YouTube embed is subject to the YouTube Terms of Service and the Google Privacy Policy.
  • SoundCloud: audio playback uses the SoundCloud Widget. The same iframe data flow applies. Server-side search uses the SoundCloud public API with a client-credentials token.
  • Ory Kratos (self-hosted on Railway): identity service. Holds email, password hash, verification and recovery state, and any linked third-party identifiers.
  • Junjo: membership processor used for groups, invitations, passcodes, friend graphs, and bans. Receives account ids and the group ids those accounts belong to.
  • Resend (production deployments only): transactional email delivery for sign-up verification, password recovery, and one-time-code login. Messages are routed through Kratos's courier configuration.
  • Railway: application and database hosting. Receives the same request traffic the Service does and retains standard infrastructure logs.
  • Sentry (when configured): error reporting. Receives exception traces, release tags, and minimal request context. Source maps are uploaded at build time and stripped from the deployed bundle.

YouTube data caching

Cached metadata derived from the YouTube Data API (titles, channel names, thumbnails, durations, and the derived audio properties listed under track metadata cache) is refreshed or removed on a rolling thirty-day window so that stored data does not drift from the source. When a source video is no longer accessible on YouTube (removed, made private, or regionally restricted such that it cannot be fetched), the cached row is deleted and any user-owned copies in queues, playlists, and history are flagged as unavailable in the interface. Requests to remove specific cached tracks can be sent to gabecurran01@gmail.com.

Server logs and IP addresses

The hosting provider receives the IP address, User-Agent, and request line of every request and retains standard infrastructure logs on its own retention schedule (typically around 30 days). The application emits additional diagnostic lines tagged [reibu.*] for playback and connection issues. Those lines may include an account handle and the room id involved; they do not contain chat or direct-message bodies.

Avatar uploads

Avatars are resized to 256×256 WebP at upload time and written to the application server's local filesystem. In the current deployment that filesystem is ephemeral: avatar files may be lost when the server is redeployed and will need to be re-uploaded. A future migration to persistent object storage will remove this limitation.

Data retention and deletion

Account, profile, room, playlist, theme, chat, direct-message, queue, vote, and friendship records persist until the account is deleted. Closing an account removes the account row and cascades to owned rooms, playlists, themes, queue items, votes, chat messages, direct messages sent by the account, and Junjo membership state. Aggregate listening history may be retained in a form that does not identify the account (for example, anonymous track-level play counts that feed the autoplay scorer). The shared track metadata cache is not deleted with an account, since it does not contain user-identifying information.

An account can be deleted at any time, without contacting anyone, from Preferences → Danger zone → Delete account. Deletion is immediate and permanent: it removes the Ory identity (email, password hash, two-factor secrets, and any linked sign-in providers) and the account row, which cascades to owned rooms, chat messages, direct messages sent by the account, queue items, votes, playlists, themes, and presence. Data export requests can still be sent to gabecurran01@gmail.com from the address on file. Requests are honored within a reasonable period; there is no formal service-level agreement.

Children

The Service is not directed to children. Accounts may only be created by people who are at least 13 years old, or the minimum age required by their local law where higher. Accounts found to belong to children below that age will be removed.

Changes to this policy

This policy may change. The “Last updated” date at the top reflects the most recent revision. Material changes will be surfaced in the application before they take effect.

Contact

Privacy questions, data export requests, deletion requests, and takedown requests can be sent to gabecurran01@gmail.com.