undefined - Rewind

Last updated:

1. Overview

Rewind is a personal data aggregation service. This policy explains what data is collected, how it is stored, and how it is used.

2. Data We Collect

Rewind syncs data from third-party services on behalf of the account owner. This includes:

Listening data from Last.fm (scrobbles, artist/album metadata)
Running data from Strava (activities, splits, gear, personal records)
Watching data from Plex and Letterboxd (watch history, ratings, reviews)
Collecting data from Discogs and Trakt (collection items, wantlist)
Reading data from Instapaper (articles, highlights, reading progress)

3. How Data is Stored

All data is stored in Cloudflare D1 (SQLite) databases. Images are stored in Cloudflare R2 object storage. All data is associated with a user ID and is not shared between users.

4. How Data is Used

Data is used solely to power the Rewind API. We do not sell, share, or transfer your data to third parties. Data is only accessible via authenticated API requests using your API key.

5. Third-Party Services

Rewind connects to third-party APIs (Last.fm, Strava, Plex, Letterboxd, Discogs, Trakt, Instapaper, TMDB) to sync data. Your use of those services is governed by their respective privacy policies.

5a. MCP Connector (Claude Integration)

Rewind provides an MCP (Model Context Protocol) server that allows Claude (by Anthropic) to access your Rewind data. When you connect Claude to Rewind:

Authentication: You authenticate via GitHub OAuth. Rewind does not store your GitHub password. We receive a GitHub user ID which is mapped to your Rewind account.
Data accessed: Claude can read your listening, running, watching, collecting, and reading data through the Rewind API. All access is read-only.
Data transmitted to Anthropic: When you use Claude with the Rewind connector, your data is sent to Anthropic’s servers as part of tool call results. Anthropic’s handling of this data is governed by Anthropic’s privacy policy and your Claude plan terms.
OAuth tokens: Access tokens (1 hour) and refresh tokens (90 days, sliding) are stored encrypted in Cloudflare KV. Tokens are hashed before storage and are automatically deleted upon expiration or when you disconnect the integration.
No additional data collection: The MCP server is a stateless passthrough. It does not log, store, or analyze your queries or the data returned to Claude beyond what is necessary for the OAuth token lifecycle.
Disconnecting: You can disconnect the Rewind connector from Claude at any time via Claude’s settings. This removes Anthropic’s stored tokens. Server-side tokens expire naturally or can be revoked by contacting us.

6. Data Retention

Data is retained indefinitely unless you request deletion. You can export all your data at any time via the API’s export endpoints.

7. Security

API access is protected by API keys. Keys are hashed using SHA-256 before storage. The raw key is only shown once at creation time and cannot be retrieved.

8. Changes to This Policy

We may update this policy from time to time. Changes will be reflected by updating the “Last updated” date above.

9. Contact

Questions about this policy? Contact Pat Dugan.