Last updated 2026-05-30
Privacy policy
This policy covers two distinct services operated by Trimplayer: the PortCast spec site at portcast.org and the PortCast Spotify export service at import.portcast.org. They handle data very differently, so each is described on its own.
1. portcast.org — the spec site
portcast.org is a static documentation site describing
the PortCast protocol. It does not require an account, does not
accept user input, and does not collect personal information.
The site loads Google Analytics 4
(measurement ID G-F72L90KQPR) for aggregate traffic
statistics. Google may set cookies and process IP-address-based
location data under
Google’s
privacy policy. You can opt out by blocking analytics in
your browser or installing the
Google Analytics
opt-out add-on.
No other third-party scripts run on portcast.org.
2. import.portcast.org — the Spotify export service
import.portcast.org is a stateless service that takes
a listener’s Spotify library and returns it as a
.portcast.json download. It exists as a reference
implementation of the PortCast protocol — you can read its
source on
GitHub.
What data we access
When you click Connect Spotify, you are redirected to Spotify’s authorization screen. If you approve, we request the following scopes only:
user-library-read— your followed shows and saved episodes.user-read-playback-position— the resume position Spotify records for your saved episodes.user-read-email,user-read-private— your Spotify display name and email, written to theownerfield of the export so the file is self-identifying when you re-import it elsewhere.
What we do with the data
We use the access token Spotify issues to call the Spotify Web API and fetch the data above once. We assemble it into a PortCast document and return it to you as a file download.
We do not store the data on disk, in a database, or in any backup. There is no user account, no server-side history, and nothing to delete — once the response is sent, the data exists only in your downloaded file. The PortCast export service has no database.
Cookies
To complete the OAuth round-trip we set two short-lived cookies on
import.portcast.org, both
HttpOnly, Secure, and
SameSite=Lax:
pc_state— a signed anti-CSRF state value valid for 10 minutes, used to verify the redirect coming back from Spotify.pc_tok— a signed cookie carrying your Spotify access token from the OAuth callback to the export step, valid for 5 minutes and cleared the moment the export response is generated.
Both cookies are cryptographically signed with a server-side
secret. We use no analytics cookies or third-party trackers on
import.portcast.org.
Third parties
The only third party involved is Spotify (the source of the data you are exporting). Your use of the Spotify authorization flow is governed by Spotify’s privacy policy and terms of use. We do not share your Spotify data with any party other than you.
Revoking access
You can revoke our app’s access to your Spotify account at any time from your Spotify account’s connected-apps page. Because we hold no long-lived token, revocation takes effect immediately the next time you would otherwise return to the service.
3. Hosting and jurisdiction
Both services are operated by Trimplayer. The static site at
portcast.org is served by GitHub Pages. The
export service at import.portcast.org runs on
infrastructure hosted by Amazon Web Services in the United States.
4. Changes to this policy
We will update this page if the data flows above change. Material changes will be reflected in the “Last updated” date at the top of this page.
5. Contact
Questions or concerns about privacy can be sent to trimplayerapp@gmail.com.