Privacy Policy - MYO Magic

Effective April 17, 2026

MYO Magic is a personal project built and maintained by me, Carissa Allen. This Privacy Policy explains how your information is handled when you use the MYO Magic app at yotomyomagic.com. I want to be transparent about what data is collected, how it's used, and how it's protected.

1. Information I Collect

Account Information: When you log in through Yoto, I receive your Yoto user ID to associate your session with your playlists. I never see or store your Yoto password. During login, MYO Magic requests only the Yoto API permissions it needs to provide its features:

• user:content:manage — Create, edit, and delete MYO playlists; upload audio files and cover images
• user:icons:manage — Browse the icon library and upload custom icons for your playlist tracks
• family:library:manage — Organize your cards into groups (create, rename, and delete groups)
• family:devices:view — Display your connected Yoto players
• family:device-status:view — Show player details like battery level and online status
• offline_access — Keep your session active so you don't have to log in again for each visit

Google Account Information: If you choose to connect your Google Drive, I receive your Google email address and OAuth tokens (access and refresh tokens) through Google's standard OAuth 2.0 flow. These tokens are stored in your encrypted session and are not saved to a database or shared with anyone.

Google Drive Data: When you use the Google Drive import feature, MYO Magic accesses your Google Drive in read-only mode to:

• List folders and files you navigate to within the app
• Download audio files and ZIP archives that you explicitly select for import
• Display your Google account email so you can see which account is connected

I only access files you select or navigate to. MYO Magic does not scan, index, or access your entire Drive. Selected files are temporarily streamed through the server to process your import, then stored in temporary cloud storage until your import job completes, after which they are deleted.

Uploaded Files: Audio files you upload (directly or from Google Drive) are temporarily stored in Google Cloud Storage to process your MYO card import. These temporary files are automatically cleaned up after processing.

Contact Form: If you reach out through the contact form on yotostorylab.com, I receive the name, email, and message you provide. This information is sent to me via email and is not stored in a database.

2. How Your Information Is Used

• To provide the app's core features: importing audio and image files, creating and managing MYO playlists
• To authenticate your session with Yoto and (optionally) Google Drive
• To respond to your messages through the contact form

3. Google Drive Integration

MYO Magic's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

• MYO Magic only requests the drive.readonly scope, which provides read-only access to your Google Drive files
• Only the files and folders you explicitly select or navigate to are accessed
• Your Google Drive data is never used for advertising, market research, or any purpose unrelated to providing the app
• Your Google Drive data is never shared with third parties
• Your Google OAuth tokens are stored only in your encrypted browser session and are never persisted to a database
• You can disconnect your Google Drive at any time from within the app, which immediately removes your tokens from your session

4. Data Sharing

I do not sell, rent, or share your personal information with third parties, except as needed to make the app work:

• Yoto: MYO Magic interacts with the Yoto API on your behalf to manage your MYO cards and playlists, using the credentials you provide
• Google: Google Cloud Platform services (Cloud Storage, Cloud Tasks) are used to process your file imports. Google processes this data according to their own privacy policies
• Infrastructure Providers: Google Cloud Platform and Cloudflare are used to host and operate the app

5. Data Retention

• Session Data: Your session (including Google OAuth tokens) expires automatically and is not permanently stored
• Temporary Files: Uploaded and imported audio files are stored temporarily during processing and are automatically deleted afterward
• No User Database: MYO Magic does not maintain a user database or store long-term user profiles

6. Data Security

I use industry-standard security measures to protect your data, including:

• HTTPS encryption for all data in transit
• Encrypted session storage for authentication tokens
• Security headers (CSP, HSTS, X-Frame-Options) on all responses
• Google Cloud Platform's built-in security for data at rest

7. Your Rights and Choices

• You can disconnect your Google Drive at any time from within the app
• You can revoke MYO Magic's access to your Google account at any time through your Google Account permissions
• You can stop using the app at any time — since there are no user accounts, no deletion request is necessary

8. Children's Privacy

MYO Magic is intended for parents, teachers, and other adults who own a Yoto player. I do not knowingly collect personal information from children under 13. If you believe a child has provided personal information, please get in touch.

9. Changes to This Policy

I may update this Privacy Policy from time to time. Changes will be posted on this page with an updated effective date. Your continued use of MYO Magic after changes constitutes acceptance of the updated policy.

10. Contact

If you have questions about this Privacy Policy or how your data is handled, please reach out through the Contact page or email me at hello@yotostorylab.com.