Privacy

Last updated: 26 April 2026

1-bit-bridge is a companion server you install on your own machine and pair with the 1-bit iOS music player. It does not phone home. It collects no analytics. It has no user account. This page explains what it stores on your machine, what it sends out, and what it doesn't.

This policy is open-source. It lives next to the code in the public repo at docs/privacy.html — every revision is in git log. If something here doesn't match what the binary does, that's a bug; please open an issue.

Regulatory note

1-bit-bridge collects no personal data. This design inherently complies with the GDPR (EU), the Swiss Federal Act on Data Protection (FADP), and the CCPA (California). There is no data subject access request to file, because there is no data.

What 1-bit-bridge is and where it runs

The bridge is a Go binary that runs as a background service on your machine — under launchd on macOS, systemd on Linux, or as a Windows Service. It indexes a music library you point it at, and serves it to a paired 1-bit iOS device over HTTPS. Everything happens between your machine and your phone; no acoseac-controlled server is involved.

Data stored on your machine

By default under ~/Library/Application Support/1-bit-bridge/ (macOS), ~/.config/1-bit-bridge/ (Linux), or %LOCALAPPDATA%\1-bit-bridge\ (Windows):

bridge.yaml — configuration: library paths, listen addresses, scan interval, backup schedule, update-check toggle.
bridge.db — SQLite manifest of your library: file paths, sizes, mtimes, parsed tag metadata (title, artist, album, year, sample rate, MusicBrainz IDs when enrichment finds them). Used to serve the manifest to the iOS app in a single request instead of re-scanning every connect.
tokens.json — paired-device tokens. Raw tokens are never stored; only their SHA-256 hashes, plus a device name, creation date, last-used timestamp, and last-reported client version. File permissions 0600 (owner-only).
server.crt / server.key — self-signed TLS keypair generated on first run. The certificate's SHA-256 fingerprint is what the iOS app pins.
artwork/ — JPEG cache for album covers and artist photos fetched during enrichment.
backups/<timestamp>/ — optional dated snapshots of the above. Operator-tunable in bridge.yaml; can be set to 0 to disable.

Logs (errors and startup messages) go to your service manager — journalctl / log show / %PROGRAMDATA%\1-bit-bridge\bridge.log on Windows. Bearer tokens, client IP addresses, full file paths, request bodies, and artist names are not logged.

What the bridge sends to your iOS app

Every /v1/* endpoint requires the bearer token issued at pairing, served over TLS pinned to the server's certificate fingerprint. The one exception is /v1/health, which is unauthenticated so the iOS app can probe it during pairing. The admin web console at http://127.0.0.1:7789/ binds loopback-only — it is not reachable from the network.

On the wire to the iOS app: directory listings, file metadata (size, mtime), byte ranges of music files, the full manifest, and cached artwork. No transcoding — the bridge delivers bytes exactly as they sit on your disk.

What the bridge sends to the internet

If you enable metadata enrichment, the bridge looks up missing album / artist information from public APIs. For each lookup, the bridge sends the artist name (or release MBID) only. No user identifier, no library inventory, no IP address you control — just the standard HTTPS request that any browser would make.

MusicBrainz — https://musicbrainz.org/ws/2/release/?query=…. Sends artist name + album title. Receives release IDs. MusicBrainz data is CC0.
Cover Art Archive — https://coverartarchive.org/release/<mbid>/front-…. Sends a release ID in the URL path; receives a JPEG. Cached locally.
Deezer public API — https://api.deezer.com/search/artist?q=…. Sends artist name; receives artist photo URL (then fetched from Deezer's CDN). Deezer privacy.
iTunes Search API — https://itunes.apple.com/search?term=…. Last-resort fallback for cover art when the others miss. Sends artist + album.

All four are rate-limited server-side and can be disabled by removing the corresponding section from bridge.yaml (or by running with --no-enrich).

Update check

The bridge polls https://api.github.com/repos/acoseac/1-bit-bridge/releases/latest every six hours to discover new releases. The poll is unauthenticated, sends no device identifier, no library statistics, no usage data — just a standard GET that any unauthenticated GitHub API client would make.

As with any standard HTTPS request, GitHub will see the source IP address of the bridge machine. We do not see it, and the request carries no other identifier tying it to you. update.checkIntervalHours in bridge.yaml tunes the cadence (values below 1 hour are clamped at 1 hour; 0 resolves to the 6-hour default rather than disabling the poll). To stop the bridge from making any outbound requests at all, stop the service or block its egress at your firewall — operators running over Tor, a VPN, or Tailscale tend to do the latter for everything except their tunnel anyway.

Pairing & tokens

Pairing happens entirely between your machine and the iOS app. The admin console generates a 256-bit random token, shows it to you once (as a bridge://pair?… URL or QR code), and persists only its SHA-256 hash. The raw token never touches disk on the server. From the admin console you can rename, rotate, or revoke any paired device at any time; revoked tokens fail the very next request.

What we do not do

No telemetry, no analytics, no usage reporting.
No crash reporting to acoseac infrastructure.
No advertising, no third-party trackers, no ad identifiers.
No transcoding (the bridge is bit-exact by mission).
No user account; no acoseac-operated server you connect to.
No data sold, shared, or disclosed to third parties.
No knowingly-collected data from children.

Your rights

Because the bridge collects no personal data, there is nothing for us to access, correct, or delete. To remove all bridge state, stop the service and delete the data directory listed above.

Security

Vulnerabilities go through the process documented in SECURITY.md — GitHub's private security advisory flow, or support@ars.md with [1-bit-bridge-security] in the subject.

Changes to this policy

If this policy changes, the updated version replaces this page with a new "Last updated" date. Because the file lives in the public repo, every previous version is in git log at commits/main/docs/privacy.html.

Contact

support@ars.md