GDPR Article 15 Information

Below you will find the information you are entitled to about the processing of your personal data under Article 15 of the General Data Protection Regulation (‘GDPR’). This information is meant to supplement, and be read in conjunction with, your downloaded personal data, to help you understand the personal data processing specific to your particular use of the Spotify Service. If you have not yet requested a copy of your personal data, please see section ‘Obtaining a copy of your personal data’ for how to do so.

Confirmation as to whether or not personal data about you is being processed

When you use the Spotify service under our free or paid options (each a ‘Service Option’ and collectively called the ‘Spotify Service’), we process your personal data as described below.

Purposes of the processing of your personal data

The table below sets out:

  • our purpose for processing your personal data
  • categories of personal data which we use for each purpose (see more about these categories in section 'Categories of personal data' below)

If you also would like to see the legal basis applicable to each purpose of processing, please see the table in section 4 of our Privacy Policy.

Purpose for processing your data

Categories of personal data used for the purpose

To provide the Spotify Service.

  • User Data
  • Street Address Data
  • Usage Data
  • Voice Data
  • Payment and Purchase Data

To understand, diagnose, troubleshoot, and fix issues with the Spotify Service.

  • User Data
  • Usage Data

To evaluate and develop new features, technologies, and improvements to the Spotify Service.

  • User Data
  • Usage Data
  • Voice Data

For marketing, promotion and advertising purposes.

  • User Data
  • Usage Data
  • Survey and Research Data

To comply with a legal obligation that we are subject to.

This might be:

  • an obligation under the law of the country / region you are in
  • Swedish law (because of our headquarters in Sweden), or
  • EU law that applies to us

  • User Data
  • Street Address Data
  • Usage Data
  • Voice Data
  • Payment and Purchase Data
  • Survey and Research Data

To comply with a request from law enforcement.

This will only apply when a competent law enforcement authority contacts us. These include the police, the courts or prisons.


  • User Data
  • Street Address Data
  • Usage Data
  • Voice Data
  • Payment and Purchase Data
  • Survey and Research Data

To fulfill contractual obligations with third parties. For example, our agreements with owners of content on the Spotify Service.

  • User Data
  • Usage Data
  • Voice Data
  • Payment and Purchase Data

To take appropriate action with reports of intellectual property infringement and inappropriate content.

  • User Data
  • Usage Data
  • Voice Data
  • Payment and Purchase Data

To establish, exercise, or defend legal claims.

  • User Data
  • Street Address Data
  • Usage Data
  • Voice Data
  • Payment and Purchase Data
  • Survey and Research Data

To conduct business planning, reporting, and forecasting.

  • User Data
  • Usage Data
  • Payment and Purchase Data

To process your payment.

  • User Data
  • Payment and Purchase Data

To detect and prevent fraud. For example, fraudulent payments and fraudulent use of the Spotify Service.

  • User Data
  • Street Address Data
  • Usage Data
  • Payment and Purchase Data

To conduct research and surveys.

  • User Data
  • Usage Data
  • Voice Data
  • Survey and Research Data

Categories of personal data

The table below describes the categories of personal data we process and use. As detailed below, the collection and processing of some personal data is dependent on your Service Option (e.g. Free or Premium) and the features you choose to use (such as creating a playlist or turning on a voice feature). If you are unsure about which of the described data has been processed in your particular use of the Spotify Service, please see your personal data download to understand the specific data items we have collected and processed in your case or contact us.

Category

Description

User Data

Personal data that we need to create your Spotify account and that enables you to use the Spotify Service. The type of data collected and used depends on the type of Service Option you have, how you create your account, the country you are in, and if you use third party services to sign in. This may include your:

  • profile name
  • email address
  • phone number
  • date of birth
  • gender
  • street address (see further details below)
  • country

We receive some of this data from you from the sign up form or account page.

We also collect some of this data from your device e.g. country or region. For more information about how we collect and use this data, see ‘Your general (non-precise) location’ in the Usage Data category.

Street Address Data

If your Street Address Data is included in your downloaded data, we process it for the following reasons:

  • to check eligibility for a Service Option
  • to deliver notices which are required by law
  • to deliver support options
  • for billing and tax administration
  • to deliver physical goods or gifts which you have requested

In some cases, we may use a third party application to help you verify your address, such as Google Maps.

Usage Data

Personal data processed about you when you’re accessing or using the Spotify Service.

This includes a few types of information, listed in the following sections, which you will also find if you download your data.

Information about how you use Spotify

Examples include:

  • information about your Spotify Service Option
  • your actions with the Spotify Service (including date and time), such as:
    • search queries
    • streaming history
    • playlists you create
    • your library
    • browsing history
    • account settings
    • interactions with other Spotify users
    • your use of third party services, devices and applications in connection with the Spotify Service
  • inferences (i.e., our understanding) of your interests and preferences based on your usage of the Spotify Service
  • content you provide when participating in Spotify promotions, such as contests or sweepstakes
  • content you post to any part of the Spotify Service. For example: images, audio, text, titles, descriptions, communications, and other types of content

Your technical data

Examples include:

  • URL information
  • online identifiers such as cookie data and IP addresses
  • information about the devices you use such as:
    • device IDs
    • network connection type (e.g. wifi, 4G, LTE, Bluetooth)
    • provider
    • network and device performance
    • browser type
    • language
    • information enabling digital rights management
    • operating system
    • Spotify application version
  • information which enables us to discover and connect with third party devices and applications. Examples of this information are the device name, device identifiers, brand and version. Examples of third party devices and applications are:
    • devices on your wifi network (such as speakers) which can connect to the Spotify Service
    • devices made available by your operating system when connecting via Bluetooth, plugin, and installation
    • Spotify partner applications to determine whether the application is installed on your device

Your general (non-precise) location

Your general location includes country, region or state. We may learn this from technical data (e.g. your IP address, language setting of your device) or payment currency.

We need this to:

  • meet geographic requirements in our agreements with the owners of content on the Spotify Service
  • deliver content and advertising that’s relevant to you

Your device sensor data

Motion-generated or orientation-generated mobile sensor data (e.g. accelerometer or gyroscope) if needed to provide features of the Spotify Service that require this data.

Voice Data

If voice features are available in your market and where you’ve chosen to use a voice feature, we collect and process voice data. Voice data means audio recordings of your voice and transcripts of those recordings.

For more information on how different voice features work, and how you can control and turn them off, see our Voice Control Policy.

Payment and Purchase Data

If you make any purchases from Spotify or sign up for a trial, we process your payment data. This includes if you buy a paid Service Option.

The exact personal data collected and used will vary depending on the payment method. It will include information such as:

  • name
  • date of birth
  • payment method type (e.g. credit or debit card)
  • if using a debit or credit card, the card type, expiration date, and certain digits of your card number (Note: For security, we never store your full card number)
  • ZIP/postal code
  • mobile phone number
  • details of your purchase and payment history

Survey and Research Data

If you have responded to a survey or taken part in user research, we collect and use the personal data you have provided.

Categories of recipients to whom the personal data may be disclosed

This section sets out the categories of recipients of the personal data collected or generated through your use of the Spotify Service.

Publicly available information

The following personal data will always be publicly available on the Spotify Service:

  • your profile name
  • your profile photo
  • your public playlists
  • other content you post on the Spotify Service, and any associated titles, descriptions and images
  • who you follow on the Spotify Service
  • who follows you on the Spotify Service (you can block followers)

You or another user can share certain publicly available information on third party services, like social media or messaging platforms. This includes:

  • your profile
  • any content you post on Spotify and details about that content
  • your public playlists

When this sharing occurs, the third party service may store a copy of it to support their features.

Personal data you may choose to share

We will only share the following personal data with those outlined in the table below:

  • where we need to share personal data for the use of a Spotify Service feature, or a third party application, service or device, which you have chosen to use, or
  • if you otherwise grant us your permission to share the personal data. For example, you can do it by selecting the appropriate setting in the Spotify Service or by giving your consent

Categories of recipients

Categories of data you can choose to share

Reason for sharing

Third party applications, services and devices you connect to your Spotify Account

  • User Data
  • Usage Data

To connect your Spotify account, or allow you to use the Spotify Service in connection with third party applications, services or devices.

Examples of such third party applications, services and devices include:

  • social media applications
  • speaker devices
  • televisions
  • automotive platforms
  • voice assistants

You can see and remove many third party connections under ‘Apps’ in your account.

Support community

  • User Data

To enable you to use the Spotify Support Community service.

When you register for an account on the Spotify Support Community, we’ll ask you to create a specific profile name. This will be publicly displayed to anyone who uses the Spotify Support Community. We’ll also display any questions or comments you post.

Other Spotify users

  • User Data
  • Usage Data
  • Voice Data

To share information about your use of the Spotify Service with other Spotify users, including your followers on Spotify.

For example, under ‘Social’ settings you can choose whether to share your recently played artists and your playlists on your profile. You can also choose to create or join a shared playlist with others that gives you social recommendations based on your listening activity.

Artists and record labels

  • User Data

To receive news or promotional offers from artists, record labels or other partners.

You may choose to share your User Data for this purpose. You’ll always have the option to change your mind and withdraw your consent at any time.

Information we may share

See this table for details of who we share with and why.

Categories of recipients

Categories of data

Reason for sharing

Service providers

  • User Data
  • Street Address Data
  • Usage Data
  • Voice Data
  • Payment and Purchase Data
  • Survey and Research Data

So they can provide their services to Spotify.

These service providers include those we hire to:

  • give customer support
  • operate the technical infrastructure we need to provide the Spotify Service
  • assist in protecting and securing our systems and services (e.g. Google’s reCAPTCHA)
  • help market Spotify’s (and our partners’) products, services, events and promotions

Payment partners

  • User Data
  • Payment and Purchase Data

So they can process your payments, and for anti-fraud purposes.

Advertising partners

  • User Data
  • Usage Data

So they can help us deliver more relevant advertising to you on the Spotify Service, and help measure the effectiveness of ads.

For example, our ad partners help us facilitate tailored advertising.

What is tailored advertising?

  • This is when we use third party information to tailor ads to be more relevant to you. This is also known as interest based advertising.
  • An example of a tailored ad is when an ad partner has information suggesting you like cars. This could enable us to show you ads about cars.

How to control tailored advertising:

  • You can control tailored advertising in your account Privacy Settings under ‘Tailored Ads’.
  • You can also control tailored advertising for some podcasts using the link in the episode’s show description. This applies where the content provider is funding their podcast by inserting either tailored advertising or content-based advertising into the podcast itself. These controls are managed by the hosting provider for the podcast, which might not be Spotify.

If you are ‘opted out’ of Tailored Ads in your Privacy Settings, you may still get advertising on ad-supported services (e.g. podcasts or the Free Service Option). Such advertising is based on your registration information and the content you are currently streaming on our services. For example, if you are listening to a cooking podcast, you may hear an ad for a food processor.

Marketing Partners

  • User Data
  • Usage Data

To promote Spotify with our partners. We share certain User Data and Usage Data with these partners where necessary to:

  • enable you to participate in Spotify promotions, including trials or other bundled offers
  • promote Spotify in media and advertising published on other online services
  • help us and our partners to measure the effectiveness of Spotify promotions

Examples of partners include:

  • marketing or sponsorship partners
  • websites and mobile apps who sell us advertising space on their services
  • device, app and mobile partners who also offer Spotify promotions

Our partners may also combine the personal data we share with them with other data they collect about you, e.g. your use of their services. We and our partners may use this information to present you with offers, promotions, or other marketing activities that we believe will be relevant to you.

Hosting Platforms

  • Usage Data

Hosting platforms host podcasts so that they can be delivered to you. We share certain data, such as your IP address, with the hosting platforms when you play a podcast. Spotify owns two hosting platforms, Megaphone and Anchor. We also allow you to stream podcasts available from other hosting platforms not owned by Spotify.

Podcast providers should explain in the show or episode description which platform is hosting the podcast. Please see the hosting platform’s own privacy policy on how they use data shared with them.

Other partner sharing

  • User Data
  • Usage Data
  • Survey and Research Data

To help us understand and improve the performance of our products and partnerships.

You can see and remove many partner connections under ‘Apps’ in your account.

Academic researchers

  • User Data
  • Usage Data

For activities such as statistical analysis and academic study, but only in a pseudonymised format. Pseudonymised data is where your data is identified by a code rather than your name or other information that directly identifies you.

Spotify Measurement Companies

  • User Data
  • Usage Data

We share data with the following Spotify companies in order to measure the effectiveness of ad campaigns that run on the Spotify Service:

  • In Defense of Growth Incorporated d/b/a Podsights
  • Chartable Holding, Inc.

Other Spotify group companies

  • User Data
  • Street Address Data
  • Usage Data
  • Voice Data
  • Payment and Purchase Data
  • Survey and Research Data

To carry out our daily business operations and so we can maintain and provide the Spotify Service to you.

Law enforcement and other authorities

  • User Data
  • Usage Data

When we believe in good faith it’s necessary for us to do so, for example:

  • to comply with a legal obligation
  • to respond to a valid legal process (such as a search warrant, court order, or subpoena)
  • for our own or a third party’s justifiable interest, relating to:
    • national security
    • law enforcement
    • litigation (a court case)
    • criminal investigation
    • protecting someone’s safety
    • preventing death or imminent bodily harm.

Purchasers of our business

  • User Data
  • Street Address Data
  • Usage Data
  • Voice Data
  • Payment and Purchase Data
  • Survey and Research Data

If we were to sell or negotiate to sell our business to a buyer or possible buyer.

In this case, we may transfer your personal data to a successor or affiliate as part of that transaction.

Criteria for the retention of personal data

We keep your personal data only as long as necessary to provide you with the Spotify Service and for Spotify’s legitimate and essential business purposes, such as:

  • maintaining the performance of the Spotify Service
  • making data-driven business decisions about new features and offerings
  • complying with our legal obligations
  • resolving disputes

Criteria used to determine the retention periods include:

  • How can we minimize the data retention period? Our systems are designed to age out personal data in 90 days, unless another period is selected for legitimate business reasons.
  • Do we need to keep data to ensure the service that users expect? We keep personal data for an appropriate period to deliver a personalized service to our users over time. We typically keep streaming history for the life of an account, for example, to provide retrospective playlists that users enjoy (e.g. Your Summer Rewind and the end-of-year Wrapped campaign) and personalized recommendations based on current listening habits.
  • Are users able to update or delete the data themselves? Where users are able to see and update the personal data themselves, we keep the information for as long as the user chooses. For example, we keep your Spotify email address and other profile information until you choose to change or delete it yourself.
  • Do we need to keep the data to uphold our rules and keep our service safe? To help ensure user safety, protect against harmful content on our platform, and take action with reports of intellectual property infringement, we may keep data that has been removed from the Spotify Service for a limited period of time. This helps us investigate potential breaches of our User Guidelines and Platform Rules.
  • Is Spotify subject to a legal or contractual obligation to keep or delete the data? Examples include mandatory data retention laws, government orders to preserve data relevant to an investigation or data kept for the purposes of litigation. Conversely, we will remove unlawful content if the law requires us to do so.

Your rights

Privacy laws, including the GDPR, give rights to individuals over their personal data.

Some rights only apply when Spotify uses a certain ‘legal basis’ to process your data. We explain each legal basis, and when Spotify uses each one, in section 4 of our Privacy Policy.

The table below explains:

  • your rights
  • circumstances when they apply (such as the legal basis required)
  • how to use them

It’s your right to...

How?

Be informed

Be informed of the personal data we process about you and how we process it.

We inform you:

  • through our Privacy Policy
  • through information provided to you as you use the Spotify Service and
  • by answering your specific questions and requests when you contact us

Access

Request access to the personal data we process about you.

To request a copy of your personal data from Spotify, either:

For additional information about what data you may request access to, see section ‘Obtaining a copy of your personal data’.

Rectification

Request that we amend or update your personal data where it’s inaccurate or incomplete.

You can edit your User Data under ‘Edit profile’ in your account or by contacting us.

Erasure

Request that we erase certain of your personal data.

For example, you can ask us to erase personal data:

  • that we no longer need for the purpose it was collected for
  • that we process based on the legal basis of consent, and you withdraw your consent
  • when you object (see section ‘Object’ below) and
    • you make a justified objection, or
    • you object to direct marketing

There are situations where Spotify is unable to delete your data, for example when:

  • it’s still necessary to process the data for the purpose we collected it for
  • Spotify’s interest in using the data overrides your interest in having it deleted. For example, where we need the data to protect our services from fraud
  • Spotify has a legal obligation to keep the data, or
  • Spotify needs the data to establish, exercise or defend legal claims. For example, if there’s an unresolved issue relating to your account

There are several ways you can erase personal data from Spotify:

  • you can remove audio content from your profile by selecting the relevant content and choosing to remove it. For example, you can remove playlists from your profile, or remove a track from your playlist
  • to request erasure of your other personal data from Spotify, follow the steps on our support page. This data includes your User Data, Usage Data and other data listed in section 3 of our Privacy Policy
  • you can also contact us directly to request erasure

Restriction

Request that we stop processing all or some of your personal data.

You can do this if:

  • your personal data is inaccurate
  • our processing is unlawful
  • we do not need your information for a specific purpose, or
  • you object to our processing and we are assessing your objection request. See section ‘Object’ below

You can request that we stop this processing temporarily or permanently.

You can exercise your right to restriction by contacting us.

Object

Object to us processing your personal data.

You can do this if:

  • Spotify is processing your personal data on the legal basis of legitimate interests, or
  • Spotify is processing your personal data for direct marketing

To exercise your right to object:

  • you can use controls on Spotify Service to switch off or adjust some features which process your personal data. For example, you can switch off ‘Tailored Ads’ in your Privacy Settings
  • where Spotify does not provide a control, contact us to object

Data portability

Request a copy of your personal data in electronic format and the right to transmit that personal data for use in another party’s service.

You can request us to transmit your data when we are processing your personal data on the legal basis of consent or performance of contract. However, Spotify will try to honour any request to the extent possible.

For information about how to exercise the right to portability, please see ‘Access’ above.

Not be subject to automated decision making

Not be subject to a decision based solely on automated decision making (decisions without human involvement), including profiling, where the decision would have a legal effect on you or produce a similarly significant effect.

Spotify does not carry out this type of automated decision making in the Spotify Service.

Withdrawal of consent

Withdraw your consent to us collecting or using your personal data.

You can do this if Spotify is processing your personal data on the legal basis of consent.


To withdraw your consent, you can:

Right to lodge a complaint

Contact the Swedish Authority for Privacy Protection or your local data protection authority about any questions or concerns.

You can find the Swedish Authority’s details here, or go to the website of your local data protection authority.

Information regarding the source of the personal data

In addition to the data we collect from you when you sign up for the Spotify Service, update your account, or throughout your use of the Spotify Service, we may collect certain data from other (‘third party’) sources. The table below sets out the categories of the third parties and a description of them.

Categories of third parties

Description

Authentication partners

If you register for or log into our services using another service, we’ll receive your information from them to help create your account with us.

Third party applications, services and devices you connect to your Spotify account

If you connect your Spotify account to a third party application, service or devices, we may collect and use certain information from them to make the integration possible.

These third party apps, services or devices may include:

  • social media
  • devices including:
    • audio (e.g. speakers and headphones)
    • smart watches
    • televisions
    • mobile phones and tablets
    • automotive (e.g. cars)
    • games consoles
  • services or platforms such as voice assistants

We’ll ask your permission before we collect your information from certain third parties.

Technical service partners

We work with technical service partners that give us certain data. This includes mapping IP addresses to non-precise location data (e.g., country or region, city, state).

This makes it possible for Spotify to provide the Spotify Service, content, and features.

Payment partners and Merchants

If you choose to pay through third parties (e.g. telco carriers) or by invoice, we may get data from our payment partners.

This allows us to:

  • send you invoices
  • process your payment
  • give you what you’ve purchased

If we direct you to a merchant, we receive data from the merchant that is related to your purchase. For example, we might direct you to an artist’s merchandise store on a third party platform or to a third party ticketing website.

Receiving this data allows us to:

  • calculate any commissions owed to us
  • analyze the effectiveness of our partnership with these merchant partners
  • understand your interests

Advertising and marketing partners

From certain advertising or marketing partners, we receive inferences (i.e., their understanding) of your interests and preferences.

This allows us to deliver more relevant ads and marketing.

International transfers

Because of the global nature of our business, Spotify shares your personal data internationally with Spotify group companies, subcontractors and partners when carrying out the activities described in our Privacy Policy. They may process your data in countries whose data protection laws are not considered to be as strong as EU laws or the laws which apply where you live. For example, they may not give you the same rights over your data.

Whenever we transfer personal data internationally, we use tools to:

  • make sure the data transfer complies with applicable law; and
  • help to give your data the same level of protection as it has in the EU

To ensure each data transfer complies with applicable EU legislation, we use the following legal mechanisms:

  • Standard Contractual Clauses (‘SCCs’). These clauses require the third party to protect your data and to provide you with EU-level rights and protections. For example, we use SCCs to transfer your personal data to our hosting provider which uses servers in the US. You can exercise your rights under the Standard Contractual Clauses by contacting us or the third party who processes your personal data.
  • Adequacy Decisions. This means that we transfer personal data to countries outside of the European Economic Area which have adequate laws to protect personal data, as determined by the European Commission. For example, we transfer your personal data to vendors based in the United Kingdom, Canada, Japan, Republic of Korea and Switzerland.

We also identify and use additional protections as appropriate for each data transfer. For example, we use:

  • technical protections, such as encryption and pseudonymisation
  • policies and processes to challenge disproportionate or unlawful government authority requests

Obtaining a copy of your personal data

By using our Download your data tool on the Privacy Settings section of your account page or by contacting us, you can download your personal data. You may download three different packages of data, either separately or at once. The packages will include a copy of the following data (if applicable to you).


Account data

  • Playlists
  • Search queries
  • Streaming history for the past year
  • A list of items saved in your library
  • The number of followers you have and the number of accounts you follow
  • Payment and subscription data
  • User data
  • Inferences
  • Voice input
  • Podcast interactivity
  • Episodes (data relating to podcasts you have created on the Spotify Service)
  • Family Plan data
  • Spotify for Artists data

Extended streaming history

  • Extended streaming history for the life of your account

Technical log information

  • Technical log information that we have collected about your account to provide and troubleshoot the Spotify service

If you have requested a copy of your personal data either via our Download your data tool or through our support team, you should have received an email letting you know that the data is ready for download or will receive one shortly.

Contact us

In providing this information, our goal is for you to understand how your personal data is processed in the Spotify Service and be able to exercise the privacy rights and choices available to you. If we have failed to do that in any way, please contact us! We are happy to explain any of the personal data included in your data download or answer any questions you have about the information we have provided and how it applies to your specific use of the Spotify Service.

The best way to contact us is via email at privacy@spotify.com.
