GDPR Article 15 Information
Table of Contents
- About your data download packages
- Confirmation as to whether or not personal data about you is being processed
- Purposes for the processing of your personal data
- Categories of personal data
- Categories of recipients to whom the personal data may be disclosed
- Criteria for the retention of personal data
- Your rights
- Information regarding the source of the personal data
- International transfers
- Contact us
1. About your data download packages
Below you will find supplemental information about the processing of your personal data, including the information you are entitled to under Article 15 of the General Data Protection Regulation (‘GDPR’). This information is meant to supplement, and be read in conjunction with, your downloaded personal data, to help you understand the personal data processing specific to your particular use of the Spotify Service.
We deliver your personal data in three separate packages that you can request from your Account Privacy page, or by contacting us. You may download three different packages of data, either separately or at once. The packages will include a copy of the following data (if applicable to you).
Account data
- Playlists
- Search queries
- Streaming history for the past year
- A list of items saved in your library
- The number of followers you have and the number of accounts you follow
- Payment and subscription data
- User data
- Customer Service History
- Inferences
- Voice input
- Podcast interactivity
- Family Plan data
- Spotify for Artists data
- Spotify for Creators data (previously known as Spotify for Podcasters)
- AI Playlists
- Wrapped data
Extended streaming history
- Extended streaming history for the life of your account
Technical log information
- Technical log information that we have collected about your account to provide and troubleshoot the Spotify service
2. Confirmation as to whether or not personal data about you is being processed
When you use the Spotify service under our free or paid options (each a ‘Service Option’ and collectively called the ‘Spotify Service’), we process your personal data as described below.
3. Purposes for the processing of your personal data
The tables below set out:
- our purpose for processing your personal data
- our legal justifications (each called a 'legal basis') under data protection law, for each purpose
- categories of personal data which we use for each purpose (see more about these categories in section 'Categories of personal data' below)
Here is a general explanation of each 'legal basis' to help you understand the table:
- Performance of a Contract: When it's necessary for Spotify (or a third party) to process your personal data to:
- comply with obligations under a contract with you. This includes Spotify's obligations under the Terms of Use to provide the Spotify Service to you, or
- verify information before a new contract with you begins.
- Legitimate Interest: When Spotify or a third party has an interest in using your personal data in a certain way, which is necessary and justified considering any possible risks to you and other Spotify users. For example, using your Usage Data to improve the Spotify Service for all users.
- Consent: When Spotify asks you to actively indicate your agreement to Spotify’s use of your personal data for a certain purpose.
- Compliance with Legal Obligations: When Spotify must process your personal data to comply with a law.
The data processing we carry out depends on your use of the Spotify Service. Thus, we have divided information about this processing into the following tables with explanations that help you understand which processing applies to you.
General use of the Spotify Service
When you use the Spotify Service, we process your personal data for the purposes described below. This section is applicable to all users.
| Purpose for processing your data | Legal basis that permits the purpose | Categories of personal data used for the purpose |
| --- | --- | --- |
| To provide the Spotify Service in accordance with our contract with you.<br>For example, when we use your personal data to: | Performance of a Contract |  |
| To provide further parts of the Spotify Service.<br>For example, when we use your personal data to enable you to share a link to Spotify content with someone else. | Legitimate Interest<br>Our legitimate interests here include: |  |
| To diagnose, troubleshoot, and fix issues with the Spotify Service. | Performance of a Contract |  |
| To evaluate and develop new features, technologies, and improvements to the Spotify Service.<br>For example: | Legitimate Interest<br>Our legitimate interests here include developing and improving products and features for our users. |  |
| For marketing, promotion and advertising purposes where the law does not require consent.<br>For example, when we use your personal data to tailor advertising to your interests. | Legitimate Interest<br>Our legitimate interests here include using advertising to fund the Spotify Service, so that we can offer much of it for free. |  |
| To comply with a legal obligation that we are subject to.<br>This might be:<br>For example, when we use your date of birth when required for age verification purposes. | Compliance with Legal Obligations |  |
| To fulfil contractual obligations with third parties. For example, when we provide pseudonymised data about our users' listening because we have an agreement with a Spotify rightsholder to do so. | Legitimate Interest<br>Our legitimate interests here include: |  |
| To conduct business planning, reporting, and forecasting.<br>For example, when we look at aggregated user data like the number of new sign ups in a country in order to plan new locations to launch our products and features in. | Legitimate Interest<br>Our legitimate interests here include researching and planning so that we can keep running our business successfully. |  |
| To keep the Spotify Service secure and to detect and prevent fraud.<br>For example, when we analyse Usage Data to check for fraudulent use of the Spotify Service. | Legitimate Interest<br>Our legitimate interests here include protecting the Spotify Service and our users against fraud and other illegal activity. |  |
Using Spotify Service features based on consent
These purposes are applicable to you if you have decided to use features that require your consent.
| Purpose for processing your data | Legal basis that permits the purpose | Categories of personal data used for the purpose |
| --- | --- | --- |
| To provide certain additional voluntary features of the Spotify Service. When this is the case, we will clearly ask for your consent. | Consent |  |
| For marketing or advertising where the law requires us to collect your consent.<br>For example, when we use cookies to understand your interests or the law requires consent for email marketing. | Consent |  |
Making payments in the Spotify Service
This section is relevant if you have made payments in the Spotify Service. For example, it applies if you have subscribed to our Premium Service Option or have purchased an audiobook.
| Purpose for processing your data | Legal basis that permits the purpose | Categories of personal data used for the purpose |
| --- | --- | --- |
| To process your payment.<br>For example, when we use your personal data to let you purchase a Spotify subscription. | Performance of a Contract, and Consent |  |
Other specific situations
Sometimes we’ll process your data for more specialised purposes. If any of the specific situations below apply to you, we process your personal data for these purposes.
| Purpose for processing your data | Legal basis that permits the purpose | Categories of personal data used for the purpose |
| --- | --- | --- |
| To comply with a request from law enforcement, courts, or other competent authorities. | Compliance with Legal Obligations, and Legitimate Interest<br>Our legitimate interests here include assisting law enforcement authorities to prevent or detect serious crime. |  |
| To take appropriate action with reports of intellectual property infringement and inappropriate content. | Legitimate Interest<br>Our legitimate interests here include protecting intellectual property and original content. |  |
| To establish, exercise, or defend legal claims.<br>For example, if we are involved in litigation and we need to provide information to our lawyers in relation to that legal case. | Legitimate Interest<br>Our legitimate interests here include: |  |
| To conduct research and surveys.<br>For example, when we contact our users to ask for your feedback. | Legitimate Interest<br>Our legitimate interests here include understanding more about how users think about and use the Spotify Service. |  |
4. Categories of personal data
The table below describes the categories of personal data we process and use. As detailed below, the collection and processing of some personal data is dependent on your Service Option (e.g. Free or Premium) and the features you choose to use (such as creating a playlist or turning on a voice feature). If you are unsure about which of the described data has been processed in your particular use of the Spotify Service, see your personal data download to understand the specific data items we have collected and processed in your case or contact us.
| Category | Description |
| --- | --- |
| User Data | Personal data that we need to create your Spotify account and that enables you to use the Spotify Service. The type of data collected and used depends on the type of Service Option you have, how you create your account, the country you are in, and if you use third party services to sign in. This may include your:<br>We receive some of this data from you from the sign up form or account page.<br>We also collect some of this data from your device e.g. country or region. For more information about how we collect and use this data, see ‘Your general (non-precise) location’ in the Usage Data category. |
| Street Address Data | If your Street Address Data is included in your downloaded data, we process it for the following reasons:<br>In some cases, we may use a third party application to help you verify your address, such as Google Maps. |
| Usage Data | Personal data processed about you when you’re accessing or using the Spotify Service.<br>There are a few types of information this includes, listed in the following sections and as you will find it if you download your data.<br>Information about how you use Spotify<br>Examples include:<br>Your technical data<br>Examples include:<br>Your general (non-precise) location<br>Your general location includes country, region or state. We may learn this from technical data (e.g. your IP address, language setting of your device) or payment currency.<br>We need this to<br>Your device sensor data<br>Motion-generated or orientation-generated device sensor data if needed to provide features of the Spotify Service that require this data. This is data which your device collects about the way you move or hold your device. |
| Voice Data | If voice features are available in your market and where you’ve chosen to use a voice feature, we collect and process voice data. Voice data means audio recordings of your voice and transcripts of those recordings.<br>For more information on how different voice features work, and how you can control and turn them off, see our Voice Control Policy. |
| Payment and Purchase Data | If you make any purchases from Spotify or sign up for a paid Service Option or a trial, we process your payment data.<br>The exact personal data collected and used will vary depending on the payment method. It will include information such as: |
| Survey and Research Data | When you respond to a survey or take part in user research, we collect and use the personal data you have provided. |
5. Categories of recipients to whom the personal data may be disclosed
This section sets out who receives personal data which is collected or generated through your use of the Spotify Service.
Publicly available information
The following personal data will always be publicly available on the Spotify Service (except to any user you have blocked):
- your profile name
- your profile photo
- your public playlists
- other content you post on the Spotify Service, and any associated titles, descriptions and images
- who you follow on the Spotify Service
- who follows you on the Spotify Service
You or another user can share certain publicly available information on third party services, like social media or messaging platforms. This includes:
- your profile
- any content you post on Spotify and details about that content
- your playlists and any associated titles, descriptions and images
When this sharing occurs, the third party service may store a copy of it to support their features.
Personal data you may choose to share
We will only share the following personal data with those outlined in the table below:
- where you have chosen to use a Spotify Service feature, or a third party application, service or device, and we need to share personal data to enable this, or
- if you otherwise grant us your permission to share the personal data. For example, you can do it by selecting the appropriate setting in the Spotify Service or by giving your consent
| Categories of recipients | Categories of data you can choose to share | Reason for sharing |
| --- | --- | --- |
| Third party applications, services and devices you connect to your Spotify Account |  | To connect your Spotify account, or so that you can use the Spotify Service in connection with third party applications, services or devices.<br>Examples of such third party applications, services and devices include:<br>You can see and remove many third party connections under ‘Apps’ in your account. |
| Support community |  | To enable you to use the Spotify Support Community service.<br>When you register for an account on the Spotify Support Community, we’ll ask you to create a specific profile name. This will be publicly displayed to anyone who uses the Spotify Support Community. We’ll also display any questions or comments you post. |
| Other Spotify users |  | To share information about your use of the Spotify Service with other Spotify users, including your followers on Spotify.<br>For example, under ‘Social’ settings you can choose whether to share your recently played artists and your playlists on your profile. You can also choose to create or join a shared playlist with others that gives you social recommendations based on your listening activity. |
| Artists and record labels |  | To receive news or promotional offers from artists, record labels or other partners.<br>You may choose to share your User Data for this purpose. You’ll always have the option to change your mind and withdraw your consent at any time. |
Information we may share
See this table for details of who we share to and why.
| Categories of recipients | Categories of data | Reason for sharing |
| --- | --- | --- |
| Service providers |  | So they can provide their services to Spotify.<br>These service providers include those we hire to: |
| Payment partners |  | So they can process your payments, and for anti-fraud purposes. |
| Advertising partners |  | So they can help us deliver more relevant advertising to you on the Spotify Service, and help measure the effectiveness of ads.<br>For example, our ad partners help us facilitate tailored advertising. See section ‘Your rights’ for more information on tailored advertising. |
| Marketing Partners |  | To promote Spotify with our partners. We share certain User Data and Usage Data with these partners where necessary to:<br>Examples of partners include:<br>Our partners may also combine the personal data we share with them with other data they collect about you, e.g. your use of their services. We and our partners may use this information to present you with offers, promotions, or other marketing that we think you'll find relevant. |
| Hosting Platforms |  | Hosting platforms host podcasts so that they can be delivered to you. We share certain data, such as your IP address, with the hosting platforms when you play a podcast. We also allow you to stream podcasts available from other hosting platforms not owned by Spotify.<br>Podcast providers should explain in the show or episode description which platform is hosting the podcast. See the hosting platform’s own privacy policy on how they use data shared with them. |
| Academic researchers |  | For activities such as statistical analysis and academic study, but only in a pseudonymised format. Pseudonymised data means that your data is identified by a code rather than your name or other directly identifying information. |
| Other Spotify group companies, including companies that Spotify acquires |  | To carry out our daily business operations and so we can maintain, improve and provide the Spotify Service and acquired companies’ services to you.<br>For example: |
| Law enforcement and other authorities, or other parties to litigation |  | When we believe in good faith it’s necessary for us to do so, for example: |
| Purchasers of our business |  | If we were to sell or negotiate to sell our business to a buyer or possible buyer.<br>In this case, we may transfer your personal data to a successor or affiliate as part of that transaction. |
You can find a list of third parties we may share your data with in the ‘Recipients.json’ file in the technical log information data download package.
6. Criteria for the retention of personal data
We keep your personal data only as long as necessary to provide you with the Spotify Service and for Spotify’s legitimate and essential business purposes, such as:
- maintaining the performance of the Spotify Service
- making data-driven business decisions about new features and offerings
- complying with our legal obligations
- resolving disputes
Here are some of the categories of our retention periods, and the criteria we use to determine them:
- Data retained until you remove it
It’s your right to request that we delete certain of your personal data. See section on ‘Erasure’ in ‘Your rights’ for more information, and the circumstances in which we can act on your request.
You can also delete certain personal data directly from the Spotify Service: for example, you can edit or delete your profile picture. Where users are able to see and update the personal data themselves, we keep the information for as long as the user chooses unless one of the limited purposes described below applies.
- Data that expires after a specific period of time
We have set certain retention periods so that some data expires after a specific period of time. For example, personal data you may input as part of search queries is generally deleted after 90 days.
- Data retained until your Spotify account is deleted
We keep some data until your Spotify account is deleted. Examples of this include your Spotify username and profile information. We also typically keep streaming history for the life of an account, for example, to provide retrospective playlists that users enjoy and personalised recommendations that take listening habits into account (for example, Your Time Capsule or Your Summer Rewind). When your Spotify account is deleted, this category of data is deleted or de-identified.
- Data retained for extended time periods for limited purposes
After your account is deleted, we keep some data for a longer time period but for very limited purposes. For example, we may be subject to legal or contractual obligations that require this. These may include mandatory data retention laws, government orders to preserve data relevant to an investigation, or data kept for the purposes of litigation. We may also keep data that has been removed from the Spotify Service for a limited period of time. This could be:
- to help ensure user safety, or
- to protect against harmful content on our platform.
This helps us investigate potential breaches of our User Guidelines and Platform Rules. On the other hand, we will remove unlawful content if the law requires us to do so.
7. Your rights
Privacy laws, including the GDPR, give rights to individuals over their personal data.
Some rights only apply when Spotify uses a certain ‘legal basis’ to process your data. We explain each legal basis, and when Spotify uses each one, in section ‘Purposes for the processing of your personal data’.
The table below explains:
- your rights
- circumstances when they apply (such as the legal basis required)
- how to use them
| It’s your right to... |  | How? |
| --- | --- | --- |
| Be informed | Be informed of the personal data we process about you and how we process it. | We inform you: |
| Access | Request access to the personal data we process about you. | To request a copy of your personal data from Spotify, either:<br>For additional information about what data you may request access to, see section ‘About your data download packages’. |
| Rectification | Request that we amend or update your personal data where it’s inaccurate or incomplete. | You can edit your User Data under ‘Edit profile’ in your account or by contacting us. |
| Erasure | Request that we erase certain of your personal data.<br>For example, you can ask us to erase personal data:<br>There are situations where Spotify is unable to delete your data, for example when: | There are several ways you can erase personal data from Spotify: |
| Restriction | Request that we stop processing all or some of your personal data.<br>You can do this if:<br>You can request that we stop this processing temporarily or permanently. | You can exercise your right to restriction by contacting us. |
| Object | Object to us processing your personal data.<br>You can do this if: | To exercise your right to object, you can: |
| Data portability | Request a copy of your personal data in electronic format and the right to transmit that personal data for use in another party’s service.<br>You can request us to transmit your data when we are processing your personal data on the legal bases of consent or performance of contract. However Spotify will try to honour any request to the extent possible. | For information about how to exercise the right to portability, see ‘Access’ above. |
| Not be subject to automated decision making | Not be subject to a decision based solely on automated decision making (decisions without human involvement), including profiling, where the decision would have a legal effect on you or produce a similarly significant effect. | Spotify does not carry out this type of automated decision making in the Spotify Service. |
| Withdrawal of consent | Withdraw your consent to us collecting or using your personal data.<br>You can do this if Spotify is processing your personal data on the legal basis of consent. | To withdraw your consent, you can: |
| Right to lodge a complaint | Contact the Swedish Authority for Privacy Protection or your local data protection authority about any questions or concerns. | You can find the Swedish Authority’s details here. You can also go to the website of your local data protection authority. |
Tailored advertising controls
What is tailored advertising?
- This is when we use third party information about you to tailor ads to be more relevant to you. This is also known as interest based advertising.
- An example of tailored advertising is when an advertising partner has information suggesting you like cars. This could enable us to show you ads about cars.
How to control tailored advertising:
- You can control tailored advertising on your Account Privacy page under ‘Tailored Ads’.
- You can also control tailored advertising for some podcasts using the link in the episode’s show description. This applies where the content provider inserts advertising into the podcast to fund it. The hosting provider, which might not be Spotify, manages these controls for the podcast.
If you are ‘opted out’ of Tailored Ads on your Account Privacy page, you may still get advertising. This can include on our free Service Option, as well as our paid Service Option, as applicable (for example, advertising in podcasts). This type of advertising is based on your registration information and what you are currently listening to on our services. For example, if you are listening to a cooking podcast, you may hear an ad for a food processor.
8. Information regarding the source of the personal data
In addition to the data we collect from you when you sign up for the Spotify Service, update your account, or throughout your use of the Spotify Service, we may receive certain data from other (‘third party’) sources. The table below sets out the categories of the third parties and a description of them.
| Categories of third parties | Description | Data categories |
| --- | --- | --- |
| Authentication partners | If you register for or log into our services using another service, that service will send your information to us. This information helps create your account with us. | User Data |
| Third party applications, services and devices you connect to your Spotify account | If you connect your Spotify account to a third party application, service or device, we may collect and use information from them. This collection is to make the integration possible.<br>These third party apps, services or devices may include:<br>We’ll ask your permission before we collect your information from certain third parties. | User Data<br>Usage Data |
| Technical service partners | We work with technical service partners that give us certain data. This includes mapping IP addresses to non-precise location data (e.g. country or region, city, state).<br>This makes it possible for Spotify to provide the Spotify Service, content, and features.<br>We also work with security service providers who help us protect user accounts. | User Data<br>Usage Data |
| Payment partners and Merchants | If you choose to pay through third parties (e.g. telco carriers) or by invoice, we may get data from our payment partners.<br>This allows us to:<br>If we direct you to a merchant, we receive data from the merchant that is related to your purchase. For example, we might direct you to an artist’s merchandise store on a third party platform or to a third party ticketing website.<br>Receiving this data allows us to: | Payment and Purchase Data |
| Advertising and marketing partners | We receive inferences from certain advertising or marketing partners. These inferences are the partners' understanding of your interests and preferences.<br>This allows us to deliver more relevant ads and marketing. | Usage Data |
| Acquired companies | We may receive data about you from companies we acquire. This is to enhance our services, products, and offerings. | User Data<br>Usage Data |
9. International transfers
Because of the global nature of our business, Spotify shares your personal data internationally with Spotify group companies, subcontractors and partners when carrying out the activities described in our Privacy Policy. They may process your data in countries whose data protection laws are not considered to be as strong as EU laws or the laws which apply where you live. For example, they may not give you the same rights over your data.
Whenever we transfer personal data internationally, we use tools to:
- make sure the data transfer complies with applicable law; and
- help to give your data the same level of protection as it has in the EU
To ensure each data transfer complies with applicable EU legislation, we use the following legal mechanisms:
- Standard Contractual Clauses (‘SCCs’). These clauses require the third party to protect your data and to provide you with EU-level rights and protections. You can exercise your rights under the Standard Contractual Clauses by contacting us or the third party who processes your personal data.
- Adequacy Decisions. This means that we transfer personal data to countries outside of the European Economic Area which have adequate laws to protect personal data, as determined by the European Commission. For example, we transfer your personal data to vendors based in the United Kingdom, Canada, Japan, Republic of Korea and Switzerland.
We also identify and use additional protections as appropriate for each data transfer. For example, we use:
- technical protections, such as encryption and pseudonymisation
- policies and processes to challenge disproportionate or unlawful government authority requests
10. Contact us
In providing this information, our goal is for you to understand how your personal data is processed in the Spotify Service and be able to exercise the privacy rights and choices available to you. If we have failed to do that in any way, please contact us! We are happy to explain any of the personal data included in your data download or answer any questions you have about the information we have provided and how it applies to your specific use of the Spotify Service.
The best way to contact us is via email at privacy@spotify.com.