Effective as of 8 June 2022
This Policy describes how we process your personal data at Spotify AB.
It applies to your use of:
- all Spotify streaming services as a user. For example this includes:
- your use of Spotify on any device
- the personalization of your user experience - watch our personalization explainer video to learn more about this
- the infrastructure required to provide our services
- connection of your Spotify account with another application
- both our free or paid streaming options (each a 'Service Option')
From now on, we'll collectively call these the 'Spotify Service'.
From time to time, we may develop new or offer additional services. They'll also be subject to this Policy, unless stated otherwise when we introduce them.
This Policy is not...
Other resources and settings
Key information about your personal data is right here in this Policy. However, you might want to take a look at our other privacy resources and controls:
- Privacy Center: A user-friendly hub with summaries of key topics and helpful videos. It includes the 'Your Privacy Controls' video which shows you how to exercise your user rights and make choices about the way we process your data (see Section 2 'Your personal data rights and controls' for more on user rights).
- Privacy Settings: Control the processing of certain personal data, including Tailored Ads.
- Notification Settings: Set which marketing communications you get from Spotify.
- Settings (found in the Desktop and Mobile versions of Spotify): Control certain aspects of the Spotify Service such as 'Social' or 'Explicit Content'. On the 'Social' setting, you can:
- start a Private session
- choose whether to share what you listen to on Spotify with your followers
- choose whether to show your recently played artists on your public profile
On the 'Explicit Content' setting you can control whether explicit-rated content can be played on your Spotify account.
Privacy laws, including the General Data Protection Regulation ('GDPR'), give rights to individuals over their personal data.
Some rights only apply when Spotify uses a certain 'legal basis' to process your data. We explain each legal basis, and when Spotify uses each one, in Section 4 'Our purpose for using your personal data'.
The table below explains:
- your rights
- circumstances when they apply (such as the legal basis required)
- how to use them
You can also watch our video about Your Privacy Controls.
|It's your right to...||How?|
|Be informed||Be informed of the personal data we process about you and how we process it.||We inform you:
|Access||Request access to the personal data we process about you.||To request a copy of your personal data from Spotify, either:
|Rectification||Request that we amend or update your personal data where it’s inaccurate or incomplete.||You can edit your User Data under ‘Edit profile’ in your account or by contacting us.|
|Erasure||Request that we erase certain of your personal data. For example, you can ask us to erase personal data:
||There are several ways you can erase personal data from Spotify:
|Restriction||Request that we stop processing all or some of your personal data. You can do this if:
||You can exercise your right to restriction by contacting us.|
|Object||Object to us processing your personal data. You can do this if:
||To exercise your right to object:|
|Data portability||Request a copy of your personal data in electronic format and the right to transmit that personal data for use in another party’s service. You can request us to transmit your data when we are processing your personal data on the legal basis of consent or performance of contract. However Spotify will try to honour any request to the extent possible.||For information about how to exercise the right to portability, please see ‘Access’ above.|
|Not be subject to automated decision making||Not be subject to a decision based solely on automated decision making (decisions without human involvement), including profiling, where the decision would have a legal effect on you or produce a similarly significant effect.||Spotify does not carry out this type of automated decision making in the Spotify Service.|
|Withdrawal of consent||Withdraw your consent to us collecting or using your personal data. You can do this if Spotify is processing your personal data on the legal basis of consent.||To withdraw your consent, you can:
|Right to lodge a complaint||Contact the Swedish Authority for Privacy Protection or your local data protection authority about any questions or concerns.||You can find the Swedish Authority’s details here, or go to the website of your local data protection authority.|
These tables set out the categories of personal data we collect and use. You can also watch our video about Personal Data at Spotify.
|Collected when you sign up for the Spotify service or when you update your account|
|User Data||Personal data that we need to create your Spotify account and that enables you to use the Spotify Service. The type of data collected and used depends on the type of Service Option you have. It also depends on how you create your account, the country you are in, and if you use third party services to sign in. This may include your:
|Street Address Data||We may ask for and process your street address for the following reasons:
|Collected through your use of the Spotify service|
|Usage Data||Personal data collected and processed about you when you’re accessing or using the Spotify Service. There are a few types of information this includes, listed in the following sections. Information about how you use Spotify. Examples include:
|Additional data you may choose to give us|
|Voice Data||If voice features are available in your market and where you’ve chosen to use a voice feature, we collect and process voice data. Voice data means audio recordings of your voice and transcripts of those recordings. For more information on how different voice features work, and how you can control and turn them off, see our Voice Control Policy.|
|Payment and Purchase Data||If you make any purchases from Spotify or sign up for a trial, we will need to process your payment data. This includes if you buy a paid Service Option. The exact personal data collected and used will vary depending on the payment method. It will include information such as:
|Survey and Research Data||When you respond to a survey or take part in user research, we collect and use the personal data you provide.|
|Third party sources that we collect your data from|
|Categories of third parties||Description|
|Authentication partners||If you register for or log into the Spotify Service using another service, we’ll receive your information from them to help create your account with us.|
|Third party applications, services and devices you connect to your Spotify account||If you connect your Spotify account to a third party application, service or devices, we may collect and use certain information from them to make the integration possible. These third party apps, services or devices may include:
|Technical service partners||We work with technical service partners that give us certain data. This includes mapping IP addresses to non-precise location data (e.g., country or region, city, state). This makes it possible for Spotify to provide the Spotify Service, content, and features.|
|Payment partners and Merchants||If you choose to pay through third parties (e.g. telco carriers) or by invoice, we may get data from our payment partners. This allows us to:
|Advertising and marketing partners||From certain advertising or marketing partners, we receive inferences (i.e., their understanding) of your interests and preferences. This allows us to deliver more relevant ads and marketing.|
If you download the Spotify mobile app and try Spotify using a logged out user experience, we will collect limited information about your usage of the Spotify Service, including Usage Data. We do this to understand how you are accessing and using the Service. We also do this to ensure we provide the right experience for you, for example based on your country or region. If you decide to create a Spotify account to experience our service in full, then we will combine this data with your Spotify account data.
The table below sets out:
- our purpose for processing your personal data
- our legal justifications (each called a 'legal basis') under data protection law, for each purpose
- categories of personal data which we use for each purpose. See more about these categories in Section 3 'Personal data we collect about you'
You can also watch our video about Personal Data at Spotify.
Here is a general explanation of each 'legal basis' to help you understand the table:
- Performance of a Contract: When it's necessary for Spotify (or a third party) to process your personal data to:
- verify information before a new contract with you begins.
- Legitimate Interest: When Spotify or a third party has an interest in using your personal data in a certain way, which is necessary and justified considering any possible risks to you and other Spotify users. For example, using your Usage Data to improve the Spotify Service for all users. Contact us if you want to understand a specific justification.
- Consent: When Spotify asks you to actively indicate your agreement to Spotify's use of your personal data for a certain purpose.
- Compliance with Legal Obligations: When Spotify must process your personal data to comply with a law.
|Purpose for processing your data||Legal basis that permits the purpose||Categories of personal data used for the purpose|
|To provide the Spotify Service (as defined in Section 1 ‘About this Policy’.)||
|To understand, diagnose, troubleshoot, and fix issues with the Spotify Service.||
|To evaluate and develop new features, technologies, and improvements to the Spotify Service.||
|For other marketing, promotion and advertising purposes where the law does not require consent. For example, when we use your personal data to tailor advertising to your interests.
|To comply with a legal obligation that we are subject to. This might be:
|To comply with a request from law enforcement. This will only apply when a competent law enforcement authority contacts us. These include the police, the courts or prisons.||
|To fulfill contractual obligations with third parties. For example, our agreements with owners of content on the Spotify Service.
|To take appropriate action with reports of intellectual property infringement and inappropriate content.||
|To establish, exercise, or defend legal claims.||
|To conduct business planning, reporting, and forecasting.||
|To process your payment.||
|To detect and prevent fraud. For example, fraudulent payments and fraudulent use of the Spotify Service.||
|To conduct research and surveys.||
This section sets out the categories of recipients of the personal data collected or generated through your use of the Spotify Service.
Publicly available information
The following personal data will always be publicly available on the Spotify Service:
- your profile name
- your profile photo
- your public playlists
- other content you post on the Spotify Service, and any associated titles, descriptions and images
- who you follow on the Spotify Service
- who follows you on the Spotify Service (you can block followers)
You or another user can share certain information on third party services, like social media or messaging platforms. This includes:
- your profile
- any content you post on Spotify and details about that content
- your public playlists
When this sharing occurs, the third party service may store a copy of it to support their features.
Personal data you may choose to share
We will only share the following personal data with those outlined in the table below:
- where we need to share personal data for the use of a Spotify Service feature, or a third party application, service or device, which you have chosen to use, or
- if you otherwise grant us your permission to share the personal data. For example, you can do it by selecting the appropriate setting in the Spotify Service or by giving your consent
|Categories of recipients||Categories of data you can choose to share||Reason for sharing|
|Third party applications, services and devices you connect to your Spotify Account||
||To connect your Spotify account, or allow you to use the Spotify Service in connection with third party applications, services or devices. Examples of such third party applications, services and devices include:
||To enable you to use the Spotify Support Community service. When you register for an account on the Spotify Support Community, we’ll ask you to create a profile name. This will be publicly displayed to anyone who uses the Spotify Support Community. We’ll also display any questions or comments you post.|
|Other Spotify users||
||To share information about your use of the Spotify Service with other Spotify users. These could include your followers on Spotify. For example, under ‘Social’ settings you can choose to share your recently played artists and your playlists on your profile. You can also choose to create or join a shared playlist with other users. Shared playlists give you social recommendations based on your listening activity.|
|Artists and record labels||
||To receive news or promotional offers from artists, record labels or other partners. You may choose to share your User Data for this purpose. You’ll always have the option to change your mind and withdraw your consent at any time.|
Information we may share
See this table for details of who we share with and why.
|Categories of recipients||Categories of data||Reason for sharing|
||So they can provide their services to Spotify. These service providers include those we hire to:
||So they can process your payments, and for anti-fraud purposes.|
||So they can help us deliver more relevant advertising to you on the Spotify Service, and help measure the effectiveness of ads. For example, our ad partners help us facilitate tailored advertising. What is tailored advertising?
||To promote Spotify with our partners. We share certain User Data and Usage Data with these partners where necessary to:
||Hosting platforms host podcasts so that they can deliver them to you. We share certain data, such as your IP address, with the hosting platforms when you play a podcast. Spotify owns two hosting platforms, Megaphone and Anchor. We also allow you to stream podcasts available from other hosting platforms not owned by Spotify.
|Other partner sharing||
||To help us understand and improve the performance of our products and partnerships. You can see and remove many partner connections under ‘Apps’ in your account.|
||For activities such as statistical analysis and academic study, but only in a pseudonymised format. Pseudonymised data is where your data is identified by a code rather than your name or other information that directly identifies you.|
|Spotify Measurement Companies||
||We share data with the following Spotify companies to measure the effectiveness of ad campaigns that run on the Spotify Service:
|Other Spotify group companies||
||To carry out our daily business operations and so we can maintain and provide the Spotify Service to you.|
|Law enforcement and other authorities||
||When we believe in good faith it’s necessary for us to do so, for example:
|Purchasers of our business||
||If we were to sell or negotiate to sell our business to a buyer or possible buyer. In this case, we may transfer your personal data to a successor or affiliate as part of that transaction.|
We keep your personal data only as long as necessary to provide you with the Spotify Service and for Spotify's legitimate and essential business purposes, such as:
- maintaining the performance of the Spotify Service
- making data-driven business decisions about new features and offerings
- complying with our legal obligations
- resolving disputes
Criteria used to determine the retention periods include:
- How can we minimize the data retention period? Our systems are designed to age out personal data in 90 days, unless another period is selected for legitimate business reasons.
- Do we need to keep data to ensure the service that users expect? We keep personal data for an appropriate period to deliver a personalized service to our users over time. We typically keep streaming history for the life of an account, for example, to provide retrospective playlists that users enjoy (e.g. Your Summer Rewind and the end-of-year Wrapped campaign) and personalized recommendations based on current listening habits.
- Are users able to update or delete the data themselves? Where users are able to see and update the personal data themselves, we keep the information for as long as the user chooses. For example, we keep your Spotify email address and other profile information until you choose to change or delete it yourself.
- Do we need to keep the data to uphold our rules and keep our service safe? To help ensure user safety, protect against harmful content on our platform, and take action with reports of intellectual property infringement, we may keep data that has been removed from the Spotify Service for a limited period of time. This helps us investigate potential breaches of our User Guidelines and Platform Rules.
- Is Spotify subject to a legal or contractual obligation to keep or delete the data? Examples include mandatory data retention laws, government orders to preserve data relevant to an investigation or data kept for the purposes of litigation. Conversely, we will remove unlawful content if the law requires us to do so.
Because of the global nature of our business, Spotify shares personal data internationally with Spotify group companies, subcontractors and partners when carrying out the activities described in this Policy. They may process your data in countries whose data protection laws are not considered to be as strong as EU laws or the laws which apply where you live. For example, they may not give you the same rights over your data.
Whenever we transfer personal data internationally, we use tools to:
- make sure the data transfer complies with applicable law
- help to give your data the same level of protection as it has in the EU
To ensure each data transfer complies with applicable EU legislation, we use the following legal mechanisms:
- Standard Contractual Clauses ('SCCs'). These clauses require the other party to protect your data and to provide you with EU-level rights and protections. For example, we use SCCs to transfer the personal data described in Section 3 'Personal data we collect about you' to our hosting provider which uses servers in the US. You can exercise your rights under the Standard Contractual Clauses by contacting us or the third party who processes your personal data.
- Adequacy Decisions. This means that we transfer personal data to countries outside of the European Economic Area which have adequate laws to protect personal data, as determined by the European Commission. For example, we transfer the personal data described in Section 3 'Personal data we collect about you' to vendors based in the United Kingdom, Canada, Japan, Republic of Korea and Switzerland.
We also identify and use additional protections as appropriate for each data transfer. For example, we use:
- technical protections, such as encryption and pseudonymisation
- policies and processes to challenge disproportionate or unlawful government authority requests
We're committed to protecting our users' personal data. We put in place appropriate technical and organizational measures to help protect the security of your personal data. However, be aware that no system is ever completely secure.
We have implemented various safeguards to guard against unauthorised access and unnecessary retention of personal data in our systems. These include pseudonymisation, encryption, access, and retention policies.
To protect your user account, we encourage you to:
- use a strong password which you only use for your Spotify account
- never share your password with anyone
- limit access to your computer and browser
- log out once you have finished using the Spotify Service on a shared device
- read more detail on protecting your account
You can log out of Spotify in multiple places at once by using the 'Sign out everywhere' function on your account page.
If other individuals have access to your Spotify account (for example if you've given them permission to use your account on a shared device), then they can access personal data, controls and the Spotify Service available in your account.
It's your responsibility to only provide individuals with permission to use your account where you're comfortable sharing this personal data with them. Anyone else's use of your Spotify account may impact your personalised recommendations and be included in your data download.
The Spotify Service has a minimum 'Age Limit' in each country or region. The Spotify Service is not directed to children whose age:
- is under the age of 13 years, or
- makes it illegal to process their personal data, or
- requires parental consent to process their personal data
We do not knowingly collect or use personal data from children under the applicable Age Limit. If you're under the Age Limit, please do not use the Spotify Service, and do not provide any personal data to us. Instead, we recommend using a Spotify Kids account.
If you're a parent of a child under the Age Limit and become aware that your child has provided personal data to Spotify, please contact us.
If we learn that we've collected the personal data of a child under the applicable Age Limit, we'll take reasonable steps to delete the personal data. This may require us to delete the Spotify account for that child.
When using a shared device on the main Spotify Service, you should be cautious about playing or recommending any content to individuals under 18 years old which could be inappropriate for them.
We may occasionally make changes to this Policy.
When we make material changes to this Policy, we'll provide you with prominent notice as appropriate under the circumstances. For example, we may display a prominent notice within the Spotify Service or send you an email or device notification.
For any questions or concerns about this Policy, contact our Data Protection Officer in any one of these ways:
- email firstname.lastname@example.org
- write to us at: Spotify AB, Regeringsgatan 19, 111 53 Stockholm, Sweden
Spotify AB is the data controller of personal data processed under this Policy.
© Spotify AB