Spotify Ad Analytics Privacy Policy

Last Updated and Effective Date: June 13, 2023

Spotify Ad Analytics is a service offered by Spotify ("we," or "us"). We are committed to treating the personal data we process with respect and sensitivity. We want to transparently explain how and why we gather, store, share and use your personal data - as well as outline the controls and choices you have around when and how you choose to share your personal data. This Privacy Policy ("Policy") aims to explain what we mean in further detail below.

1. About this Policy

This Policy sets out the essential details relating to our collection, use, and disclosure of personal data as you use the Spotify Ad Analytics platform (the "Platform"), and any other products and services that link to this Policy (collectively, the "Services").

In this policy we describe our personal data processing activities for the following types of data subjects:

  • Individuals at brands and content publishers who use the Platform to use our analytics services ("Platform Users").
  • Consumers who visit a brands' website where the brand has deployed the Spotify Ad Analytics Pixel ("Brand Consumers").

From time to time, we may develop new or offer additional services. Unless stated otherwise when we introduce these new or additional services, they will be subject to this Policy.

This policy is not...

  • the Spotify Ad Analytics Terms of Service, which is a separate document. The Terms of Service outline the legal contract between you and Spotify for using the Spotify Ad Analytics Platform.
  • About your use of other services offered by Spotify Ad Analytics affiliates which have their own privacy policy, such as the Spotify service, Spotify for Podcasters, and Megaphone.

2. Your Personal Data Rights and Controls

Rights

As provided by applicable privacy laws, you may have certain rights as individuals in relation to their personal data. As available and except as limited under applicable law, the rights afforded to individuals are detailed in the table below:


It's your right to...
Be informed
Be informed of the personal data we process about you and how we process it.
Access
Request access to the personal data we process about you.
Rectification Request that we amend or update your personal data where it’s inaccurate or incomplete.
Erasure
Request that we erase certain personal data about you.

For example, you can ask us to erase personal data:

  • that we no longer need for the purpose it was collected for
  • that we process based on the legal basis of consent, and you withdraw your consent
  • when you make a justified objection (see section ‘Object’ below)

There are situations where we are unable to delete your data, for example when:

  • it’s still necessary to process the data for the purpose we collected it for
  • Spotify’s interest in using the data overrides your interest in having it deleted
  • Spotify has a legal obligation to keep the data, or
  • Spotify needs the data to establish, exercise or defend legal claims
Restriction
Request that we stop processing all or some of your personal data.

You can do this if:

  • your personal data is inaccurate
  • our processing is unlawful
  • we do not need your information for a specific purpose, or
  • you object to our processing and we are assessing your objection request. See section ‘Object’ below

You can request that we stop this processing temporarily or permanently.
Object
Object to us processing your personal data.

You can do this if Spotify is processing your personal data on the legal basis of legitimate interests
Data portability
Request a copy of your personal data in electronic format and the right to transmit that personal data for use in another party’s service.

You can request us to transmit your data when we are processing your personal data on the legal basis of consent or performance of contract. However Spotify will try to honour any request to the extent possible.
Not be subject to automated decision making
Request a manual review of a decision based solely on automated decision making (decisions without human involvement), including profiling, where the decision would have a legal effect on you or produce a similarly significant effect.

We currently do not use automated decision-making.
Withdrawal of consent
Withdraw your consent to us collecting or using your personal data.

You can do this if Spotify is processing your personal data on the legal basis of consent.
Right to lodge a complaint Contact your local data protection authority about any questions or concerns.

You can request to access, remove or update the personal data that you have provided to us in your application by contacting us at privacy-adanalytics@spotify.com, or the address below.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). We may decline requests to exercise these rights where we are unable to authenticate you as the person to whom the data relates. We will not discriminate against you for exercising any of your rights.

You may designate, in writing or through a power of attorney, an authorized agent to make requests on your behalf to exercise your rights. Before accepting such a request from an agent, we will require the agent to provide proof you have authorized it to act on your behalf, and we may need you to verify your identity directly with us.

If your request is denied you may have the right to appeal the denial in accordance with the instructions provided to you when the denial was made.

No Sales or Sensitive Data

We do not sell personal data and have taken substantial steps to identify and remediate any data sharing arrangements that could constitute us "selling" to third parties under the CCPA following our acquisition by Spotify.

We also do not process any data that is sensitive or special category data as defined by applicable law.

Questions

If you have any questions about your privacy, your rights or how to exercise them, please see the "How to contact us" section below for information on how to contact us. If you have concerns around our processing of your personal data, we hope you will continue to work with us to resolve them. You can also contact and have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Sw. Integritetsskyddsmyndigheten) or your local Data Protection Authority.

3. Personal Data We Collect About You

If you are a Platform User, the following tables below describe the categories of personal data we collect about you and how we collect it.

Categories of Personal Data Categories under CCPA Description of Category
Account Data
Identifiers
Personal data that you provide us that we need to create and identify Platform User accounts, including name and email.
Usage Data
Internet or other electronic network activity information
Personal data collected and processed about you when you’re accessing or using the Platform. Examples include: browsing history, interactions such as clicks, information about devices you use to access the Platform.

If you are a Brand Consumer, the following tables below describe the categories of personal data we collect about you and how we collect it.

Categories of Personal Data Categories under CCPA Description of Category
Pixel Data
Internet or other electronic network activity information
Personal data that we collect when Brand Consumers visit a brand’s website that has an active Spotify Ad Analytics pixel.

Personal data can also be collected when a Brand Consumer uses a brand’s mobile app. Such data is collected via the brand’s third party mobile attribution partner.
Audience Insights Data
Inferences
We receive data from third party data enrichment partners only to provide aggregated audience insights in our platform.

4. Purposes of Processing

We have set out in the table below the reasons why we process your personal data, the associated legal bases we rely upon to legally permit us to process your personal data, and the categories of personal data (identified in Section 3) used for these purposes:

Purpose for processing your data Legal basis that permits the purpose Categories of personal data used for the purpose
Purpose for processing your data
Legal basis that permits the purpose
Categories of personal data used for the purpose
To provide and personalize the Services.
  • Performance of a contract

  • Account Data
  • Usage Data

To understand, diagnose, troubleshoot, and fix issues with the Service.
  • Performance of a contract
  • Account Data
  • Usage Data
  • Pixel Data
To evaluate and develop new features, technologies, and improvements to the Services and our affiliates’ products and services.
  • Legitimate interest
  • Usage Data
  • Pixel Data
  • Audience Insights Data
To comply with a legal obligation that we are subject to.

This might be:
  • an obligation under the law of the country / region you are in
  • Swedish law (because of our headquarters in Sweden), or
  • EU law that applies to us
  • Compliance with legal obligations

  • Account Data
  • Usage Data
  • Pixel Data
  • Audience Insights Data
To comply with a request from law enforcement.

This will only apply when a competent law enforcement authority contacts us. These include the police, the courts or prisons.
  • Compliance with legal obligations
  • Legitimate interest
  • Account Data
  • Usage Data
  • Pixel Data
  • Audience Insights Data
To establish, exercise, or defend legal claims.
  • Legitimate interest
  • Account Data
  • Usage Data
  • Pixel Data
  • Audience Insights Data
To conduct business planning, reporting, and forecasting.
  • Legitimate Interest
  • Usage Data
  • Pixel Data
  • Audience Insights Data

5. Sharing of Information

With respect to personal data we are controllers of, we may share or disclose the data under the following circumstances, or as otherwise described in this Policy:

  • Within the Spotify group of companies. We may share your personal data with Spotify affiliates to carry out our daily business operations and to enable us to maintain and provide the Services and our affiliates' products and services.
  • Service Providers. We may share your information with our agents and service providers that perform certain functions or services on our behalf, such as to host our Services, manage databases, or send communications for us. We have direct relationships with certain advertising, marketing and analytics services (including some of our measurement partners) who also are our service providers that help us collect and analyze personal data.
  • In connection with a transfer of assets. If we sell all or part of our business, or make a sale or transfer of assets, or are otherwise involved in a merger or business transfer, or in the event of bankruptcy, we may transfer your personal data to one or more third parties as part of that transaction;
  • To comply with legal requirements. We will share your personal data when we in good faith believe it is necessary for us to do so in order to comply with a legal obligation under applicable law, or respond to a valid legal process, such as a search warrant, a court order, or a subpoena. We also will also share your personal data where we in good faith believe that it is necessary for the purpose of our own, or a third party's legitimate interest relating to national security, law enforcement, litigation, criminal investigation, protecting the safety of any person, or to prevent death or imminent bodily harm, provided that we deem that such interest is not overridden by your interests or fundamental rights and freedoms requiring the protection of your personal data.
  • Other parties with your consent. We may share information about you with third parties when you consent to such sharing.

6. Opt-Outs.

Promotional Communications. If you are a subscriber to our email newsletter, you may opt out of receiving promotional communications from us by following the instructions in those messages or by contacting us at any time. If you opt out from promotional communications, we may still send you non-promotional emails, such as those about your account or our ongoing business relations.

7. Data Security

We are committed to protecting the personal data in our systems. We implement appropriate technical and organizational measures to help protect the security of personal data; however, please note that no system is ever completely secure. We have implemented various policies including pseudonymisation, encryption, access, and retention policies to guard against unauthorized access and unnecessary retention of personal data in our systems.

If you are a Platform User and have an account with us, you are responsible for maintaining the confidentiality of your account password and for any access to or use of your account using your password, whether or not authorized by you. Please notify us immediately of any unauthorized use of your password or account or any other breach of security.

8. Data Retention and Deletion

We keep your personal data only as long as necessary to provide you with the Spotify Service and for Spotify's legitimate and essential business purposes, such as:

  • maintaining the performance of the Spotify Service
  • making data-driven business decisions about new features and offerings
  • complying with our legal obligations
  • resolving disputes

When determining the retention period, we take into account various criteria, such as the type of information, the nature and length of our relationship with you, the impact on such relationship if data is deleted, mandatory retention periods provided by law or statute of limitations.

9. International Transfers

Because of the global nature of our business, we share personal data internationally with Spotify group companies, subcontractors and partners when carrying out the activities described in this Policy. They may process your data in countries whose data protection laws are not considered to be as strong as EU laws or the laws which apply where you live. For example, they may not give you the same rights over your data.

Whenever we transfer personal data internationally, we use tools to:

  • make sure the data transfer complies with applicable law
  • help to give your data the same level of protection as it has in the EU and the laws which apply where you live

10. Changes to this Policy

We may change this Policy from time to time. If we make changes, we will notify you by revising the date at the top of the policy and, in case of material changes, we will provide you with additional notice (such as adding a statement to our homepage or sending you a notification). We encourage you to review the Policy whenever you access the Services or otherwise interact with us to stay informed about our information practices and the choices available to you.

11. Contact Us

Thank you for reading our Policy. If you have any questions about this Policy, please contact our Data Protection Officer by emailing privacy-adanalytics@spotify.com or by writing to your relevant data controller at the address below.

If you reside within the U.S., the Spotify data controller can be reached at:

Spotify USA Inc.

150 Greenwich St.

New York, NY 10007

USA

If you reside outside the U.S., the Spotify data controller can be reached at:

Spotify AB

Regeringsgatan 19

111 53 Stockholm

Sweden