Spotify for Backstage

PRIVACY POLICY

LAST UPDATED: DECEMBER 15, 2022
  1. About this Policy
    This Policy describes how we process your personal data in connection with Spotify's Plugins for Backstage.
    It applies to your use of:
    • this, the Backstage website (the 'Site'); and
    • the Spotify Plugins for Backstage software, and the services and products we offer in connection with the software (we'll collectively call these the 'Service').
    This Policy is not...
    • the Licence Terms for Spotify Plugins for Backstage, which are the terms which govern access to and use of the Plugins software.
    • about your use of the Backstage open source platform.
    • about your use of other Spotify services, which have their own privacy policy.
    For information about how we use cookies and how to manage your cookie preferences, see our cookie policy.
  2. Your personal data rights and controls
    Many privacy laws give rights to individuals over their personal data. These laws include the General Data Protection Regulation, or 'GDPR'.
    Some rights only apply when Spotify uses a certain 'legal basis' to process your data. We explain each legal basis, and when Spotify uses each one, in Section 4 'Our purpose for using your personal data'.
    The table below explains:
    • your rights,
    • circumstances when they apply (such as the legal basis required), and
    • how to use them.
    It's your right to...
    How?
    Be informed
    Be informed of the personal data we process about you and how we process it.
    We inform you:
    • through this Privacy Policy
    • by answering your specific questions and requests when you contact us
    Access
    Request access to the personal data we process about you.
    To request a copy of your personal data from Spotify, please contact us.
    When you are provided with your data you will receive the information about your data that Spotify has to provide under Article 15 of the GDPR. If you would like more information about how we process your personal data, you can contact us.
    Rectification
    Request that we amend or update your personal data where it's inaccurate or incomplete.
    Please contact us to exercise your right to rectification.
    Erasure
    Request that we erase certain of your personal data.
    For example, you can ask us to erase personal data:
    • that we no longer need for the purpose it was collected for
    • that we process based on the legal basis of consent, and you withdraw your consent
    • when you object (see section 'Object' below) and
      • you make a justified objection, or
      • you object to direct marketing
    There are situations where Spotify is unable to delete your data, for example when:
    • it's still necessary to process the data for the purpose we collected it for
    • Spotify's interest in using the data overrides your interest in having it deleted. For example, where we need the data to protect our services from fraud
    • Spotify has a legal obligation to keep the data, or
    • Spotify needs the data to establish, exercise or defend legal claims. For example, if there's an unresolved issue relating to your account
    Please contact us to exercise your right to erasure.
    Restriction
    Request that we stop processing all or some of your personal data.
    You can do this if:
    • your personal data is inaccurate
    • our processing is unlawful
    • we do not need your information for a specific purpose, or
    • you object to our processing and we are assessing your objection request. See section 'Object' below
    You can request that we stop this processing temporarily or permanently.
    Please contact us to exercise your right to restriction.
    Object
    Object to us processing your personal data.
    You can do this if Spotify is processing your personal data on the legal basis of legitimate interests.
    Please contact us to request objection.
    Data portability
    Request a copy of your personal data in electronic format and the right to transmit that personal data for use in another party's service.
    You can request us to transmit your data when we are processing your personal data on the legal bases of consent or performance of contract. However, Spotify will try to honour any request to the extent possible.
    For information about how to exercise the right to portability, see 'Access' above.
    Not be subject to automated decision making
    Not be subject to a decision based solely on automated decision making (decisions without human involvement), including profiling, where the decision would have a legal effect on you or produce a similarly significant effect.
    Spotify does not carry out this type of automated decision making in the Service.
    Withdrawal of consent
    Withdraw your consent to us collecting or using your personal data.
    You can do this if Spotify is processing your personal data on the legal basis of consent.
    To withdraw your consent, you can:
    • adjust the relevant control on the Service
    • contact us
    Right to lodge a complaint
    Contact the Swedish Authority for Privacy Protection or your local data protection authority about any questions or concerns.
    You can find the Swedish Authority's details here. You can also go to the website of your local data protection authority.
  3. Personal data we collect about you
    These tables set out the categories of personal data we collect from you.
    Categories
    Description
    Collected when you make a Backstage purchase or create a Backstage account
    Administrator Account Data
    Personal data that we need to create a Backstage account which is enabled to make purchases on the Service.
    This may include your:
    • name
    • business email address
    • password
    • job title
    • company name and information
    • company address
    We receive some of this data from you e.g. from the order form or account creation page.
    If you are not the individual in charge of making purchases on the Service, for example because your employer is providing you with access to the Service, then we do not collect this data about you.
    Collected through your use of the Service
    Usage Data
    Personal data collected and processed about you when you're accessing or using the Service.
    There are a few types of information this includes, listed in the following sections.
    Information about how you use the Backstage system and plugins
    Examples include:
    • information about your Service offering or package
    • your interactions with the Service (including date and time), such as the way you navigate through the system or how often you use a particular plugin and its features
    Your technical data
    Examples include:
    • URL information
    • online identifiers such as cookie data and IP addresses
    • information about the devices you use such as:
      • device IDs
      • network connection type (e.g. wifi, 4G, LTE, Bluetooth)
      • provider
      • network and device performance
      • browser type
      • language
      • information enabling digital rights management
      • operating system
    Your general (non-precise) location
    Your general location includes country, region or state. We may learn this from technical data (e.g. your IP address, language setting of your device).
    Additional data you may choose to give us
    Survey and Research Data
    When you respond to a survey or take part in user research, we collect and use the personal data you provide.
  4. Our purpose for using your personal data
    The table below sets out:
    • our purpose for processing your personal data
    • our legal justifications (each called a 'legal basis') under data protection law, for each purpose
    • categories of personal data which we use for each purpose. See more about these categories in Section 3 'Personal data we collect about you'
    Here is a general explanation of each 'legal basis' to help you understand the table:
    • Performance of a Contract: When it's necessary for Spotify (or a third party) to process your personal data to:
      • comply with obligations under a contract with you. This includes Spotify's obligations under the Licence Terms for Spotify Plugins for Backstage to provide the Service to you, or
      • verify information before a new contract with you begins.
    • Legitimate Interest: When Spotify or a third party has an interest in using your personal data in a certain way, which is necessary and justified considering any possible risks to you and other Spotify users. Contact us if you want to understand a specific justification.
    • Consent: When Spotify asks you to actively indicate your agreement to Spotify's use of your personal data for a certain purpose.
    • Compliance with Legal Obligations: When Spotify must process your personal data to comply with a law.
    Purpose for processing your data
    Legal basis that permits the purpose
    Categories of personal data used for the purpose
    To provide the Service in accordance with our contract with you / your employer. See Section 1 'About this policy' for what we mean by the Service.
    Performance of a Contract
    • Administrator Account Data
    • Usage Data
    To provide further parts of the Service.
    Legitimate Interest
    Our legitimate interests include keeping our website running and operational.
    • Administrator Account Data
    • Usage Data
    To understand, diagnose, troubleshoot and fix issues with the Service.
    Performance of a Contract
    • Administrator Account Data
    • Usage Data
    To evaluate and develop new features, technologies, and improvements to the Service.
    Legitimate Interest
    Our legitimate interests include keeping our website running and operational.
    • Administrator Account Data
    • Usage Data
    • Survey and Research Data
    For marketing or advertising where the law requires us to collect your consent.
    Consent
    • Administrator Account Data
    • Usage Data
    • Survey and Research Data
    For other marketing, promotion and advertising purposes where the law does not require consent.
    Legitimate Interest
    Our legitimate interests include keeping our website running and operational.
    • Administrator Account Data
    • Usage Data
    • Survey and Research Data
    To comply with a legal obligation that we are subject to.
    This might be:
    • an obligation under the law of the country / region you are in
    • Swedish law (because of our headquarters in Sweden), or
    • EU law that applies to us
    Compliance with Legal Obligations
    • Administrator Account Data
    • Usage Data
    • Survey and Research Data
    To comply with a request from law enforcement, courts, or other competent authorities.
    Compliance with legal obligations, and legitimate interest
    Our legitimate interests here include assisting law enforcement authorities to prevent or detect serious crime.
    • Administrator Account Data
    • Usage Data
    • Survey and Research Data
    To establish, exercise, or defend legal claims.
    Legitimate Interest
    Our legitimate interests here include:
    • seeking legal advice
    • protecting ourselves, our users, or others in legal proceedings
    • Administrator Account Data
    • Usage Data
    • Survey and Research Data
    To conduct business planning, reporting, and forecasting.
    Legitimate Interest
    Our legitimate interests here include researching and planning so that we can keep running our business successfully.
    • Administrator Account Data
    • Usage Data
    To detect and prevent fraud.
    Legitimate Interest
    Our legitimate interests here include protecting the Service and our users against fraud and other illegal activity.
    • Administrator Account Data
    • Usage Data
    • Survey and Research Data
    To conduct research and surveys.
    Legitimate Interest
    Our legitimate interests here include understanding more about how users think about and use the Service.
    • Administrator Account Data
    • Usage Data
    • Survey and Research Data
  5. Sharing your personal data
    This section sets out who receives personal data which is collected or generated through your use of the Service.
    See this table for details of who we share with and why:
    Categories of recipients
    Categories of data
    Reason for sharing
    Administrator of your Backstage Service account (i.e. the person who manages access to the Service for you, such as your employer)
    • Administrator Account Data
    • Usage Data
    If you are using the Service as purchased by someone else e.g. your employer, we may share information with them as part of providing the Service to them.
    Service providers
    • Administrator Account Data
    • Usage Data
    • Survey and Research Data
    So they can provide their services to Spotify.
    These service providers include those we hire to:
    • give customer support
    • operate the technical infrastructure we need to provide the Service
    • assist in protecting and securing our systems and services
    Other Spotify group companies, including companies that Spotify acquires
    • Administrator Account Data
    • Usage Data
    • Survey and Research Data
    To carry out our daily business operations and so we can maintain, improve and provide the Service to you.
    Law enforcement and other authorities, or other parties to litigation
    • Administrator Account Data
    • Usage Data
    When we believe in good faith it's necessary for us to do so, for example:
    • to comply with a legal obligation
    • to respond to a valid legal process (such as a search warrant, court order, or subpoena)
    • for our own or a third party's justifiable interest, relating to:
      • national security
      • law enforcement
      • litigation (a court case)
      • criminal investigation
      • protecting someone's safety
      • preventing death or imminent bodily harm
    Purchasers of our business
    • Administrator Account Data
    • Usage Data
    • Survey and Research Data
    If we were to sell or negotiate to sell our business to a buyer or possible buyer.
    In this case, we may transfer your personal data to a successor or affiliate as part of that transaction.
  6. Data retention
    We keep your personal data only as long as necessary to provide you with the Service and for Spotify's legitimate and essential business purposes, such as:
    • maintaining the performance of the Service
    • making data-driven business decisions about new features and offerings
    • complying with our legal obligations
    • resolving disputes.
    Criteria used to determine the retention periods include:
    • What is the appropriate retention period to carry out our purpose? We choose the retention period based on its legitimate business purpose.
    • Do we need to keep data to ensure the service that users expect? We keep personal data for an appropriate period to deliver a bespoke service to our users over time.
    • Are users able to update or delete the data themselves? Where users are able to see and update the personal data themselves, we keep the information for as long as the user chooses.
    • Is Spotify subject to a legal or contractual obligation to keep or delete the data? Examples include mandatory data retention laws, government orders to preserve data relevant to an investigation or data kept for the purposes of litigation. Conversely, we will remove unlawful content if the law requires us to do so.
  7. Transfer to other countries
    Because of the global nature of our business, Spotify shares personal data internationally with Spotify group companies, subcontractors and partners when carrying out the activities described in this Policy. They may process your data in countries whose data protection laws are not considered to be as strong as EU laws or the laws which apply where you live. For example, they may not give you the same rights over your data.
    Whenever we transfer personal data internationally, we use tools to:
    • make sure the data transfer complies with applicable law
    • help to give your data the same level of protection as it has in the EU
    To ensure each data transfer complies with applicable EU legislation, we use the following legal mechanisms:
    • Standard Contractual Clauses ('SCCs'). These clauses require the other party to protect your data and to provide you with EU-level rights and protections. You can exercise your rights under the Standard Contractual Clauses by contacting us or the third party who processes your personal data.
    • Adequacy Decisions. This means that we transfer personal data to countries outside of the European Economic Area which have adequate laws to protect personal data, as determined by the European Commission.
    We also identify and use additional protections as appropriate for each data transfer. For example, we use:
    • technical protections, such as encryption and pseudonymisation
    • policies and processes to challenge disproportionate or unlawful government authority requests
  8. Keeping your personal data safe
    We're committed to protecting our users' personal data. We put in place appropriate technical and organisational measures to help protect the security of your personal data. However, be aware that no system is ever completely secure.
    We have put various safeguards in place to guard against unauthorised access and unnecessary retention of personal data in our systems. These include pseudonymisation, encryption, access, and retention policies.
    To protect your user account, we encourage you to:
    • use a strong password which you only use for your Backstage account
    • never share your password with anyone
    • limit access to your computer and browser
    • log out once you have finished using the Service on a shared device
    • read more detail on protecting your account
  9. Changes to this policy
    We may occasionally make changes to this Policy.
    When we make material changes to this Policy, we'll provide you with prominent notice as appropriate under the circumstances.
  10. How to contact us
    For any questions or concerns about this Policy, contact our Data Protection Officer in any one of these ways:
    • email odpo@spotify.com
    • write to us at Spotify AB, Regeringsgatan 19, 111 53 Stockholm, Sweden
    Where European data protection law applies, Spotify AB is the data controller of personal data processed under this Policy. Where US data protection law applies, Spotify USA Inc. is the data controller of personal data processed under this Policy.