Confidence Website Privacy Policy

Effective as of 2024-08-22

1. About this Policy

2. Your personal data rights and controls

3. Personal data we collect about you

4. Our purpose for using your personal data

5. Sharing your personal data

6. Data retention

7. Transfer to other countries

8. Keeping your personal data safe

9. Changes to this Policy

10. How to contact us

  1. About this Policy

This Policy describes how we process your personal data in connection with this, the Confidence website (the ‘Site’). In this Policy, ‘we’ refers to Spotify AB or Spotify US, Inc., as applicable - please see Section 10 ‘How to contact us’ for more detail.

For information about how we use cookies and how to manage your cookie preferences, see our Cookie Policy here.

  1. Your personal data rights and controls

Many privacy laws give rights to individuals over their personal data. These laws include the General Data Protection Regulation, or ‘GDPR’.

Some rights only apply when Spotify uses a certain ‘legal basis’ to process your data. We explain each legal basis, and when Spotify uses each one, in Section 4 ‘Our purpose for using your personal data’.

The table below explains:

  • your rights,
  • circumstances when they apply (such as the legal basis required), and
  • how to use them.
It’s your right to...How?
Be informedBe informed of the personal data we process about you and how we process it.We inform you: through this Policy by answering your specific questions and requests when you contact us
AccessRequest access to the personal data we process about you.To request a copy of your personal data from Spotify, please contact us. When you are provided with your data you will receive the information about your data that Spotify has to provide under Article 15 of the GDPR. If you would like more information about how we process your personal data, you can contact us.
RectificationRequest that we amend or update your personal data where it’s inaccurate or incomplete.Please contact us to exercise your right to rectification.
ErasureRequest that we erase certain of your personal data. For example, you can ask us to erase personal data: that we no longer need for the purpose it was collected for that we process based on the legal basis of consent, and you withdraw your consent when you object (see section ‘Object’ below) and you make a justified objection, or you object to direct marketing There are situations where Spotify is unable to delete your data, for example when: it’s still necessary to process the data for the purpose we collected it for Spotify’s interest in using the data overrides your interest in having it deleted. For example, where we need the data to protect our services from fraud Spotify has a legal obligation to keep the data, or Spotify needs the data to establish, exercise or defend legal claims. For example, if there’s an unresolved issue relating to your accountPlease contact us to exercise your right to erasure.
RestrictionRequest that we stop processing all or some of your personal data. You can do this if: your personal data is inaccurate our processing is unlawful we do not need your information for a specific purpose, or you object to our processing and we are assessing your objection request. See section ‘Object’ below You can request that we stop this processing temporarily or permanently.Please contact us to exercise your right to restriction.
ObjectObject to us processing your personal data. You can do this if Spotify is processing your personal data on the legal basis of legitimate interests.Please contact us to request objection.
Data portabilityRequest a copy of your personal data in electronic format and the right to transmit that personal data for use in another party’s service. You can request us to transmit your data when we are processing your personal data on the legal bases of consent or performance of contract. However Spotify will try to honour any request to the extent possible.For information about how to exercise the right to portability, see ‘Access’ above.
Not be subject to automated decision makingNot be subject to a decision based solely on automated decision making (decisions without human involvement), including profiling, where the decision would have a legal effect on you or produce a similarly significant effect.Spotify does not carry out this type of automated decision making in relation to the Site.
Withdrawal of consentWithdraw your consent to us collecting or using your personal data. You can do this if Spotify is processing your personal data on the legal basis of consent.To withdraw your consent, you can contact us.
Right to lodge a complaintContact the Swedish Authority for Privacy Protection or your local data protection authority about any questions or concerns.You can find the Swedish Authority’s details here. You can also go to the website of your local data protection authority.
  1. Personal data we collect about you

These tables set out the categories of personal data we collect from you.

CategoriesDescription
User DataPersonal data that you provide via the Site to contact us or create a Confidence account. This may include your: name business email address password job title company name and information company address If you are not the individual in charge of making Confidence purchases, for example because your employer is providing you with access to Confidence, then we do not collect this data about you.
Survey and Research DataWhen you respond to a survey or take part in user research, we collect and use the personal data you provide.
  1. Our purpose for using your personal data

The table below sets out:

  • our purpose for processing your personal data
  • our legal justifications (each called a ‘legal basis’) under data protection law, for each purpose
  • categories of personal data which we use for each purpose. See more about these categories in Section 3 ‘Personal data we collect about you’

Here is a general explanation of each ‘legal basis’ to help you understand the table:

  • Performance of a Contract: When it’s necessary for Spotify (or a third party) to process your personal data to:
    • comply with obligations under a contract with you, or
    • verify information before a new contract with you begins.
  • Legitimate Interest: When Spotify or a third party has an interest in using your personal data in a certain way, which is necessary and justified considering any possible risks to you and other Spotify users. Contact us if you want to understand a specific justification.
  • Consent: When Spotify asks you to actively indicate your agreement to Spotify’s use of your personal data for a certain purpose.
  • Compliance with Legal Obligations: When Spotify must process your personal data to comply with a law.
Purpose for processing your dataLegal basis that permits the purposeCategories of personal data used for the purpose
To provide the Site in accordance with our contract with you / your employer.Performance of a ContractUser Data
To provide further parts of the Site.Legitimate Interest Our legitimate interests include keeping the Site running and operational.User Data
For marketing or advertising where the law requires us to collect your consent.ConsentUser Data Survey and Research Data
For other marketing, promotion and advertising purposes where the law does not require consent.Legitimate InterestUser Data Survey and Research Data
To comply with a legal obligation that we are subject to. This might be: an obligation under the law of the country / region you are in Swedish law (because of our headquarters in Sweden), or EU law that applies to usCompliance with Legal ObligationsUser Data Survey and Research Data
To comply with a request from law enforcement, courts, or other competent authorities.Compliance with Legal Obligations, and Legitimate Interest Our legitimate interests here include assisting law enforcement authorities to prevent or detect serious crime.User Data Survey and Research Data
To establish, exercise, or defend legal claims.Legitimate Interest Our legitimate interests here include: seeking legal advice protecting ourselves, our users, or others in legal proceedingsUser Data Survey and Research Data
To conduct business planning, reporting, and forecasting.Legitimate Interest Our legitimate interests here include researching and planning so that we can keep running our business. successfully.User Data
To detect and prevent fraud.Legitimate Interest Our legitimate interests here include protecting the Site against fraud and other illegal activity.User Data Survey and Research Data
To conduct research and surveys.Legitimate Interest. Our legitimate interests here include how to understand more about how users think about and use the Confidence service.User Data Survey and Research Data
  1. Sharing your personal data

This section sets out who receives personal data which is collected or generated through your use of the Site.

See this table for details of who we share to and why:

Categories of recipientsCategories of dataReason for sharing
Service providersUser Data Survey and Research DataSo they can provide their services to Spotify. These service providers include those we hire to: operate the technical infrastructure we need to provide the Site assist in protecting and securing our systems and services
Other Spotify group companies, including companies that Spotify acquiresUser Data Survey and Research DataTo carry out our daily business operations and so we can maintain, improve and provide the Site to you.
Law enforcement and other authorities, or other parties to litigationUser Data Usage DataWhen we believe in good faith it’s necessary for us to do so, for example: to comply with a legal obligation to respond to a valid legal process (such as a search warrant, court order, or subpoena) for our own or a third party’s justifiable interest, relating to: national security law enforcement litigation (a court case) criminal investigation protecting someone’s safety preventing death or imminent bodily harm
Purchasers of our businessUser Data Survey and Research DataIf we were to sell or negotiate to sell our business to a buyer or possible buyer. In this case, we may transfer your personal data to a successor or affiliate as part of that transaction.
  1. Data retention

We keep your personal data only as long as necessary to provide you with the Site and for Spotify’s legitimate and essential business purposes, such as:

  • maintaining the performance of the Site
  • complying with our legal obligations
  • resolving disputes.

Criteria used to determine the retention periods include:

  • What is the appropriate retention period to carry out our purpose? We choose the retention period based on its legitimate business purpose.
  • Do we need to keep data to ensure the service that users expect? We keep personal data for an appropriate period to deliver a bespoke service to our users over time.
  • Are users able to update or delete the data themselves? Where users are able to see and update the personal data themselves, we keep the information for as long as the user chooses.
  • Is Spotify subject to a legal or contractual obligation to keep or delete the data? Examples include mandatory data retention laws, government orders to preserve data relevant to an investigation or data kept for the purposes of litigation. Conversely, we will remove unlawful content if the law requires us to do so.
  1. Transfer to other countries

Because of the global nature of our business, Spotify shares personal data internationally with Spotify group companies, subcontractors and partners when carrying out the activities described in this Policy. They may process your data in countries whose data protection laws are not considered to be as strong as EU laws or the laws which apply where you live. For example, they may not give you the same rights over your data.

Whenever we transfer personal data internationally, we use tools to:

  • make sure the data transfer complies with applicable law
  • help to give your data the same level of protection as it has in the EU

To ensure each data transfer complies with applicable EU legislation, we use the following legal mechanisms:

  • Standard Contractual Clauses (‘SCCs’). These clauses require the other party to protect your data and to provide you with EU-level rights and protections. You can exercise your rights under the Standard Contractual Clauses by contacting us or the third party who processes your personal data.
  • Adequacy Decisions. This means that we transfer personal data to countries outside of the European Economic Area which have adequate laws to protect personal data, as determined by the European Commission.

We also identify and use additional protections as appropriate for each data transfer. For example, we use:

  • technical protections, such as encryption and pseudonymisation
  • policies and processes to challenge disproportionate or unlawful government authority requests
  1. Keeping your personal data safe

We’re committed to protecting our users’ personal data. We put in place appropriate technical and organisational measures to help protect the security of your personal data. However, be aware that no system is ever completely secure.

We have put various safeguards in place to guard against unauthorised access and unnecessary retention of personal data in our systems. These include pseudonymisation, encryption, access, and retention policies.

  1. Changes to this Policy

We may occasionally make changes to this Policy.

When we make material changes to this Policy, we’ll provide you with prominent notice as appropriate under the circumstances.

  1. How to contact us

For any questions or concerns about this Policy, contact our Data Protection Officer any one of these ways:

  • email odpo@spotify.com
  • write to us at Spotify AB, Regeringsgatan 19, 111 53 Stockholm, Sweden

Where European data protection law applies, Spotify AB is the data controller of personal data processed under this Policy. Where US data protection law applies, Spotify USA Inc. is the data controller of personal data processed under this Policy.

© Spotify AB
© Spotify USA Inc.