INFORMED CONSENT BY EUROPEAN UNION (“EU”) DATA SUBJECTS UNDER THE EU’S GENERAL DATA PROTECTION REGULATION (“GDPR”).
At Roon Labs, Our mission is to connect people with music. To do that, We make software and provide information services used by that software. Unlike many other music players, Roon doesn’t just display your music and let You play it, but instead creates rich context about Your music using information about the music.
This metadata includes editorial information (like genre, rating, and review) as well as factual information (like which label released a recording, who performed on it, and who composed, produced, and conducted the performance). Roon uses all that information to make it easy to access the music You want to listen to, to display the most relevant possible music in a given context, to provide insight into relationships between pieces of music, and to give You a healthy dose of serendipity.
What that means in practice is that Roon has to identify the music You have so it can be cross-referenced by our metadata service, and to achieve this We send information about Your music collection to Our servers. We also have mechanisms for authenticating Our users, collecting payments, and communicating with them.
Each of these systems has been designed with Our Users’ privacy in mind. We understand that by allowing Roon to do what We designed it to do, You place a great deal of trust in us. It’s Our aim to continue to earn that trust every day.
The following provisions demonstrate Our commitment to privacy:
Your personal information (name, email address, password) is collected and stored in Our account database to facilitate Your access to Our software.
Your payment information (credit card details) is transmitted to our payment processor when You enter it and is held in Our systems only as long as necessary to facilitate that payment process.
Your location information is used to determine which content (for example, lyrics and streaming music) We are allowed to display to You.
Information about Your music collection is used to provide You with rich metadata, and is stored in Roon’s database on Your computer. This metadata may also be stored on Roon’s servers, including any servers of Roon’s third party cloud providers.
Information about how one particular User utilizes Roon is generally stored separately from information about another User.
No method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, We cannot guarantee its absolute security. However, we make efforts to protect Your personal information from improper or unauthorized loss, misuse, access, disclosure, alteration, or destruction. If You have questions about the security of Your personal information, contact the Company at the email or regular mailing address specified in the Contact Us section below.
We will retain Your personal information for as long as necessary to fulfill the purposes for which We collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal information, We consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of Your personal information, the purposes for which We process Your personal information, whether We can achieve those purposes through other means, and the applicable legal requirements.
The information We gather falls into three categories, each of which serves a specific purpose: personal information, profile information, and analytics data.
Personal information you must provide
In order to create Your Roon account and accept payment for your membership, We must collect certain personal information about You.
See Section 4 below regarding communication with Our Users for more details.
Your password is stored in an encrypted form on your computer or Roon core appliance as well as on Our servers and possibly on those of our third party cloud providers. Your Roon password is used to authenticate You when You use Roon software, so We can be sure that people using the service are real members and not baddies. We can’t decrypt your password, so if You forget it, You will have to reset it by using the Roon or Roon remote app.
Passwords are reset by sending an email to Your email address for verification.
Roon isn’t free, and for now, we only accept payment by credit card. Your credit card information (which includes cardholder name, card number, expiration date, and CVV code) is transmitted directly to Our payment processor using secure socket layer (SSL) technology. We keep a record of the cardholder name, expiration date, zip code and the last four digits of the card number so We can display that information to You on Your account page.
Profile information you may optionally give us
We introduced User profiles to make Roon more useful in multi-user households, so different Users can have their own favorites, play history, and playlists. Having access to profile information enhances Roon’s functionality, but isn’t required for it to operate properly.
We use Your birth date (but most importantly, Your birth year) to look for insights into Your music taste. It’s stored on Your computer or Roon core appliance as well as on Our servers, and it’s never shared with any third party.
If you want to scrobble your plays, we need your Last.fm login credentials. Your Last.fm credentials are stored in Roon’s database on Your computer or Roon core appliance and possibly on those of our third party cloud providers.
To access the streaming content You’ve favorited and to authorize Roon to playback streams, We need Your login credentials. Your credentials for streaming services are stored in Roon’s database on Your computer or Roon core appliance and possibly on those of our third party cloud providers.
Analytics data gathered by Roon Labs software
Roon captures information about how and where You use the software, and statistical reports about this information are stored on our servers for analysis and possibly also stored on servers of our third party cloud providers. The data is generally transmitted and stored without any reference to Your personal information. The purpose of the analytics data is to help us understand Our users and how they utilize Roon.
Your geographic location. We are contractually obligated by some of our data providers and service partners to filter the content You see based on where You’re located. Yes, this feels very “21st century” to Us, too, but draconian laws are draconian laws.
Information about Your music collection. Roon transmits some summary information about the files in Your music collection to our servers and possibly using those of our third party cloud providers.
Information about what music You play. For the development of radio and other features, Roon builds musical taste profiles based on Your play history.
Information about how You use Roon. In order to understand our members and their needs better, We capture data about how You use Roon, including, but not limited to: the features You use, how often You use Roon, statistics about Your music library, geographic location, and the audio devices You stream to.
We send email messages to our Users when specific actions or feedback are required of them (password reset, credit card expiration, renewal notification). Receiving these messages is not optional since the actions or feedback being solicited are necessary for the software to work properly.
Our software contains links to other web sites, including Wikipedia, Facebook, Instagram, Twitter, Songkick, and various artists’ web sites (collectively, “Third Party Sites”). Please be aware that Our Privacy Policies (as defined above) do not apply to these other Third Party Sites. Although we use great care when selecting content for Our software (including links to Third Party Sites), We disclaim any responsibility for the content found on those other Third Party Sites.
We encourage You to review the privacy statements of the other Third Party Sites to understand their information practices. IN PARTICULAR, EACH USER SHOULD REVIEW THE PRIVACY STATEMENTS OF SUCH THIRD PARTY SITES TO DETERMINE THAT PARTICULAR THIRD PARTY SITE’S PRACTICES WITH REGARD TO THE COLLECTION AND USE OF YOUR PERSONALLY IDENTIFIABLE INFORMATION.
WITHOUT LIMITING THE GENERALITY OF THE FOREGOING, EACH USER AGREES THAT IF THE USER USES ANY THIRD PARTY SITES IN ANY WAY, THE USER IS AWARE THAT ANY OF THE USER’S PERSONAL INFORMATION THAT THE USER PROVIDES TO THAT THIRD PARTY SITE MIGHT BE READ, COLLECTED, SHARED, DISTRIBUTED, OR OTHERWISE USED BY OTHER USERS OF THAT THIRD PARTY SITE OR BY ANY OTHER THIRD PARTIES, AND COULD BE USED TO SEND THE USER UNSOLICITED MESSAGES. THE COMPANY IS NOT RESPONSIBLE FOR ANY PERSONAL INFORMATION THAT THE USER ELECTS TO SUBMIT IN, OR OTHERWISE MAKE AVAILABLE TO, THESE THIRD PARTY SITES.
Users can correct or update their personal and payment information by signing in to their account page on the Roon web site.
Users are solely responsible for correcting, updating, or modifying any and all of the User’s personal information. Without in any way limiting the foregoing, You acknowledge and agree that the Company does not have an independent obligation to maintain the accuracy or completeness of any of the personal information You provide to the Company.
Data Subjects (as such term is defined in the GDPR) are hereby notified that they have the following additional rights pursuant to the GDPR:
Pursuant to GDPR Article 15 (Right of Access by the Data Subject), to obtain from Us confirmation as to whether Personal Data (as such term is defined in the GDPR) has been Processed (as such term is defined in the GDPR) and, if that is the case, access to that Personal Data and additional information about how it has been Processed, including without limitation: (i) the purpose of the Processing; (ii) the category of Personal Data concerned; (iii) the categories of recipients to whom the Data Subject’s Personal Data has been disclosed; (iv) the planned retention period; (v) the existence of Your right of rectification, deletion, limitation of processing, or opposition; (vi) the existence of a right to complain; (vii) the source of the collection of Personal Data if not collected from Us; and (viii) the existence of automated decision-making including profiling and, where appropriate, meaningful information about their details;
Pursuant to GDPR Article 16 (Right to Rectification), to request the correction (modification) of incorrect Personal Data or any completed Personal Data stored by Us;
Pursuant to GDPR Article 17 (Right to Erasure; “Right to be Forgotten”), to request the deletion of the Data Subject’s Personal Data stored by Us, except for the allowed continued uses permitted by the GDPR, including without limitation as far as the Processing is needed to exercise the right to freedom of expression and information, for the fulfillment of a legal obligation, for reasons of the public interest, or for the assertion, exercise, or defense of legal claims, if required;
Pursuant to GDPR Article 18 (Right to Restriction of Processing), to demand the restriction of the Processing of the Data Subject’s Personal Data where one of the following applies: (i) as far as the accuracy of the Personal Data is disputed by the Data Subject; (ii) the Processing of the Personal Data is unlawful, but the Data Subject rejects its deletion; (iii) We no longer need the Personal Data, but the Data Subject requires it to exercise or defend legal claims; or (iv) the Data Subject has objected to the Processing of the Personal Data in accordance with GDPR Article 21;
Pursuant to GDPR Article 20 (Right to Data Portability), the right of the Data Subject to receive his/her Personal Data as provided to Us, in a structured, common, and machine-readable format or to request the transfer to another person responsible;
Pursuant to GDPR Article 7(3) (Conditions of Consent), the Data Subject’s right to withdraw, at any time, the Data Subject’s once granted consent. As a result, We are no longer allowed to continue the Processing of Personal Data based on that consent for the future, but such withdrawal does not affect the lawfulness of the Processing of Personal Data based on such consent before such withdrawal; and
Pursuant to GDPR Article 77 (Right to Lodge a Complaint with a Supervisory Authority), the right of the Data Subject to complain to a Supervisory Authority, as such term is defined in the GDPR. As a general rule, the Data Subject can contact the Supervisory Authority of the Data Subject’s usual place of residence or work or place of the alleged infringement.
The Company may process Your Personal Data (as such term is defined under the GDPR) under the following conditions:
Performance of a contract: Provision of Personal Data is necessary for the performance of an agreement with You and/or for any pre-contractual obligations thereof.
Legal obligations: Processing Personal Data is necessary for compliance with a legal obligation to which the Company is subject.
Vital interests: Processing Personal Data is necessary in order to protect Your vital interests or those of another natural person.
Public interests: Processing Personal Data is related to a task that is carried out in the public interest or in the exercise of official authority vested in the Company.
Legitimate interests: Processing Personal Data is necessary for the purposes of the legitimate interests pursued by the Company.
In any case, the Company will gladly help to clarify the specific legal basis that applies to the Processing of Your Personal Data, and, in particular, whether the provision of Personal Data (as defined under the GDPR) is a statutory or contractual requirement, or a requirement necessary to enter into a contract.