Many companies state they don’t share “personally identifiable information”, which is true on a technicality. As presented it’s not inclusive of actual name, address, phone number, etc. However often time’s that’s dancing around reality. It may include IP addresses, other pattern or system information that, on it’s own, is not personally identifiable, but when included with other data that the same aggregate bulk data purchasers also purchase/obtain, it’s easily very identifiable. Thus company A sells “non-identifiable information”, company B sells “non-identifiable information”, and company C buys the information from both, puts them both together, and now they know what you ate for breakfast and how long you spent eating it, and that you have a serious Coltrane fetish.
Who knows what Roon does or doesn’t sell, but when dealing with any cloud service, always assume whatever information you offer can be identifiable and sold, even if it’s not bundled specifically as “user x listened to these tracks during x time.” Regardless of what the legal wording in a privacy policy says.
Heck, every Google privacy policy proudly announces they don’t collect personally identifiable information, despite that being their entire business. Legally it’s true. It’s only personally identifiable when you connect the 10 different non-identifiable points of data together. Which they do, in real-time. 