What information is Roon server collecting from me?

(Pepe A.) #1

I would like to hear from Roon Labs what information it is collecting from my Roon Server, either associated or dissociated with my identity, where it is located and stored, and also whether that information is being sold or shared by any means with or without my consent.

Best regards
Pepe

3 Likes
(Martin Webster) #2

Hello @Pepe_A. Welcome to the forum!

Take a look at the Privacy Policy.

There are also some threads on this topic, e.g.:

(Pepe A.) #4

As per your privacy policy summary page, literally 🙂

“What that means in practice is that Roon has to identify the music you have so it can be cross-referenced by our metadata service, and to achieve this we send information about your music collection to our servers.”, found on the following page: https://kb.roonlabs.com/Privacy_Policy

So please, again, what information is Roon sending to the company servers about my music collection? It is not enough to say you guys value customer’s privacy, you need to specifically say what information is being collected, and as a customer I ask you to do so.

Best regards

(Danny Dulai) #5

Everything about the “files library” and “streaming library” minus the actual PCM/DSD content. For example: your streaming service starred music IDs and region, file tags, file names, directory names, audio fingerprints, file lengths, hashes of the file content, etc.

(Martin Webster) #6

Not my privacy policy. I’m a community member too.

(Pepe A.) #7

Substitute “your” with “company”, is that OK?

Thank you for your help and contributions

1 Like
(Pepe A.) #8

If I understand correctly, please correct me if I am wrong Martin, Roon Labs is getting from my Roon server all of the metadata of my music library, right? If that is correct, then Roon Labs needs specific authorization from each user to collect and keep that (private) information in their servers.
Just to be clear, Roon Labs as a company knows the content of each user’s personal library. Would that be right to say?

thanks again Martin for chiming in

(Martin Webster) #9

I believe @danny has answered this already. Without this information Roon would not be able to provide a rich user experience unique to your music collection. Moreover, I believe we consent to this when we sign up to their services and install the software.

This information isn’t shared with anyone and it doesn’t contain personally identifiable information.

(Ged) #10

Users sign up for

2 Likes
(Danny Dulai) #11

Correct. How else would we identify your music to provide enhanced metadata?

Correct. We get that specific authorization in the Terms and Conditions that you accept on first-run of the software.

We don’t do this because we haven’t required it for anything, but our T&C’s do allow us to do so. See point 6.2 in @ged_hickman1’s post.

(Pepe A.) #12

Thank you for addressing my questions.

I don´t really know, guess that is a question for you guys to answer. Sometimes it is necessary to state clearly the obvious.

So we (users) give an authorization on the first run, got it. Do you happen to provide an opt-out option should we change our minds? How do you ensure all private information collected to that point is deleted? I don’t see any mention in your Terms and Conditions about opting out or quitting the relationship with Roon Labs. How does Roon Labs address that?

And so that is the problem, users need to understand what accepting your terms of use really means, namely that they allow Roon Labs to use our private information should they please at any moment.

We live in times where companies show little respect for people’s privacy. There are well known cases of that nature, as is publicly well known, Facebook being a notorious one. So the least I expect from any company having my personal data (with or without consent) is to show the utmost respect for my enquiries and to provide me with reasonable information that I can understand.

Thank you
Pepe

(Danny Dulai) #13

It is not possible. The metadata is sent to our servers. This is a requirement of our service.

We do not use the term private information - its definition is far too subjective.

We divide your information into 5 explicit definitions in our privacy policy. See the “Our commitment to your privacy” section.

The personal information and sometimes profile information in our privacy policy are the parts that can identify you as a person. This is called linked personal data by many sources, including the GDPR and the EU DPDs.

There is an additional concept of linkable personal data that can be combined together with other data to personally identify you. Examples of this data include your IP address and location, which is tied to your linked personal data by way of your membership.

We also consider location information and payment information as explicitly important personal-level data, falling into the category of linked personal data and linkable personal data.

The rest is all about your music collection and what you do with Roon. This is not stored with your personal data (all of the above). Let’s call this analytics data. There is a 1-way relationship to this analytics data (personal-to-analytics, not analytics-to-personal). There is no way to link your play or what is in your library, back to you personally.

For linked personal data, you can change/remove them at any time. Pursuant to GDPR Article 17 Section 3(e), we do not delete the fact that you signed up for a Roon trial.

For linkable personal data, when you cancel/expire your license, the linkable personal data information is deleted.

For analytics data, stop using Roon. We only have access when the Core sends it. If you don’t use Roon, it can’t send anything. For historical analytics data, we may or may not delete it. It can not be used to personally identify you.

We’ve given this much thought and I believe we have treated the matter with respect, and have provided reasonable information which is easily understandable.

While we have not had an external audit on this matter, we believe we are compliant with GDPR and the European directives for data privacy.

Many Roon members have read and have understood our privacy policy (as evidenced by the others posting here). The policy was written in plain language so as not to confuse or obscure what we are doing.

I am a co-founder of Roon Labs and our COO. If you need any clarifications, I’m happy to respond.

11 Likes
(Pepe A.) #14

Agreed, let us call it personal data, shall we? And according to European law, that is any piece of information that relates to an identifiable person.

Understood, thank you

Read it, thank you. Respectfully, your privacy policy seems clear, but (and according to the question I stated first in this thread) where is the information you collect from me stored? Is it transferred outside of the EU by any chance? Is it shared with any third party in any way, shape or form? If you provided answers to those original questions and I missed them, I apologize. Otherwise, please provide answers to those questions, I would appreciate it.

According to the European Law and subsequent rights for citizens, the following is the information that I should receive when I provide my personal data (from ec.europa.eu/info/law):

--- beginning of quote
When you provide your personal data, you must receive, among other things, information about:

  • the name of the company or organisation that is processing your data (including the contact details of the DPO, if there is one);
  • the purposes for which the company/organisation will use your data;
  • the categories of personal data concerned;
  • the legal basis for processing your personal data;
  • the length of time for which your data will be stored;
  • other companies/organisations that will receive your data;
  • whether data will be transferred outside the EU;
  • your basic rights in the field of data protection (for example, the right to access and transfer data or have it removed);
  • the right to lodge a complaint with a Data Protection Authority (DPA);
  • the right to withdraw your consent at any time;
  • the existence of automated decision-making and the logic involved, including the consequences thereof.

The information should be presented in a concise, transparent, intelligible way and drafted in clear and plain language.
--- end of quote

The last paragraph is very important.
The fact that “many members have read and understood”, as you stated, does not preclude you from complying with my rightful and respectful enquiry from the beginning and answering the information in accordance with the European law. You need to provide that (all of that) information when requested.

It is a good idea though to have an external audit for this matter. Data protection and online privacy is a serious matter here in Europe for consumers and service providers alike.

I am using my trial period with Roon to not only evaluate the product, but also the company policies and respect for consumer privacy. I quit Facebook in the blink of an eye right after knowing they were selling consumer data to Cambridge Analytica. It is in the hands of the companies who provided the services to honor that beautiful promise in their Terms of Service statements, with facts.

Nice to meet you Danny, my name is Pepe. If you are so kind to address the questions unanswered, it would be great and I would be really grateful.

(Danny Dulai) #15

As noted above, your music collection does not qualify as your linked or unlinked personal data, nor is your play history or any other thing we collect about how you use Roon.

This only applies to your “personal information”, “payment information”, and “location information” as per our privacy policy. The rest does not fall under any of these laws because it can not be tied back to you personally.

It is stored in the US. If you have a problem with that, let us know and we will cancel your account. We will get that added to the T&C so accepting it qualifies you to accept it.

Yes it is, I answered this here, as stated above by @Martin_Webster

To answer your other EC information:

Roon Labs LLC

To provide functionality and support for the software Roon, and the services associated with your subscription. Your email is your login, your name is used for addressing you, and your IP/location is used for licensing copyright materials.

This is all listed on the privacy policy under personal information, payment information, location information.

The name/email is for obvious reasons. The questionable one is location/IP, and that is for copyright reporting.

I noted this above.

I noted this above. None.

Yes.

You can change it all or cancel your account.

We are not stopping you 🙂

Just cancel your membership and/or change what you want. We will remove all except what was noted above.

There are none.

It is for us too. We have worked hard to do the lawful thing. As for an auditor, I don’t think you realize that we are under 20 employees, and quite a small company. We are doing well, but the costs associated with an audit like this are quite large.

We’ve architected our system so that it fits the legal requirements, not so it meets the needs of every person that has their own personal definition of “privacy”.

If you don’t like that your Roon usage is known to us, vote with your dollars. If you are worried about us telling someone that Pepe A listens to Michael Jackson, you have nothing to worry about. If you are worried about adding a tick to Michael Jackson’s popularity, now is the time to leave.

14 Likes
(Pepe A.) #16

Thank you for taking the time to answer my questions.

As I already stated and according to European law, any piece of information that relates to an identifiable person is considered personal data. Full stop. Maybe it does not qualify in the USA, but we are talking about European law. I thought we were on the same page here, weren’t we?

Well, it seems not hard enough. As I stated before and according to the European data protection and privacy laws, there is information that you need to provide when somebody gives you personal data. I urge you to read it on their website here:


and understand you need to provide that information somehow, somewhere (ie. privacy policy, terms of use, etc). I had to show you that list here and look for your answers, wasting unnecessary time to obtain something that you should have made public already.

I fully understand that doing business by the law is more expensive than with no law at all, but well, that is the cost of doing business. Do you happen to know what a complaint for violating European data protection and privacy law will cost your company in Europe? The answer is 2% of your yearly gross income for the first complaint. I am not responsible for your P&L, but I bet it does look worse than accounting a sunk cost 1 time and doing things right.

That would be true in the USA, maybe, but not the European Union. Why do you insist on making this about the “privacy” of one person? Please stop using the straw man fallacy. It is about respecting the European laws of data protection and privacy whenever you collect personal data, and that counts for one person or for many. And to recap, that was the subject and content of my enquiry so everybody can see that I was asking for what the European Law says you have had to provide:


What information is Roon server collecting from me?
I would like to hear from Roon Labs what information it is collecting from my Roon Server, either associated or dissociated with my identity, where it is located and stored, and also whether that information is being sold or shared by any means with or without my consent.


Please keep away that condescending tone, it is not for you to tell me what to worry about. What I do not like is that your Privacy Policy does not provide the information required by the European law and hence my enquiry for you to provide it. Your tone is anything but treating this issue with respect. But hey, who am I to tell you what treating a customer with respect is. I tried to be heard out and get first hand your point of view on this matter. If your only recommendation is “if you don´t like it, vote with your dollars and/or leave”, then coming here and letting you guys know was a total waste of your time and mine as well.

1 Like
(Martin Webster) #17

I think you are stretching the definition if you think someone can be identified by their record collection. This is not personally identifiable information.

Personal data means any information relating to an identifiable person. In other words, information that is clearly about a particular person.

Can you be identified directly or indirectly because, for example, you have the Beatles White Album in your collection? The answer is clear: no you can’t. Likewise, you can’t be identified because you played that album at 21:07 CET yesterday evening.

7 Likes
(Ged) #19

I think you need to study GDPR more. Your definitions are incorrect as to what is personally identifiable information.
I do IT GDPR compliance as part of my job and the split in personal and collective that Danny describes is fairly standard and correct.

5 Likes
(Robert Daines) #20

I’m not sure what more you want from the Roon folks? Danny has patiently and clearly answered your repeated questions. I don’t think there is anything more to say, clearly Roon is not for you. Ask them to delete your account if it makes you feel more secure, but you’ll be missing out on an enjoyable music experience.

(Coltrane) #21

I cannot assess whether Roon complies with EU data protection law or not, but I can totally understand where Pepe’s discomfort comes from. I was also very hesitant to use Roon as my main music software, but the urge to use it was greater than my concerns…
For example, I find it problematic when Roon does not delete information about my music library when I quit my contract with them. I assume that this information is worth a lot, and can be a real asset (if Roon is ever sold). This data should be deletable.

My understanding is that when I buy a product I want full control over my data. This is different from using Google products, which you don’t have to pay for to use them. I am paying with my data. But with Roon it seems to me that I give them information about the content of my library and how I use it for free. It is a gift to improve their algorithms.

4 Likes
#22

I agree data protection should be taken seriously (in my day job I too have to be fully aware of the GDPR compliance and its implications). I believe Roon are doing the right (legal) thing here … I agree their privacy policy statement should be improved to aid clarity … but I firmly believe Roon are being transparent and not attempting to hide anything in this respect.

The point that Danny made is that this data is not linked to user accounts (it is anonymous and not considered personal information), thus Roon has no way to remove it even if it wished to … as there is no link from one to the other.

Pepe (or any of us) has the right to ask these questions … I believe the tone of this discussion has been civil, but the interpretation of what is considered personal data under the terms of GDPR and what individuals consider personal data are often misaligned. When that’s the case it is up to the individual to make a call and do what they see fit for them.

1 Like