What information is Roon server collecting from me?

From the privacy policy

  • Your personal information (name, email address, password) is stored securely in our account database and is never shared with our partners or other third parties.
  • Your payment information (credit card details) is transmitted securely to our payment processor (Stripe) when you enter it and isn’t stored in our systems.
  • Your location information is used to determine which content (for example, lyrics and TIDAL streams) we’re allowed to display to you.

Ah, thanks for clarifying. It was not clear from my understanding of this topic that only this info was collected and that nothing about song plays, path of songs, genre, artists etc. and other data was collected.

Danny’s posts above say that music play history is stored in the cloud. But, as I understand it, it is anonymised so that Roon cannot tell whose history is whose, meaning it does not constitute personal data for the purposes of the GDPR.

1 Like

roonlabs has the ability right now to know everything about the content of each user’s local library without keeping copies on their servers. Whether this is true, or if they utilize it, I do not know.

For every item (track, album, artist, etc) in a local library, the local core must make a call to retrieve the metadata from one of roonlabs’ backend services to obtain the metadata. This must be done at least once when new music is being cataloged for the first time. Likewise, roonlabs’ services possibly get the metadata from some 3rd party provider’s services [unless roonlabs licenses 3rd party data for use on roonlabs’ servers without calling to 3rd party APIs, which is not likely]. By keeping records of these service calls (which is pretty much a certainty in my mind, even if only in service logs and not in databases) both roonlabs and their third parties can build profiles of users’ libraries. The question is if these profiles contain or can be associated with PII.

Does roonlabs log any personal identifier with these metadata service calls, for example, the customer’s IP address (which is PII)? Does roonlabs provide a personal identifier, or any other identifier such as a session id, that would enable third parties to log the requests in a way that would allow them to build library profiles either?

Thanks,
-Eric

1 Like
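The question raised in the post above, which identifier (if any) is kept with each metadata request, decides what the logs can reveal. The following is an added example, not Roon Labs code: the log format, field names and sample lines are constructed for illustration, and the functions are hypothetical.

```python
from collections import Counter, defaultdict

# Constructed sample log of a hypothetical metadata service:
# timestamp, client IP, session id, requested item.
SAMPLE_LOG = """\
2019-02-01T10:00:01Z 203.0.113.7 sess-a1 album:Kind_of_Blue
2019-02-01T10:00:02Z 203.0.113.7 sess-a1 album:Blue_Train
2019-02-01T10:00:05Z 198.51.100.9 sess-b2 album:Abbey_Road
2019-02-02T09:30:00Z 203.0.113.7 sess-c3 album:A_Love_Supreme
2019-02-02T09:31:00Z 198.51.100.9 sess-d4 album:Revolver
"""

def parse(log):
    """Yield one dict per request line."""
    for line in log.strip().splitlines():
        ts, ip, session, item = line.split()
        yield {"ts": ts, "ip": ip, "session": session, "item": item}

def build_profiles(records, key):
    """Group requested items by whichever identifier the log retained."""
    profiles = defaultdict(set)
    for r in records:
        profiles[r[key]].add(r["item"])
    return dict(profiles)

def strip_identifiers(records):
    """A minimised log: keep the day and the item, nothing per-client."""
    return [{"day": r["ts"][:10], "item": r["item"]} for r in records]

def item_counts(records):
    """Aggregate popularity, the only view left once identifiers are gone."""
    return Counter(r["item"] for r in records)

if __name__ == "__main__":
    records = list(parse(SAMPLE_LOG))
    # IP retained: one entry per client, covering every day in the log.
    print(build_profiles(records, "ip"))
    # Only a session id retained: fragments that do not link across sessions.
    print(build_profiles(records, "session"))
    # No identifier retained: aggregate counts only.
    print(item_counts(strip_identifiers(records)))
```
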

On the broader issue, roonlabs is free to build value from aggregated information that lacks PII – but they must be careful how they do this. As hard as they try, I’m not sure a small company can get this right. I was an engineer at Amazon for several years. Amazon truly puts a premium on getting customer confidence and data security right, and this is embedded in the culture. I don’t know how many people work on these issues directly there (and couldn’t say even if I did) but it’s probably an order of magnitude more than is working at roonlabs. More important, perhaps, all code that will end up in a service or face the public goes through rigorous security audits w.r.t. customer information.
If you want to make money off of our data, you need to spend money to secure it.

The big question for society is whether the raw data source for this value, namely us, the putative customers, should be compensated and/or have control of how our data footprints are used, even if anonymized and aggregated. To my knowledge, there are no laws giving consumers this control. We are the batteries in the matrix, blissfully unaware of the machines that couldn’t exist without our unwitting participation.

Red pill, anyone? Google “surveillance capitalism”. Or use an anonymized search engine instead 🙂. There’s a new book doing the rounds that could enrage citizens to do something about the current state of affairs. There are lots of online interviews with the author of the book which may be enough to get your hackles up about it.

Thanks,
- Eric

2 Likes

We know who you are when you make the request. It’s how we allow you to make the request (authentication). We do not save the personal part of this information.

We do not pass on personal data to anyone except our payment processor, and the respective parties when dealing with your facebook/twitter/lastfm/tidal/qobuz/dropbox/etc information.

Not only is it likely, it is exactly what we do. We license data and refused to work with Qobuz until they provided data.

From my Roon account:

image

What are you trying to state?

That my payment information IS stored on your systems.

Not necessarily. roon can request the information shown in the screenshot from their payment processor (stripe) when needed.

roonlabs and stripe have to agree on some common identifier for you, for example, your “Software Serial” as seen in the “About Roon” page. roonlabs could tell stripe they have a relationship with you and use this id to represent you, or maybe stripe gives roon some id for you, it doesn’t matter to understand this. Then roon would get your credit card info from you the first time, along with your name, address, etc, and send all this data to stripe along with the id and the amount to bill you, and never store your credit card number on their own systems. It’s true that your credit card data would flow through roonlabs’ software and the internet, but they don’t have to hang on to it after giving it to (or requesting it from) stripe.

Thanks,
-Eric

1 Like
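The flow described in the post above, as an added example that is not Roon Labs or Stripe code: `MockProcessor` and `Merchant` are hypothetical stand-ins, the token format is invented, and the card details are constructed test values.

```python
import secrets

class MockProcessor:
    """Stand-in for the payment processor's vault (not a real processor API)."""
    def __init__(self):
        self._vault = {}  # token -> full card record, held only by the processor

    def store_card(self, number, exp, name):
        token = "tok_" + secrets.token_hex(8)  # the shared identifier
        self._vault[token] = {"number": number, "exp": exp, "name": name}
        return token

    def card_summary(self, token):
        # The processor hands back partial data only, never the full number.
        card = self._vault[token]
        return {"last4": card["number"][-4:], "exp": card["exp"], "name": card["name"]}

class Merchant:
    """Stand-in for the merchant's systems: persists the token and nothing else."""
    def __init__(self, processor):
        self.processor = processor
        self.db = {}  # account id -> token

    def add_card(self, account_id, number, exp, name):
        # The card number passes through this call but is not written to self.db.
        self.db[account_id] = self.processor.store_card(number, exp, name)

    def account_page(self, account_id):
        # Rendered on demand from the processor's answer; nothing is cached.
        s = self.processor.card_summary(self.db[account_id])
        return f"{s['name']}, card ending {s['last4']}, expires {s['exp']}"

if __name__ == "__main__":
    merchant = Merchant(MockProcessor())
    merchant.add_card("acct-1", "4242424242424242", "12/30", "A. Listener")
    print(merchant.account_page("acct-1"))  # card details are visible to the user
    print(merchant.db)                      # yet the merchant store holds only a token
```
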

Well, you’d be wrong. Read the privacy policy more carefully and you will see we state that it is stored on our payment processor servers and not ours.

Payment information is stored in a PCI compliant method (for which there are audits) with our payment processor only. When we display that screen, we request information from our payment processor. They give us some of the data (PCI compliance does not allow the full CC #). That partial information passes through our servers to make it to the website but is never stored.

Making snide (screenshot only) accusations based on incomplete information is disappointing, especially from you @evand. You’ve been here long enough to know better that there is a good way and a fighty way to talk about these subjects.

My intent was not to antagonise anyone, but simply to point out that it looked to me like it is stored on your servers. Thanks for clarifying that it’s in fact retrieved from Stripe and shown as such in the Roon Labs user account, and apologies for any inadvertent confusion/frustration.

FYI, I’ve updated our privacy policy to include a statement that we store your personal information in the US, and I’ve removed the references to Stripe, as we are currently in the process of switching to another payment processor. Additionally, we already do use PayPal for some users (if they request it), so saying “Stripe” only didn’t really paint the picture right.

1 Like
