Redemption Code Privacy Policy

Redemption Codes Privacy Policy

Effective as of 1/12/2023

  1. About this Policy
  2. Your personal data rights and controls
  3. Personal data we collect about you
  4. Our purpose for using your personal data
  5. Sharing your personal data
  6. Data retention
  7. Transfer to other countries
  8. Keeping your personal data safe
  9. Changes to this Policy
  10. How to contact us

1. About this Policy

This Policy describes how we process your personal data in connection with redemption codes.

It applies to your use of the Spotify redemption codes website at url (the ‘Service’).

This Policy is not about your use of Spotify services, which have their own privacy policy (see here).

2. Your personal data rights and controls

Many privacy laws give rights to individuals over their personal data. These laws include the General Data Protection Regulation, or ‘GDPR’.

Some rights only apply when we use a certain ‘legal basis’ to process your data. We explain each legal basis, and when we use each one, in Section 4 ‘Our purpose for using your personal data’.

The table below explains:

  • your rights;
  • circumstances when they apply (such as the legal basis required); and
  • how to use them.
It’s your right to... How?
Be informed Be informed of the personal data we process about you and how we process it. We inform you:
  • through this Privacy Policy
  • by answering your specific questions and requests when you contact us
Access Request access to the personal data we process about you. To request a copy of your personal data, please contact us
Rectification Request that we amend or update your personal data where it’s inaccurate or incomplete. Please contact us to exercise your right to rectification.
Erasure Request that we erase certain of your personal data.
For example, you can ask us to erase personal data that we no longer need for the purpose it was collected for. There are situations where we are unable to delete your data, for example when:
  • it’s still necessary to process the data for the purpose we collected it for
  • our interest in using the data overrides your interest in having it deleted. For example, where we need the data to protect our services from fraud
  • we have a legal obligation to keep the data, or
  • we need the data to establish, exercise or defend legal claims. For example, if there’s an unresolved issue relating to your account
Please contact us to exercise your right to erasure.
Restriction Request that we stop processing all or some of your personal data.
You can do this if:
  • your personal data is inaccurate
  • our processing is unlawful
  • we do not need your information for a specific purpose, or
  • you object to our processing and we are assessing your objection request. See section ‘Object’ below
You can request that we stop this processing temporarily or permanently.
Please contact us to exercise your right to restriction.
Object Object to us processing your personal data.
You can do this if Spotify is processing your personal data on the legal basis of legitimate interests.
Please contact us to request objection.
Data portability Request a copy of your personal data in electronic format and the right to transmit that personal data for use in another party’s service. For information about how to exercise the right to portability, see ‘Access’ above.
Not be subject to automated decision making Not be subject to a decision based solely on automated decision making (decisions without human involvement), including profiling, where the decision would have a legal effect on you or produce a similarly significant effect. We do not carry out this type of automated decision making in the Service.
Right to lodge a complaint Contact your local data protection authority about any questions or concerns. You can go to the website of your local data protection authority.

3. Personal data we collect about you

These tables set out the categories of personal data we collect from you.

Categories Description
Collected when you use the Service to redeem a redemption code
User Data
  • email address
  • redemption code
Collected through your use of the Service
Usage Data Personal data collected and processed about you when you’re accessing or using the Service.Examples include:
  • your interactions with the Service (including date and time), such as the way you navigate through the website
  • online identifiers such as IP addresses
  • information about the devices you use such as:
    • device IDs
    • network connection type (e.g. wifi, 4G, LTE, Bluetooth)
    • browser type
    • language
    • operating system
Your general (non-precise) location Your general location includes country, region or state. We may learn this from technical data (e.g. your IP address).

4. Our purpose for using your personal data

The table below sets out:

  • our purpose for processing your personal data
  • our legal justifications (each called a ‘legal basis’) under data protection law, for each purpose
  • categories of personal data which we use for each purpose. See more about these categories in Section 3 ‘Personal data we collect about you’

Here is a general explanation of each ‘legal basis’ to help you understand the table:

  • Legitimate Interest: When we or a third party has an interest in using your personal data in a certain way, which is necessary and justified considering any possible risks to you and other users. Contact us if you want to understand a specific justification.
  • Compliance with Legal Obligations: When we must process your personal data to comply with a law.

Purpose for processing your data Legal basis that permits the purpose Categories of personal data used for the purpose
To provide the Service Legitimate Interest
  • User Data
  • Usage Data
To understand, diagnose, troubleshoot and fix issues with the Service. Legitimate Interest
  • User Data
  • Usage Data
To evaluate and develop new features, technologies, and improvements to the Service. Legitimate Interest
  • User Data
  • Usage Data
For other marketing, promotion and advertising purposes where the law does not require consent. Legitimate Interest
  • User Data
  • Usage Data
To comply with a legal obligation that we are subject to. Compliance with Legal Obligations
  • User Data
  • Usage Data
To comply with a request from law enforcement, courts, or other competent authorities. Compliance with legal obligations, and legitimate interest
  • User Data
  • Usage Data
To establish, exercise, or defend legal claims. Legitimate Interest
  • User Data
  • Usage Data
To conduct business planning, reporting, and forecasting. Legitimate Interest
  • User Data
  • Usage Data
To detect and prevent fraud. Legitimate Interest
  • User Data
  • Usage Data
To conduct research and surveys. Legitimate Interest.
  • User Data
  • Usage Data

5. Sharing your personal data

This section sets out who receives personal data which is collected or generated through your use of the Service.

So that you can unlock your content on Spotify, the Service will generate a unique web token which is passed from Findaway to Spotify. This token does not contain any identifying information relating to you.

See this table for details of who we share to and why:

Categories of recipients Data being shared Reason for sharing
Service providers
  • User Data
  • Usage Data
So they can provide their services to us. These service providers include those we hire to operate the technical infrastructure we need to provide the Service and assist in protecting and securing our systems and services.
Law enforcement and other authorities, or other parties to litigation
  • User Data
  • Usage Data
When we believe in good faith it’s necessary for us to do so, for example:
  • to comply with a legal obligation
  • to respond to a valid legal process (such as a search warrant, court order, or subpoena)
  • for our own or a third party’s justifiable interest, relating to:
    • national security
    • law enforcement
    • litigation (a court case)
    • criminal investigation
    • protecting someone’s safety
    • preventing death or imminent bodily harm
Purchasers of our business
  • User Data
  • Usage Data
If we were to sell or negotiate to sell our business to a buyer or possible buyer. In this case, we may transfer your personal data to a successor or affiliate as part of that transaction.

6. Data retention

We keep your personal data only as long as necessary to provide you with the Service and for our legitimate and essential business purposes, such as:

  • maintaining the performance of the Service
  • making data-driven business decisions about new features and offerings
  • complying with our legal obligations
  • resolving disputes.

7. Transfer to other countries

Because of the global nature of our business, we share personal data internationally with contractors and partners when carrying out the activities described in this Policy. They may process your data in countries whose data protection laws are not considered to be as strong as EU laws or the laws which apply where you live. For example, they may not give you the same rights over your data.

Whenever we transfer personal data internationally, we use tools to:

  • make sure the data transfer complies with applicable law
  • help to give your data the same level of protection as it has in the EU

To ensure each data transfer complies with applicable EU legislation, we use the following legal mechanisms:

  • Standard Contractual Clauses (‘SCCs’). These clauses require the other party to protect your data and to provide you with EU-level rights and protections. You can exercise your rights under the Standard Contractual Clauses by contacting us or the third party who processes your personal data.
  • Adequacy Decisions. This means that we transfer personal data to countries outside of the European Economic Area which have adequate laws to protect personal data, as determined by the European Commission.

We also identify and use additional protections as appropriate for each data transfer. For example, we use:

  • technical protections, such as encryption and pseudonymisation
  • policies and processes to challenge disproportionate or unlawful government authority requests

8. Keeping your personal data safe

We’re committed to protecting our users’ personal data. We put in place appropriate technical and organisational measures to help protect the security of your personal data. However, be aware that no system is ever completely secure. We have put various safeguards in place to guard against unauthorised access and unnecessary retention of personal data in our systems. These include pseudonymisation, encryption, access, and retention policies.

9. Changes to this Policy

We may occasionally make changes to this Policy.

When we make material changes to this Policy, we’ll provide you with prominent notice as appropriate under the circumstances.

10. How to contact us

For any questions or concerns about this Policy, contact our Data Protection Officer by emailing

Where European data protection law applies, Findaway World LLC is the data controller of personal data processed under this Policy.

Findaway World LLC, 4 World Trade Center 150 Greenwich Street, Floor 62 New York, NY 10007