Spotify
Stockholm-operated music and podcast streaming under the NYSE-listed Spotify Technology S.A. (Luxembourg) group, primarily on Google Cloud.
Profile last updated: · View sources
About Spotify
Spotify is a music, podcast and audiobook streaming service founded in Stockholm in 2006 by Daniel Ek and Martin Lorentzon. The group is headed by Spotify Technology S.A., a Luxembourg société anonyme listed on the NYSE (ticker SPOT) since April 2018; the Swedish operating company Spotify AB contracts with EEA and UK users, while Spotify USA Inc. is the named data controller for US users.
As of 31 December 2025 the service had 751 million monthly active users and 290 million paid Premium subscribers across 184 markets, offering 100+ million tracks, 7 million podcast titles and 500,000 audiobooks. The streaming stack runs primarily on Google Cloud Platform with Fastly as the edge CDN. Founders Daniel Ek and Martin Lorentzon retain combined 69.3% of voting power via the dual-class beneficiary-certificate structure.
Integrations
Features
- 751M monthly active users + 290M paid Premium subscribers across 184 markets (FY2025)
- 100M+ tracks + 7M+ podcasts + 500k audiobooks; plans Free / Individual / Duo / Family / Student
- Primary cloud: Google Cloud Platform under multi-year EUR 1.575B minimum spend commitment (FY2025 20-F)
- Edge CDN on Fastly with EU points of presence (e.g. Munich for DACH); internal edgeproxy + Envoy service mesh
- Developer APIs: Web API (REST, OAuth 2.0), Web Playback SDK, iOS + Android SDK; Spotify Connect spans 2,000+ devices across 200+ brands
- Spotify for Backstage (CNCF-donated open-source dev portal as SaaS) carries an annual SOC 2 Security TSC examination
- Open-source publisher at github.com/spotify: Backstage, Luigi, Pedalboard, Voyager, Annoy, Basic Pitch, Scio, Mobius
- Annual EU DSA and TCO Regulation transparency reports since 2024; covers Spotify for Artists / Creators / Authors
- Self-service GDPR data export + account deletion via Privacy Settings; data delivered within 30 days
Sovereignty Scorecard
Procurement-grade signals on data sovereignty, ownership, and EU residency.
We score every European vendor against six sovereignty dimensions captured in the SHIELD acronym. Each card below maps to one letter — read them as a checklist when comparing providers.
The third parties that touch customer data — payment processors, KYC vendors, support chatbots, analytics.
Where the legal entity sits, who controls it, and which subsidiaries operate under the same group.
Where customer data is physically stored, who runs the hosting stack, which CDN sits in front.
Whether the vendor or its subprocessors fall under the US CLOUD Act or other extraterritorial reach.
Public terms, privacy policy, DPA, subprocessor list, impressum, and security or trust pages.
Independent audits and certifications (ISO 27001, BSI C5, TISAX, SOC 2) plus open-source transparency.
Publicly traded
Parent: Spotify Technology S.A. (Luxembourg)
Spotify Technology S.A. (RCS Luxembourg B 123052) is a Luxembourg société anonyme listed on the NYSE (ticker SPOT) since 3 April 2018; Spotify AB (Stockholm) is the principal operating subsidiary. As of 31 December 2025, founders Daniel Ek and Martin Lorentzon controlled 28.8% and 40.5% of combined voting power respectively (69.3% in the aggregate) via the dual-class beneficiary-certificate structure. Tencent Holdings owns ~9% of economic equity through Hong Kong entities but holds no voting power (irrevocable proxy to Daniel Ek's D.G.E. Investments). 'European control: majority' reflects founder voting control from Europe; capital structure and a Delaware operating subsidiary (Spotify USA Inc.) sit outside Europe.
🇸🇪 Stockholm, Sweden
Spotify AB
- Spotify USA Inc. — 🇺🇸 United StatesNamed data controller for US users (Delaware-incorporated). Address: 4 World Trade Center, 150 Greenwich Street, Fl 62, New York, NY 10007. Also the designated US copyright agent.
- Spotify GmbH — 🇩🇪 GermanyGerman legal entity named in the Impressum (Unter den Linden 10, 10117 Berlin); local sales and marketing operations.
- Spotify France SAS — 🇫🇷 FranceFrench operating entity (48 Rue la Bruyere, 75009 Paris).
- Spotify Ltd — 🇬🇧 United KingdomUK operating entity (Adelphi Building, 4 Savoy Place, London WC2N 6AT) handling local sales and marketing. The named data controller for EEA and UK users remains Spotify AB in Stockholm per the privacy policy.
- Spotify Spain S.L. — 🇪🇸 SpainSpanish operating entity (Paseo de Recoletos 7-9, 28004 Madrid).
- Spotify Italy S.r.l. — 🇮🇹 ItalyItalian operating entity (Via Joe Colombo 4, 20124 Milano).
Website: Fastly anycast edge (151.101.x.x; EU POPs incl. Munich) fronting Spotify's internal edgeproxy and Envoy service mesh
Application: Google Cloud Platform (Google LLC, US) -- vast majority of primary data storage and computing per FY2025 20-F
CDN: Fastly, Inc. (US-incorporated); confirmed via DNS (atc.spotify.map.fastly.net) and HTTP headers (via: HTTP/2 edgeproxy, 1.1 google, 1.1 varnish; x-served-by: cache-muc13960-MUC)
| Name | Country | Purpose |
|---|---|---|
| Google LLC | 🇺🇸 United States | Primary cloud provider (Google Cloud Platform); the vast majority of primary data storage including user personal data and licensed audio, plus computing. Also the registrar/DNS provider for spotify.com. |
| Okta, Inc. | 🇺🇸 United States | Identity and access management for the Confidence by Spotify B2B experimentation product (named in Confidence DPA Schedule 2). |
| Fastly, Inc. | 🇺🇸 United States | Edge CDN for open.spotify.com and www.spotify.com (Varnish-based; EU POPs include Munich). |
| OneTrust, LLC | 🇺🇸 United States | Cookie and consent management (cdn.cookielaw.org, geolocation.onetrust.com observed in Content Security Policy). |
| Contentsquare | 🇫🇷 France | Product analytics (t.contentsquare.net observed in Content Security Policy). |
| Hotjar Ltd | 🇲🇹 Malta | Product analytics and behaviour insights (script.hotjar.com observed in Content Security Policy). |
| Heap, Inc. | 🇺🇸 United States | Product analytics (heapanalytics.com / cdn.us.heap-api.com observed in Content Security Policy). |
| Comscore, Inc. | 🇺🇸 United States | Audience measurement (sb.scorecardresearch.com observed in Content Security Policy). |
Spotify for Backstage (developer-portal SaaS) only -- annual third-party SOC 2 examination on the Security trust service criterion. Report available under NDA via backstage-support@spotify.com. No equivalent public certification is published for the consumer streaming service.
Pricing
EUR 0
- Full 100M+ track catalogue with ads
- Shuffle play on mobile, on-demand on desktop and web
- No downloads, lower-bitrate audio
- No audiobook access tier
EUR 12.99
- Ad-free music, podcasts and audiobooks
- Download for offline, up to 320 kbps OGG Vorbis
- 12 hours per month of audiobook listening
- Group Session, Spotify Connect to 2,000+ devices
EUR 6.99
- All Individual features
- Verified annually via SheerID
- Up to 4 years of eligibility
EUR 17.99
- Two separate Premium accounts for one household
- Duo Mix collaborative playlist
- 12 hours per month of audiobooks for the primary account
EUR 21.99
- Up to six Premium accounts at one address
- Spotify Kids app with curated catalogue
- Explicit-content blocking and Family Mix playlist
- 12 hours per month of audiobooks for the primary account
Official downloads
FY2025 Annual Report (Form 20-F)
SEC filing for fiscal year ended 31 December 2025 (filed 10 February 2026). Includes the consolidated list of subsidiaries (Exhibit 8.1).
html
Q4 2025 Shareholder Deck
Quarterly results presentation covering MAU, Premium subscribers, revenue and operating income for Q4 2025.
Equity & Impact Report 2024
ESG / sustainability disclosure (~8.6 MB).
List of Subsidiaries (FY2025 20-F Exhibit 8.1)
Consolidated list of Spotify Technology S.A. subsidiaries by jurisdiction (Sweden, USA, UK, Germany, France, Spain, Canada, Australia, Brazil, Japan, India, Mexico, Singapore, Italy).
html
Questions & Answers
6 questions
Where is Spotify legally established, and which entity will I contract with?
Spotify Technology S.A., a Luxembourg société anonyme (RCS Luxembourg B 123052), is the group parent and the entity listed on the NYSE under ticker SPOT since 3 April 2018. Day-to-day operations run from Spotify AB in Stockholm (Bolagsverket org-nr 556703-7485, VAT SE556703748501). For EEA and UK users the named data controller is Spotify AB; for US users it is Spotify USA Inc. (4 World Trade Center, 150 Greenwich Street, New York, NY 10007, Delaware-incorporated). Regional subsidiaries handle local sales and marketing in Germany, France, the United Kingdom, Spain, Italy and beyond.
Where is my listening data stored?
Spotify states in its FY2025 20-F that Google Cloud Platform hosts 'the vast majority of our primary data storage (including personal data of users and audio data licensed from rights holders) and computing.' The edge layer is served by Fastly with European points of presence (e.g. Munich for DACH traffic). Spotify does not publish a specific GCP region for EU users and does not offer an EU-only residency plan; international transfers rely on Standard Contractual Clauses (SCCs) with technical protections such as encryption and pseudonymisation.
Is Spotify subject to US legal process?
Yes, in three ways. (1) The Luxembourg parent Spotify Technology S.A. files annual 20-F reports with the SEC as a foreign private issuer and is subject to US securities laws. (2) Spotify USA Inc. (Delaware) is the named data controller for US users and is a direct subject of the CLOUD Act, FISA 702 and other US national-security process. (3) Spotify's primary cloud provider (Google LLC) and several named operational subprocessors (Okta Inc., Fastly Inc., OneTrust) are US-incorporated. For EEA users the immediate controller is Spotify AB in Sweden, but the underlying storage and compute run on US-operated infrastructure.
Who controls Spotify?
Founders Daniel Ek and Martin Lorentzon held combined 69.3% of voting power as of 31 December 2025 (28.8% and 40.5% respectively) via the dual-class beneficiary-certificate structure. Tencent Holdings owns approximately 9% of economic equity through several Hong Kong holding entities (Tencent Music Entertainment Hong Kong, Image Frame Investment, Tencent Mobility, Distribution Pool), but those shares are subject to an irrevocable proxy in favour of Daniel Ek's D.G.E. Investments and therefore carry no voting power. The remaining free float is held by US and global institutional investors.
Does Spotify hold ISO 27001 or SOC 2 certifications?
Only Spotify for Backstage, the developer-portal SaaS, publicly maintains an annual SOC 2 examination by a third-party auditor (report available under NDA via backstage-support@spotify.com). For the main consumer streaming service Spotify does not publish a certification page; third-party aggregator claims of ISO 27001, SOC 2, PCI DSS, HIPAA or FedRAMP coverage for the streaming product are not corroborated by any Spotify-published URL. Spotify's public commitments for the consumer service are framed in terms of GDPR compliance and the EU Digital Services Act rather than vendor-neutral security certifications.
Can I export or delete my data?
Yes. The Spotify Privacy Settings page offers three GDPR data-export packages -- account data, extended streaming history and technical logs -- delivered within 30 days. Account deletion is self-service via the same flow. The privacy policy describes retention criteria categorically rather than naming a specific post-deletion retention window; the data-protection contact is privacy@spotify.com and the EEA controller is Spotify AB (no separate GDPR Article 27 representative is named, since Spotify AB sits inside the EEA).
Alternatives
Other European companies in the same category as Spotify.
Quick facts
Sources & verification
Every fact on this page is backed by a primary or independent source. Most recent verification: May 13, 2026.
Found an error? Report it
Profile content
- registry · sec-filingwww.sec.gov/Archives/edgar/data/1639920/000162828026006874/ck0001639920-20251231.htmFY2025 20-F: Luxembourg incorporation, NYSE listing date and GCP infrastructure dependency
- registry · sec-filingwww.sec.gov/Archives/edgar/data/1639920/000162828026006874/ck0001639920-20251231.htmFounding date, group structure, founder voting power
- primary · impressumwww.spotify.com/de/about-us/impressumSpotify AB Stockholm registration, board representatives Daniel Ek and Martin Lorentzon
- primary · press-releasenewsroom.spotify.com/2026-02-10/spotify-q4-2025-earningsQ4 2025 MAU and Premium subscriber counts as of 31 December 2025
- primary · pricing-pagewww.spotify.com/de/premiumDE/EN/ES/FR/IT/NL/PL/PT/SV are confirmed-supported product UI locales via the language switcher; full count is ~74 per Wikipedia but Spotify does not publish a canonical list
- primary · pricing-pagewww.spotify.com/de/premiumGermany Individual/Student/Duo/Family monthly prices in EUR
- registry · sec-filingwww.sec.gov/Archives/edgar/data/1639920/000162828026006874/ck0001639920-20251231.htmFY2025 20-F: NYSE listing date, MAU/Premium counts, catalogue size, GCP minimum-spend commitment, founder voting power, Tencent stake, employee headcount
- primary · about-pagenewsroom.spotify.com/company-infoCatalogue and product-line summary
- primary · about-pagedeveloper.spotify.com/documentation/web-apiWeb API and SDK programme
- primary · blogengineering.atspotify.com/opensourceBackstage CNCF Incubating donation and open-source portfolio
- primary · impressumwww.spotify.com/de/about-us/impressum
- primary · privacy-policywww.spotify.com/de/legal/privacy-policyEEA controller, US transfer mechanisms, retention criteria
- primary · privacy-policywww.spotify.com/us/legal/privacy-policy/plainSpotify USA Inc. named as US data controller
- primary · security-pagebackstage.spotify.com/securityAnnual SOC 2 examination for Spotify for Backstage
- primary · about-pagedeveloper.spotify.com/documentation/web-apiDeveloper documentation entry point for Web API, Web Playback SDK, iOS/Android SDKs, Embeds and Commercial Hardware
- registry · sec-filingwww.sec.gov/cgi-bin/browse-edgarSEC EDGAR filing index for Spotify Technology S.A. (CIK 0001639920); FY2025 20-F filed 10 February 2026
- primary · press-releases29.q4cdn.com/175625835/files/doc_financials/2025/q4/Q4-2025-Shareholder-Deck-FINAL.pdfQ4 2025 Shareholder Deck PDF (~2.5 MB) on Spotify investor-relations CDN
- primary · press-releases29.q4cdn.com/175625835/files/doc_governance/2025/Mar/10/Spotify-Equity-Impact-Report-2024-9b1865.pdfEquity & Impact Report 2024 PDF (~8.6 MB) on Spotify investor-relations CDN
Sovereignty (SHIELD)
- primary · dpaconfidence.spotify.com/dpaConfidence by Spotify DPA Schedule 2 names Google LLC (cloud) and Okta Inc. (IAM); only public Spotify subprocessor list
- primary · http-headersopen.spotify.comContent Security Policy on open.spotify.com observed to allow Fastly, OneTrust, Hotjar, Contentsquare, Heap and Comscore endpoints
- registry · sec-filingwww.sec.gov/Archives/edgar/data/1639920/000162828026006874/ck0001639920-20251231.htmGCP commitment of EUR 1.575B minimum spend
- primary · privacy-policywww.spotify.com/de/legal/privacy-policyCategorical list (service providers, payment partners, advertising and marketing partners, podcast hosting platforms, academic researchers, other Spotify group companies, courts and authorities); no named consumer-service subprocessor list is published
- primary · impressumwww.spotify.com/de/about-us/impressumSpotify AB Regeringsgatan 19 Stockholm, Bolagsverket 556703-7485, VAT SE556703748501
- registry · sec-filingwww.sec.gov/Archives/edgar/data/1639920/000162828026006874/ck0001639920-20251231.htmLuxembourg parent, NYSE listing, dual-class beneficiary-certificate structure, founder 69.3% voting power
- tertiary · newswww.musicbusinessworldwide.com/tencent-set-to-control-10-of-universal-also-owns-9-1-of-spotify-but-daniel-ek-has-the-final-say-on-firms-stakeTencent ~9% economic equity with proxy to Daniel Ek (corroborates 20-F)
- registry · sec-filingwww.sec.gov/Archives/edgar/data/1639920/000162828026006874/spot-20251231xexx81.htmExhibit 8.1 to FY2025 20-F: consolidated list of Spotify Technology S.A. subsidiaries by jurisdiction
- primary · about-pagewww.spotify.com/de-en/about-us/contactRegional office addresses for the subsidiary list
- primary · dns-recordsopen.spotify.comdig open.spotify.com A -> atc.spotify.map.fastly.net + 151.101.x.x Fastly anycast block
- primary · http-headersopen.spotify.comcurl -I -> 'server: envoy', 'via: HTTP/2 edgeproxy, 1.1 google, 1.1 varnish', 'x-served-by: cache-muc13960-MUC'
- registry · sec-filingwww.sec.gov/Archives/edgar/data/1639920/000162828026006874/ck0001639920-20251231.htmGCP as primary infrastructure
- registry · sec-filingwww.sec.gov/Archives/edgar/data/1639920/000162828026006874/ck0001639920-20251231.htmLuxembourg parent files 20-F as foreign private issuer; consolidated subsidiaries include Spotify USA Inc. (Delaware)
- primary · privacy-policywww.spotify.com/us/legal/privacy-policy/plainSpotify USA Inc. is the named data controller for US users -- basis for 'partial-via-subsidiaries' rather than 'partial-via-subprocessors' alone
- primary · termswww.spotify.com/de/legal/end-user-agreement
- primary · privacy-policywww.spotify.com/de/legal/privacy-policy
- primary · impressumwww.spotify.com/de/about-us/impressum
- primary · security-pagewww.spotify.com/safetyandprivacy
- primary · security-pagebackstage.spotify.com/securitySpotify states the Backstage product undergoes annual SOC 2 examination; report available under NDA
- primary · about-pagespotify.github.ioSpotify open-source catalogue
- primary · blogengineering.atspotify.com/opensourceEngineering blog open-source overview, including Backstage CNCF donation