Privacy Policy
Last updated: March 24, 2026
1. Introduction
1.0 Who we are (private initiative—not a registered company)
The Spotify Voice AI browser extension (the "Extension") is operated as a private, personal initiative by an individual based in Austin, Texas, United States. AI Voice Music Search Services and Spotify Voice AI are project and product names only. They are not the name of a registered corporation, limited liability company (LLC), limited company (Ltd), incorporated entity (Inc.), or similar legal entity, unless and until separately disclosed in writing. Throughout this Privacy Policy, "we," "us," and "our" refer to the operator of the Extension in this individual capacity.
Nothing in this Privacy Policy is intended to suggest that we are a formal company, partnership, or other registered organization if we are not. If you require contracting with a registered entity, do not use paid features until you have confirmed the counterparty you need.
This Privacy Policy explains how we collect, use, disclose, and safeguard personal information when you use the Extension.
By installing or using the Extension, you agree to the practices described in this Privacy Policy. If you do not agree, please do not install or use the Extension.
1.1 Relationship to Spotify: music, search results, and streams are not ours
We do not provide Spotify’s music streaming service, music catalog, actual search results, playlists, accounts, Spotify billing, or playback. All of those products and experiences are provided solely by Spotify and its affiliates on websites, apps, and domains they operate—including www.spotify.com, the Spotify Web Player at open.spotify.com, and other official Spotify-registered domains and properties—under Spotify’s own terms and privacy policy.
For identification only (Spotify’s corporate structure may change; rely on Spotify’s own filings and disclosures for the current list), companies in the Spotify group include, among others:
Spotify Technology S.A. — the public holding company based in Luxembourg;
Spotify AB — the Swedish operating company;
Spotify USA Inc. — a primary United States subsidiary;
Spotify Ltd — the United Kingdom entity;
Spotify Canada Inc. — the Canadian entity.
What we provide: The Extension adds voice search and voice-driven controls in your browser so you can speak commands that are passed into Spotify’s web interface. We provide only that voice-assist layer and nothing more. We do not host audio, operate Spotify’s search engine, curate results, or control what plays—that is entirely Spotify’s service.
Spotify account: You must have a valid Spotify account to use the Extension; we do not control your Spotify account. See our Terms & Conditions.
Complaints and claims about Spotify: If something is wrong with streams, sound quality, search results, missing content, your Spotify account, or anything related to Spotify’s platform, you must contact Spotify through www.spotify.com or Spotify’s official support channels. Do not treat us as Spotify, as Spotify’s agent, or as responsible for Spotify’s services. We are not affiliated with Spotify; we cannot fix Spotify-side issues.
Removing the Extension: You may uninstall the Extension at any time. You can then use the default Spotify Web Player in Google Chrome, Microsoft Edge, or another supported browser exactly as Spotify provides it, without our voice features.
1.2 Use of “AI” in the name; no AI or machine learning operated by us for search
The names Spotify Voice AI, AI Voice Music Search Services, and phrases like “AI voice search” are used for branding and product naming only. They are not a claim that we operate artificial intelligence or machine learning to perform, rank, score, or select Spotify search results or playback for you.
Non-misrepresentation. We do not use AI or machine learning that we own or operate to run Spotify’s catalog search or to substitute for Spotify’s search and playback systems. Your voice commands are used to direct and initiate searches and playback requests in the Spotify Web Player; Spotify’s services then execute the search and supply results and playback. What you see and hear after that—including search results and streams—comes from Spotify’s services and systems, which are separate from us and may use their own technologies under Spotify’s terms and policies.
We do not run large language models or generative AI for your queries, and we do not train AI or machine learning models on your voice or queries for our Extension features. Where the Extension uses rules, patterns, and keywords in code to help interpret requests (for example routing toward mood or genre terms), that is not machine learning operated by us for search ranking on Spotify.
2. Information We Collect
2.1 Information You Provide
Account information: When you sign in with Google, we receive your name, email address, and profile picture from Google OAuth. We use this to create and manage your account.
Payment information: When you subscribe to a paid plan, payment details are collected and processed directly by Stripe, Inc. We do not store credit card numbers, bank account details, or other full payment instrument data on servers we operate for our own copy of those details.
Support inquiries: If you contact us via the in-extension contact form or at support@voicesearchai.shop, we receive your name, email address, selected topic (when using the form), and inquiry message.
2.2 Information Collected Automatically
Voice input: When you use voice search, audio is captured through your device microphone after you activate the in-page control. Recognition is performed using your browser and/or operating system (see Sections 2.5–2.6), which may include network-assisted processing under their vendors’ policies. We do not upload or store raw audio recordings on our servers or our account/billing backends for voice recognition (see Sections 2.4–2.6). Text-derived commands are used to direct searches and playback requests on the Spotify Web Player; Spotify executes search and provides results (see Section 1.2).
Usage data: We track the number of voice searches you perform per billing period (labeled in the product as “AI voice searches” for branding; see Section 1.2) to enforce plan limits. This count is stored on our backend (Supabase).
Extension settings: Your selected language preference and behavior toggles are stored in browser sync storage.
Transcript history: Recent recognized voice commands may be stored locally on your device in extension storage to help with troubleshooting. There is no in-extension setting to turn this off. By installing and using the Extension, you agree to this local processing as part of this Privacy Policy and our Terms & Conditions. This information is not transmitted to our servers.
2.3 Express consent for voice search (required to use the feature)
By installing the Extension and by using voice search (activating the microphone control and speaking to search or control playback), you expressly consent to the Extension processing your voice input for the sole purpose of enabling you to search for and request content on the Spotify Web Player—such as artists, songs, albums, genres, moods, playlists, and similar music-related queries—and to submit those requests into Spotify’s interface so that Spotify’s services can execute search and playback.
You may withdraw consent for voice processing by not using voice search or uninstalling the Extension, subject to Section 6 (rights).
2.4 What we do not do with your voice (training and our backends)
No model training by us: We do not use your voice, voiceprint, or speech patterns to train, fine-tune, or improve machine learning or artificial intelligence models for the Extension or for our own products.
No voice storage on our backend for recognition: We do not upload, store, or archive raw audio recordings of your voice on servers or databases we operate or control for speech recognition, voiceprinting, or analytics. Our backend providers are used for accounts, billing-related metadata, and usage counts—not for retaining your voice audio.
No sale of voice data: We do not sell voice recordings or voiceprints.
2.5 Your browser, operating system, and speech providers
Speech recognition is performed using capabilities provided by your browser and/or operating system. Depending on your device, browser, and settings, that processing may occur locally, remotely, or both, and may involve third-party services operated by your browser or OS vendor (for example cloud-assisted speech recognition). Those processes are governed by their terms and privacy policies, not ours. We do not control Google, Microsoft, Apple, or other vendors’ speech infrastructure.
2.6 Voiceprints and biometrics
We do not create, store, or use a biometric “voice signature” or voiceprint for identification purposes on our systems. We do not operate a voice biometric database.
2.7 Extension data versus infrastructure metadata
What the Extension does not intentionally collect for analytics: We do not build a database of your general browsing history on the web, use tracking pixels in the Extension for cross-site advertising, or fingerprint your browser for marketing. We do not collect page content from websites other than open.spotify.com as needed for the Extension to function.
What may still occur on infrastructure: When you connect to our backends (Supabase), payment processors (Stripe), or Google OAuth, those providers may automatically receive technical metadata such as IP addresses, timestamps, device/browser identifiers in HTTP headers, and similar connection data in server logs and fraud-prevention systems. We do not use that metadata to run our own behavioral advertising network, but we cannot truthfully state that “no IP address ever exists” in all systems involved in delivering the service. See our subprocessors’ privacy policies for how they handle such data.
3. Chrome Extension Permissions and Technical Scope
The Extension is distributed as a Manifest V3 extension. The following permissions and host access appear in the manifest (and may evolve in future releases):
storage: to save settings, local transcript history, and related Extension state;
identity: to support Google sign-in flows where applicable;
sidePanel: to present Extension UI in the browser side panel where supported;
Host access: https://open.spotify.com/* (to inject the voice controls and interact with the Web Player) and https://*.supabase.co/* (to reach our backend for account and usage data).
We do not request broad <all_urls> access. Microphone access is not listed as a standalone extension permission; audio capture is initiated when you use the in-page microphone control and uses the Web Speech / media APIs available in the page context, subject to browser permission prompts.
4. How We Use Your Information
We use the information we collect for the following purposes:
To provide, maintain, and improve the Extension's functionality
To manage your account, authenticate your identity, and sync plan status across devices
To process subscriptions, billing, and refund requests through Stripe
To enforce plan-based search limits and language access (usage counts are billing and plan enforcement, not “profiling” in the sense of automated decision-making about your legal or similarly significant situation)
To respond to your support inquiries
To send service-related communications (e.g., subscription renewal notices)
To detect and prevent fraud, abuse, or violations of our Terms and Conditions
5. Legal Bases for Processing (EEA, UK, and similar jurisdictions)
If you are in the European Economic Area, the United Kingdom, or another jurisdiction that requires a “legal basis” for processing, we rely on the following bases for the core activities below. This table is a summary; specific rights and exceptions are governed by applicable law.
| Processing activity | Categories of data | Legal basis |
| --- | --- | --- |
| Providing the Extension, accounts, and paid entitlements | Account identifiers, email, name, plan status, usage counts | Performance of a contract (Art. 6(1)(b) GDPR) and, where necessary, legitimate interests in operating a secure service (Art. 6(1)(f)) |
| Voice search (when you activate the feature) | Audio processed by browser/OS; derived text commands; optional local transcript history on device | Consent (Art. 6(1)(a)) for the voice feature; you may withdraw by not using voice search |
| Payment processing | Billing data processed by Stripe; limited records we receive | Performance of a contract (Art. 6(1)(b)); legal obligations for tax and accounting where applicable (Art. 6(1)(c)) |
| Security, fraud prevention, and abuse detection | Account data, usage counts, technical metadata from providers | Legitimate interests (Art. 6(1)(f)) and/or legal obligation where applicable |
| Support requests | Contact details and message content | Legitimate interests and/or contract (Art. 6(1)(b)/(f)) |
Where we rely on legitimate interests, you may have a right to object under applicable law, subject to conditions. We do not use “special category” biometric data under GDPR for the purpose of uniquely identifying you; browser/OS speech processing is governed by your relationship with those vendors.
For users who are minors in the EEA/UK, processing may rely on contract or consent as permitted by Article 8 GDPR and national law (including parental authority where the child is below the digital-consent age in their country). See Section 14.
6. Data Sharing and Disclosure
We do not sell, rent, or trade your personal information. We share data only with the following third-party service providers, solely to operate the Extension:
6.1 Third-Party Service Providers (subprocessors)
Supabase, Inc.: Provides authentication, database hosting, and serverless functions for account management, plan status, and usage tracking. Subject to the Supabase Privacy Policy.
Stripe, Inc.: Processes payment transactions, subscription management, and refunds. Subject to the Stripe Privacy Policy.
Google LLC: Provides OAuth authentication for sign-in. Subject to the Google Privacy Policy.
6.2 Legal Requirements
We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
7. Data Retention
Account data: Retained for as long as your account is active. Upon account deletion, personal data is removed within 30 calendar days, except where retention is required by law or for legitimate business purposes (e.g., billing records for tax compliance).
Usage data: Search counts reset at the start of each billing year. Historical usage counts are not retained beyond the current billing period except as needed for billing disputes or legal compliance.
Payment records: Stripe retains transaction records in accordance with their own retention policies and applicable financial regulations.
Local extension data: Transcript history and settings stored locally on your device are removed when you uninstall the Extension or clear extension data.
8. Data Security
We implement reasonable administrative, technical, and physical safeguards to protect your personal information, including:
Data in transit is encrypted using TLS 1.2 or higher where we control the channel
Database access is controlled through row-level security policies and service-role authentication where applicable
Payment processing is handled by Stripe, a PCI DSS Level 1 certified service provider
Extension permissions are limited to the minimum required for functionality described in the manifest
Sign-in, billing, and calls from the Extension to our backends and payment providers use HTTPS with TLS 1.2 or higher where we control the channel. Your browser negotiates cipher suites with each server; common modern suites include AES-256-GCM or ChaCha20-Poly1305, which use 256-bit symmetric keys for the session when those suites are selected. Session-specific Extension data (such as settings and sign-in state) is stored in Chrome extension storage on your device and is not embedded in web pages you visit.
No method of electronic transmission or storage is completely risk-free. We cannot guarantee absolute security.
9. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence, including the United States, where we and our providers operate. Those countries may have different data protection laws.
Where required by applicable law (for example EEA and UK rules), we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (SCCs) and, where relevant, the UK International Data Transfer Agreement / Addendum to the EU SCCs, as implemented by our service providers (including Supabase and Stripe). Details are available in those providers’ documentation.
We do not represent that every transfer meets every national law worldwide; we implement commercially reasonable safeguards in line with provider tools available to us.
10. Your Rights Under GDPR (European Economic Area)
If you are located in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation (EU) 2016/679:
Right of access (Article 15): You may request a copy of the personal data we hold about you.
Right to rectification (Article 16): You may request correction of inaccurate or incomplete personal data.
Right to erasure / Right to be forgotten (Article 17): You may request deletion of your personal data. Upon receiving a valid erasure request, we will delete your personal data without undue delay and no later than 30 calendar days, unless an exception under Article 17(3) applies.
Right to restriction of processing (Article 18): You may request that we limit the processing of your personal data under certain circumstances.
Right to data portability (Article 20): You may request to receive your personal data in a structured, commonly used, and machine-readable format.
Right to object (Article 21): You may object to processing based on legitimate interests, subject to conditions.
Right to withdraw consent (Article 7(3)): Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
To exercise any of these rights, please use either our Contact Us form on the Settings page or email support@voicesearchai.shop. We will respond within 30 calendar days. If we need additional time (up to 60 additional days for complex requests under some laws), we will notify you within the initial 30-day period.
You also have the right to lodge a complaint with your local data protection supervisory authority.
11. Your Rights Under CCPA (California)
If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) grant you the following rights:
Right to know: You may request disclosure of the categories and specific pieces of personal information we have collected about you.
Right to delete: You may request deletion of personal information we have collected from you, subject to certain exceptions.
Right to correct: You may request correction of inaccurate personal information.
Right to opt out of sale or sharing: We do not sell or share personal information for cross-context behavioral advertising. No opt-out is necessary.
Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.
To exercise these rights, please use either our Contact Us form on the Settings page or email support@voicesearchai.shop. We will verify your identity and respond within 45 calendar days.
12. Your Rights Under Texas Data Privacy and Security Act (TDPSA)
If you are a Texas resident, the Texas Data Privacy and Security Act (effective July 1, 2024) provides you with the following rights:
Right to confirm whether we are processing your personal data
Right to access your personal data
Right to correct inaccuracies in your personal data
Right to delete your personal data
Right to obtain a portable copy of your personal data
Right to opt out of the processing of personal data for targeted advertising, sale, or certain profiling
We do not sell personal data or use personal data for targeted advertising. We do not conduct “profiling” that produces legal or similarly significant effects solely on the basis of automated processing of your personal data under TDPSA; usage counts for plan limits are subscription metering, not behavioral profiling for advertising.
To exercise TDPSA rights, use either our Contact Us form on the Settings page or email support@voicesearchai.shop.
13. How to Request Data Deletion (Right to Be Forgotten)
You may request complete deletion of your personal data at any time by:
Using our Contact Us form on the Settings page or emailing support@voicesearchai.shop. If you use the form, select "General Questions" as the topic and include "Data Deletion Request" in the inquiry.
Including your registered email address and full name so we can verify your identity.
Upon verification, we will:
Delete your account and all associated personal data from our Supabase database within 30 calendar days.
Request that Stripe delete or anonymize your customer record in accordance with their data retention policies.
Confirm deletion to you via email.
Data that we are legally required to retain (e.g., transaction records for tax compliance) will be retained only for the minimum period required by law, after which it will be securely deleted.
14. Minors and Children’s Privacy
Minimum age: The Extension is intended for users who are at least 13 years old, as stated in our Terms & Conditions (Section 2). We do not knowingly collect personal information from anyone under 13.
United States (COPPA): COPPA regulates the collection of personal information from children under 13. Our 13+ rule is intended to avoid directing the service at children under 13 and to avoid knowingly collecting their personal information. If we learn that we have collected personal information from a child under 13 without proper authorization, we will delete that information and may terminate the associated account, subject to law.
EEA / UK and other regions: If you are between 13 and the age of digital consent in your country (often up to 16, depending on the member state), applicable law may require parental consent for some processing—we rely on lawful bases in Section 5 and applicable user representations. Parents or guardians with questions may contact us.
Not legal advice: This summary does not guarantee compliance with every statute. If you believe someone under 13 has provided information to us, contact us through our Contact Us form or at support@voicesearchai.shop.
15. Additional regional rights (United Kingdom, Canada, Brazil, Australia, and others)
Laws in your country or region may grant privacy rights beyond those listed above. Without limiting the generality of Sections 10–12, the following summaries are provided for convenience only and do not waive or limit any right you may have under applicable law:
United Kingdom: If you are in the UK, the UK GDPR and Data Protection Act 2018 may apply. You may lodge a complaint with the Information Commissioner’s Office (ICO).
Canada: If you are in Canada, federal or provincial privacy laws (including PIPEDA, where applicable) may give you access, correction, and deletion rights subject to legal exceptions.
Brazil: If you are in Brazil, the Lei Geral de Proteção de Dados (LGPD) may provide rights including confirmation, access, correction, anonymization, deletion, and information about sharing.
Australia: If you are in Australia, the Privacy Act 1988 (Cth) and Australian Privacy Principles may apply to certain personal information.
Other regions: If you believe another statute applies, contact us using Section 17 and describe your jurisdiction; we will respond in good faith consistent with applicable law.
No document can list every country’s law. If you are unsure of your rights, consider consulting qualified legal counsel in your jurisdiction.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where required by law, notify you through the Extension or by email. Your continued use of the Extension after any changes constitutes acceptance of the updated policy, except where applicable law requires a different process.
17. Contact Us
You may reach us in either of these ways (use whichever you prefer):
Contact Us form: Open the form on the Extension Settings page (select the topic that best matches your request).
Email: support@voicesearchai.shop
We will respond promptly. When using the form, select the appropriate topic (e.g., "General Questions" for privacy inquiries, "Billing" for payment-related requests).
For GDPR-related inquiries, you may also contact your local data protection authority.
Disclaimer: This Privacy Policy is provided to explain our practices in good faith. It is not offered as legal advice for you or for us, and it does not guarantee any particular legal outcome in any court or agency proceeding.
© 2026 Extension operator (AI Voice Music Search Services project)