rkeenan you need to understand what an app "can see".
Spotify is an extremely "surveiling" app filled with the worst analytics elements. Naturally an app like spotify WILL gather EVERYTHING it can see.
My memory is not great on this but i believe it can see:
- android ID
- vanadium fingerprint
- device fingerprint (??. Audio, gpu, etc. ? )
- MediaDRM fingerprint
- devices on the network (perhaps?)
- list of installed apps
- google play store IDs (if play store is installed)
- files it has created
- files you have given it access to.
- system settings like: time zone, language, color mode, background colors, country code
- ip address
- If you click a link and it opens in a different browser than vanadium and takes you to Spotify or affiliated website then the fingerprint of that browser.
I might have missed something.
There are known tracker library binaries included in spotify that can be detected by apps like exodus privacy. These trackers could be blocked using some tracker blocking network filter apps, however this is not effective. Spotify can also use other methods that are unblockable to still export all data it has access to to their servers.
If google play is present then spotify will definitely link and share data with it such that your "identity" will likely pass from one to another. Remember that spotify has your CC info and hence your identity.
If so then that identity becomes associated with the android ID of that profile; and any other privacy invasive app that doesn't know your identity but knows your android ID and colludes with spotify/facebook then will know who that profile belongs to.
I say facebook because spotify uses facebook analytics and colludes with facebook (aside from others). So once Spotify has your profile identity, so does facebook, and instagram, and whatsapp.
I dont wanna scare you further by delving into what happens if they get a hold of your home IP. So lets stop here.
So it might be a good idea to put an app like spotify in a separate profile where every app in that profile "knows" your identity and put an always on VPN on that profile. That way that can have an orgy with your identity in that profile all they want. and no further harm is done. There will be nothing to gain further for them.