aria.fm

Legal · Privacy

Privacy policy

Effective 9 July 2026 · applies to the aria.fm desktop application and the aria.fm website · change history

The short version. aria.fm sends no data to its maintainer and collects nothing for itself; everything it stores stays on your device.

The only services the app talks to are Spotify (to play your music) and GitLab (to check for updates). This website is a static page with no cookies and no analytics.

1Who is responsible

aria.fm is free, open-source software (MIT license) maintained under the cmdly project. Because the project does not collect or process personal data on any server, there is no data controller relationship in normal use. For anything privacy-related, contact the maintainer by opening an issue at gitlab.com/cmdly/aria.fm — mark it confidential if you'd rather it not be public.

2What the application stores on your device

aria.fm processes data locally so the app works and stays fast:

DataWhere it livesWhy
Spotify OAuth tokens Your operating system's credential store (Secret Service / keyring on Linux, Credential Manager on Windows) Keeping you signed in without storing your password (sign-in opens in your own web browser on Spotify's pages; aria.fm does not read or store your Spotify password)
Library metadata A local SQLite database under your user cache directory (~/.cache/aria.fm on Linux, %LOCALAPPDATA%\aria.fm on Windows) Fast, offline-tolerant browsing of albums, artists, playlists, and liked tracks
Audio cache Same cache directory, up to a size cap you control in Preferences Smooth playback and fewer refetches
Settings Your user config directory (~/.config/aria.fm on Linux, %APPDATA%\aria.fm on Windows) Remembering your preferences

None of this is sent to the maintainer or to anyone else — except that the stored tokens are, by design, presented to Spotify to authenticate your session (see section 3). To remove all of it: sign out (which deletes the stored tokens), uninstall the app, and delete the two directories above.

3What the application transmits

To Spotify

aria.fm is a Spotify client: it authenticates against Spotify, streams audio, and reads and writes your library (likes, playlists, follows) on your instruction. Cover art and artist images are fetched from Spotify's image servers. All of this is the ordinary traffic any Spotify client produces and is governed by Spotify's privacy policy. aria.fm requires a Spotify Premium account and adds no tracking or telemetry data of its own to these requests; it appears in Spotify Connect as a device named "Aria", not as your computer's name.

To GitLab

On a manual "Check for updates", the app requests the project's public releases API on gitlab.com. This request carries no account data or identifiers beyond an ordinary HTTPS connection (which, like any web request, exposes your IP address and a user agent to GitLab — see GitLab's privacy statement). Installs managed by a package manager (e.g. the AUR package) don't use the built-in updater.

Nowhere else

The current version of aria.fm makes no other network requests:

  • No telemetry, analytics, or usage statistics
  • No crash reporting
  • No advertising or advertising identifiers
  • Browser-engine background services that would phone home (such as the spellchecker's dictionary downloads) are disabled
  • No selling, sharing, or monetization of data of any kind — there is nothing collected to sell

4This website

aria.fm (this site) is a static site served by GitLab Pages. It sets no cookies, runs no analytics, and embeds no third-party resources. As with any website, GitLab's servers see standard HTTP request data (IP address, user agent) to deliver the pages; see GitLab's privacy statement for their handling. GitLab does not currently make those logs available to the project.

5Code signing (Windows releases)

Windows release binaries are signed through the SignPath Foundation on the SignPath.io platform. Build artifacts submitted for signing and the identity of the release approver are processed by SignPath solely to produce signed binaries, under the SignPath Foundation terms. No aria.fm user data is involved at any point.

6Legal bases and your rights

Under the GDPR and similar laws (UK GDPR, CCPA), most rights — access, correction, deletion, portability — apply to personal data an organization holds about you. The aria.fm project holds none — other than information you choose to share on the public issue tracker, which is hosted and governed by GitLab. Everything else is processed locally on your device under your control, and deleting it is described in section 2. For data held by Spotify, GitLab, or SignPath, exercise your rights with those services directly through the policies linked above.

7Children

aria.fm is not directed at children and provides no accounts of its own; use of Spotify is subject to Spotify's own age requirements.

8Changes to this policy

Changes take effect when published on this page, with the effective date updated above. Because this site is version-controlled, the full history of every change is public. Material changes — meaning changes in what the software or this website actually does with data — will also be called out in release notes.

9Contact

Open an issue at gitlab.com/cmdly/aria.fm; mark it confidential if it concerns personal data.