We believe that transparency is key to trust, hence this list. For any question regarding those matters, mods please move new posts here, so we keep a centralized information Knowledge Base.
This post will be dynamically updated.
If you are surprised at how many calls over internet Volumio has to do, consider that nowadays any piece of equipment, to work in a nice fashion, requires a constant flow of information taken from outside. Especially when you want to integrate several third party services and vendors.
Should you need to prevent any of the endpoints to be reached, you have several ways of blocking them. But this is strongly advised against, as it will probably break some core functionality and make it very difficult to debug the specific issue you have.
Volumio has an internal tool to check if the vital and ancillary endpoints required for its operation are reachable or not. To check, connect via SSH and type:
Also, if you have troubles reaching one of more endpoints, make sure you reach out to our status page. Here you’ll find a comprehensive list of all the endpoints that we operate, their current status, and their uptime and APDEX.
We designed our systems, authentication, cloud infrastructures and endpoints to maximize security and lower personal data leak impact in case of compromission.
- Use third-party providers which can guarantee state of the art security. This is why we decided to use Firebase Authentication instead of our own user management system.
- No-read default policies for databases. This way we minimize possible errors due to unsafe-misconfigurations.
- Separate data storage from personal identification storage. This way, in case of compromission, user data cannot be linked to the real identity and vice-versa.
- Use auth tokens instead of username and passwords where possible. This way we minimize compromission due to password spoofing.
- Use https on all endpoints which require authentication information, to defeat man in the middle attacks.
- We try to be sensible. We try not to overengineer and reduce the number of tools and technologies used.
Due to the nature of the services and the features that we offer, we store (in a very secure manner) some of your data, specifically:
- Name, surname, email and geographical location (if you create a MyVolumio account)
- Favourites, Playlists, Radio Favourites, Personal Radios and the last played song on each device (if you create a MyVolumio account)
- Date and time of your first subscription (if you create a MyVolumio account)
- Data pertaining to your devices: anonimized Unique Identifier, Hardware type, Friendly name, System version and date of first addition
- Matching the nearest server to your location to enhance your experience with the lowest possible latency
- Synchronize in real time Favourites, Playlists, Radio Favourites, Personal Radios
- Verify that you have an active subscription
- Offering a clear overview of how many devices are linked to your account and if they are currently available and what they are currently playing
By cancelling your account, your data will be permanently deleted instantly
We will not sell, share or grant access to your data to anyone.
You will be able to download a file containing all your aforementioned data (except those that might result in a security issue), just send a request via our contact form.
Actually, Volumio is what it has always been: an open-source project, backed by a company, which needs funding to operate and improve.
In the beginning, our source of income was just the OEM (providing Volumio technology to manufacturers), but this ended up in us developing only what was prioritized by such companies.
With MyVolumio we achieved the ability to develop features asked by the community, since the revenues helped do the required investments.
The plugin store as we have designed it will allow any developer to publish their plugins either free (as it is now) or paid. The infrastructure is already there (with this new iteration) and once Volumio3 is up and running we will do the remaining part (UI and payment provider).
The idea behind it is that this way, if someone wishes to sell their plugins, they can do so, and hopefully get something back from it. Or, attract other services providers to publish “top-notch” stuff into Volumio.
I’ve already stated elsewhere (in a couple of discussions) that we (as Volumio) are not against “competitor plugins” and that they will be accepted if they respect the same guidelines as all other plugins have to respect (first of which: do not conflict with the good working of Volumio core).
And that’s not just wishful thinking: we already do that. There is a third-party CD plugin (paid one) that is currently accepted into Volumio2. So, if we would have wanted to “boycott competitors” we would already have done it.
The example of CD Plugin is actually something that made us see the potential of this system. We offer a simple way for people who want to sell plugins to do it (without setting up clunky authentication and so on) and we provide a seamless experience to those who want to use them.
Publishing a plugin, free or paid, will be a prerogative of the developer.
Last, but not least, I personally think that competition (if fair) eventually lead to making things better. And this is our ultimate goal with Volumio = make it the best music player out there.
This requires skill, passion, motivation but also financial resources, hence the “commercial part”.
Last, consider that it requires us double the effort to do anything, as we are an open source project, trying to grow without betraying FOSS principles (which is freedom of choice). It would be much much more simpler to just do something proprietary, but we truly believe in the FOSS principles and in open ecosystem, so we won’t change this.
Those are APIs called by our user management tool, which is based on Firebase. The information sent is just your auth token and its validation or refresh.
Those are calls to our serverless functions, mainly used by MyVolumio to update your list of devices, enable\disable MyVolumio plugins. Those calls are necessary to use MyVolumio functions and the MyVolumio plugins.
This is the OAUTH handler, which allows you to log-in to Spotify, TIDAL, Qobuz in Volumio. The data received is just an auth token provided by the music service.
This is our music services browsing aggregator. This is used to browse TIDAL and QOBUZ and get the stream URL of the tracks you request.
This is our CDDB mirror. We use it to fetch Audio CD Metadata and Ripping informations.
This is used to request updates to our server. Data sent is anonymous and contains: version, hwuuid (anonymous), device, name and architecture.
This is the endpoint used to fetch the list of plugins and download them. We send your auth token, device and architecture.
This provides REST Api access to MyVolumio Realtime database. It contains MyVolumio plugins names and some cloud related settings.
This is our WebRadio selection API, used to fetch “Volumio Selection” of webradios.
This is Volumio’s metadata aggregator. We use it to retrieve album art, artist info, album stories and credits. We send your device name, hwuuid (anonymous).
This is our mqtt broker and its used to notify MyVolumio if your device is online or not, to notify it in your MyVolumio Dashboard. We send the device hwuuid (anonymous).
This is our OAUTH Server, used to authorise external services to access your MyVolumio account in a safe way. This is currently only used for the Alexa skill.
This is our statistics informations collector, which receives usage statistics on which music service is used and for how long (in minutes). Also it collects events such as signup, logins, logout, account upgrades/downgrades.
If there are additional questions or concerns, please post in this thread and this post will be updated.