The popularity of internet radio services like Pandora and Spotify has led to the creation of mobile apps, handy little music sources right at your fingertips that let you hear fully-customizable, endless music selections.

But what if your streaming music service is doing more than just playing your favorite songs? What if it’s sending your photos to other people, or following you via GPS?

That’s the claim experts are warning consumers about with music service Spotify. Like other companies, Spotify offers a free membership that inserts advertising into your listening experience—just like traditional radio has always done—while also giving listeners the option to pay for unlimited music selections without commercial interruptions. Unfortunately, the company’s terms of service leave a lot to be desired when it comes to your privacy.

According to data expert Bernard Marr, “Streaming music service Spotify recently released a new privacy policy that reads more like the manifesto of a jealous partner than a music service.  Among the new terms, Spotify now claims the right to go through your phone and access your photos, media files, GPS location, sensor data (like how fast you’re walking), and your contacts — which, somewhat hilariously, Spotify suggests you clear with all of them first.”

Why would the company even want these things, let alone need them? By some accounts, it’s all for advertising, although the company has said they will share the content with not just advertisers, but also the rights’ holders to the music (such as the independent artist or record label), the mobile network providers who power the listeners’ cell phones, and other unnamed business partners.

This has some security experts worried, for obvious reasons. But even more alarming is the numbers of internet and mobile device users who blindly press “accept” on terms of service, then don’t follow up to see what information is gathered, how it’s stored, who can access it, and how it will be protected. Unfortunately, this behavior also carries over into everyday “real” life when individuals don’t question why the registration form calls for so much information, or why the Little League coach needs their son’s Social Security number.

Experts have cautioned for quite some time that data security is a personal matter, meaning that it cannot be left solely to businesses and organizations to protect themselves and their customers’ from hacking events and data breaches. As individuals, we must take responsibility for securing our data and knowing where it will end up. An important first step is to read the terms of service and discover exactly what permission we’re granting where our personal data is concerned.