This policy explains how Musik Sto collects, uses, stores, and protects your personal data. It applies to all users of our website and services. We process personal data in accordance with Regulation (EU) 2016/679 (the General Data Protection Regulation, GDPR).
Data controller: Musik Sto
Contact: hello@musiksto.org
Data we collect
- Account data: name, email address, username, and a hashed version of your password when you register.
- Order and basket data: the items you add to your basket and the preorders you place, along with dispatch and delivery records.
- Communication data: messages you send us by email or through the contact form.
- Technical data: IP address, browser type, and server access logs collected automatically for security and operational purposes.
We do not collect or store payment card details directly. Payments are handled by a third-party processor operating under its own terms and privacy policy.
Legal basis for processing
We rely on the following legal bases under GDPR Article 6:
- Contract performance (Article 6(1)(b)): processing your account and order data to deliver the service and fulfil your orders.
- Legal obligation (Article 6(1)(c)): retaining transaction records as required by applicable tax and accounting law.
- Legitimate interests (Article 6(1)(f)): maintaining security, preventing fraud, and improving the service. These interests do not override your rights and freedoms.
- Consent (Article 6(1)(a)): sending marketing communications where you have opted in. You may withdraw consent at any time.
How we use your data
- To create and manage your account.
- To process and fulfil your preorders and purchases.
- To send order confirmations, dispatch notifications, and preorder updates.
- To respond to your enquiries and support requests.
- To comply with legal and regulatory obligations.
- To protect against fraud, abuse, and unauthorised access.
Retention periods
- Account data: kept for as long as your account is active. On account deletion, personal data is removed within 30 days, subject to any legal retention requirements.
- Transaction records: retained for the period required by applicable tax and accounting law in our country of establishment (up to 10 years in most EU member states).
- Communication data: kept for up to 2 years, or longer if needed to resolve a dispute.
- Technical logs: kept for up to 90 days for security and diagnostic purposes.
Who we share data with
We do not sell, rent, or trade your data. We share it only where necessary:
- Shipping carriers and fulfilment partners: your name, delivery address, and order details to fulfil your order.
- Payment processors: billing details to process your payment. We do not store card numbers.
- Hosting providers: our infrastructure provider processes data on our behalf under a data processing agreement that meets GDPR requirements.
- Authorities: where required by law, court order, or to protect the safety of users or others.
All third-party processors are bound by contractual obligations to handle your data securely and only for the purposes we specify.
Cookies and local storage
We use browser local storage to maintain your session, keep you logged in, and remember your basket between visits. We do not use tracking, advertising, or analytics cookies. No cookie consent is required for these strictly necessary storage operations under the ePrivacy Directive.
Your rights
Under the GDPR (Chapter III), you have the following rights:
- Access (Article 15): request a copy of the personal data we hold about you.
- Rectification (Article 16): ask us to correct inaccurate or incomplete data.
- Erasure (Article 17): request deletion of your data where there is no overriding reason to retain it.
- Restriction (Article 18): ask us to restrict how we process your data in certain circumstances.
- Portability (Article 20): receive your data in a structured, machine-readable format.
- Objection (Article 21): object to processing based on legitimate interests or for direct marketing.
- Withdraw consent (Article 7(3)): withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.
To exercise any of these rights, email hello@musiksto.org. We will respond within one calendar month. If you believe we have not handled your data correctly, you have the right to lodge a complaint with your national data protection authority (Article 77 GDPR).
Security
We apply appropriate technical and organisational measures to protect your data, including encrypted data transmission (TLS), hashed password storage, and access controls. If you have reason to believe your account has been compromised, contact us immediately.
Changes to this policy
We may update this policy from time to time. Material changes will be communicated to registered users by email before they take effect. Continued use of the service after the effective date constitutes acceptance of the updated policy.