Overview
Here at Laterna Records we believe in the principle of treating you with respect, care and honesty. This also applies to the way we process your personal data and adhere to the legal provisions for that processing. Below we would like to share more information about that. Along with additional information required by law, this privacy notice explains how we collect, process, use, share and hold your personal data when you purchase an item from us, contact us, or otherwise use our services through our site (https://www.laternarecords.com), the https://www.discogs.com marketplace (further referred to as “Discogs”), our social media channels or via other acceptable means like email or phone. It will also remind you about your rights in regard to your personal data.
Laterna Records is a trading name of LATERNA EOOD. We operate in accordance with the applicable data protection law and Regulation (EC) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as “GDPR”).
This Privacy Policy was first published in November 2018.
How and What Data do we Collect and Process
Automatically collected data when visiting our website
Every time you visit the https://www.laternarecords.com website (hereafter referred to as “the site”), technical information about the visit that is available to the Administrator is automatically recorded. This is done by automatically logging into log files the following information (or some of it):
- IP address of the device used to visit the site
- type and version of the used Internet browser
- the date and time of the site visit, and the time zone of the device
- the names and addresses of the files you read from the site
- the names and addresses of the pages you visit on the site
- access status code / HTTP status code
- size of the served files/resources
The collection and processing of these general data and information do not draw any conclusions about individuals, do not create profiles of individuals, and do not merge the individual data with other data sources for the purpose of identifying individuals; no other activities are carried out for the identification of natural persons.
The collection and processing of these data is intended to ensure the unobstructed connection and use of the site, ensuring comfortable use, improving the functionality of our site as well as system security and stability, and other administrative purposes. Collecting these data serves to increase the level of data protection in our company and to allow a retrospective review in case of unlawful attacks against the site system.
The legal basis for this data processing is based on Article 6 (1) of the CPA. The aforementioned objectives represent a legitimate interest within the meaning of the GDPR.
These data are usually stored for several hours and after that they are deleted.
Under the provisions of GDPR, you have the right to object to this processing.
The source of these data are the technical means of establishing an Internet protocol connection – a web server, a browser, the device you use, and the like.
These available data will not be transmitted to another recipient or used for purposes other than those described above.
Automatically collected data from the web hosting provider when visiting our website
The hosting provider for the site is SiteGround Spain S.L., which processes and stores traffic information similar to the above and for similar purposes. We cannot access these data. The collection and processing of these data is usually within the range of 90-180 days. More information on how SiteGround stores and processes these data can be found in the Data Processing Agreement, which is available at the following Internet address: https://www.siteground.com/term/301.htm.
Data collected when making a payment through our website
When you make a payment through our website, we and/or our payment processors obtain personal data such as:
- cardholder name
- email address
- unique customer identifier
- order ID
- bank account details
- payment card details
- billing address
- card expiration date
- CVC code
- location country
The legal basis for processing these personal data is the fulfilling of the contractual obligations about your order and our legitimate interest to manage the electronic commerce platform and to process payment transactions in a safe and compliant way.
Our payment processors are PayPal and Stripe Payments Europe, Ltd and we operate on a data processing agreement with them. You can read how they process the data they collect during the checkout / payment process in the “Links to Other Sites and Privacy Policies of Other Organizations” section at the end of this document.
Information processed for the fulfilment of your order
To fulfil your order, we must be provided with certain information such as your names, email address, postal address, phone number, or we will eventually receive some payment account information (like your PayPal account email address, bank card type or bank account number). You may also have to provide us with additional personal information (for a customized delivery, for example). Here is a more detailed breakdown.
When you place an order via this site or Discogs, or using other acceptable means to make an order, we receive personal data including your name, email address, postal address and other details like your phone number.
When paying for your order with PayPal we also receive information about your postal and/or shipping address and email information. We do not receive any information about your bank or card details.
If you decide to pay via bank transfer, the bank will certainly let us know your Bank Account Number (IBAN) and your name(s).
Names and contact information obtained in a question or other type of inquiry sent to us via Discogs, phone or mail/email or other publicly available channel will be used to reply to your inquiry and afterwards will be disposed of in a secure manner.
The legal basis for processing these personal data is the fulfilling of the contractual obligations about your order or product enquiry.
Data obtained when communicating with us
You can contact us directly at the specified e-mail address(es) or telephone numbers, and you can provide us with your e-mail address or phone number and other information to help with your inquiry.
The legal basis for this data processing when contacting us is based on Article 6 (1) of the GDPR. When you contact us through the contact form, you provide us with a voluntary agreement within the meaning of this provision.
Data deletion takes place immediately after processing the query you have made. These data will not be shared with third parties or used for any purpose other than those for which consent has been given.
Data obtained when following us/contacting us on social media
When following or contacting us via our social media presence we only process the obtained data to answer your enquiry (if any). Unless otherwise stated in this privacy policy, the legal basis for processing of these personal data is our legitimate interest to be able to provide the functionality of the social media channel or the responsibility to fulfil an obligation to answer your product/order enquiry.
The provider of the social media also processes your personal information when you use our social media page. For additional information, refer to the privacy policy of the respective social media provider.
Data obtained when subscribing to our newsletter
When you have confirmed your subscription for our newsletter we start to process your email address and IP address and, optionally, name, for the purposes of sending you a periodical newsletter.
Unless otherwise stated in this privacy policy, the legal basis for processing of these personal data is your voluntary agreement.
To ensure the proper sending of the email newsletter we use a third-party service, MailPoet, operated by Wysija SARL, France. We will share with them the above data for sub-processing under a strict Data Processing Agreement.
Automated decision making and Profiling
We will not use the data we hold about you to make automated decisions or profiling.
Information Sharing and Disclosure
We will share your personal information when required to fulfil your order, only to the extent necessary to perform this service. For example, your phone number is not provided to the postal service because it is not required for the delivery, but a courier delivery in most cases requires a phone number and/or an email address. We use the following delivery service providers, with whom your personal data required for the order delivery is shared, depending on your shipping preferences for the respective order/country:
- Bulgarian Posts (Postal Delivery Service)—https://bgpost.bg/bg/529
- Speedy (Courier delivery to Bulgaria, Greece and Romania, EU)—https://www.speedy.bg/en/gdpr
- Rapido (Courier Delivery to EU)—https://www.rapido.bg/information/conditions/poveritelnost
- Econt Express (domestic deliveries in Bulgaria)—https://www.econt.com/econt-express/privacy-policy
We may share your personal data in other cases, such as adhering to a tax audit or court appeal, or in any other case that is legally justified (for example, responding to a legal process or government request, preventing fraud or protecting the rights or safety of an individual). In such a case, before sharing any personal data, we will duly investigate the lawful basis of doing or not doing so.
International Transfer of Personal Data
A transmission and transfer of your data outside of the European Union and European Economic Area does not take place.
Transfer of your data to international organizations does not take place.
Data Retention
We process your personal information only for as long as necessary to complete your order or answer your enquiry and as further described in this Privacy Policy.
We always minimize the amount of data we retain to the required minimum and keep it for the required minimum of time. Once this time period has expired, these data will be disposed of or deleted in a safe and secure manner.
As required by the Bulgarian tax legislation we are obliged to keep the records (like invoice, delivery order, payment check, etc.) for your order for a period of 5 (five) years.
Please note that the order information that resides in Discogs or the transaction information in PayPal (and similar information for the order and the payment history in a banking or delivery organization) is something we cannot delete and may continue to be technically available to us even after the above period expires. We will, however, minimize and/or stop processing these data after your order is completed.
Security of Data Processing
For the overall security of your personal data, either in electronic or physical (paper) form, we apply a reasonable amount of security measures like limited access, encryption, strong passwords, two-factor authentication, physical security, verified hardware and software. We also limit the actual information that we have to process to the bare minimum required by law or to fulfil our obligations.
The electronic copies, if any, of all order documents eligible for retention are stored in secure form on our server based in the Netherlands. It is maintained by the company SiteGround as per the applicable Data Processing Agreement that can be found here—https://www.siteground.com/term/301.htm.
Personal data transferred in email communication (like in the email messages sent from PayPal and Discogs) is minimised whenever possible and such communication (and therefore processing) may not happen at all. After the information in that email is processed (to reply to the email or fulfil the order) it is disposed of. The email server is also operated and maintained by the company mentioned above.
Paper documents (if any) will be stored in a secured storage with no access by external people and accessed only by the authorised company personnel per the applicable procedures.
The above information does not cover the way Discogs or other third parties are storing similar information.
Your Data Protection Rights
You have rights outlined in the data protection legislation that we need to make you aware of.
The right of access—You have the right to request from us a copy of the personal information we hold about you.
The right to rectification—You have the right to request that we correct any information we hold about you that you believe is inaccurate. You also have the right to request us to complete the information you believe is incomplete.
The right to restrict—You have the right to ask us to restrict the processing of your information in certain circumstances.
The right to erasure—You have the right to request that we erase your personal information in certain circumstances.
The right to object—You can object to our processing of some of your information based on our legitimate interests.
The right to data portability—You have the right to request that we transfer the data you have given to us to another organization, or directly to you.
The right to complain—You have the right to complain about the way we process your personal data to a data protection authority. The list of the data protection authorities in the European countries is available on this page of the European Data Protection Board—https://edpb.europa.eu/about-edpb/board/members_en
Links to Other Sites and Privacy Policies of Other Organizations
This Privacy Policy does not cover how your personal data is processed by other parties that we do not own or control, including Discogs, any third party services you access through Discogs, or the websites you have followed through the links from this page. We encourage you to read the privacy notices on the other websites you visit or use.
We have also placed, for your convenience, here and in the text of this Privacy Policy links to the privacy policies of other organizations that are relevant to the processing of your personal data when interacting with us. These links are valid at the time of writing but we urge you to always consult the most recent versions of the respective privacy policies.
You can find the Discogs Privacy Policy at the following link—https://support.discogs.com/hc/en-us/articles/360009334513-Privacy-Policy.
You can find the PayPal Privacy Policy in the Privacy section at https://www.paypal.com/.
You can find the Stripe Privacy Policy at the following link—https://stripe.com/en-bg/privacy
You can find the MailPoet Privacy Notice at the following link—https://www.mailpoet.com/privacy-notice/
Contact Information
For any questions or concerns about this Privacy Policy, the data we hold about you, or in case you would like to exercise one of your data protection rights, please do not hesitate to contact us in writing at office@laternarecords.com or call +359892772039, Monday till Friday, 10:00-19:00 (GMT+2).
The organisation that is issuing this privacy policy and is responsible for processing your personal data as explained here is:
Laterna EOOD, c/o Anton Dobrev, 1164 Sofia, Bulgaria
Bulgarian Commercial Registry number: 205365389
VAT number: BG 205365389
Tel: +359892772039
E-Mail: office@laternarecords.com
Changes to the Privacy Policy
We keep this Privacy Policy under regular review and place any updates on this web page. We reserve the right to change our security and data privacy measures, provided that this is required based on legal and/or technical developments. In these cases, we will also adapt our information regarding the data privacy accordingly. Therefore, please observe the current version of our Privacy Policy.
This privacy policy was updated on 20 October 2020 in regard to the information for online payments processing by Stripe.
This privacy policy was updated on 11 November 2020 in regard to the information for the email newsletter subscriptions and MailPoet.