PRIVACY POLICY

pursuant to Articles 13 and 14 of EU Regulation 2016/679 (GDPR)

and Italian Legislative Decree no. 196/2003 as amended by Legislative Decree no. 101/2018

Last updated: April 2026

1. Data Controller

The Data Controller for the personal data collected through the website www.coronerrecords.net is:

Company Name: RPG MUSIC S.A.S.

Registered Office: Via Michele Ponza 4, 10121, Italy

VAT / Tax Code: IT10028890019

E-mail: privacy@coronerrecords.net

For any enquiry regarding the processing of personal data, the data subject may contact the Data Controller using the details provided above.

2. Types of Data Collected

2.1 Data provided voluntarily by the user

During browsing and use of the website, the user may voluntarily provide the following personal data:

  • Personal details: first name, last name, date of birth;
  • Contact information: e-mail address, phone number;
  • Address details: shipping and billing address (street, house number, postcode, city, province/state, country);
  • Account credentials: username and password for the creation and management of a personal account;
  • Order information: products purchased, quantities, shipping preferences;
  • Payment data: processed exclusively through PayPal and Advanced Card Processing (see section 5); the Data Controller never accesses or stores the user’s credit/debit card details;
  • Contact form submissions: content of messages sent via the website’s contact forms or by e-mail, stored in the website’s internal database hosted on Aruba servers;
  • Marketing preferences: consent to or opt-out from newsletters and commercial communications.

2.2 Data collected automatically

During website navigation, certain technical data necessary for the operation of the service are collected automatically:

  • IP address of the device;
  • Browser type and operating system;
  • Pages visited and navigation path;
  • Date, time and duration of the visit;
  • Referring URL.

These data are processed in aggregated and anonymised form for statistical and security purposes only.

2.3 Cookies and tracking technologies

The website uses technical cookies that are strictly necessary for the correct functioning of the e-commerce platform (e.g. shopping cart, login session, language preferences). Cookie consent management is handled by the Complianz | GDPR/CCPA Cookie Consent plugin. For detailed information on the use of cookies, please refer to the Cookie Policy available on the website.

3. Purposes and Legal Bases of Processing

Personal data are processed for the following purposes, each grounded on a specific legal basis pursuant to Article 6 of the GDPR:

3.1 Performance of a contract (Art. 6(1)(b) GDPR)

  • Management of orders, processing of payments and organisation of shipments;
  • Creation and management of the user account;
  • Communications relating to order status, shipping and returns;
  • After-sales customer support and complaint handling.

3.2 Compliance with a legal obligation (Art. 6(1)(c) GDPR)

  • Issuance of invoices and tax documents in accordance with Italian tax law;
  • Accounting, anti-money laundering and customs compliance for shipments outside the EU;
  • Data retention for the periods required by applicable law.

3.3 Legitimate interests of the Data Controller (Art. 6(1)(f) GDPR)

  • Prevention of fraud and unlawful activities, including through Google reCAPTCHA;
  • IT security and integrity of the website;
  • Aggregated statistical analysis of user behaviour to improve the services offered;
  • Protection of the Data Controller’s rights in legal or pre-legal proceedings.

3.4 Consent of the data subject (Art. 6(1)(a) GDPR)

  • Sending of newsletters, promotional communications and commercial offers relating to music products and merchandise, subject to the user’s explicit consent;
  • Use of non-essential cookies and statistical analysis tools.

Consent may be withdrawn at any time without prejudice to the lawfulness of processing carried out prior to withdrawal.

4. Methods of Processing

Personal data are processed by means of IT and electronic tools, adopting appropriate technical and organisational security measures to prevent unauthorised access, loss, disclosure or accidental destruction of data, in accordance with Article 32 of the GDPR.

The website is built on the WordPress platform using the WooCommerce and Elementor plugins, and is hosted by Aruba S.p.A. (registered office: Via Circumvallazione 24, 52011 Bibbiena AR, Italy), with infrastructure entirely located in Italy and within the European Union. Access to data is restricted to authorised personnel on a need-to-know basis.

5. Payments and Payment Processors

The website uses the following services for the management of financial transactions:

5.1 PayPal

The website uses the PayPal payment service (PayPal Holdings, Inc. / PayPal (Europe) S.à r.l. et Cie, S.C.A., registered in Luxembourg) for payments made via PayPal accounts.

When the user makes a payment through PayPal, data are transmitted directly to PayPal and are never accessible to or stored by the Data Controller. All transactions are processed through encrypted connections in compliance with PCI-DSS standards.

PayPal acts as an independent data controller. Users are invited to consult PayPal’s privacy policy at: https://www.paypal.com/en/webapps/mpp/ua/privacy-full

5.2 Advanced Card Processing (via PayPal)

For credit and debit card payments, the website uses the Advanced Card Processing gateway, integrated within PayPal’s infrastructure. Supported card networks include Visa, Mastercard, American Express, Discover and other international circuits. In all cases, card data are transmitted directly to PayPal and are never accessible to the Data Controller. All transactions are protected by SSL/TLS encryption and comply with PCI-DSS standards.

6. Third-Party Services

6.1 Google Fonts (Google Ireland Limited)

The website uses Google Fonts via the Elementor plugin to render typographic characters. This service is provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). When a user visits the website, the browser establishes a direct connection to Google’s servers to download the fonts, transmitting the user’s IP address. Google may transfer such data to the United States under the EU-US Data Privacy Framework.

Google privacy policy: https://policies.google.com/privacy

6.2 Google reCAPTCHA (Google Ireland Limited)

The website uses Google reCAPTCHA to protect registration, login and checkout forms from automated access and spam. The service is provided by Google Ireland Limited and analyses user behaviour (mouse movements, device data, IP address) to determine whether the interaction originates from a human or a bot. Data collected by reCAPTCHA are transmitted to Google and may be processed in the United States under the EU-US Data Privacy Framework.

The legal basis for this processing is the Data Controller’s legitimate interest in the IT security of the website (Art. 6(1)(f) GDPR).

Google privacy policy: https://policies.google.com/privacy

6.3 Newsletter and Amazon SES

The website uses the Newsletter plugin (The Newsletter Team) for managing subscriptions and sending commercial communications. Emails are delivered via Amazon Simple Email Service (Amazon SES), a service provided by Amazon Web Services, Inc. (AWS). Subscriber data (e-mail address, preferences) may be processed on AWS servers located within the European Union or, in some cases, in the United States, under Standard Contractual Clauses (SCCs) approved by the European Commission.

Subscription to the newsletter requires the user’s explicit consent, which may be withdrawn at any time via the unsubscribe link included in every email or by contacting the Data Controller.

AWS privacy policy: https://aws.amazon.com/privacy/

6.4 Complianz (Complianz B.V.)

The website uses the Complianz | GDPR/CCPA Cookie Consent plugin for managing cookie consent and tracking technologies. Complianz is provided by Complianz B.V. (Kalmarweg 14-5, 9723 JG Groningen, the Netherlands). The plugin records and manages the user’s cookie preferences without collecting additional personal data.

Complianz privacy policy: https://complianz.io/privacy-statement/

7. Data Sharing and Recipients

Personal data may be shared, to the extent strictly necessary, with the following categories of recipients, who act either as data processors (Art. 28 GDPR) or as independent data controllers:

  • Aruba S.p.A. — hosting and server infrastructure (Italy/EU);
  • PayPal — payment processing via PayPal accounts and Advanced Card Processing;
  • Google Ireland Limited — Google Fonts and Google reCAPTCHA;
  • Amazon Web Services (Amazon SES) — email and newsletter delivery;
  • Complianz B.V. — cookie consent management;
  • Couriers and shipping companies for order delivery;
  • Accountants and tax advisors for accounting and tax compliance;
  • Public, judicial or supervisory authorities, where required by applicable law.

Personal data are not sold or transferred to third parties for their own commercial purposes.

8. International Transfers of Personal Data

The website accepts orders from users residing outside the European Union. Some technical service providers may transfer data outside the European Economic Area (EEA). In such cases, the Data Controller ensures that transfers comply with Articles 44 et seq. of the GDPR:

  • Google Ireland Limited (Google Fonts, reCAPTCHA): transfers to the USA covered by the EU-US Data Privacy Framework;
  • Amazon Web Services (Amazon SES): transfers to the USA covered by Standard Contractual Clauses (SCCs) approved by the European Commission;
  • PayPal (Europe) S.à r.l.: registered in Luxembourg (EU); any transfers to the USA covered by the EU-US Data Privacy Framework.

The hosting infrastructure (Aruba S.p.A.) is entirely located in Italy and within the European Union, with no extra-EU data transfers.

Users may request further information on international transfers and the safeguards adopted by contacting the Data Controller at the address indicated in section 1.

9. Data Retention Periods

Personal data are retained for no longer than is necessary for the purposes for which they were collected, in accordance with the principle of storage limitation (Art. 5(1)(e) GDPR):

  • Order and billing data: retained for 10 years, in compliance with Italian tax law (Art. 2220 of the Italian Civil Code);
  • User account data: retained for the duration of the contractual relationship and for 2 years following its termination, subject to longer statutory retention obligations;
  • Marketing data (newsletter): retained until withdrawal of consent by the data subject;
  • Contact form submissions (stored by Elementor): retained for a maximum of 12 months from receipt, unless required for legal proceedings;
  • Navigation data and system logs: retained for a maximum of 12 months, unless longer retention is required for ongoing investigations or by applicable law.

Upon expiry of the applicable retention period, data are permanently deleted or irreversibly anonymised.

10. Rights of the Data Subject

Pursuant to Articles 15 to 22 of the GDPR, the data subject has the right to:

  • Access (Art. 15): obtain confirmation as to whether personal data concerning him or her are being processed and, where that is the case, access to the data and related processing information;
  • Rectification (Art. 16): obtain the correction of inaccurate or incomplete personal data;
  • Erasure (Art. 17): obtain the deletion of personal data (‘right to be forgotten’), in the cases provided for by applicable law;
  • Restriction of processing (Art. 18): obtain restriction of processing in the cases provided for by law;
  • Data portability (Art. 20): receive personal data in a structured, commonly used and machine-readable format;
  • Object (Art. 21): object at any time to the processing of personal data for direct marketing purposes or based on legitimate interest;
  • Withdrawal of consent (Art. 7(3)): withdraw consent at any time without prejudice to the lawfulness of processing carried out prior to withdrawal.

To exercise any of the above rights, the data subject may submit a written request to: [privacy@yourdomain.com], or by post to the Data Controller’s address indicated in section 1. The Data Controller will respond without undue delay and, in any event, within 30 days of receipt of the request, extendable by a further 60 days in cases of particular complexity.

11. Right to Lodge a Complaint with a Supervisory Authority

The data subject has the right to lodge a complaint with the competent data protection supervisory authority. In Italy, the relevant authority is the Garante per la protezione dei dati personali (www.garanteprivacy.it).

12. Legal Action

The Data Controller may use the user’s personal data for legal purposes in court or in the preliminary stages of legal action arising from improper use of this website or its related services. The user acknowledges that the Data Controller may be required to disclose personal data upon request of public authorities.

13. Data of Minors

This website is intended exclusively for persons aged 18 years or over. The Data Controller does not knowingly collect personal data from individuals under the age of 18. Should the Data Controller become aware of having inadvertently collected data from a minor, it will proceed to their immediate deletion. Parents or legal guardians who become aware of personal data of a minor being processed are invited to contact the Data Controller at the address indicated in section 1.

14. Data Security

The Data Controller adopts appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration or accidental destruction, in accordance with Article 32 of the GDPR. Security measures include:

  • Data transmission via HTTPS protocol with SSL/TLS encryption;
  • Access to systems restricted to authorised personnel with individual credentials;
  • Regular updates to software, plugins and security measures;
  • Regular backup procedures to ensure data availability;
  • Form protection via Google reCAPTCHA against automated access.

In the event of a personal data breach presenting a risk to the rights and freedoms of individuals, the Data Controller will notify the Garante within 72 hours of becoming aware of it, pursuant to Art. 33 GDPR, and will communicate the breach to affected data subjects where required under Art. 34 GDPR.

15. Cookie Policy

The website uses technical cookies that are strictly necessary for the correct functioning of the e-commerce platform, including session cookies, shopping cart cookies and authentication cookies. Cookie consent management is handled by the Complianz plugin, which allows users to accept or refuse individual cookie categories via a dedicated banner.

Should the website use non-essential cookies (e.g. analytical or profiling cookies), the user will be able to grant or refuse consent on a granular basis. For further information, please refer to the full Cookie Policy available on the website.

16. Applicable Law and Jurisdiction

This Privacy Policy is governed by Italian law and by EU Regulation 2016/679 (GDPR), which applies directly in all EU Member States. For users residing outside the European Union, the GDPR applies insofar as the processing of their personal data is related to the offering of goods or services to them (Art. 3(2) GDPR).

Any dispute arising from or in connection with this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of [City], Italy, without prejudice to the right of the data subject to bring proceedings before the courts of his or her habitual place of residence.

17. Definitions

Personal Data: any information that directly, indirectly, or in connection with other information allows for the identification or identifiability of a natural person.

Processing: any operation or set of operations performed on personal data, whether or not by automated means (collection, recording, organisation, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, erasure, etc.).

Data Controller: the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data Processor: the natural or legal person which processes personal data on behalf of the Data Controller.

Data Subject: the natural person to whom the personal data refer.

Cookie: a small text file stored on the user’s device by the browser during navigation.

Tracker: any technology (cookies, unique identifiers, web beacons, embedded scripts, e-tags, fingerprinting) that enables the tracking of users.

18. Changes to this Privacy Policy

The Data Controller reserves the right to amend this Privacy Policy at any time, in particular following regulatory, technological or organisational changes. Any amendments will be published on this page with an updated date. In the event of material changes, registered users will be notified by e-mail. Users are encouraged to check this page periodically.

This Privacy Policy is effective as of April 2026.

RPG MUSIC S.A.S. — Via Michele Ponza 4, 10121, Italy

VAT: IT10028890019 — E-mail: privacy@coronerrecords.net