Privacy Policy

This Privacy Policy explains how GG Labs d.o.o. (“we”, “us”, “our”), operating the Velvet Vinyl service at velvetvinyl.org, collects, uses, stores, and protects your personal data. We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR) and applicable data protection laws.

1. Data Controller

GG Labs d.o.o. · OIB: 89285769328
Email: support@velvetvinyl.org

2. Data We Collect

3. Legal Basis for Processing

Contract performance (Art. 6(1)(b)): Processing your name, email, shipping address, audio content, and artwork is necessary to fulfill your order.

Legitimate interest (Art. 6(1)(f)): Technical data processing for website security, fraud prevention, and service improvement.

Consent (Art. 6(1)(a)): Where applicable, such as optional Spotify account connection. You may withdraw consent at any time.

4. Payment Processing

All payments are processed by Stripe, Inc. We do not store, collect, or have access to your full credit card details. Stripe is PCI DSS Level 1 certified. See Stripe’s Privacy Policy.

5. Spotify Integration

If you connect your Spotify account, we access your playlists solely for browsing and selecting tracks. We do not store Spotify credentials. Access tokens are temporary (1 hour) and automatically deleted. We do not access or transmit any Spotify audio content.

6. How We Use Your Data

Your data is used exclusively for order fulfillment, communication (confirmations, updates, support), providing your personal dashboard, and service improvement in aggregate. We do not use your data for marketing, sell it to third parties, or create advertising profiles.

7. Data Sharing

We share data only with: Stripe (payment processing), shipping carriers (delivery), and our hosting provider (server infrastructure). We do not sell, rent, or trade your personal data.

8. Data Retention

9. Data Security

We implement HTTPS encryption (TLS 1.2+), PCI-compliant payment handling via Stripe, restricted access controls, cryptographic dashboard tokens, and isolated browser sessions.

10. Your Rights (GDPR)

You have the right to: access your data, request rectification, request erasure, restrict processing, data portability, object to processing, and withdraw consent. Contact us at support@velvetvinyl.org. We respond within 30 days.

11. Cookies & Local Storage

We use only a localStorage session ID for ordering functionality. No advertising cookies, tracking pixels, or third-party analytics. WordPress session cookies are set only for logged-in administrators.

12. International Data Transfers

Data may be processed by Stripe in the United States under the EU-US Data Privacy Framework. Our servers are located within the European Union.

13. Children’s Privacy

Our service is not directed at individuals under 16. We do not knowingly collect data from children.

14. Changes to This Policy

We may update this policy periodically. Changes are posted on this page with an updated date. Continued use constitutes acceptance.

15. Supervisory Authority

You may lodge a complaint with the Croatian Personal Data Protection Agency:
AZOP · Selska cesta 136, 10000 Zagreb, Croatia
azop.hr · +385 1 4609 000

16. Contact

Velvet Vinyl — a service by GG Labs d.o.o.

Email: support@velvetvinyl.org