Gültig ab 10. Oktober 2023
Dieses Dokument ist momentan nur in Englisch vorhanden. Wir danken für Ihr Verständnis.
-------------
Your privacy and protection of Your data is important to Zink Media, LLC (d/b/a Discogs) and Discogs B.V., as well as our affiliates (collectively, “We”, “Our”, “Us” or “Discogs”) and this Discogs App Privacy Policy (the “Policy”) represents Our commitment to care for Your “personal information” (includes “personal data” and similar terms to describe the data about You as defined by various domestic/international regulations). This Policy applies to the personal information We collect, use, disclose, and sell via Our mobile applications (the “Service”). Privacy-related information specific to Our web applications (websites) can be found in Our main Privacy Policy.
This Policy does not apply to personal information collected by or through any other online or offline sites, applications, products, or services not controlled by Us. When You use third party sites, applications, products, or services, You are subject to those third parties’ policies. In addition, this Policy does not cover personal information You independently disclose to other users of the Service. Disclosure of personal information to buyers, sellers, contributors, or other users (collectively, “Other Users”) outside of disclosure to Us should be discussed with those Other Users prior to providing such information. We are not responsible for the privacy or data protection processes of any Other Users of Our Service.
By using Our Service, You confirm that You have read and agree to abide by the terms of this Policy, Our Terms of Service, and other applicable policies found on Our Service. You acknowledge that We will process Your information in the United States, the Netherlands, Japan and any other country where We or Our service providers/processors operate. If You fail to provide certain information required by Discogs or withdraw Your consent to processing of Your personal information, including where applicable to this Policy (by closing Your account, if any, and/or disabling SDKs), then You may not have access to certain portions of the Service, including the benefits of membership, buying and selling options, language preferences, etc. In certain cases, We may continue to process Your personal information, but only if We have a legal basis to do so.
We encourage You to review the entire Policy. For quick access to a particular Policy section, click on the desired link below:
GENERAL PRIVACY AND DATA PROTECTION INFORMATION
INFORMATION SHARING AND DISCLOSURE
TRANSFER OF PERSONAL INFORMATION
PERSONALLY-IDENTIFIABLE INFORMATION SUBMITTED BY CHILDREN
ADDITIONAL U.S. STATE LAW DISCLOSURES
NOTIFICATION AND OTHER PRIVACY PREFERENCES
YOUR PERSONAL INFORMATION RIGHTS
General Privacy And Data Protection Information
We are committed to complying with applicable privacy and data protection laws and regulations designed to protect Your personal information, including, but not limited to, both of the European Union (“EU”) and United Kingdom (“UK”) versions of the General Data Protection Regulation ("GDPR"), the UK Data Protection Act of 2018, the California Privacy Rights Act, the Act on the Protection of Personal Information (Japan), the Privacy Act 1988 (Australia), the Lei Geral de Proteção de Dados (Brazil), the Colorado Privacy Act, the Connecticut Data Privacy Act, and other applicable current or future regional, national and state privacy and data protection laws and regulations worldwide as they become effective and are amended. Additional details about the information We collect, the purpose of collection, Your rights, and how to contact us are provided in detail within this Policy.
Data Controller: If You are an EU or UK citizen or You are accessing our Services from within the European Economic Area (“EEA”) or UK and You provide Personal Information to Us, the Personal Information provided to Us in connection with the Service is controlled and processed by Discogs B.V., located at Keizersgracht 555, 1017 DR, Amsterdam, the Netherlands.
Personal Information provided to Us from anywhere outside the EEA or by non-EU citizens in connection with the Service or otherwise is controlled and processed by Zink Media, LLC (d/b/a Discogs), 4145 SW Watson Avenue, Suite 350, Beaverton, Oregon, USA 97005.
Our privacy team can be contacted at privacy [at] discogs [dot] com.
Data Protection Officer:
- Our global Data Protection Officer (HewardMills) can be contacted at dpo [at] discogs [dot] com, by mail to 77 Farringdon Rd, London ECIM 3JU, United Kingdom, or by phone to +44 20 4540 5853.
- Our Data Protection Representative in the UK (DPO Consultancy Limited) can be contacted at ukdpr [at] discogs [dot] com.
EU-U.S. and Swiss-U.S. Data Privacy Frameworks: Zink Media, LLC (d/b/a Discogs) and its holding company, Meta Zink Corporation, comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Zink Media, LLC (d/b/a Discogs) and its holding company, Meta Zink Corporation have certified to the U.S. Department of Commerce that We adhere to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Zink Media, LLC (d/b/a Discogs) and its holding company, Meta Zink Corporation have certified to the U.S. Department of Commerce that We adhere to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view Our certification, please visit https://www.dataprivacyframework.gov/.
Information Collected
We practice privacy by design and only collect and process that information which is necessary to provide the Service or meet Our legitimate business needs. We conduct risk assessments on Our processing activities to ensure they do not cause undue harm to individuals. Generally, We collect the following categories of personal information from Service users:
|
Category of Information |
Description |
Source of Information |
Purpose |
Information Shared With |
|---|---|---|---|---|
|
Identity and Contact Information |
Identifiers such as a real name, alias, username, gravatar, postal address (shipping), unique personal identifier, online identifier, Internet Protocol address, Session ID (SSID), email address, account name, or other similar identifiers, information submitted on webforms, and information contributed to forums. Additional identifiers including identification number or beneficiary information as it relates to employee benefits and obligations. |
Consumer (User) |
To provide the Service, including account registration, buying, selling, contributing, etc.; When provided with a job application, it is used to consider Your employment with Us or, if employed, to provide benefits or comply with legal reporting obligations |
Operating Systems and platforms; Email service providers; Parties to a transaction (if using the marketplace); Job application information is not shared; Employee benefit information is shared with benefits providers and regulators, as applicable |
|
Personal and Company Information, Contact Information, Bank Details and Commercial Information |
We are required to process some or all of the following information from sellers that meet requirements of specific laws and regulations: full name, primary address, photo identification (selfie), government ID, date of birth, bank account details, tax identification number (TIN), place of birth (if You do not have TIN), VAT identification number, if available, as well as the existence and location of a permanent establishment through which the business activities are carried out, if and as applicable. Refer to Everything You Need to Know About Seller Account Identification for additional information. |
Seller (User) |
For legal purposes, to report Your taxpayer information to relevant tax authorities and comply with Our tax obligations, as well as to reduce the risk of fraud on Discogs marketplace platform and subsequent financial and personal data losses that users / buyers may experience |
Tax authorities and regulators, as applicable; and Seller Verification Service Providers |
|
Commercial Information |
Records of products or services purchased, obtained, or considered, other purchasing or consuming histories or tendencies, or financial identifier (i.e., PayPal ID). |
Consumer (User) |
To provide the Service related to transactions |
Operating Systems and platforms; Email service providers; Parties to a transaction (if using the marketplace) |
|
Technical Information |
Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding Your interaction with the Service or marketing materials, operating systems and other technology used on Your devices to access the Service. |
Consumer (User); User Device |
To provide the Service, including personalization and performance/ analytics to improve the Service |
Operating Systems and platforms |
|
Geolocation Information |
Non-precise geolocation data based on Your IP address or other analytics tools. |
Consumer (User); User Device |
To provide the Service, including personalization |
Operating Systems and platforms *Analytics (if You allow performance or social media SDKs, this constitutes a “sale” or "sharing" under California Privacy Rights Act) |
|
Professional Information |
Prior work and other related information provided to Us if You apply for a job with Us |
Consumer (User) |
To consider Your employment with Us |
Not shared |
|
Educational Information |
Education information provided to Us if You apply for a job with Us |
Consumer (User) |
To consider Your employment with Us |
Not shared |
|
Inferred Information |
Inferences drawn from any of the information identified above reflecting the Your preferences, behavior, and interests. |
Consumer (User); User Device |
To provide the Service, including personalization |
Operating Systems and platforms *Analytics (if You allow performance, or social media SDKs, this constitutes a “sale” or "sharing" under California Privacy Rights Act) |
|
Browsing Information |
Browsing data collected via SDKs, such as page/screen viewed and events (e.g., clicks) |
User Device |
To provide the Service, including personalization and performance/ analytics to improve the Service |
Analytics (if You allow performance or social media SDKs, this constitutes a “sale” or "sharing" under California Privacy Rights Act) |
|
Contest and Giveaway Contact Information |
Contact information such as name, email, address, and other identifiers depending on the contest or giveaway type |
Consumer (User) |
To provide contests and giveaways |
Not shared unless explicitly disclosed in contest or giveaway terms, in which case information may be shared with disclosed partners supplying the prizes |
We may collect biometric personal data for the purpose of uniquely identifying a natural person, in the form of facial pictures of Sellers to compare them against government ID as a part of the seller verification process. We would collect this data for the purpose of fraud prevention only upon Your explicit consent as the legal basis. You have the right to withdraw Your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
We do not collect any other sensitive personal information, such as information about users’ race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, health data, genetic data, biometric data, or any other protected classes of information. We do not collect any information about criminal convictions and offenses unless such information is surfaced in a job application. Please see California Employees, Contractors, and Job Applicants and Our website Privacy Policy for additional information about data collected for employment purposes.
We rely on the following lawful bases to collect and process personal information based on the EU and UK versions of the General Data Protection Regulation (“GDPR”):
- Consent: use for a specific purpose based on Your clear consent. Article 6(1)(a) GDPR.
- Contract: use to provide the Service to You pursuant to Our policies or taking steps at the request of the data subject prior to entering into a contract. Article 6(1)(b) GDPR.
- Legal Obligation: use is necessary for Us to comply with the laws in the EEA. Article 6(1)(c) GDPR.
- Legitimate interests: use is necessary for Our legitimate interests that are not overridden by Your personal information protection interests or fundamental rights and freedoms. Article (6)(1)(f) GDPR.
In the case the Personal Data is collected and processed under the California Privacy Rights Act (“CPRA”), We rely on the following legal grounds:
- Business: use by Our or Our service provider’s/processor’s operational purposes that is reasonable and necessary to provide the Service. Section 1798.140(e) CPRA.
- Commercial: use by Us to increase Our revenue, such as by encouraging transactions through the marketplace or user subscriptions to marketing-related emails. Section 1798.140(g) CPRA.
More specifically, Our basis for collecting and using the personal information described will depend on the portion(s) of the Service utilized:
|
Service |
Personal Information Collected |
Purpose of Collection |
Basis for Use |
|---|---|---|---|
|
Browsing |
SDK-based information related to browsing, Your device, and IP address. Depending on Your jurisdiction, SDKs may only be placed with Your consent. |
Analytics (Service health, usability, etc.) |
GDPR: Consent CPRA: Commercial purpose |
|
Account Registration via Discogs application |
Username, email address, SSID, IP address, geolocation, browser type/version, and operating system |
Verification of Your identity when You access Our Service, fraud prevention, communication with You, and customization of certain aspects of Your visits, such as language. Registration also allows You to list or purchase items for sale, contribute to the catalogue, build a collection and wantlist, and participate in forum discussions. |
GDPR: Contract, Legitimate Interest; CPRA: Business purpose |
|
Selling on discogs.com |
We are required to process some or all of the following information from sellers that meet requirements of specific laws and regulations: Full name, primary address, PayPal Account Name, photo identification (selfie), date of birth, government ID, bank account details, tax identification number (TIN), place of birth (if You do not have TIN), and VAT identification number, if available, as well as the existence and location of a permanent establishment through which the business activities are carried out, if and as applicable. Refer to Everything You Need to Know About Seller Account Identification for additional information. |
Use of the marketplace to engage in transactions with purchasers, and for legal purposes, to report Your taxpayer information to relevant tax authorities and comply with Our tax and fraud prevention obligations. |
GDPR: Contract, Legitimate Interest, and Legal Obligation; CPRA: Business purpose |
|
Shipping Labels Service |
Address and phone number |
Population of shipping label(s) on Your behalf |
GDPR: Contract CPRA: Business purpose |
|
Third Party Payment Services |
1. Depending on whether You are a business or individual: name, date of birth, email address, phone number, company name, tax identification number, bank account information, government issued photo identification, and bank statement or voided check. 2. Username, account creation date, IP address and email address |
1. Identity verification (per financial regulations) - this information is required by Our third party payment processor(s). 2. Fraud review for accounts. |
GDPR: Contract; CPRA: Business purpose |
|
Purchasing |
Full name, address, and phone number (optional) |
To complete transaction shipping from seller. We do not collect or store any purchaser payment information, such as credit card information. Such information is provided directly to the seller by the purchaser with no interaction by or through Us. Depending on Your payment option selection, certain third parties may have access to such information (i.e., PayPal, Inc.) |
GDPR: Contract CPRA: Business purpose |
|
Registration for NearMint |
Email address, name, address, username |
Inventory management service |
GDPR: Contract; CPRA: Business purpose |
|
Marketing Emails |
Email address |
Some countries require that We obtain Your explicit consent (opt in) to send You marketing-related emails, while other countries do not require express consent. In all cases, You may opt out from receiving marketing-related emails in the notification preferences within Your account settings or from within the email messages themselves. |
GDPR: Consent CPRA: Business purpose, Commercial purpose |
|
User Support |
Email address, username (if registered) and other information You provide for the purpose of responding to Your question or concern, including information submitted to Us to make a valid copyright claim, such as name and contact information. |
Reviewing Your questions/concerns and responding to You. We ask that You do not submit any information to Us that is not absolutely necessary for Us to assist You. |
GDPR: Legal Obligation; CPRA: Business purpose |
|
Error Reporting |
Username, email address, IP address, device information |
Reviewing errors or issues with the Service reported by You directly |
GDPR: Contract; CPRA: Business purpose |
|
Recruitment |
Name and email address, may also include postal address and professional and education history if provided by applicant |
To consider Your employment with Us |
GDPR: Contract; CPRA: Business purpose
|
|
Surveys and Research |
May include username, email address, IP address, device information, some of which is optional dependent on the survey type |
Service improvements (surveys are always optional and subject to consent) |
GDPR: Consent; CPRA: Business purpose, Commercial purpose
|
|
Contests and Giveaways |
Name, email, address, other identifiers dependent on the contest or giveaway type |
Participation in contests and giveaways, including winner selection, notification, and delivery of prizes |
GDPR: Consent; CPRA: Business purpose
|
SDKs and Our Service: Refer to the section below titled “SDKs” for additional information about how We use identifiers within Our Service.
Information Sharing And Disclosure
We share personal information with service providers (processors) that act as an agent to perform tasks on Our behalf and under Our instructions. Examples include providers that assist with payment processing (i.e., PayPal), shipping (i.e., USPS), or providers that We contract with to send emails on Our behalf (i.e., HubSpot). This information is limited only to the information needed to perform the tasks. If certain SDKs are enabled on Your device, then We may also share SDK-related information with related service providers, such as analytics or social media companies. Additional information about the service providers/processors We use to support delivery of Our Service is set forth on our Processors List. All service providers/processors are subject to Our ongoing due diligence reviews for compliance with privacy and data protection requirements, as well as contractual terms. For additional information about service provider (processor) and third party privacy practices, please review those partes’ privacy policies and notices.
We will provide You with notice and obtain Your consent, where applicable, in the event We intend to share Your information with a third party (other than as described above) or for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by You. Prior to sharing such information, You will be provided with clear, conspicuous, and readily available mechanisms to opt in or out of such sharing, as required by applicable laws and regulations. Except as described in this Policy, We do not otherwise share Your information with any third parties without Your consent or other legitimate basis. We do not provide or sell email addresses or collection/wantlist information to any third party without Your consent. Registered users can control the public availability of their collection/wantlist information in the account settings. Please see “Notification and Other Privacy Preferences” below for additional information on limiting the sharing of Your information.
Affiliates : We may share information within our network of affiliated companies, including Zink Media, LLC, Discogs B.V., and Discogs G.K., in order to provide the Service. Each of Our affiliated companies is subject to the terms of this Policy and follow the same privacy practices. All sharing among affiliates is subject to appropriate documentation and risk assessments.
SDKs : We may share information with analytics providers or social media providers. This sharing is considered a “sale” or "sharing" under the California Privacy Rights Act. We do not provide targeted advertising within our mobile application service. You must be 16 years of age or older, depending on Your jurisdiction’s minimum age requirements, to use the Service. As a result, We do not sell personal information of consumers under 16 years of age. The information is sourced from SDKs placed on Your device. The categories of information shared include:
- Geolocation Information: Non-precise geolocation data based on Your IP address or other analytics tools.
- Inferred Information: Inferences drawn from Your online activities reflecting Your preferences, behavior, and interests.
Depending on Your location, You may need to opt in/consent to the placement of these and other SDKs or You may have the option to opt out of these and other SDKs. Please see “SDKs” below for additional information about controlling SDKs.
In addition to the above SDK-related actions, California consumers may select the “Do Not Sell or Share My Personal Information” link, which has been included on Our Service as a component of California Privacy Rights Act compliance to block analytics and social media SDKs upon Your request. See “California Disclosures” below for additional information. See “Additional U.S. State Law Disclosures” below for additional information.
Other Sharing: We may share information in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of Our Terms of Service, or as otherwise required by law enforcement or national security requirements. We may also disclose information when requested to comply with a court order, regulatory investigation, or governmental request.
Sensitive/Protected Information: We do not currently collect or process sensitive, special, or protected information except in the employment context and if You are a seller on the Website with affirmative and explicit express consent. If You are a seller on the website, please refer to the Information Collected section for more information. In the event We decide to collect sensitive, special, or protected categories of information (i.e., personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, information specifying the sex life of the individual, genetic data, or biometric data for the purpose of uniquely identifying a natural person) from users or business partners, We will first obtain affirmative and explicit express consent (opt in) from You (Article 9[2][a] GDPR) if We intend such information to be collected, processed or disclosed to a third party. In addition to consent, We perform risk assessments on any processing involving sensitive data. In the event that the legal basis for collection or processing (Article 9[2] GDPR) has changed, We will inform You of the change prior to collection or processing.
Nevada, United States, Residents: We do not sell Your personal information for monetary consideration as set forth in Nevada Senate Bill 220. If We change this practice in the future, We will obtain affirmative express consent (opt in) from You before taking any such action. You can write to Us at Our Help Center to add Your email address to a “do not sell” list. Please note that You are responsible for updating Us in the event that You need to change Your email address on file.
Mobile Devices: You may choose not to provide information related to Your mobile devices. Information on disabling device location permissions can generally be found in Your device settings or by contacting Your carrier or device manufacturer.
Retention And Storage
We retain Your personal information only as long as it is reasonably necessary to provide You the Service and as required by applicable laws and regulations. This includes maintaining and improving the performance of Our Services, keeping Our Services secure, and maintaining appropriate business and financial records. For example, if You register for an account, but do not activate Your account in the following 14 days, then We will automatically delete Your registration information. If You otherwise use Our Service via Your account without activation in the following 14 days, then We will retain Your registration information.
If We process Your personal data on the basis of consent, then We will retain the data for as long as necessary in order to process it according to Your consent or until You withdraw Your consent. For example, We will retain Your email address related to Your consent to receive marketing-based emails only so long as You are opted-in to receive those emails. When You unsubscribe or opt-out, then We no longer use Your email address for marketing-based emails.
We may keep the minimal necessary personal information about You after You have deactivated Your account for the period of time needed for Us to pursue legitimate business interests, conduct audits, comply with (and demonstrate compliance with) legal obligations, resolve disputes and enforce Our agreements. For example, We may be required to retain Your information to comply with applicable tax/revenue laws or our Know Your Customer (“KYC”) obligations.
Information submitted to or obtained via Our Service is maintained on secure servers and cloud platforms in the United States. We work with third parties to deliver the Service, most of which are also located within the United States. Please see our Processors List for details about the third parties that help us deliver the Service to You.
Safeguarding Your Information
The security of Your Data is of utmost importance to us. Therefore, We have implemented the following technical and organizational measures to ensure the required level of security to protect Your Personal Data:
Physical Security:
- We use secure facilities by preventing unauthorized persons from access to personal information, and ensuring that off-site data centers and server facilities adhere to similar appropriate controls.
- Our off-site data centers and servers are locked with Radio Frequency ID badges.
Data and Network Security:
- Our internal teams ensure We follow industry best practices for monitoring and maintaining data center firewalls and authentication via hashed and salted passwords.
- We ensure personal information is accessible and manageable only by properly authorized staff, including restricted catalogue query and application access, need-to-know access restrictions, and restrictions on the personal information that can be read, copied, modified and/or removed.
- We use encryption of data residing on off-site backup tapes and data residing on servers at drive level.
- We use encrypted data transfer over SSL and other controls to ensure that personal information cannot be read, copied, modified or removed without authorization during external electronic transmission or transport.
- We maintain full disk encryption of all employee issued laptops.
- We encrypt all data before disposal and/or deletion.
- We vet vendors that process Your data on an ongoing basis for compliance with applicable laws and regulations.
- We use logical separation to ensure that personal information is only processed per the terms of this Privacy Policy and the privacy settings selected by You.
- We utilize input controls to ensure that any personal information is provided and edited by You or by Us at Your direction.
Vulnerability Management:
- Our servers are patched regularly, and critical vulnerabilities are patched as soon as possible.
- We routinely engage third parties to run penetration tests against our system.
Data Backup and Recovery:
- We maintain appropriate contingency plans and data backups in the event of a data loss.
- Data backups are taken on a regular basis, and are secured and encrypted.
- Our backup systems are designed to backup site data regularly.
- We maintain emergency and contingency plans for various systems.
- Our data centers have committed to maintaining SSAE 18 SOC 1 and SSAE SOC2 certifications, which We review on an ongoing basis.
Data Resilience:
- Your data is stored on servers located in the United States.
- We utilize a worldwide CDN of 20+ edge data centers. These data centers provide routing as well as data caching, which helps Us reduce latency and improve the performance of Our network.
Compliance Certifications:
- We are certified under the EU-U.S. Data Privacy Framework,the Swiss-U.S. Data Privacy Framework, and the UK-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce.
Data Breach Notification:
- Upon awareness and/or discovery of a breach involving Your data, We will contact appropriate regulators, and if deemed appropriate, will notify You directly.
Despite Our efforts, no security measure can be absolute, and there can be no guarantee that Your personal information will not be accessed through malicious means, inadvertent disclosure, or mistake.
Transfer Of Personal Information
Privacy and data protection laws and regulations and their associated transfer requirements vary by location (state, country and region). We strive to comply with transfers of personal information under these laws and regulations by ensuring transfer is made under an appropriate legal basis. We only transfer personal information to those parties that act as service providers or processors with respect to the Service We provide to You, with Your consent, or under a legitimate interest or business, or commercial purpose, as described in this Policy. We may also transfer personal information if required to do so by other applicable laws and regulations, including those related to criminal or civil matters.
Our technical infrastructure is located in the United States. If You choose to use the Service, You agree to Our Terms of Service which states that Your personal information will be hosted within Our United States infrastructure and Your personal information is required to be transferred to the United States as a result. We work with third parties to deliver the Service, most of which are also located within the United States. We conduct risk assessments and require additional contractual requirements where the third parties We work with are located outside of the United States. Please see our Processors List for details about the third parties that help us deliver the Service to You and the locations of those parties.
To the extent that We transfer Your personal information outside of Your country of residence, We rely on the following types of mechanisms to ensure the security of that information:
- Data Processing Agreements
- Model Clauses (i.e., EU standard contractual clauses and jurisdictional amendments), found here.
- EU Adequacy Decisions, found here.
- Risk Assessments (i.e., data transfer risk assessments, processing activity risk assessments)
- Ongoing monitoring of recipient country’s personal information protection systems
In the event that We go through a business transfer such as a consolidation, merger, restructuring, acquisition, or sale of part or all of Our assets, We will obtain Your consent to the transfer of Your information as permitted by law and to the continued use of Your information by the recipient following the transfer so long as they comply with this Policy.
Personally-Identifiable Information Submitted By Children
The Service is not intended for use by children under 16 years of age in the United States. Please consult local laws for age restrictions in additional jurisdictions. IF YOU ARE UNDER THE MINIMUM AGE FOR YOUR JURISDICTION, DO NOT USE OR ACCESS THE SERVICES AT ANY TIME OR IN ANY MANNER. If We determine that personally-identifiable information of children under the minimum age has been collected, We will remove the information from the Service. If You are a parent or guardian and learn that a child under the minimum age has created an account, You may contact Us and request that the information be removed from the Service at privacy [at] discogs [dot] com.
California Disclosure
The following disclosures are required for California consumers.
If You are a seller on the Website, with Your explicit and express consent, Our third party identification provider may process biometric data (“selfie”) and personal identification numbers (social security number, drivers license, passport, or state ID card numbers) to determine Your identity, which is considered “Sensitive Personal Information” as defined in California Civil Code Section 1798.140 of the California Privacy Rights Act of 2020. The information will not be used for any other purposes other than to verify Your identity. This information is kept on file for up to seven years depending on the applicable regulation pursuant to which it was obtained.
Right to Know About Personal Information Collected
Please refer to the “Information Collected” and “Information Sharing and Disclosure” sections above.
Do Not Sell or Share My Personal Information/Notice of Right to Opt-Out of Sale or Sharing of Personal Information
We allow performance and social media SDKs to be placed on Our Service by third parties for other valuable consideration for the purpose of analytics for Service performance reviews and improvements and social media interactions. These third parties use information from SDKs, such as Your geolocation and browsing behavior to serve You personalized advertisements. We do not otherwise “sell” or "share" (as defined by the California Privacy Rights Act) any personal information. We only share Your personal information with others for the limited purpose of providing the Service to You. If You are a California Service visitor or user, then You must select the “Do Not Sell or Share My Personal Information” link available on the Service to block (opt out of) all analytics and social media SDKs from Our Service on Your device. Opting out via the link will place a strictly necessary SDK on Your device to identify You in future interactions with Our Service so that performance and social media SDKs are not placed during those subsequent interactions. Since this action must be performed by a person using Your device, We do not conduct any identity verification with respect to Your exercise of this right. You may contact Us at privacy [at] discogs [dot] com for additional information about Your opt out rights.
Right to Know, Right to Correct, and Right to Delete
You may submit a request for the categories and specific information that We have collected about You, request correction of Your information, or request that We delete any personal information about You that We have collected, subject to certain exceptions. Refer to Your Personal Information Rights section below for information on submitting requests regarding Your rights.
Information Submitted by Minors under 18 in California
If You are a minor under the age of 18 residing in the State of California, United States, You have additional rights under California law. You may request removal of any information or content You posted while under the age of 18. We cannot ensure that removal of information You provided to the Service will be complete or comprehensive (i.e., information posted to public groups and forums that may be accessed by non-users) but it will be complete and comprehensive on Our part (i.e., user account information). In addition, if at any time You delete Your account, We will remove Your information from the Service. Deletion and removal of information is subject to exceptions to maintain certain information as described in the “Retention and Storage” section of this Policy.
Your California Privacy Rights (Shine the Light Law)
We do not share personal information as defined by California Civil Code Section 1798.83 (“Shine The Light law”) with third parties for their direct marketing purposes absent Your consent. If You are a California resident, You may request information about Our compliance with the Shine the Light law by contacting Us by email to privacy [at] discogs [dot] com or by sending a letter to Zink Media, LLC (d/b/a Discogs), 4145 SW Watson Avenue, Suite 350, Beaverton, Oregon, USA 97005. Any such request must include "California Privacy Rights Request" in the first line of the description and include Your name, street address, city, state, and ZIP code. Please note that We are only required to respond to one request per user each year, and We are not required to respond to requests made by means other than through this email address or mail address.
Additional U.S. State Law Disclosures
The following disclosures are required for Virginia, Connecticut, and Colorado consumers.
Right to Know Categories of Personal Data Processed by Us
Please refer to the “Information Collected” and “Information Sharing and Disclosure” sections above. You may submit a request for the categories that We have processed about You, subject to certain exceptions. Refer to the “Your Personal Information Rights to Access, Alter, or Erase Your Personal Information” section below for information on submitting requests regarding Your rights pursuant to Your Right to Know under various U.S. state laws and regulations.
If You are a seller on the Website, with Your explicit and express consent, Our third party identification provider may process biometric data (“selfie”) to determine Your identity, which is considered “Sensitive Personal Information” pursuant to Virginia, Connecticut and Colorado privacy laws. The information will not be used for any other purposes other than to verify Your identity. This information is kept on file for up to seven years depending on the applicable regulation pursuant to which it was obtained.
Right to Know the Purpose of Processing
Please refer to the “Information Collected” and “Information Sharing and DIsclosure” sections above regarding Your right to know purposes of processing.
Right to Know Categories of Personal Data Shared with Third Parties and the Categories of Third Parties
Please see Our Processors List for details about the third parties that help Us deliver the Service to You.
Do Not Sell My Personal Information/Notice of Right to Opt-Out of Sale of Personal Information
We do not provide for targeted advertising by programmatic advertisers on our mobile applications. We only share Your personal information with others for the limited purpose of providing the Service to You. If You are a Virginia, Colorado, or Connecticut mobile application user, then You must select the “Reject All” or “Opt Out of Sale of Personal Data or Targeted Advertising” link available in the mobile application to block (opt out of) performance and social media SDKs. Opting out via the link will place a strictly necessary SDK on Your device to identify You in future interactions with Our Service so that performance and social media SDKs are not placed during those subsequent interactions. Since this action must be performed by a person using Your device, We do not conduct any identity verification with respect to Your exercise of this right. You may contact Us at privacy [at] discogs [dot] com for additional information about Your opt out rights.
How to Exercise Your Rights and Appeal
Please refer to “Your Personal Information Rights” on how to exercise Your Rights and how to appeal.
Notification And Other Privacy Preferences
We do not send spam and do not permit spam on or through Our Service. We comply with the CAN-SPAM Act of 2003 (US) and applicable international anti-spam regulations. Access to certain portions of Our Service include account registration or consent. We may send You marketing-related email upon Your express opt-in, making a purchase through Our Service, or by registering for Our Service, depending on Your jurisdiction. You may opt out of those portions at any time. Information about privacy and notification preferences within the Service, including opt in and opt out settings, can be found in Our How To Adjust Account, Notification & Other Privacy Preferences help document.
Public Groups & Forums
You must be registered on the Site in order to post on the forum. Information You post to the public areas of the Service (groups / forums / searchable catalog) is not private, and is not protected under this Policy. Please exercise caution when disclosing Your information in these areas. You acknowledge that Other Users and the public, in general, not covered by this Policy will have access to Your public postings and We cannot be responsible for any subsequent use of personal information contained in Your public postings.
SDKs
What are SDKs?
SDK stands for “Software Development Kit”. These are collections of software development tools that We use to provide products and services to You. Some SDKs are required for App software development. For example, the iOS SDK is required for any iOS Application. One SDK that our Android and iOS Applications both use is the Firebase Analytics SDK. This allows for Us to track App performance metrics and usage. This data is anonymized and provides guidance on what to improve in future App Versions. Privacy policies and contact information for third parties that place SDKs via the Discogs App can be found in Our Processors List.
SDKs have different lifespans:
- Persistent: these files remember certain information about Your preferences for viewing mobile apps, and allows the mobile app manager to recognise You each time You return. These are stored on Your mobile device until You choose to delete them.
- Session: these files are specific to a particular visit to a mobile app that carry information as You view different pages on a mobile app so You don’t have to re-enter information.
How We Use SDKs
Our SDKs: We use Our mobile app specific SDKs to uniquely identify You after You access Our Service. Upon successfully logging in, Our server will generate a unique and random token. A copy of the token is saved on Our server, and a copy is sent to Your mobile app as a login token. Your mobile device sends this token back to Our server each time it requests a resource from Our server, such as a new page to which You are navigating. Our servers then look up Your secure profile using this token.
Our SDKs are required to enable certain features that relate to Your personal account. These include:
- Buying & Selling
- Adding items to a Wantlist or Collection
- Making Lists
- Participating in Forums
- Saving preferences
- Submitting to the Database
- Messaging other users
- Social Sharing Your Collection or Wantlist
We also use Our own domain specific SDKs to assist with:
- Login information (note: the SDK stores a unique value that identifies You after You log in, but does not store Your actual login information such as username and password)
- Buying and selling preferences
- General device and application setting preferences, such as language, login status and shopping cart details
- User interaction and behavior analytics
- Service security
Third-party SDKs: Our mobile applications use third-party SDKs to anonymously track mobile usage and analytics, such as: Firebase (https://firebase.google.com/support/privacy)
Many third-party SDKs are not essential to user experience on Our Service other than collecting data on how We can improve Our Service based on anonymous browsing behaviors.
We also partner with others, who may use various tracking technologies to provide certain services or features, including cross-device tracking, which allows us to recognize users across multiple devices or browsers.
Please see Our Processors List for additional information about parties that use tracking technologies on Our Service.
Some of these parties may provide Us with information about You (such as inferred demographic information, cross-device information, or interest categories) so that We may improve Our Service.
We do not allow third parties to access personally identifiable information from Us via SDKs or any other tracking technology. However, these technologies may allow Us or a third party to recognize You, either across devices or over time. We do not have control over third-party technologies, which maintain their own privacy policies, and they are not covered by Our Privacy Policy or this Policy.
Current SDKs
The below link provides detailed information about the SDKs available through our Discogs App. This list will change from time to time, so please check back often for updates. In addition, third parties not associated with us may also place SDKs on Your mobile device from time to time.
Your Personal Information Rights
Identity Verification and Authorized Agents
If You submit a request to exercise Your rights under any privacy or data protection law and regulation, We will need to verify Your identity prior to complying with Your request. We verify requests by confirming the email address that sent the request is attached to a registered account on Our system. Erasure/Deletion requests include a second verification from the user sending the request. If You do not have an account with Us the only data We collect and process is (i) made available via SDKs as allowed by law or regulation, which You can manage via Your “SDK Settings” or “Manage Preferences” link on the Service in applicable jurisdictions, or (ii) any email address and country (as applicable) that You provide when signing up for Our email subscriptions and You may unsubscribe via the email links at any time.
Your authorized agent may be able to make a request to exercise Your rights on Your behalf. Please contact Us at privacy [at] discogs [dot] com to do so.
Consent
Where You have provided Your consent to any part of the Service, You may withdraw that consent at any time. To withdraw Your consent to Our policies in their entirety, You must cease using the Service. You may also withdraw Your consent to certain processing activities within the Service within Your account settings. Finally, You may withdraw Your consent to marketing-related email using the “unsubscribe” button found in those emails and, in some cases, within Your account settings.
Automated Decision Making
If You complete the “seller settings” within Your account, indicating a desire to sell through Our Service, You will undergo an automated assessment of Your email address to verify its validity. Such assessment amounts to email address profiling and will result in an automated decision regarding Your ability to sell through Our Service. The assessment results in a risk rating of the email address and higher risk email addresses may not be granted the ability to sell through Our Service. In addition, as part of Our seller verification process, We may conduct facial cross-checks of identity cards, and photos or video selfies, uploaded by You to our identity verification provider’s platform. This process is completed solely through automated means and results in profiling. Both of these assessments could impact You financially if You are not eligible to sell through Our Service as a result. We do not otherwise participate in any automated decision making.
You have the right to obtain human intervention, express your point of view and contest the outcome of these assessments by contacting Us at privacy [at] discogs [dot] com.
Access
You have a right to access Your personal information that We collect/process/store or personal information that We “sell” or "share". Personal Data We “sell” or "share" (as defined by various U.S. State privacy laws and regulations) is limited to information generated by SDKs related to analytics and social media.
Other than Your IP address, geolocation, SSID, device information and operating system (collected when You access the Service), information collected via SDKs (with Your consent, as applicable), and information that You provide to Us in Your support requests, all personal information We collect from registered users can be found in Your user profile by reviewing Your User Profile Settings and the additional settings noted in the menu on the left side of the page (i.e., Notification, Privacy, Buyer, Seller, etc.).
In addition,
- We offer email subscription services available to both registered and non-registered users that collect only an email address provided directly by the user.
- For those jurisdictions where We provide a SDK banner, SDK settings specific to Your device can be viewed via the “SDK Settings” or “Manage Preferences” links located on Our Service.
Additional information about privacy and notification preferences within the Service, including opt in and opt out settings, can be found in Our How To Adjust Account, Notification & Other Privacy Preferences help document.
You may also access Your personal information and how it is used and shared by completing the Request Access of Data form in Our Help Center. We will comply with Your request within 30 days, unless a shorter time period is required by local laws and regulations, and if permitted by law. Additional questions may be submitted to privacy [at] discogs [dot] com.
Rectification, Restriction, and Objection
We want to make sure that Your personal information is accurate and up to date. Information within the Services is limited to that information that You have provided directly. If You would like to rectify personal information that You have previously provided to Us and are unable to do so using the How To Adjust Account, Notification & Other Privacy Preferences instructions, then please contact Us through Our Help Center. In Your request, please make clear what information You would like to have changed, whether You would like to have Your personal information suppressed from Our catalog or otherwise let Us know what limitations You would like to put on Our use of Your personal information that You have provided to Us. Some portions of Our Service may no longer be available if You request that We restrict processing or if You object to the processing of certain information.
If You would like to restrict or object to the processing of personal information that You have previously allowed by Us and are unable to do so using the How To Adjust Account, Notification & Other Privacy Preferences instructions, then please contact Us through Our Help Center. In Your request, please make clear what information You would like to restrict or object, or otherwise let Us know what limitations You would like to put on Our use of Your personal information that You have provided to Us. Some portions of Our Service may no longer be available if You object or request that We restrict processing of certain information.
If You would like to object to the processing of personal information that You have previously allowed by Us and are unable to do so using the How To Adjust Account, Notification & Other Privacy Preferences instructions, then please contact Us through Our Help Center. In Your request, please make clear what processing You would like to object or otherwise let Us know what limitations You would like to put on Our use of Your personal information that You have provided to Us. Some portions of Our Service may no longer be available if You object to the processing of certain information.
In all cases, We will comply with Your request within 30 days, unless a shorter time period is required by local laws and regulations, and if permitted by law. In the event that this time period needs to be extended, We will comply with applicable laws or regulations when it comes to notifying You of such an extension and reason for the extension. Additional questions may be submitted to privacy [at] discogs [dot] com.
Erasure/Deletion
You have a right to obtain erasure or deletion of the personal information You have provided to Us related to Your use of the Service. Exercising this right will result in closure of any account You have opened and removal of any items You have listed in Your collection, wantlist or for sale in the Marketplace. In addition, exercising this right will impact certain functionality of the Service available to You online. If You request erasure or deletion, pursuant to the Terms of Service, (i) Your user-generated content contributions will be anonymized by having the user name replaced by a generic term (i.e., "previous user1234" or simply "anonymous1234"), and (ii) We are entitled to continue using this anonymized user-generated content. We cannot guarantee that Your username as associated with any information You posted in public forums and discussions will be fully erased as Other Users have access to those portions of Our Service and may have used or republished such information, including Your username, subject to Our Terms of Service, prior to the time of Your request. We will comply with Your request within 30 days, unless a shorter time period is required by local laws and regulations, and if permitted by law or as set forth below. We may need to maintain certain information for additional days in order to carry out Our contractual obligations to You. For example, We provide support for transaction disputes for 90 days following the date of transaction. In addition, We may maintain minimal personal information on You for a reasonable period of time if You have violated the Terms of Service resulting in an account suspension or ban in order to protect other users or pursuant to any regulatory or legal exceptions allowing Us to maintain the information. You may submit a request for erasure or deletion by completing the Request Erasure of Data form in Our Help Center. Additional questions may be submitted to privacy [at] discogs [dot] com.
Human Intervention
Under various data protection regulations, You have a right to not be subjected to a decision that produces legal or significant effects on You, and is based solely on automated processing, including profiling. This means that You have a right to human intervention in processing activities, express Your point of view, obtain an explanation of the decision reached after such assessment and challenge that decision. Outside of facial identification verification and email verification, We do not conduct any processing activities where Your data is processed based solely on automated decision-making (including profiling). If We consider using automated decision-making for additional processing activities in the future, this Policy will be updated and We will provide additional notification to You when required.
Portability
You have a right to receive the personal information concerning You, which You have provided to Us, in a structured, commonly used and machine-readable format and You have the right to transmit those data points to another controller where Our processing is based on Your consent or any contract You have with Us and the processing is carried out by automated means. You may submit a request for portability by completing the Request Portability of Data form in Our Help Center. Additional questions may be submitted to privacy [at] discogs [dot] com.
Appeal
If We are unable to fulfill Your request, You may formally appeal the action by contacting Us at privacy [at] discogs [dot] com. We will respond to Your appeal within required time frames outlined by the privacy and data protection laws of Your jurisdiction. U.S.-based individuals may contact their state Attorney General if they have concerns about the result of an appeal.
Non-Discrimination Policy
We do not discriminate against users of Our Service, whether You use the Service without incident or choose to exercise Your rights under any applicable laws or regulations.
Complaints
If You believe that Your privacy rights have been breached or that Your personal information has been compromised as a result of using Our Service, please contact Us via the Help Center or at privacy [at] discogs [dot] com. We may ask for additional information to confirm Your identity prior to assisting with Your complaint. We will respond to Your complaint within 30 days of receipt, unless a shorter time period is required by local laws and regulations, if permitted by law and may request additional information from You to complete Our investigation. You may also contact us as follows:
- Our global Data Protection Officer in the EU (HewardMills) can be contacted by email at dpo [at] discogs [dot] com, by mail to 77 Farringdon Rd, London ECIM 3JU, United Kingdom, or by phone to +44 20 4540 5853.
- Our Data Protection Representative in the UK (DPO Consultancy Limited) can be contacted at ukdpr [at] discogs [dot] com.
If You are a resident of the EU or EEA and feel that Your privacy has been infringed by Our Service or practices, You have the right to lodge a complaint directly with a supervisory authority in Your member state of residence, place of work or place of the alleged infringement. The name and contact details of the Data Protection Authorities in the European Union can be found here. Our lead supervisory authority is Autoriteit Persoonsgegevens (The Netherlands).
If You are a resident of the UK and feel that Your privacy has been infringed by Our Service or practices, You have the right to lodge a complaint directly with the UK Information Commissioner’s Office (ICO).
U.S.-based users may submit complaints directly to their state’s Attorney General. Connecticut-based users may submit complaints directly to the Connecticut Attorney via the forms located at: https://portal.ct.gov/AG.
For complaints about content users or We have added to Our Service or items listed for sale through the marketplace that relate to the Digital Millennium Copyright Act or other copyright laws and regulations, please review the How Do I Report Copyright Infringement information documentation.
Dispute Resolution
In the event that We are unable to resolve any complaint or dispute that You bring to Our attention, You may contact an independent dispute resolution body free of charge. We have chosen JAMS as Our independent recourse mechanism. You can file a claim with JAMS at the following website: https://www.jamsadr.com/eu-us-data-privacy-framework. Under certain conditions, You may invoke binding arbitration for complaints regarding EU-U.S. DPF compliance not resolved by any EU-U.S. DPF mechanism. For more information, please visit: https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2.
General
We may amend this Policy at any time by posting the amended terms on Our Service and notifying You of material changes to the Policy along with an opportunity to opt in to changes that require Your consent by law or regulation or to opt out of any changes that decrease Your rights under this Policy. All non-material changes to Our terms are effective on the effective date of the Policy. We encourage You to review this Policy from time to time. By continuing to use the Service after non-material changes are effective, or after being notified of a material change, You will be deemed to have accepted the changes.
We are subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission in connection with Our EU-U.S. DPF,Swiss-U.S. DPF, and UK-U.S. DPF compliance. Notwithstanding any language to the contrary in this Privacy Policy, in cases of onward transfers to third parties of personal data of individuals received pursuant to the EU-U.S. DPF,Swiss-U.S. DPF, and UK-U.S. DPF, We are potentially liable.
Contact Us
- You can contact Us about this Policy and Our practices via Our Help Center or at privacy [at] discogs [dot] com.
- Our global Data Protection Officer (HewardMills) can be contacted by email at dpo [at] discogs [dot] com, by mail to 77 Farringdon Rd, London ECIM 3JU, United Kingdom, or by phone to +44 20 4540 5853.
- Our Data Protection Representative in the UK (DPO Consultancy Limited) can be contacted at ukdpr [at] discogs [dot] com.