Discogs App Privacy Policy

Last Updated: October 18, 2024 

Your privacy and protection of Your data is important to Zink Media, LLC (d/b/a Discogs) and Discogs B.V., as well as our affiliates (collectively, “We”, “Our”, “Us” or “Discogs”) and this Discogs App Privacy Policy (the “Policy”) represents Our commitment to care for Your “personal information” (includes “personal data” and similar terms to describe the data about You as defined by various domestic/international regulations). This Policy applies to the personal information We collect, use, disclose, and sell via Our mobile applications (the “Service”). Privacy-related information specific to Our web applications (websites) can be found in Our main Privacy Policy.
 

This Policy does not apply to personal information collected by or through any other online or offline sites, applications, products, or services not controlled by Us. When You use third party sites, applications, products, or services, You are subject to those third parties’ policies. In addition, this Policy does not cover personal information You independently disclose to other users of the Service. Disclosure of personal information to buyers, sellers, contributors, or other users (collectively, “Other Users”) outside of disclosure to Us should be discussed with those Other Users prior to providing such information. We are not responsible for the privacy or data protection processes of any Other Users of Our Service.

By using Our Service, You confirm that You have read and agree to abide by the terms of this Policy, Our Terms of Service, and other applicable policies found on Our Service. You acknowledge that We will process Your information in the United States, the Netherlands, Japan and any other country where We or Our service providers/processors operate. If You fail to provide certain information required by Discogs or withdraw Your consent to processing of Your personal information, including where applicable to this Policy (by closing Your account, if any, and/or disabling SDKs), then You may not have access to certain portions of the Service, including the benefits of membership, buying and selling options, language preferences, etc. In certain cases, We may continue to process Your personal information, but only if We have a legal basis to do so.

We encourage You to review the entire Policy. For quick access to a particular Policy section, click on the desired link below:

GENERAL PRIVACY AND DATA PROTECTION INFORMATION

INFORMATION COLLECTED

INFORMATION SHARING AND DISCLOSURE

RETENTION AND STORAGE

SAFEGUARDING YOUR INFORMATION

TRANSFER OF PERSONAL INFORMATION

PERSONALLY-IDENTIFIABLE INFORMATION SUBMITTED BY CHILDREN

CALIFORNIA DISCLOSURES

ADDITIONAL U.S. STATE LAW DISCLOSURES

NOTIFICATION AND OTHER PRIVACY PREFERENCES

PUBLIC GROUPS & FORUMS

CHATBOT

SDKS

YOUR PERSONAL INFORMATION RIGHTS 

NON-DISCRIMINATION POLICY

COMPLAINTS

DISPUTE RESOLUTION

GENERAL

CONTACT US

General Privacy And Data Protection Information

We are committed to complying with applicable privacy and data protection laws and regulations designed to protect Your personal information, including, but not limited to, both of the European Union (“EU”) and United Kingdom (“UK”) versions of the General Data Protection Regulation ("GDPR"), the UK Data Protection Act of 2018, the California Privacy Rights Act, the Act on the Protection of Personal Information (Japan), the Privacy Act 1988 (Australia), the Lei Geral de Proteção de Dados (Brazil), the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, the Oregon Consumer Privacy Act, the Texas Data Privacy and Security Act, the Montana Consumer Data Privacy Act and other applicable current or future regional, national and state privacy and data protection laws and regulations worldwide as they become effective and are amended. Additional details about the information We collect, the purpose of collection, Your rights, and how to contact us are provided in detail within this Policy.

Data Controller: If You are accessing our Services from within the European Economic Area (“EEA”) or UK and You provide Personal Information to Us, the Personal Information provided to Us in connection with the Service is controlled and processed by Discogs B.V., located at Keizersgracht 555, 1017 DR, Amsterdam, the Netherlands.

Personal Information provided to Us from anywhere outside the EEA or by non-EU citizens in connection with the Service or otherwise is controlled and processed by Zink Media, LLC (d/b/a Discogs), 4145 SW Watson Avenue, Suite 350, Beaverton, Oregon, USA 97005. 

Our privacy team can be contacted at privacy [at] discogs [dot] com.

Data Protection Officer:

  • Our global Data Protection Officer (HewardMills) can be contacted at dpo [at] discogs [dot] com, by mail to 77 Farringdon Rd, London ECIM 3JU, United Kingdom, or by phone to +44 20 4540 5853.
  • Our Data Protection Representative in the UK (DPO Consultancy Limited) can be contacted at ukdpr [at] discogs [dot] com.

EU-U.S. and Swiss-U.S. Data Privacy Frameworks: Zink Media, LLC (d/b/a Discogs) and its holding company, Meta Zink Corporation, comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.  Zink Media, LLC (d/b/a Discogs) and its holding company, Meta Zink Corporation have certified to the U.S. Department of Commerce that We adhere to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.  Zink Media, LLC (d/b/a Discogs) and its holding company, Meta Zink Corporation have certified to the U.S. Department of Commerce that We adhere to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.  If there is any conflict between the terms in this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.   To learn more about the Data Privacy Framework (DPF) program, and to view Our certification, please visit https://www.dataprivacyframework.gov/

Information Collected

We practice privacy by design and only collect and process that information which is necessary to provide the Service or meet Our legitimate business needs. We conduct risk assessments on Our processing activities to ensure they do not cause undue harm to individuals. Generally, We collect the following categories of personal information from Service users:

Identity and Contact Information

  • Description: Identifiers such as a real name, alias, username, gravatar, postal address (shipping), unique personal identifier, online identifier, Internet Protocol address, Session ID (SSID), email address, account name, or other similar identifiers, information submitted on webforms, and information contributed to forums. Additional identifiers including identification number or beneficiary information as it relates to employee benefits and obligations.
  • Source of Information: Consumer (User)
  • Purpose: To provide the Service, including account registration, buying, selling, contributing, etc.; When provided with a job application, it is used to consider Your employment with Us or, if employed, to provide benefits or comply with legal reporting obligations
  • Information Shared With: Operating Systems and platforms; Email service providers; Parties to a transaction (if using the marketplace); Job application information is not shared; Employee benefit information is shared with benefits providers and regulators, as applicable

Personal and Company Information, Contact Information, Bank Details and Commercial Information

  • Description: We are required to process some or all of the following information from sellers that meet requirements of specific laws and regulations: full name, primary address, photo identification (selfie), government ID, date of birth, bank account details, tax identification number (TIN), place of birth (if You do not have TIN), VAT identification number, if available, as well as the existence and location of a permanent establishment through which the business activities are carried out, if and as applicable. Refer to Everything You Need to Know About Seller Account Identification for additional information.
  • Source of Information: Seller (User)
  • Purpose: For legal purposes, to report Your taxpayer information to relevant tax authorities and comply with Our tax obligations, as well as to reduce the risk of fraud on Discogs marketplace platform and subsequent financial and personal data losses that users / buyers may experience
  • Information Shared With: Tax authorities and regulators, as applicable; and Seller Verification Service Providers

Commercial Information

  • Description: Records of products or services purchased, obtained, or considered, other purchasing or consuming histories or tendencies, or financial identifier (i.e., PayPal ID).
  • Source of Information: Consumer (User)
  • Purpose: To provide the Service related to transactions
  • Information Shared With: Operating Systems and platforms; Email service providers; Parties to a transaction (if using the marketplace)

Technical Information

  • Description: Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding Your interaction with the Service or marketing materials, operating systems and other technology used on Your devices to access the Service.
  • Source of Information: Consumer (User); User Device
  • Purpose: To provide the Service, including personalization and performance/analytics to improve the Service
  • Information Shared With: Operating Systems and platforms

Geolocation Information

  • Description: Non-precise geolocation data based on Your IP address or other analytics tools.
  • Source of Information: Consumer (User); User Device
  • Purpose: To provide the Service, including personalization
  • Information Shared With: Operating Systems and platforms; *Analytics (if You allow performance SDKs, this constitutes a “sale” or "sharing" under California Privacy Rights Act)

Professional Information

  • Description: Prior work and other related information provided to Us if You apply for a job with Us
  • Source of Information: Consumer (User)
  • Purpose: To consider Your employment with Us
  • Information Shared With: Not shared

Educational Information

  • Description: Education information provided to Us if You apply for a job with Us
  • Source of Information: Consumer (User)
  • Purpose: To consider Your employment with Us
  • Information Shared With: Not shared

Inferred Information

  • Description: Inferences drawn from any of the information identified above reflecting Your preferences, behavior, and interests.
  • Source of Information: Consumer (User); User Device
  • Purpose: To provide the Service, including personalization
  • Information Shared With: Operating Systems and platforms; *Analytics (if You allow performance SDKs, this constitutes a “sale” or "sharing" under California Privacy Rights Act)

Browsing Information

  • Description: Browsing data collected via SDKs, such as page/screen viewed and events (e.g., clicks)
  • Source of Information: User Device
  • Purpose: To provide the Service, including personalization and performance/analytics to improve the Service
  • Information Shared With: Analytics (if You allow performance SDKs, this constitutes a “sale” or "sharing" under California Privacy Rights Act)

Contest and Giveaway Contact Information

  • Description: Contact information such as name, email, address, and other identifiers depending on the contest or giveaway type
  • Source of Information: Consumer (User)
  • Purpose: To provide contests and giveaways
  • Information Shared With: Not shared unless explicitly disclosed in contest or giveaway terms, in which case information may be shared with disclosed partners supplying the prizes

We may collect biometric personal data for the purpose of uniquely identifying a natural person, in the form of facial pictures of Sellers to compare them against government ID as a part of the seller verification process. We would collect this data for the purpose of fraud prevention only upon Your explicit consent as the legal basis. You have the right to withdraw Your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

We do not collect any other sensitive personal information, such as information about users’ race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, health data, genetic data, biometric data, or any other protected classes of information. We do not collect any information about criminal convictions and offenses unless such information is surfaced in a job application. Please see California Employees, Contractors, and Job Applicants and Our website Privacy Policy for additional information about data collected for employment purposes. 
 

We rely on the following lawful bases to collect and process personal information based on the EU and UK versions of the General Data Protection Regulation (“GDPR”):

  • Consent: use for a specific purpose based on Your clear consent. Article 6(1)(a) GDPR.
  • Contract: use to provide the Service to You pursuant to Our policies or taking steps at the request of the data subject prior to entering into a contract. Article 6(1)(b) GDPR.
  • Legal Obligation: use is necessary for Us to comply with the laws in the EEA. Article 6(1)(c) GDPR.
  • Legitimate interests: use is necessary for Our legitimate interests that are not overridden by Your personal information protection interests or fundamental rights and freedoms. Article 6(1)(f) GDPR.

In the case the Personal Data is collected and processed under the California Privacy Rights Act (“CPRA”), We rely on the following legal grounds:

  • Business: use for Our or Our service provider’s/processor’s operational purposes that is reasonable and necessary to provide the Service. Section 1798.140(e) CPRA.
  • Commercial: use by Us to increase Our revenue, such as by encouraging transactions through the marketplace or user subscriptions to marketing-related emails. Section 1798.140(g) CPRA. 

More specifically, Our basis for collecting and using the personal information described will depend on the portion(s) of the Service utilized:

Browsing

  • Personal Information Collected: SDK-based information related to browsing, Your device, and IP address. Depending on Your jurisdiction, SDKs may be activated with Your consent.
  • Purpose of Collection: Analytics (Service health, usability, etc.)
  • Basis for Use: GDPR: Consent; CPRA: Commercial purpose

Account Registration via Discogs application

  • Personal Information Collected: Username, email address, SSID, IP address, geolocation, browser type/version, and operating system
  • Purpose of Collection: Verification of Your identity when You access Our Service, fraud prevention, communication with You, and customization of certain aspects of Your visits, such as language. Registration also allows You to list or purchase items for sale, contribute to the catalogue, build a collection and wantlist, and participate in forum discussions.
  • Basis for Use: GDPR: Contract, Legitimate Interest; CPRA: Business purpose

Selling on discogs.com

  • Personal Information Collected: We are required to process some or all of the following information from sellers that meet requirements of specific laws and regulations: Full name, primary address, PayPal Account Name, photo identification (selfie), date of birth, government ID, bank account details, tax identification number (TIN), place of birth (if You do not have TIN), and VAT identification number, if available, as well as the existence and location of a permanent establishment through which the business activities are carried out, if and as applicable. Refer to Everything You Need to Know About Seller Account Identification for additional information.
  • Purpose of Collection: Use of the marketplace to engage in transactions with purchasers, and for legal purposes, to report Your taxpayer information to relevant tax authorities and comply with Our tax and fraud prevention obligations.
  • Basis for Use: GDPR: Contract, Legitimate Interest, and Legal Obligation; CPRA: Business purpose

Shipping Labels Service

  • Personal Information Collected: Address and phone number
  • Purpose of Collection: Population of shipping label(s) on Your behalf
  • Basis for Use: GDPR: Contract; CPRA: Business purpose

Third Party Payment Services

  • Personal Information Collected: 1. Depending on whether You are a business or individual: name, date of birth, email address, phone number, company name, tax identification number, bank account information, government issued photo identification, and bank statement or voided check. 2. Username, account creation date, IP address and email address
  • Purpose of Collection: 1. Identity verification (per financial regulations) - this information is required by Our third party payment processor(s). 2. Fraud review for accounts.
  • Basis for Use: GDPR: Contract; CPRA: Business purpose

Purchasing

  • Personal Information Collected: Full name, address, and phone number (optional)
  • Purpose of Collection: To complete transaction shipping from seller. We do not collect or store any purchaser payment information, such as credit card information. Such information is provided directly to the seller by the purchaser with no interaction by or through Us. Depending on Your payment option selection, certain third parties may have access to such information (i.e., PayPal, Inc.)
  • Basis for Use: GDPR: Contract; CPRA: Business purpose

Registration for NearMint

  • Personal Information Collected: Email address, name, address, username
  • Purpose of Collection: Inventory management service
  • Basis for Use: GDPR: Contract; CPRA: Business purpose

Marketing Emails

  • Personal Information Collected: Email address
  • Purpose of Collection: Some countries require that We obtain Your explicit consent (opt in) to send You marketing-related emails, while other countries do not require express consent. In all cases, You may opt out from receiving marketing-related emails in the notification preferences within Your account settings or from within the email messages themselves.
  • Basis for Use: GDPR: Consent; CPRA: Business purpose, Commercial purpose

Abandoned Cart Messaging

  • Personal Information Collected: Username, email address
  • Purpose of Collection: Messaging You about items that You added to your shopping cart but You did not complete Your purchase during the same session
  • Basis for Use: GDPR: Legitimate Interest or Consent (as applicable); CPRA: Commercial purpose

User Support

  • Personal Information Collected: Email address, username (if registered) and other information You provide for the purpose of responding to Your question or concern, including information submitted to Us to make a valid copyright claim, such as name and contact information.
  • Purpose of Collection: Reviewing Your questions/concerns and responding to You. We ask that You do not submit any information to Us that is not absolutely necessary for Us to assist You.
  • Basis for Use: GDPR: Contract, Legal Obligation; CPRA: Business purpose

Error Reporting

  • Personal Information Collected: Username, email address, IP address, device information
  • Purpose of Collection: Reviewing errors or issues with the Service reported by You directly
  • Basis for Use: GDPR: Contract; CPRA: Business purpose

Recruitment

  • Personal Information Collected: Name and email address, may also include postal address and professional and education history if provided by applicant
  • Purpose of Collection: To consider Your employment with Us
  • Basis for Use: GDPR: Contract; CPRA: Business purpose

Surveys and Research

  • Personal Information Collected: May include Discogs registration status, username, email address, IP address, device information, Discogs user ID, country, activity counts (transactions, submissions, and collection), some of which is optional dependent on the survey type
  • Purpose of Collection: Service improvements (surveys are always optional and subject to consent)
  • Basis for Use: GDPR: Consent; CPRA: Business purpose, Commercial purpose

Contests and Giveaways

  • Personal Information Collected: Name, email, address, other identifiers dependent on the contest or giveaway type
  • Purpose of Collection: Participation in contests and giveaways, including winner selection, notification, and delivery of prizes
  • Basis for Use: GDPR: Consent; CPRA: Business purpose

SDKs and Our Service: Refer to the section below titled “SDKs” for additional information about how We use identifiers within Our Service.

Information Sharing And Disclosure

We share personal information with service providers (processors) that act as an agent to perform tasks on Our behalf and under Our instructions. Examples include providers that assist with payment processing (i.e., PayPal), shipping (i.e., USPS), or providers that We contract with to send emails on Our behalf (i.e., HubSpot). This information is limited only to the information needed to perform the tasks. If certain SDKs are enabled on Your device, then We may also share SDK-related information with related service providers, such as analytics companies. Additional information about the service providers/processors We use to support delivery of Our Service is set forth on our Processors List. All service providers/processors are subject to Our ongoing due diligence reviews for compliance with privacy and data protection requirements, as well as contractual terms. For additional information about service provider (processor) and third party privacy practices, please review those parties’ privacy policies and notices.

We will provide You with notice and obtain Your consent, where applicable, in the event We intend to share Your information with a third party (other than as described above) or for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by You. Prior to sharing such information, You will be provided with clear, conspicuous, and readily available mechanisms to opt in or out of such sharing, as required by applicable laws and regulations. Except as described in this Policy, We do not otherwise share Your information with any third parties without Your consent or other legitimate basis. We do not provide or sell email addresses or collection/wantlist information to any third party without Your consent.  Registered users can control the public availability of their collection/wantlist information in the account settings. Please see “Notification and Other Privacy Preferences” below for additional information on limiting the sharing of Your information.

Affiliates: We may share information within our network of affiliated companies, including Zink Media, LLC, Discogs B.V., and Discogs G.K., in order to provide the Service. Each of Our affiliated companies is subject to the terms of this Policy and follows the same privacy practices. All sharing among affiliates is subject to appropriate documentation and risk assessments.

Software Development Kits (SDKs): Please see the section entitled “SDKs” below on what SDKs means for you. We may share information with analytics providers. This sharing is considered a “sale” or "sharing" under the California Privacy Rights Act. Targeted advertisements are considered a “sale” under other US state privacy laws and regulations. We do not provide targeted advertising within our mobile application service. You must be 18 years of age or older to use the Service in any manner. As a result, We do not sell personal information of consumers under 18 years of age. The information is sourced from SDKs placed on Your device. The categories of information shared include:

  • Geolocation Information: Non-precise geolocation data based on Your IP address or other analytics tools.
  • Inferred Information: Inferences drawn from Your online activities reflecting Your preferences, behavior, and interests.

Depending on Your location, You may need to opt in/consent to the placement of these and other SDKs or You may have the option to opt out of these and other SDKs. Please see “SDKs” below for additional information about controlling SDKs. See “California Disclosures” below for additional information. For residents of Virginia, Colorado, Connecticut, Utah, Oregon, Texas and Montana please see “Additional U.S. State Law Disclosures” below for additional information.

Other Sharing: We may share information in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of Our Terms of Service, or as otherwise required by law enforcement or national security requirements. We may also disclose information when requested to comply with a court order, regulatory investigation, or governmental request.

Sensitive/Protected Information: We do not currently collect or process sensitive, special, or protected information except in the employment context and if You are a seller on the Website with affirmative and explicit express consent. If You are a seller on the website, please refer to the Information Collected section for more information. In the event We decide to collect sensitive, special, or protected categories of information (i.e., personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, information specifying the sex life of the individual, genetic data, or biometric data for the purpose of uniquely identifying a natural person, and any other personal data specified by applicable law or regulation) from users or business partners, We will first obtain affirmative and explicit express consent (opt in) from You (Article 9[2][a] GDPR) if We intend such information to be collected, processed or disclosed to a third party.  In addition to consent, We perform risk assessments on any processing involving sensitive data. In the event that the legal basis for collection or processing (Article 9[2] GDPR) has changed, We will inform You of the change prior to collection or processing.

Nevada, United States, Residents: We do not sell Your personal information for monetary consideration as set forth in Nevada Senate Bill 220. If We change this practice in the future, We will obtain affirmative express consent (opt in) from You before taking any such action. You can write to Us at Our Help Center to add Your email address to a “do not sell” list. Please note that You are responsible for updating Us in the event that You need to change Your email address on file. 

Mobile Devices: You may choose not to provide information related to Your mobile devices. Information on disabling device location permissions can generally be found in Your device settings or by contacting Your carrier or device manufacturer.

YouTube API Client: The Service uses YouTube API Services to provide access to YouTube content. When using the YouTube player on Our Service, You are agreeing to be bound by the YouTube Terms of Service.

Retention And Storage

We retain Your personal information only as long as it is reasonably necessary to provide You the Service and as required by applicable laws and regulations. This includes maintaining and improving the performance of Our Services, keeping Our Services secure, and maintaining appropriate business and financial records. For example, if You register for an account, but do not activate Your account in the following 14 days, then We will automatically delete Your registration information. If You otherwise use Our Service via Your account without activation in the following 14 days, then We will retain Your registration information.

If We process Your personal data on the basis of consent, then We will retain the data for as long as necessary in order to process it according to Your consent or until You withdraw Your consent. For example, We will retain Your email address related to Your consent to receive marketing-based emails only so long as You are opted-in to receive those emails. When You unsubscribe or opt-out, then We no longer use Your email address for marketing-based emails.

We may keep the minimal necessary personal information about You after You have deactivated Your account for the period of time needed for Us to pursue legitimate business interests, conduct audits, comply with (and demonstrate compliance with) legal obligations, resolve disputes and enforce Our agreements. For example, We may be required to retain Your information to comply with applicable tax/revenue laws or our Know Your Customer (“KYC”) obligations.

Information submitted to or obtained via Our Service is maintained on secure servers and cloud platforms in the United States. We work with third parties to deliver the Service, most of which are also located within the United States.  Please see our Processors List for details about the third parties that help us deliver the Service to You.

Safeguarding Your Information

The security of Your Data is of utmost importance to us. Therefore, We have implemented the following technical and organizational measures to ensure the required level of protection for Your Personal Data:

Physical Security

  • We use secure facilities to prevent unauthorized persons from accessing personal information.
  • Cloud service provider data center facilities adhere to appropriate controls.

Data and Network Security

  • Our internal teams ensure We follow industry best practices for monitoring and maintaining data center firewalls and authentication via hashed and salted passwords. 
  • Personal information is accessible and managed only by properly authorized staff.
  • We use encryption for data residing on off-site backup tapes and server storage volumes. 
  • Encrypted data transfer over SSL and other controls to prevent unauthorized access during electronic transmission.
  • Full disk encryption is maintained for all laptops issued to employees.
  • Data is encrypted before disposal and deletion. 
  • Vendors that process Your data are vetted for compliance with applicable laws and regulations.
  • Logical separation to ensure that personal information is only processed per the terms of this Privacy Policy and your chosen privacy settings.
  • Input controls to ensure that  personal information is provided and edited by You or by Us at Your direction.

Vulnerability Management:

  • We regularly patch our servers and address critical vulnerabilities immediately. 
  • Third parties are engaged in running penetration tests against our system. 

Data Backup and Recovery:

  • Appropriate contingency plans and data backups are maintained during data loss.
  • Data backups are taken regularly, secured and encrypted.
  • Backup systems are designed to regularly back up site data.
  • Emergency and contingency plans are maintained for various systems. 
  • Our cloud service provider is committed to maintaining SSAE 18, SOC 1, and SOC2 certifications, which We continuously review.

Data Resilience:

  • Your data is stored on servers in the United States. 
  • We utilize a worldwide CDN of 20+ edge data centers to improve routing latency and network performance.

Compliance Certifications:

  • We are certified under the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework, and the UK-U.S. Data Privacy Framework set forth by the U.S. Department of Commerce.

Data Breach Notification:

  • Upon awareness and/or discovery of a breach involving Your data and if deemed appropriate, We will contact appropriate regulators and You directly. 

Despite Our efforts, no security measure can be absolute, and there can be no guarantee that Your personal information will not be accessed through malicious means, inadvertent disclosure, or mistake.

Transfer Of Personal Information

Privacy and data protection laws and regulations and their associated transfer requirements vary by location (state, country and region). We strive to comply with transfers of personal information under these laws and regulations by ensuring transfer is made under an appropriate legal basis. We only transfer personal information to those parties that act as service providers or processors with respect to the Service We provide to You, with Your consent, or under a legitimate interest or business, or commercial purpose, as described in this Policy. We may also transfer personal information if required to do so by other applicable laws and regulations, including those related to criminal or civil matters.

Our technical infrastructure is located in the United States. If You choose to use the Service, You agree to Our Terms of Service which states that Your personal information will be hosted within Our United States infrastructure and Your personal information is required to be transferred to the United States as a result. We work with third parties to deliver the Service, most of which are also located within the United States.  We conduct risk assessments and require additional contractual requirements where the third parties We work with are located outside of the United States. Please see our Processors List for details about the third parties that help us deliver the Service to You and the locations of those parties.

To the extent that We transfer Your personal information outside of Your country of residence, We rely on the following types of mechanisms to ensure the security of that information:

  • Data Processing Agreements
  • Model Clauses (i.e., EU standard contractual clauses and jurisdictional amendments), found here.
  • EU Adequacy Decisions, found here.
  • Risk Assessments (i.e., data transfer risk assessments, processing activity risk assessments)
  • Ongoing monitoring of recipient country’s personal information protection systems

In the event that We go through a business transfer such as a consolidation, merger, restructuring, acquisition, or sale of part or all of Our assets, We will obtain Your consent to the transfer of Your information as permitted by law and to the continued use of Your information by the recipient following the transfer so long as they comply with this Policy. 

Personally-Identifiable Information Submitted By Children

The Service is not intended for use by children under 18 years of age. Please consult local laws for age restrictions in additional jurisdictions. IF YOU ARE UNDER 18, DO NOT USE OR ACCESS THE SERVICES AT ANY TIME OR IN ANY MANNER. If We determine that personally-identifiable information of children under the age of 18 has been collected, We will remove the information from the Service. If You are a parent or guardian and learn that a child under the age of 18 has created an account, You may contact Us and request that the information be removed from the Service at privacy [at] discogs [dot] com.  

California Disclosures

The following disclosures are required for California consumers.

If You are a seller on the Website, with Your explicit and express consent, Our third party identification provider may process biometric data (“selfie”) and personal identification numbers (social security number, drivers license, passport, or state ID card numbers) to determine Your identity, which is considered “Sensitive Personal Information” as defined in California Civil Code Section 1798.140 of the California Privacy Rights Act of 2020. The information will not be used for any other purposes other than to verify Your identity. This information is kept on file for up to seven years depending on the applicable regulation pursuant to which it was obtained.

Right to Know About Personal Information Collected

Please refer to the “Information Collected” and “Information Sharing and Disclosure” sections above.

Do Not Sell or Share My Personal Information/Notice of Right to Opt-Out of Sale or Sharing of Personal Information

By default, only strictly necessary SDKs are placed on California site visitor devices until the visitor actively opts into additional SDK types.

  • If You take no action on the SDK banner, all SDKs (except for strictly necessary SDKs) will continue to be blocked. 
  • If You select “Accept SDKs” in the SDK banner, (i) strictly necessary SDKs will still be placed, (ii) You explicitly consent to the placement of functional SDKs and (iii) You explicitly consent to targeting and performance being placed on Our Service by third parties for other valuable consideration for the purpose of (a) targeting for collecting data for email, onsite and in-app messages, and coordinating data across marketing channels, and (b) analytics for Service performance reviews and improvements. Targeting SDK providers may use information from SDKs, such as Your non-precise geolocation and inferred interests based on Your browsing behavior to serve You personalized messages. We do not otherwise “sell” or "share" (as defined by the California Privacy Rights Act) any personal information. We only share Your personal information with others for the limited purpose of providing the Service to You.
  • If You click “Accept SDKs” and subsequently click “Do Not Sell or Share My Personal Information”, (i) this has the effect of placing strictly necessary SDKs and functional SDKs on your device for website functionalities (functional SDKs), but (ii) prevents Our Services from sharing or selling Your personal information from SDKs with third parties for the purpose of targeting and analytics.

Since the SDK consent actions must be performed by a person using Your device, We do not conduct any identity verification with respect to Your exercise of this right.  We also honor opt-out preference signals as discussed above under “Opt-out Preference Signals.” You may contact Us at privacy [at] discogs [dot] com for additional information about Your opt out rights.  Please see “SDKs” below for additional information about controlling SDKs.


Right to Know, Right to Correct, and Right to Delete

You may submit a request for the categories and specific information that We have collected about You, request correction of Your information, or request that We delete any personal information about You that We have collected, subject to certain exceptions. Refer to Your Personal Information Rights section below for information on submitting requests regarding Your rights.

Information Submitted by Minors under 18 in California

You must be at least 18 years old to use or access the Service in any manner. If You are a minor under the age of 18 residing in the State of California, United States, You have additional rights under California law. If You posted any information or content in violation of our minimum age policy of 18 years old, You may request removal of any information or content. We cannot ensure that removal of information You provided to the Service will be complete or comprehensive (i.e., information posted to public groups and forums that may be accessed by non-users) but it will be complete and comprehensive on Our part (i.e., user account information). In addition, if at any time You delete Your account, We will remove Your information from the Service. Deletion and removal of information is subject to exceptions to maintain certain information as described in the “Retention and Storage” section of this Policy.

Your California Privacy Rights (Shine the Light Law)

We do not share personal information as defined by California Civil Code Section 1798.83 (“Shine The Light law”) with third parties for their direct marketing purposes absent Your consent. If You are a California resident, You may request information about Our compliance with the Shine the Light law by contacting Us by email to privacy [at] discogs [dot] com or by sending a letter to Zink Media, LLC (d/b/a Discogs), 4145 SW Watson Avenue, Suite 350, Beaverton, Oregon, USA 97005. Any such request must include "California Privacy Rights Request" in the first line of the description and include Your name, street address, city, state, and ZIP code. Please note that We are only required to respond to one request per user each year, and We are not required to respond to requests made by means other than through this email address or mail address.

Additional U.S. State Law Disclosures

The following disclosures are required for Virginia, Connecticut, Colorado, Utah, Oregon, Texas and Montana consumers.

Right to Know Categories of Personal Data Processed by Us

Please refer to the “Information Collected” and “Information Sharing and Disclosure” sections above. You may submit a request for the categories that We have processed about You, subject to certain exceptions. Refer to the “Your Personal Information Rights to Access, Alter, or Erase Your Personal Information” section below for information on submitting requests regarding Your rights pursuant to Your Right to Know under various U.S. state laws and regulations. 

If You are a seller on the Website, with Your explicit and express consent, Our third party identification provider may process biometric data (“selfie”) to determine Your identity, which may be considered “Sensitive Personal Information” pursuant to applicable U.S. state privacy laws and regulations. The information will not be used for any other purposes other than to verify Your identity. This information is kept on file for up to seven years depending on the applicable regulation pursuant to which it was obtained.

Right to Know the Purpose of Processing 

Please refer to the “Information Collected” and “Information Sharing and Disclosure” sections above regarding Your right to know purposes of processing.

Right to Know Information About Our Third Party Processors

Depending on Your jurisdiction, You have a right to request from Us the categories of personal data shared with third parties, the categories of third parties, or a list of specific third parties to which We have disclosed personal data. Please see Our Processors List for details about the third parties that help Us deliver the Service to You. 

Do Not Sell My Personal Information/Notice of Right to Opt-Out of Sale of Personal Information

We do not provide for targeted advertising by programmatic advertisers on our mobile applications. We do allow targeting SDKs for collecting data for email, onsite and in-app messages, and coordinating data across marketing channels. We also allow performance SDKs for the purpose of analytics for Service performance reviews and improvements. We only share Your personal information with others for the limited purpose of providing the Service to You. If You are a Virginia, Colorado, Connecticut, Utah, Oregon, Texas, or Montana mobile application user, then You must select the “Reject All” or “Opt Out of Sale of Personal Data or Targeted Advertising” link available in the mobile application to block (opt out of) SDKs labeled as targeting and performance. Opting out via the link will have the effect of only activating strictly necessary and functional SDKs on Your device and preventing targeting and performance SDKs from activation on current and future interactions with Our Service. Since this action must be performed by a person using Your device, We do not conduct any identity verification with respect to Your exercise of this right. You may contact Us at privacy [at] discogs [dot] com for additional information about Your opt out rights. Please see “SDKs” below for additional information about controlling SDKs.

How to Exercise Your Rights and Appeal

Please refer to “Your Personal Information Rights” on how to exercise Your Rights and how to appeal. 

Notification And Other Privacy Preferences

We do not send spam and do not permit spam on or through Our Service. We comply with the CAN-SPAM Act of 2003 (US) and applicable international anti-spam regulations. Access to certain portions of Our Service include account registration or consent. We may send You marketing-related email upon Your express opt-in, making a purchase through Our Service, or by registering for Our Service, depending on Your jurisdiction. You may opt out of those portions at any time. Information about privacy and notification preferences within the Service, including opt in and opt out settings, can be found in Our How To Adjust Account, Notification & Other Privacy Preferences help document.   

Public Groups & Forums

You must be registered on the Site in order to post on the forum. Information You post to the public areas of the Service (groups / forums / searchable catalog) is not private, and is not protected under this Policy. Please exercise caution when disclosing Your information in these areas. You acknowledge that Other Users and the public, in general, not covered by this Policy will have access to Your public postings and We cannot be responsible for any subsequent use of personal information contained in Your public postings.

Chatbot

We offer a chatbot on our support.discogs.com pages to assist You in finding policies and guidance documents. We do not solicit You to provide any personal information in this chatbot and do not recommend that You provide any personal information in this chatbot. All chatbot conversations are recorded for use by Us to improve our user support processes. Therefore, We only collect information that You voluntarily provide during chat conversations. We do not gather any additional personal information beyond what is explicitly shared by You in these chat conversations. By entering information into the Discogs chatbot, You consent to this recording. If the chat conversation directs You to the “Submit a Request” form available on Our website, You will be asked to provide personal information in order for Us to contact You.

SDKs 

What are SDKs?

SDK stands for “Software Development Kit”. These are collections of software development tools that We use to provide products and services to You. Some SDKs are required for App software development. For example, the iOS SDK is required for any iOS Application. One SDK that our Android and iOS Applications both use is the Firebase Analytics SDK. This allows for Us to track App performance metrics and usage. This data is anonymized and provides guidance on what to improve in future App Versions. Privacy policies and contact information for third parties that place SDKs via the Discogs App can be found in Our Processors List.

SDKs have different lifespans:

  • Persistent: these files remember certain information about Your preferences for viewing mobile apps, and allow the mobile app manager to recognise You each time You return. These are stored on Your mobile device until You choose to delete them.
  • Session: these files are specific to a particular visit to a mobile app and carry information as You view different pages on a mobile app so You don’t have to re-enter information.

How We Use SDKs

Our SDKs: We use Our mobile app specific SDKs to uniquely identify You after You access Our Service. Upon successfully logging in, Our server will generate a unique and random token. A copy of the token is saved on Our server, and a copy is sent to Your mobile app as a login token. Your mobile device sends this token back to Our server each time it requests a resource from Our server, such as a new page to which You are navigating. Our servers then look up Your secure profile using this token.

Our SDKs are required to enable certain features that relate to Your personal account. These include:

  • Buying & Selling
  • Adding items to a Wantlist or Collection
  • Making Lists
  • Participating in Forums
  • Saving preferences
  • Submitting to the Database
  • Messaging other users
  • Social Sharing Your Collection or Wantlist

We also use Our own domain specific SDKs to assist with:

  • Login information (note: the SDK stores a unique value that identifies You after You log in, but does not store Your actual login information such as username and password)
  • Buying and selling preferences
  • General device and application setting preferences, such as language, login status and shopping cart details
  • User interaction and behavior analytics
  • Service security

Third-party SDKs: Our mobile applications use third-party SDKs to anonymously track mobile usage and analytics, such as: Firebase (https://firebase.google.com/support/privacy)

Many third-party SDKs are not essential to user experience on Our Service other than collecting data on how We can improve Our Service based on anonymous browsing behaviors.

We also partner with others, who may use various tracking technologies to provide certain services or features, including cross-device tracking, which allows us to recognize users across multiple devices or browsers.

Please see Our Processors List for additional information about parties that use tracking technologies on Our Service.

Some of these parties may provide Us with information about You (such as inferred demographic information, cross-device information, or interest categories) so that We may improve Our Service.

We do not allow third parties to access personally identifiable information from Us via SDKs or any other tracking technology. However, these technologies may allow Us or a third party to recognize You, either across devices or over time. We do not have control over third-party technologies, which maintain their own privacy policies, and they are not covered by Our Privacy Policy or this Policy.

Current SDKs

The below link provides detailed information about the SDKs available through our Discogs App. This list will change from time to time, so please check back often for updates. In addition, third parties not associated with us may also place SDKs on Your mobile device from time to time.

Your Personal Information Rights 

Identity Verification and Authorized Agents

If You submit a request to exercise Your rights under any privacy or data protection law and regulation, We will need to verify Your identity prior to complying with Your request. We verify requests by confirming the email address that sent the request is attached to a registered account on Our system. Erasure/Deletion requests include a second verification from the user sending the request. If You do not have an account with Us the only data We collect and process is (i) made available via SDKs as allowed by law or regulation, which You can manage via Your “SDK Settings” or “Manage Preferences” link on the Service in applicable jurisdictions, or (ii) any email address and country (as applicable) that You provide when signing up for Our email subscriptions and You may unsubscribe via the email links at any time.

Your authorized agent may be able to make a request to exercise Your rights on Your behalf. Please contact Us at privacy [at] discogs [dot] com to do so.

Consent

Where You have provided Your consent to any part of the Service, You may withdraw that consent at any time. To withdraw Your consent to Our policies in their entirety, You must cease using the Service.  You may also withdraw Your consent to certain processing activities within the Service within Your account settings. Finally, You may withdraw Your consent to marketing-related email using the “unsubscribe” button found in those emails and, in some cases, within Your account settings.

Automated Decision Making

If You complete the “seller settings” within Your account, indicating a desire to sell through Our Service, You will undergo an automated assessment of Your email address to verify its validity. Such assessment amounts to email address profiling and will result in an automated decision regarding Your ability to sell through Our Service. The assessment results in a risk rating of the email address and higher risk email addresses may not be granted the ability to sell through Our Service. In addition, as part of Our seller verification process, We may conduct facial cross-checks of identity cards, and photos or video selfies, uploaded by You to our identity verification provider’s platform. This process is completed solely through automated means and results in profiling. Both of these assessments could impact You financially if You are not eligible to sell through Our Service as a result. We do not otherwise participate in any automated decision making.

You have the right to obtain human intervention, express your point of view and contest the outcome of these assessments by contacting Us at privacy [at] discogs [dot] com.

Access

You have a right to access Your personal information that We collect/process/store or personal information that We “sell” or "share". Personal Data We “sell” or "share" (as defined by various U.S. State privacy laws and regulations) is limited to information generated by SDKs related to analytics.

Other than Your IP address, geolocation, SSID, device information and operating system (collected when You access the Service), information collected via SDKs (with Your consent, as applicable), and information that You provide to Us in Your support requests, all personal information We collect from registered users can be found in Your user profile by reviewing Your User Profile Settings and the additional settings noted in the menu on the left side of the page (i.e., Notification, Privacy, Buyer, Seller, etc.).

In addition,

  • We offer email subscription services available to both registered and non-registered users that collect only an email address provided directly by the user.
  • For those jurisdictions where We provide a SDK banner, SDK settings specific to Your device can be viewed via the “Settings,” “Manage Preferences,” or “Manage Privacy” links located on Our Service.

Additional information about privacy and notification preferences within the Service, including opt in and opt out settings, can be found in Our How To Adjust Account, Notification & Other Privacy Preferences help document.  

You may also access Your personal information and how it is used and shared by completing the Request Access of Data form in Our Help Center. We will comply with Your request within 30 days, unless a shorter time period is required by local laws and regulations, and if permitted by law. Additional questions may be submitted to privacy [at] discogs [dot] com.

Additionally, depending on Your jurisdiction, You also have a right to access a list of specific third parties to whom We have disclosed Your personal data. Please see Our Processors List for details about the third parties that help Us deliver the Services to You.

Rectification, Restriction, and Objection 

We want to make sure that Your personal information is accurate and up to date. Information within the Services is limited to that information that You have provided directly.  If You would like to rectify personal information that You have previously provided to Us and are unable to do so using the How To Adjust Account, Notification & Other Privacy Preferences instructions, then please contact Us through Our Help Center. In Your request, please make clear what information You would like to have changed, whether You would like to have Your personal information suppressed from Our catalog or otherwise let Us know what limitations You would like to put on Our use of Your personal information that You have provided to Us. Some portions of Our Service may no longer be available if You request that We restrict processing or if You object to the processing of certain information. 

If You would like to restrict or object to the processing of personal information that You have previously allowed by Us and are unable to do so using the How To Adjust Account, Notification & Other Privacy Preferences instructions, then please contact Us through Our Help Center. In Your request, please make clear what information You would like to restrict or object to, or otherwise let Us know what limitations You would like to put on Our use of Your personal information that You have provided to Us. Some portions of Our Service may no longer be available if You object or request that We restrict processing of certain information.

If You would like to object to the processing of personal information that You have previously allowed by Us and are unable to do so using the How To Adjust Account, Notification & Other Privacy Preferences instructions, then please contact Us through Our Help Center. In Your request, please make clear what processing You would like to object to or otherwise let Us know what limitations You would like to put on Our use of Your personal information that You have provided to Us. Some portions of Our Service may no longer be available if You object to the processing of certain information.

In all cases, We will comply with Your request within 30 days, unless a shorter time period is required by local laws and regulations, and if permitted by law. In the event that this time period needs to be extended, We will comply with applicable laws or regulations when it comes to notifying You of such an extension and reason for the extension. Additional questions may be submitted to privacy [at] discogs [dot] com.

Erasure/Deletion

You have a right to obtain erasure or deletion of the personal information You have provided to Us related to Your use of the Service. Exercising this right will result in closure of any account You have opened and removal of any items You have listed in Your collection, wantlist or for sale in the Marketplace. This will impact certain functionality of the Service available to You online. In addition to user-shared information, We process certain personal information automatically or indirectly, such as through SDKs, analytics, tracking technologies, or data obtained from third parties. Upon Your request for erasure or deletion, We will take reasonable steps to remove, anonymize, or cease processing such data, in accordance with applicable laws and regulations. If You request erasure or deletion, pursuant to the Terms of Service, (i) Your user-generated content contributions will be anonymized by having the user name replaced by a generic term (i.e., "previous user1234" or simply "anonymous1234"), and (ii) We are entitled to continue using this anonymized user-generated content. We cannot guarantee that Your username as associated with any information You posted in public forums and discussions will be fully erased as Other Users have access to those portions of Our Service and may have used or republished such information, including Your username, subject to Our Terms of Service, prior to the time of Your request. In addition, Artists whose information is contributed to Our Service by Our registered users may submit a request for erasure or deletion. We will comply with Your request within 30 days, unless a shorter time period is required by local laws and regulations, and if permitted by law or as set forth below. We may need to maintain certain information for additional days in order to carry out Our contractual obligations to You in certain situations. For example, We provide support for transaction disputes for 90 days following the date of transaction. 
In addition, We may maintain minimal personal information on You for a reasonable period of time if You have violated the Terms of Service resulting in an account suspension or ban in order to protect other users or pursuant to any regulatory or legal exceptions allowing Us to maintain the information. You may submit a request for erasure or deletion by completing the Request Erasure of Data form in Our Help Center. Additional questions may be submitted to privacy [at] discogs [dot] com.

Human Intervention

Under various data protection regulations, You have a right to not be subjected to a decision that produces legal or significant effects on You, and is based solely on automated processing, including profiling. This means that You have a right to human intervention in processing activities, express Your point of view, obtain an explanation of the decision reached after such assessment and challenge that decision. Outside of facial identification verification and email verification, We do not conduct any processing activities where Your data is processed based solely on automated decision-making (including profiling). If We consider using automated decision-making for additional processing activities in the future, this Policy will be updated and We will provide additional notification to You when required.

Portability

You have a right to receive the personal information concerning You, which You have provided to Us, in a structured, commonly used and machine-readable format and You have the right to transmit those data points to another controller where Our processing is based on Your consent or any contract You have with Us and the processing is carried out by automated means. You may submit a request for portability by completing the Request Portability of Data form in Our Help Center. Additional questions may be submitted to privacy [at] discogs [dot] com.

Appeal

If We are unable to fulfill Your request, You may formally appeal the action by contacting Us at privacy [at] discogs [dot] com.  We will respond to Your appeal within required time frames outlined by the privacy and data protection laws of Your jurisdiction. U.S.-based individuals may contact their state Attorney General if they have concerns about the result of an appeal.

Non-Discrimination Policy

We do not discriminate against users of Our Service, whether You use the Service without incident or choose to exercise Your rights under any applicable laws or regulations.

Complaints

If You believe that Your privacy rights have been breached or that Your personal information has been compromised as a result of using Our Service, please contact Us via the Help Center or at privacy [at] discogs [dot] com. We may ask for additional information to confirm Your identity prior to assisting with Your complaint. We will respond to Your complaint within 30 days of receipt, unless a shorter time period is required by local laws and regulations, if permitted by law and may request additional information from You to complete Our investigation. You may also contact us as follows:

  • Our global Data Protection Officer in the EU (HewardMills) can be contacted by email at dpo [at] discogs [dot] com, by mail to 77 Farringdon Rd, London ECIM 3JU, United Kingdom, or by phone to +44 20 4540 5853.
  • Our Data Protection Representative in the UK (DPO Consultancy Limited) can be contacted at ukdpr [at] discogs [dot] com.

If You are a resident of the EU or EEA and feel that Your privacy has been infringed by Our Service or practices, You have the right to lodge a complaint directly with a supervisory authority in Your member state of residence, place of work or place of the alleged infringement. The name and contact details of the Data Protection Authorities in the European Union can be found here. Our lead supervisory authority is Autoriteit Persoonsgegevens (The Netherlands).

If You are a resident of the UK and feel that Your privacy has been infringed by Our Service or practices, You have the right to lodge a complaint directly with the UK Information Commissioner’s Office (ICO).

U.S.-based users may submit complaints directly to their state’s Attorney General. Connecticut-based users may submit complaints directly to the Connecticut Attorney via the forms located at: https://portal.ct.gov/AG

For complaints about content users or We have added to Our Service or items listed for sale through the marketplace that relate to the Digital Millennium Copyright Act or other copyright laws and regulations, please review the How Do I Report Copyright Infringement information documentation.

Dispute Resolution

In the event that We are unable to resolve any complaint or dispute that You bring to Our attention, You may contact an independent dispute resolution body free of charge. We have chosen JAMS as Our independent recourse mechanism. You can file a claim with JAMS at the following website: https://www.jamsadr.com/DPF-Dispute-Resolution. Under certain conditions, You may invoke binding arbitration for complaints regarding EU-U.S. DPF compliance not resolved by any EU-U.S. DPF mechanism. For more information, please visit: https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2.

General

We may amend this Policy at any time by posting the amended terms on Our Service and notifying You of material changes to the Policy along with an opportunity to opt in to changes that require Your consent by law or regulation or to opt out of any changes that decrease Your rights under this Policy. All non-material changes to Our terms are effective on the effective date of the Policy. We encourage You to review this Policy from time to time. By continuing to use the Service after non-material changes are effective, or after being notified of a material change, You will be deemed to have accepted the changes.

We are subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission in connection with Our EU-U.S. DPF, Swiss-U.S. DPF, and UK-U.S. DPF compliance. Notwithstanding any language to the contrary in this Privacy Policy, in cases of onward transfers to third parties of personal data of individuals received pursuant to the EU-U.S. DPF, Swiss-U.S. DPF, and UK-U.S. DPF, We are potentially liable.

This Policy has been drawn up in the English language. In case of discrepancies between the English text version of this Policy and any translation, the English version shall prevail.

Contact Us

  • You can contact Us about this Policy and Our practices via Our Help Center or at privacy [at] discogs [dot] com. 
  • Our global Data Protection Officer (HewardMills) can be contacted by email at dpo [at] discogs [dot] com, by mail to 77 Farringdon Rd, London ECIM 3JU, United Kingdom, or by phone to +44 20 4540 5853.
  • Our Data Protection Representative in the UK (DPO Consultancy Limited) can be contacted at ukdpr [at] discogs [dot] com or by mail to Office 5, REC 2, Enterprise Centre, Randall Way, Retford, Nottinghamshire, DN22 7GR, United Kingdom.

                                                                                                                                               
