PRIVACY POLICY
Rhythms & Roots — www.rythmesroots.com
Rhythms & Roots attaches the utmost importance to the protection of your personal data and the respect of your privacy. This Policy informs you of how we collect, use, protect and share your data, in accordance with the General Data Protection Regulation (GDPR).
Table of contents
- Data controller
- Data collected
- Purposes and legal bases
- Retention periods
- Recipients of data
- Transfers outside the EU
- Your rights
- Data security
- Cookies
- Minors
- Amendments
- Contact and complaints
1. DATA CONTROLLER
Trading name: Rhythms & Roots
Legal form: Sole trader
VAT number: LU35615162
Business licences: 10164582/0, 10164582/1, 10164582/2
Email: contact@rythmesroots.com
Your data is processed in compliance with:
- Regulation (EU) 2016/679 of 27 April 2016 (GDPR)
- The Luxembourg law of 1 August 2018 on data protection
- Directive 2002/58/EC (ePrivacy)
2. DATA COLLECTED
2.1 Categories of data
| Category | Type of data | Required |
|---|---|---|
| Identity | Last name, first name, title | Yes to purchase |
| Contact | Email, phone number | Yes to purchase |
| Postal address | Delivery and billing | Yes to purchase |
| Account | Username, password (stored only as a hash, see section 8) | Yes to create an account |
| Transaction | Order history, amounts, invoices | Yes to purchase |
| Payment | Card type, last 4 digits (via secure provider) | Yes to purchase |
| Browsing | IP address, logs, cookies, pages visited | No (except essential cookies) |
| Preferences | Language, currency, favourites, wish list | No |
| Communications | History of exchanges with customer service | No |
| Reviews and content | Product reviews, comments | No |
2.2 Collection methods
Direct collection
- Account creation, placing an order, contact forms, newsletter sign-up, customer reviews
Automatic collection
- Cookies and trackers, server logs (IP, date/time, pages visited), behavioural analysis
Indirect collection
- Social networks (with your consent), commercial partners (in strict compliance with the GDPR)
2.3 Sensitive data
We do not collect any sensitive data within the meaning of Article 9 of the GDPR (ethnic origin, political opinions, religious beliefs, health data, sexual orientation, biometric or genetic data).
3. PURPOSES AND LEGAL BASES FOR PROCESSING
| Purpose | Legal basis | Data concerned |
|---|---|---|
| User account management | Performance of contract | Identity, contact, account |
| Order processing and delivery | Performance of contract | Identity, contact, address, transaction, payment |
| Invoicing and accounting | Legal obligation | Identity, address, transaction |
| Customer service and returns management | Performance of contract / Legitimate interest | Identity, contact, orders, communications |
| Fraud prevention | Legitimate interest / Legal obligation | Transaction, browsing, IP |
| Statistics and website improvement | Legitimate interest | Browsing (anonymised) |
| Newsletter and marketing | Consent | Identity, contact, preferences |
| Targeted advertising | Consent | Browsing, preferences, history |
| Customer review management | Legitimate interest | Identity, reviews |
3.1 On consent
Where processing is based on your consent, that consent must be freely given, specific, informed and unambiguous. You may withdraw it at any time, as easily as you gave it, without this affecting the lawfulness of processing carried out prior to withdrawal.
4. RETENTION PERIODS
| Type of data | Retention period | Basis |
|---|---|---|
| Active account | Duration of account activity | Performance of contract |
| Inactive account | 3 years after last activity | Legitimate interest |
| Order data | 5 years (commercial limitation period) | Legal obligation |
| Invoices | 10 years (tax and accounting obligation) | Legal obligation |
| Payment data | 13 months maximum | CNIL/CNPD recommendation |
| Connection logs | 12 months | Legal obligation |
| Analytical cookies | 13 months maximum | CNIL/CNPD recommendation |
| Newsletter (active consent) | 3 years after last contact | CNIL/CNPD recommendation |
| Customer service complaints | 5 years after case closure | Legitimate interest |
At the end of these periods, data is either permanently deleted or irreversibly anonymised for statistical purposes.
5. RECIPIENTS OF DATA
5.1 Data minimisation principle
Only strictly necessary data is shared with recipients, and solely for the defined purposes.
5.2 Processors
| Type of provider | Purpose | Data shared |
|---|---|---|
| Host (LWS) | Website hosting | All data stored on the website |
| Payment providers | Secure payment processing | Banking details, amounts |
| Carriers | Order delivery | Name, address, phone, email |
| Email services | Newsletters and communications | Email, name, preferences |
| Analytics tools (Google Analytics, etc.) | Traffic statistics | Browsing data (anonymised) |
| Security services | Fraud prevention | IP, logs, transaction data |
| Social networks (with consent) | Advertising, content sharing | Browsing, preferences |
All our processors are bound by contracts compliant with Article 28 of the GDPR, guaranteeing confidentiality, security and non-use of data for their own purposes.
5.3 No sale of data
Commitment: We never sell, rent or share your personal data with third parties for marketing purposes without your prior explicit consent.
6. TRANSFERS OF DATA OUTSIDE THE EU
We endeavour to keep your data within the European Economic Area (EEA). Where a transfer outside the EEA is necessary (cloud services, analytics tools, social networks, international payments), we rely on one of the safeguards provided for by the GDPR:
- Adequacy decisions by the European Commission
- Standard Contractual Clauses (SCCs) approved by the Commission
- The EU-US Data Privacy Framework, for transfers to recipients in the United States that are certified under it
You can obtain information on the safeguards in place by contacting: contact@rythmesroots.com
7. YOUR RIGHTS
In accordance with the GDPR and the Luxembourg law of 1 August 2018, you have the following rights:
🔍 Right of access (Art. 15 GDPR)
Obtain confirmation that we are processing your data and receive a copy, together with information on the purposes, categories, recipients and retention periods.
✏️ Right to rectification (Art. 16 GDPR)
Have inaccurate or incomplete data about you corrected.
🗑️ Right to erasure (Art. 17 GDPR)
Request deletion of your data when it is no longer necessary, when you withdraw your consent or when processing is unlawful. This right does not apply where retention is required by a legal obligation or for the establishment, exercise or defence of legal claims.
⏸️ Right to restriction (Art. 18 GDPR)
Request suspension of processing where you contest the accuracy of the data, where processing is unlawful or where you need the data for a legal claim.
📦 Right to data portability (Art. 20 GDPR)
Receive your data in a structured, machine-readable format (CSV, JSON) and transmit it to another controller, where processing is based on consent or a contract.
🚫 Right to object (Art. 21 GDPR)
Object to processing based on our legitimate interest, and unconditionally to direct marketing (including associated profiling).
🔙 Right to withdraw consent
Withdraw your consent at any time for processing that depends on it, without this affecting the lawfulness of processing carried out prior to withdrawal.
🕊️ Directives regarding data after death
In accordance with Article 32-1 of the Luxembourg law of 1 August 2018 and the recommendations of the EDPB, you have the right to define directives relating to the retention, erasure and communication of your personal data after your death.
These directives may be:
- General: entrusted to a trusted third party designated by you
- Specific: sent directly to contact@rythmesroots.com, indicating how you wish your data to be handled after your death
In the absence of directives, your heirs may exercise your rights to the extent necessary to settle your estate or obtain the closure of your account.
7.1 How to exercise your rights
By email: contact@rythmesroots.com
Via your personal account: section "My personal data"
Where we have reasonable doubts about your identity, we may ask you for a copy of an identity document before acting on your request. We will respond within 1 month (extendable by a further 2 months in complex cases, in which case we will tell you why).
7.2 Complaint to the CNPD
Commission Nationale pour la Protection des Données (CNPD)
15, boulevard du Jazz — L-4370 Belvaux — Luxembourg
Tel.: (+352) 26 10 60 - 1 | Email: info@cnpd.lu
www.cnpd.lu | Online complaint form
You may also lodge a complaint with the data protection authority of your country of residence (the list of European supervisory authorities is published by the EDPB).
8. DATA SECURITY
We implement appropriate technical and organisational measures in accordance with Article 32 of the GDPR:
🔐 Technical measures
- HTTPS/TLS: all communications between your browser and the Website are encrypted in transit
- Passwords: never stored in clear text; only a salted hash (bcrypt or Argon2) is kept, so we cannot read your password
- Web application firewall (WAF), intrusion detection/prevention (IDS/IPS), anti-malware and regular application of security patches
- Access control based on the principle of least privilege, with multi-factor authentication for administrators
- 24/7 monitoring and logging of access to your data
🏦 Payment protection
Our payment providers are PCI DSS certified. Your full card details are never stored on our servers; we retain only the card type and the last 4 digits (see section 2.1), which cannot be used to make a payment.
🚨 Data breach
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we undertake to notify the CNPD within 72 hours of becoming aware of it and, where the risk is high, to inform the individuals concerned without undue delay.
Your role
To help keep your account secure: choose a strong and unique password, never share it, and log out on shared devices. Contact us immediately at contact@rythmesroots.com if you notice any suspicious activity.
9. COOKIES
For full information on the use of cookies and other trackers on our Website, please consult our dedicated Cookie Policy.
In summary: the Website uses strictly necessary cookies (no consent required), as well as analytical, functional and advertising cookies (consent required). You can manage your preferences via the banner displayed on your first visit, or at any time via the "Manage my cookies" link at the bottom of each page.
10. MINORS
Our Website is not intended for persons under the age of 18. We do not knowingly collect data relating to minors without the consent of their parents or legal guardians. If you are a parent and discover that your child has provided us with data without your consent, please contact us immediately at contact@rythmesroots.com to exercise your rights (access, rectification, deletion, objection).
11. AMENDMENTS
We reserve the right to amend this Policy at any time to reflect changes in our practices or applicable regulations. In the event of a material change, you will be informed by a notice on the Website and, for registered users, by email. Amendments take effect upon publication.
12. CONTACT AND COMPLAINTS
By email: contact@rythmesroots.com
Response time: acknowledgement within 48 hours, full response within 1 month maximum.
LEGAL SOURCES
- Regulation (EU) 2016/679 of 27 April 2016 (GDPR)
- Luxembourg law of 1 August 2018 on data protection
- Directive 2002/58/EC (privacy and electronic communications)
- Recommendations of the Luxembourg CNPD and the European Data Protection Board (EDPB)
Last updated: March 2026
Version: 1.0
© Rhythms & Roots — All rights reserved
