PRIVACY POLICY

Personal Data Protection - Rhythms & Roots - La Petite Lutherie - www.rythmesroots.com

Rhythms & Roots attaches the utmost importance to the protection of your personal data and the respect of your privacy. This Privacy Policy informs you of how we collect, use, protect and share your data in accordance with the General Data Protection Regulation (GDPR).

Table of Contents

  1. Data Controller
  2. Data Collected
  3. Purposes and Legal Bases of Processing
  4. Retention Period
  5. Data Recipients
  6. Transfers of Data Outside the EU
  7. Your Rights
  8. Data Security
  9. Cookies and Trackers
  10. Minors
  11. Policy Amendments
  12. Contact and Complaints

1. DATA CONTROLLER

1.1 Identity of the Controller

Company name: La Petite Lutherie
Legal form: Sole trader
VAT number: LU35615162
Business authorisations: 10164582/0, 10164582/1, 10164582/2

Email: contact@rythmesroots.com

1.3 Legal Framework

The processing of your personal data is carried out in compliance with:

  • Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (GDPR)
  • The Luxembourg law of 1 August 2018 on the protection of natural persons with regard to the processing of personal data
  • Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector

2. DATA COLLECTED

2.1 Categories of Data

We collect and process different categories of personal data depending on your interactions with our Site:

Category | Type of data | Required
Identity | Last name, first name, title, date of birth | Yes, to purchase
Contact | Email address, phone number | Yes, to purchase
Postal address | Delivery and billing address | Yes, to purchase
Account | Username, password (encrypted) | Yes, to create an account
Transaction | Order history, amounts, invoices | Yes, to purchase
Payment | Card type, last 4 digits (via secure provider) | Yes, to purchase
Browsing | IP address, logs, cookies, pages visited | No (except essential cookies)
Preferences | Language, currency, favourite products, wish list | No
Communication | History of exchanges with customer service | No
Reviews and content | Product reviews, comments, shared photos | No

2.2 Methods of Collection

Your data is collected in various ways:

Direct collection

  • Account creation: information you provide during registration
  • Placing an order: delivery and billing details
  • Contact forms: enquiries, complaints
  • Newsletter: voluntary subscription to our communications
  • Customer reviews: product comments and ratings

Automatic collection

  • Cookies and trackers: browsing and Site usage data
  • Server logs: IP address, date and time of connection, pages viewed
  • Behavioural analysis: browsing path, products viewed

Indirect collection

  • Social media: if you interact with our pages (with your consent)
  • Business partners: in strict compliance with the GDPR

2.3 Mandatory or Optional Nature

Mandatory information: Fields marked with an asterisk (*) are required for the processing of your request or order. Failure to provide this information will prevent the processing of your request.

Optional information: Other information is optional and allows us to improve your experience or offer you personalised services.

2.4 Sensitive Data

We do not collect any sensitive data within the meaning of Article 9 of the GDPR (racial or ethnic origin, political opinions, religious beliefs, health data, sexual orientation, biometric or genetic data).

3. PURPOSES AND LEGAL BASES OF PROCESSING

3.1 Summary Table

Your data is processed for the following purposes, on the basis of the legal grounds set out by the GDPR:

Purpose | Legal basis | Data concerned
User account management | Performance of contract | Identity, contact, account
Order processing | Performance of contract | Identity, contact, address, transaction, payment
Product delivery | Performance of contract | Identity, delivery address, contact
Invoicing and accounting | Legal obligation | Identity, address, transaction
Customer service management | Performance of contract / Legitimate interest | Identity, contact, orders, communication
Returns and refunds management | Performance of contract / Legal obligation | Identity, contact, transaction
Fraud prevention | Legitimate interest / Legal obligation | Transaction, browsing, IP
Site improvement | Legitimate interest | Browsing (anonymised)
Statistics and analytics | Legitimate interest | Browsing, transaction (anonymised)
Newsletter and marketing communications | Consent | Identity, contact, preferences
Experience personalisation | Consent | Preferences, browsing, history
Targeted advertising | Consent | Browsing, preferences, history
Customer review management | Legitimate interest | Identity, reviews, comments
Compliance with legal obligations | Legal obligation | All necessary data

3.2 Details of Legal Bases

Performance of contract

Processing is necessary for the performance of the sales contract concluded between you and us, or for the implementation of pre-contractual measures taken at your request (account creation, quote, etc.).

Legal obligation

Processing is necessary to comply with our legal obligations, in particular:

  • Retention of invoices (10 years - tax law)
  • Anti-fraud and anti-money laundering measures
  • Compliance with accounting obligations
  • Retention of connection data (1 year - electronic commerce law)

Legitimate interest

Processing is necessary for the purposes of our legitimate interests, provided they do not override your rights and freedoms. Our legitimate interests include:

  • Improving our services and your user experience
  • Ensuring security and preventing fraud
  • Carrying out statistics and analyses (anonymised data)
  • Managing customer service and responding to your requests
  • Defending our rights in court

Consent

For certain processing activities, we ask for your explicit and prior consent:

  • Sending newsletters and marketing communications
  • Non-essential cookies (analytical, advertising)
  • Targeted and personalised advertising
  • Sharing data with marketing partners

Your consent:

  • Must be freely given, specific, informed and unambiguous
  • Can be withdrawn at any time as easily as it was given
  • Withdrawal of consent does not affect the lawfulness of processing based on consent carried out prior to its withdrawal

4. RETENTION PERIOD

4.1 General Principles

Your personal data is kept for a period that does not exceed what is necessary for the purposes for which it is processed, in accordance with applicable legal and regulatory provisions.

4.2 Detailed Retention Periods

Type of data | Retention period | Legal basis
Active account | For as long as the account is active | Performance of contract
Inactive account | 3 years after last activity, then intermediate archiving | Legitimate interest / CNIL
Order data | 5 years after the order (commercial prescription) | Legal obligation
Invoices | 10 years (accounting and tax obligation) | Legal obligation
Payment data | Maximum 13 months (15 months for subscriptions) | CNIL recommendation
Connection logs | 12 months | Legal obligation (LCEN)
Analytical cookies | Maximum 13 months | CNIL recommendation
Newsletter (active consent) | 3 years after last contact | CNIL recommendation
Unconverted prospects | 3 years after last contact | CNIL recommendation
Customer reviews | Product lifetime + 5 years, or deletion upon request | Legitimate interest
Customer service (complaints) | 5 years after case closure | Legitimate interest
Disputes and litigation | Duration of applicable statute of limitations + duration of proceedings | Legitimate interest

4.3 Intermediate Archiving

At the end of the periods mentioned above, certain data may be kept in intermediate archiving for periods strictly necessary for compliance with legal obligations or for the purpose of legal defence. Access to this data is strictly limited to authorised persons.

4.4 Permanent Deletion

At the end of the retention periods, your data is either:

  • Permanently deleted from our systems
  • Irreversibly anonymised for statistical purposes

4.5 Deleted Account

Upon deletion of your account:

  • Your account data is immediately deleted
  • Data required to comply with our legal obligations is retained (invoices, etc.)
  • Transaction data is retained in accordance with the applicable legal periods
  • You may request the deletion of your customer reviews

5. DATA RECIPIENTS

5.1 Minimisation Principle

We apply the minimisation principle: only strictly necessary data is shared with recipients, and solely for the defined purposes.

5.2 Internal Recipients

Within our company, only authorised personnel have access to your data within the scope of their duties:

  • Sales and commercial department
  • Customer service and support
  • Accounting and invoicing department
  • Logistics and delivery department
  • IT department (maintenance and security)
  • Management (within the scope of their responsibilities)

5.3 Service Providers (Sub-processors)

We use trusted service providers to help us deliver and improve our services. These providers act as sub-processors and are contractually bound to protect your data.

Type of provider | Purpose | Data shared
Web host (LWS) | Website and data hosting | All data stored on the site
Payment providers | Secure payment processing | Banking details, amounts
Carriers | Order delivery | Name, delivery address, phone number, email
Email services | Sending newsletters and communications | Email, name, communication preferences
Analytics tools (Google Analytics, etc.) | Traffic statistics | Browsing data (anonymised)
Customer service (if outsourced) | Handling enquiries and complaints | Identity, contact, order history
CRM tools | Customer relationship management | Identity, contact, interaction history
Security services | Fraud prevention, security | IP, connection logs, transaction data
Social networks (with consent) | Content sharing, advertising | Browsing data, preferences

5.4 Contractual Guarantees

All our sub-processors are carefully selected and bound by contracts compliant with Article 28 of the GDPR, which guarantee:

  • Processing of data only on documented instructions
  • Confidentiality of processed data
  • Implementation of appropriate security measures
  • Assistance in responding to data subject rights requests
  • Deletion or return of data at the end of the contract
  • Notification of any data breach

5.5 Authorities and Authorised Third Parties

In certain cases, we may be required to communicate your data to:

  • Judicial and administrative authorities: in response to a valid legal request
  • Tax authorities: as part of our legal obligations
  • Anti-fraud bodies: in cases of suspected fraudulent activity
  • Legal officers: lawyers, bailiffs (in the event of a dispute)
  • Supervisory bodies: CNPD, statutory auditors

5.6 No Sale of Data

⚠ Important commitment: We never sell, rent or share your personal data with third parties for marketing purposes without your prior explicit consent.

6. TRANSFERS OF DATA OUTSIDE THE EU

6.1 Principle

We endeavour to keep your data within the European Economic Area (EEA). The GDPR guarantees a high level of data protection within the EEA.

6.2 Possible Transfers

In certain limited cases, your data may be transferred outside the EEA, in particular to the United States, when we use services such as:

  • Cloud hosting (servers located outside the EU)
  • Analytics and statistics tools (Google Analytics, etc.)
  • Social media platforms
  • International payment services

6.3 Appropriate Safeguards

When a transfer outside the EU is necessary, we put in place the appropriate safeguards provided for by the GDPR:

Adequacy decisions

Transfers to countries recognised by the European Commission as providing an adequate level of protection (e.g. Switzerland, post-Brexit United Kingdom, countries under an adequacy agreement).

Standard Contractual Clauses (SCC)

Use of Standard Contractual Clauses approved by the European Commission, which impose strict contractual obligations on the data recipient.

Privacy Shield successors

For transfers to the United States: participation of providers in certified mechanisms (EU-US Data Privacy Framework) or use of SCCs with supplementary measures.

Certification and codes of conduct

Some providers hold recognised certifications (Privacy Shield, ISO 27001, etc.) guaranteeing an adequate level of protection.

6.4 Your Rights

You have the right to:

  • Obtain a copy of the appropriate safeguards put in place
  • Obtain information about the transfers of your data
  • Object to the transfer under certain conditions

For any request for information on international transfers: [your email]

7. YOUR RIGHTS

7.1 Rights Guaranteed by the GDPR

In accordance with the GDPR and Luxembourg law, you have the following rights regarding your personal data:

🔍 Right of access (Article 15 GDPR)

You have the right to obtain:

  • Confirmation of whether or not we are processing your personal data
  • A copy of your personal data in our possession
  • Information on the purposes of processing, categories of data, recipients, and retention period

✏️ Right of rectification (Article 16 GDPR)

You have the right to obtain the rectification of inaccurate or incomplete data relating to you. You may also complete incomplete data.

🗑️ Right to erasure / "Right to be forgotten" (Article 17 GDPR)

You have the right to obtain the erasure of your data in the following cases:

  • The data is no longer necessary for the purposes for which it was collected
  • You withdraw your consent (where processing is based on consent)
  • You object to the processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • The data must be erased to comply with a legal obligation

Limitations: This right does not apply where retention is necessary to comply with a legal obligation, or for the establishment, exercise or defence of legal claims.

⏸️ Right to restriction of processing (Article 18 GDPR)

You may request restriction of processing in the following cases:

  • You contest the accuracy of the data (during verification)
  • The processing is unlawful but you prefer restriction to erasure
  • We no longer need the data but you need it for a legal claim
  • You have objected to the processing (during verification of legitimate grounds)

📦 Right to data portability (Article 20 GDPR)

You have the right to:

  • Receive your data in a structured, commonly used and machine-readable format (CSV, JSON, etc.)
  • Transmit this data to another data controller

Conditions: Processing must be based on consent or a contract, and carried out by automated means.

🚫 Right to object (Article 21 GDPR)

You have the right to object at any time to the processing of your data:

  • General objection: For processing based on our legitimate interest
  • Absolute objection: For direct marketing (including related profiling)

In the event of a general objection, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.

🔙 Right to withdraw consent

Where processing is based on your consent, you have the right to withdraw it at any time, as easily as it was given. Such withdrawal does not affect the lawfulness of processing carried out prior to its withdrawal.

👤 Right to define post-mortem directives (Article 85 Data Protection Act)

You have the right to define directives relating to the retention, erasure and communication of your personal data after your death.

7.2 How to Exercise Your Rights

Methods of exercise

To exercise your rights, you may contact us:

By email: contact@rythmesroots.com

Via your personal account: "My Personal Data" section

Information to provide

To process your request, please provide:

  • Your first and last name
  • Your email address associated with your account
  • A copy of your identity document (for verification)
  • A precise description of your request
  • The right(s) you wish to exercise

Response times

We undertake to respond to your request within 1 month of receipt. This period may be extended by a further 2 months in cases of complexity or a high volume of requests. We will inform you within the initial 1-month period.

Free of charge

The exercise of your rights is free of charge. However, in the event of manifestly unfounded or excessive requests (in particular due to their repetitive nature), we may charge a reasonable fee or refuse to act on the request.

7.3 Right to Lodge a Complaint with the Supervisory Authority

If you believe that the processing of your personal data constitutes a violation of the GDPR, you have the right to lodge a complaint with the competent supervisory authority:

Commission Nationale pour la Protection des Données (CNPD)
15, boulevard du Jazz
L-4370 Belvaux
Luxembourg

Telephone: (+352) 26 10 60 - 1
Email: info@cnpd.lu
Website: www.cnpd.lu
Online form: Lodge a complaint

8. DATA SECURITY

8.1 Our Commitment

The security of your personal data is an absolute priority. We implement all appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR.

8.2 Technical Security Measures

🔐 Encryption and cryptography

  • HTTPS/SSL: All communications between your browser and our servers are encrypted using the TLS protocol
  • Passwords: Stored in encrypted and hashed form using robust algorithms (bcrypt, Argon2)
  • Sensitive data: Encryption at rest (AES-256) for particularly sensitive data
  • Backups: Encrypted backups stored in separate secure environments

🛡️ Infrastructure protection

  • Firewalls: Application and network firewalls (WAF) to filter malicious access
  • Intrusion detection: Intrusion detection and prevention systems (IDS/IPS)
  • Antivirus and anti-malware: Real-time protection against threats
  • Updates: Regular application of security patches
  • Isolation: Environment segmentation (production, development, testing)

🔑 Access control

  • Least privilege principle: Access limited to only the necessary data
  • Strong authentication: Robust passwords, multi-factor authentication (MFA) for administrators
  • Access management: Regular review of access permissions
  • Traceability: Logging of all data access
  • Sessions: Automatic expiration of inactive sessions

📊 Monitoring and detection

  • 24/7 monitoring: Continuous system surveillance
  • Alerts: Automatic notifications in the event of suspicious activity
  • Log analysis: Regular review of event logs
  • Security testing: Regular audits and penetration tests

8.3 Organisational Measures

Training and awareness

  • Regular staff training on security best practices and the GDPR
  • Awareness of phishing and social engineering risks
  • Documented and accessible procedures

Sub-processor management

  • Rigorous selection of providers
  • Contracts compliant with Article 28 of the GDPR
  • Regular audits of sub-processors
  • Verification of certifications (ISO 27001, SOC 2, etc.)

Security policy

  • Formalised information security policy
  • Incident management procedures
  • Business continuity and disaster recovery plan
  • Ongoing review and improvement of measures

8.4 Payment Protection

PCI-DSS standard: Our payment providers are PCI-DSS certified (Payment Card Industry Data Security Standard), guaranteeing the highest level of security for your banking transactions.

⚠ Important: We never store your complete banking details on our servers. Payment data is processed directly by our certified providers via secure connections.

8.5 Data Breach

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we undertake to:

  • Notify the CNPD: Within 72 hours of discovering the breach
  • Inform affected individuals: As soon as possible if the risk is high
  • Documentation: Record all incidents in a register
  • Corrective measures: Immediate implementation of actions to limit the impact

8.6 Your Responsibilities

Your contribution to security:

  • Choose a strong and unique password (minimum 12 characters, combining uppercase, lowercase, numbers and special characters)
  • Never share your login credentials
  • Log out after each session, especially on a shared computer
  • Regularly check your account activity
  • Keep your devices and software up to date
  • Be wary of suspicious emails (phishing)
  • Contact us immediately if you detect any suspicious activity on your account

8.7 Reporting a Security Vulnerability

If you discover a security vulnerability on our Site, we encourage you to report it to us responsibly:

Security email: contact@rythmesroots.com

We undertake to handle your report seriously and confidentially, and to keep you informed of the measures taken.

9. COOKIES AND TRACKERS

9.1 Reference to the Cookie Policy

For detailed information on the use of cookies and other trackers on our Site, please refer to our dedicated Cookie Policy.

9.2 Essential Information

What is a cookie?

A cookie is a small text file placed on your device (computer, tablet, smartphone) when you visit a website. It allows the site to remember information about your visit.

Types of cookies used

  • Strictly necessary cookies: Essential for the operation of the Site (shopping cart, authentication, security). Do not require consent.
  • Performance cookies: Collect information about the use of the Site (Google Analytics, etc.). Require your consent.
  • Functional cookies: Remember your preferences (language, currency, etc.). Require your consent.
  • Advertising cookies: Personalise the advertisements displayed. Require your consent.

Cookie management

You can manage your cookie preferences:

  • Via the cookie management banner displayed on your first visit
  • At any time via the "Manage my cookies" link at the bottom of each page
  • Via your browser settings

Retention period

Cookies have a limited lifespan, generally a maximum of 13 months in accordance with CNIL recommendations. Your consent is requested again beyond this period.

⚠ Impact of refusing cookies: Disabling certain cookies may affect the operation of the Site and limit access to certain features.

10. MINORS

10.1 Protection of Minors

Our Site is not intended for persons under the age of 18. We do not knowingly collect personal data relating to minors without the consent of their parents or legal guardians.

10.2 Parental Consent

If you are under 18 years of age, you must obtain the authorisation of your parents or legal guardians before:

  • Creating an account on the Site
  • Placing an order
  • Providing personal information

10.3 Discovery of Minors' Data

If we discover that we have collected personal data from a minor without appropriate parental consent, we will take steps to delete this information as soon as possible.

10.4 Parental Rights

If you are a parent or legal guardian and discover that your child has provided us with personal data without your consent, please contact us immediately at: [your email]

You may exercise the following rights regarding your child's data:

  • Access the data collected
  • Request its rectification or deletion
  • Object to its processing
  • Withdraw your consent

11. POLICY AMENDMENTS

11.1 Right to Amend

We reserve the right to amend this Privacy Policy at any time in order to:

  • Reflect changes in our data practices
  • Comply with legislative or regulatory changes
  • Incorporate new features or services
  • Improve clarity and transparency

11.2 Notification of Amendments

In the event of a material change to this Policy, we will notify you by:

  • A prominent notice on the Site's homepage
  • An email to registered users (if the changes significantly affect your rights)
  • A notification at your next login

11.3 Acceptance of Amendments

Amendments take effect upon their publication on the Site. Continued use of the Site after an amendment constitutes acceptance of the new Policy.

If you do not accept the amendments, you must stop using the Site and may request the deletion of your account and data.

11.4 Version History

We archive previous versions of this Policy and can provide them upon request. The date of the last update is always indicated at the top of this document.

11.5 Regular Consultation

We encourage you to consult this Policy regularly to stay informed about how we protect your personal data.

12. CONTACT AND COMPLAINTS

12.1 General Contact

For any questions concerning this Privacy Policy or the processing of your personal data, you may contact us:

By email: contact@rythmesroots.com

12.2 Exercising Your GDPR Rights

Dedicated GDPR email: contact@rythmesroots.com

12.3 Response Times

We undertake to:

  • Acknowledge receipt of your request within 48 hours
  • Respond in full within a maximum period of 1 month
  • Inform you if an additional period is required (maximum 2 months in cases of complexity)

12.4 Complaint to the CNPD

If you believe that your rights are not being respected or that the processing of your data does not comply with the GDPR, you have the right to lodge a complaint with the supervisory authority:

Commission Nationale pour la Protection des Données (CNPD)
15, boulevard du Jazz
L-4370 Belvaux
Luxembourg

Telephone: (+352) 26 10 60 - 1
Email: info@cnpd.lu
Website: www.cnpd.lu
Online complaint form: Lodge a complaint

12.5 European Supervisory Authorities

You may also contact the data protection authority in your country of residence. List of authorities: European Data Protection Board

12.6 Mediation

In the event of a dispute relating to the use of your personal data, we encourage you to contact us first to find an amicable solution. If the dispute persists, you may refer the matter to a mediator.

ADDITIONAL INFORMATION

Related Documents

This Privacy Policy supplements and should be read in conjunction with:

Legal Sources

This Policy complies with the following texts:

  • Regulation (EU) 2016/679 of 27 April 2016 (GDPR)
  • Luxembourg law of 1 August 2018 on data protection
  • Directive 2002/58/EC (privacy and electronic communications)
  • Recommendations of the Luxembourg CNPD
  • Guidelines of the European Data Protection Board (EDPB)

Language

This Policy may be translated into other languages to facilitate understanding. In the event of any discrepancy between versions, only the French version shall prevail.

Last updated: March 2026

Version: 1.0

© La Petite Lutherie - Rhythms & Roots - All rights reserved