This policy was last modified on 16th Feb 2022
At ADD SOME MUSIC, we are committed to maintaining the trust and confidence of visitors to our website, and users of our products and services. In particular, we want you to know that ADD SOME MUSIC is not in the business of buying, selling, renting or trading email lists with other companies and businesses for marketing purposes.
In this Privacy Policy, we’ve provided lots of detailed information on when and why we collect your personal information, how we use it, the limited conditions under which we may disclose it to others and how we keep it secure.
You can contact us with data information requests by emailing James Bellamy at dataprotection@addsomemusic.de, or alternatively by getting in touch via our support page, from where your request can be passed on to the right person.
Cookies policy
What are cookies?
Like most websites, addsomemusic.de uses cookies to collect information. Cookies are small data files which are placed on your computer or other devices (such as smartphones or tablets) as you browse this website. They are used to remember when your computer or device accesses our website, and also help us keep track of information needed as you move from page to page (for example, the contents of your shopping cart).
Cookies are essential for the effective operation of our websites and to help you shop with us online. They are also used to tailor the products and services offered and advertised to you, both on our websites and elsewhere.
Information collected
Some cookies collect information about browsing and purchasing behaviour when you access this website via the same computer or device. This includes information about pages viewed, products purchased or added to your cart and your journey around a website. We do not use cookies to collect or record information on your name, address or other contact details. ADD SOME MUSIC can use cookies to monitor your browsing and purchasing behaviour.
How are cookies managed?
The cookies stored on your computer or other device when you access our websites are designed by:
ADD SOME MUSIC, or on behalf of ADD SOME MUSIC, and are necessary to enable you to make purchases on our website.
Third parties who collect analytical data (namely Google Analytics, Facebook Pixel and Zendesk).
What are cookies used for?
The main purposes for which cookies are used are:
For technical purposes essential to effective operation of our website, particularly in relation to online transactions and site navigation.
To enable ADD SOME MUSIC to collect information about your browsing and shopping patterns, including to monitor the success of campaigns, competitions etc.
How do I disable cookies?
If you want to disable cookies you need to change your website browser settings to reject cookies. How you can do this will depend on the browser you use. Further details on how to disable cookies for the most popular browsers are set out below:
For Microsoft Internet Explorer
For Google Chrome
For Safari
For Mozilla Firefox
For Opera
For Safari on iPhone
For Chrome on iPhone
For Android Browser
What happens if I disable cookies?
This depends on which cookies you disable, but in general the website will not operate properly if cookies are switched off. If you only disable third party cookies, you will not be prevented from making purchases on our sites. If you disable all cookies, you will be unable to complete a purchase on our site, some buttons will become inactive, and some navigation functionality will be lost.
Our customer database
We are a data controller as defined by the GDPR („A controller determines the purposes and means of processing personal data“). We are registered with the UK Information Commissioner’s Office (https://ico.org.uk/) with registration number ZA170164.
We have our own customer database which is stored on servers inside the EU (Ireland), and is never transferred, duplicated or backed up outside of the EU. Stringent measures are in place to prevent unauthorised access to this database, including IP locking and strong „need to know basis“ access policies.
Who has access?
Access to the raw data is limited to a very small handful of people who legitimately need to use it within ADD SOME MUSIC, as well as senior partners at our third party web development company, Switchplane, who administer the database for us (you can read their privacy policy at https://www.switchplane.com/privacy/).
Our customer experience team and finance teams, via the administration section of our website, have access to all customer details including name, postal address, email address, order history, transaction and stored wish list items. Only the head of department can access the raw underlying data.
Our web development teams, both internal and those employed by our third party provider, work with an anonymised copy of the live database (the same underlying data, but with all references to identifiable personal information scrambled, including names, email addresses, postal addresses and phone numbers).
Access keys for our various third party services are stored securely external to the code to which developers have access.
Marketing
Signing up for our mailing list
Our home page contains a form you can use to sign up to our mailing list (sometimes known as our newsletter). In using it you’ll be opting in to receiving all 3 categories of emails we send (explained below), however you can update your preferences at any time using this link (which will also be included in every email we send you). You can unsubscribe altogether in the same place.
After you’ve given us your email using this form, we’ll send you a confirmation email, and you’ll need to click the confirm button to affirm that you opt in and that the email address you used is valid.
At this point we’ll ask you for your name, but giving it to us is optional. The single piece of mandatory information we need from you in order to subscribe you is a valid email address.
Products
If you opt in to this category we’ll tell you about new and upcoming products and significant updates or changes to existing products. We’ll also use this category to send messages about upcoming promotional pricing events in our shop (such as the promotions we run for Black Friday or our Wish List campaigns).
Community
With this, we’ll keep you abreast of our editorial and educational Journal content including Quick Tips, Creative Cribs, Ones to Watch, and much more. We’ll also announce all the exclusive events and competitions we’re planning, and share social media activity we think might interest you.
Your data may also have been provided to us by a third party, where you have expressly given consent for that third party to share your data with us. We only process such data in accordance with the instructions given to us by the third party. You can always update your preferences on how we use your data; please refer to the section on how you can keep your data up to date.
You can also opt to join our mailing list during the process of creating an account. You will be opted into all 3 categories above if you opt in, but you can update your preferences at any time (using this form).
Where we keep our mailing list
We use Drip to host our mailing list. This is a US-based company whose data protection policies comply with GDPR. Their privacy policy is here. They store our data outside the EU.
Apart from your email address and (optionally) your name, Drip also tracks your interactions with our campaigns (opens, clicks) as well as detecting if the email is marked as spam or doesn’t get delivered (bounces). They also track whether or not you have unsubscribed.
Every message we send from this platform has an unsubscribe button, and the option to update your mailing preferences.
Additionally, we send some promotional email campaigns via our own website, usually where the message relies on us knowing more information about you. Examples of this include our wish list campaign emails (for which we need to know which products are in your wish list) or „affiliation“ messages (e.g. to let ADD SOME MUSIC Symphonic Strings owners know that we have released an Expansion Pack).
We maintain synchronicity between your preferences in our own database, and your preferences on Drip (whichever way round you choose to edit them).
One caveat you should note is that if you change your email address directly using Drip’s supplied form, and don’t make the same adjustment on your ADD SOME MUSIC account, we will be unable to maintain sync between both sets of preferences, and you may receive emails you don’t expect.
How long we’ll keep you on our mailing list
We’ll keep you on our mailing list until you unsubscribe so long as you occasionally open our messages.
Once a year we’ll remove people from our list who have not opened any of our emails in the previous 12 months.
The legal basis we use for marketing messages we send
Where we have not obtained explicit consent from our customers for sending of marketing messages, we may still use the legitimate interests legal basis to send direct messages. We’ve conducted a comprehensive legitimate interests assessment to justify this which you can read here.
Creating an ADD SOME MUSIC account
Certain activities you might perform on our website require you to have an ADD SOME MUSIC account. These include:
Buying products
Downloading and installing products
Storing a personal „wish list“ of products you are interested in
Submitting a customer service request (* see Zendesk section below)
Applying for a student discount
When you create an account, we ask for your first and last names, your email address and a password, and also ask whether you’d like to opt in to our mailing list (more above).
Your password is stored in hashed form using an industry standard password hashing mechanism which isn’t reversible, so nobody, including us, can find out what your password is in plain text. We encourage our customers to use difficult-to-guess passwords or passphrases, and to use a password manager to discourage password sharing between websites (we use LastPass at ADD SOME MUSIC).
How you can keep your data up to date
You will find a comprehensive suite of pages which you can use to update your data on our website. Alternatively, if you create a support ticket we can update it for you.
How you can find out what data we hold
You can request that we supply you with all the data we hold on you at any time (known under the GDPR as a „Subject Data Access Request“). To make this easy for you, we have created a page in your account area here: http://www.addsomemusic.de/my-account/my-information/. A print optimised version is available on the same page.
How long do we keep your data
We will retain your ADD SOME MUSIC account indefinitely unless you ask us to delete it (which you can do by submitting a support ticket).
If you have ever bought anything from us we are required by law to retain financial records for at least 6 years, so we will not be able to completely remove you if you have made any orders more recently than this (see our shop section below).
Our shop
If you buy something from us, we will ask for some additional information from you in order to process your payment, deliver you your purchases and continue to support them in future. This is to enable us to fulfill our contractual obligation to you which begins at the point of sale.
What data do we collect
We ask for your name, email address, company name (if applicable), your registered card billing address, your delivery address (only if you ordered a hard drive), your phone number (which we use as part of our fraud checking process), your credit card number (unless you use Paypal), expiry date and CVS code („the last 3 digits on the back of the card“).
Who deals with our payments
Our principal Payment Service Provider is Opayo (formerly Sage Pay) – the largest independent payment service provider (PSP) in the UK and Ireland.
Opayo provides a secure payment gateway (Level 1 PCI DSS), processing payments for thousands of online businesses, including ours. It is Opayo’s utmost priority to ensure that transaction data is handled in a safe and secure way.
Opayo uses a range of secure methods such as fraud screening, IP address blocking and 3D secure. Once on the Opayo systems, all sensitive data is secured using the same internationally recognised 256-bit encryption standards.
Opayo is PCI DSS (Payment Card Industry Data Security Standard) compliant to the highest level and maintains regular security audits. They are also regularly audited by the banks and banking authorities to ensure that their systems are impenetrable.
Opayo is an active member of the PCI Security Standards Council (PCI SSC) that defines card industry global regulation.
All data transfer between ADD SOME MUSIC’s servers and Opayo is over HTTPS, which means it is encrypted in transit and can only be decrypted by the intended recipient.
Opayo retain your card information in order that we can refund all or part of your transaction in future, but we only have access to the last 4 digits, card name and CVS code.
During checkout we offer the option to securely store your credit card details so as to allow „one click“ payment at a later date. If you accept this option, your card details are stored securely on Opayo’s level 1 PCI compliant systems, and are never stored, even temporarily, on any ADD SOME MUSIC server. We save a token representing the stored card which is only usable by ADD SOME MUSIC. Nobody at ADD SOME MUSIC or at Opayo has unencrypted access to the full credit card details at any time.
After a payment is successful, Opayo provide us with an automated fraud score which, combined with other measures of our own, we use to make an automated decision to either process the order immediately or hold it for investigation by one of our customer experience team.
We also take payments using Paypal (whose GDPR compliant privacy policy is here), though Opayo act as an intermediary for these transactions, so your data is passed to Paypal using Opayo’s fully PCI compliant systems, rather than directly from our servers.
After a successful transaction, we have access to the billing address, name and email address of the Paypal account which was used to make the transaction, which we recognise may not be the same as the ADD SOME MUSIC account holder. We don’t make use of this information for anything. We use the transaction references for accounting purposes.
If you choose Apple Pay during checkout, we will take your payment using the payment gateway Stripe. They are also fully PCI DSS Level 1 compliant. More details of their security policies are available here. With Apple Pay, no credit card details are entered in full at any time during the transaction with us. You will have entered your credit card details when you set up your device to support Apple Pay.
Who has access to financial data?
Access to our Sage Pay and Paypal data is restricted to our customer experience and finance teams (both of whom legitimately need it to be able to carry out their jobs). The heads of our web and operations teams (including at our external partners Switchplane) also have access in order to be able to manage the integration with our site, and act as tier 3 level support in case of unusually problematic transactions. The Customer Experience team has access to Paypal principally so that they can request and confirm manual payments.
Transactional emails
Order confirmation
Confirms that we have received your order and the amount you spent
Includes link to your invoice
Legal basis: Contractual obligation – we need to confirm your order has been successful
Purchase is ready
After fraud checking has finished and your order has been fully processed, we’ll send this message to let you know it is ready to be downloaded. This email also contains your serial number(s), if applicable.
Legal basis: Contractual obligation – this is part of us delivering the product to you.
Hard drive in progress
If you’ve ordered a hard drive, we’ll send you a quick email to let you know we’ve started to build it.
Legal basis: Legitimate interests – we think it polite and reasonable to let you know your order is in progress
Hard drive dispatched
When your hard drive is shipped we’ll let you know, and give you a shipping tracking reference.
Legal basis: Legitimate interests – we think it is reasonable for us to let you know that your order is on its way
Product Updates
We typically offer free updates to products during their lifetime. This message is to let you know when one is available for something you own.
Legal basis: Legitimate interests – we think you’ll want to know that there have been improvements to a product you own. This is part of our ongoing commitment to our customers.
Logging
We ask for consent to receive diagnostic information from you when you first open the ADD SOME MUSIC app. This will help improve the quality and performance of both the app and our plugins as well as dramatically improve our ability to help fix an issue for you if you contact our support team.
All data is sent only with your consent and is anonymised such that even ADD SOME MUSIC staff cannot access your specific data unless you provide us with your identifier in the event of a technical support intervention.
If you agree to send diagnostics information to ADD SOME MUSIC, it may contain the following:
Details about app or plugin crashes, freezes or errors.
Usage information, for example, data about how you use the app and our plugins.
Analytics data contains your computer’s hardware and software specifications, including information about devices connected to your computer and the versions of the operating system and DAWs you’re using. Personal data is either not logged at all in the reports generated, is subject to privacy preserving techniques such as differential privacy or is removed from any reports before they’re sent to ADD SOME MUSIC.
Information is sent to ADD SOME MUSIC using your internet connection. If your computer is not connected to the internet, the data is saved and sent the next time you connect to the internet.
Customer experience
At ADD SOME MUSIC we want happy customers. To help us to help you, we will often need to know a little bit about you.
Phone
If you call us, we will collect your caller ID (i.e. phone number) if available, and store a recording of the call against this phone number. During the call we will ask for your name and account details (if applicable), and will add all this information into your account. If you call us from the same number at a later date, we can retrieve this account information the next time you call.
If you block the sending of your caller ID, and don’t tell us who you are during the call, only the recording will be saved against an anonymous ID number.
Creating a support ticket
In order to be able to create a support ticket in our system, we ask you to log in to your ADD SOME MUSIC account. We can then log you into Zendesk using a process called Single Sign On. With this, we confirm to Zendesk that you have a valid account with us via a secure exchange of tokenised data. There’s no need for you to have a separate password to access Zendesk. They don’t have any record of your ADD SOME MUSIC password, even in encrypted form.
You can see all your own activity on Zendesk at the following URL (you will be redirected to the addsomemusic.de website to log in first if necessary): https://ADD SOME MUSICaudio.zendesk.com/hc/en-us/requests
In the process of servicing your request, we may ask for additional personal or financial information or details of your order history or your hardware and software, and all such information will be retained with the ticket for future reference.
How long we keep your data for
We retain all customer service tickets indefinitely. This is to ensure that we have a full case history of any problems you may have experienced in the past, and can refer back to these when necessary. We are happy to delete your full Zendesk history upon request. Please create a support ticket and ask.
Analytics and statistics
We use a few different technologies to track behaviour on our site:
Google Analytics
When someone visits addsomemusic.de we use a third party service, Google Analytics, to collect standard internet log information (e.g. geographical location, OS and browser information) and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website.
Besides members of our own internal marketing team, the other third parties who have access to Google Analytics information are:
Switchplane, who administer the analytics service integration on our behalf.
Facebook Pixel
When someone visits addsomemusic.de we use a third party service, Facebook Pixel, to collect standard internet log information and details of visitor behaviour (e.g. which pages they visit, whether they add something to their cart or their wish list). We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make any attempt to find out the identities of those visiting our website.
Our data breach policy
What is a data breach?
We consider a data breach to be one or more of the following:
Loss or theft of confidential or sensitive data or equipment on which such data is stored (e.g. loss of laptop, USB stick, iPad / tablet device, or paper record)
Equipment theft or failure
System failure
Unauthorised use of, access to or modification of data or information systems
Attempts (failed or successful) to gain unauthorised access to information or IT system(s)
Unauthorised disclosure of sensitive / confidential data
Website defacement
Hacking attack
Human error
‘Blagging’ offences where information is obtained by deceiving the organisation who holds it.
Investigation and containment
If we discover or are notified of any of the above, we will firstly determine whether the breach is ongoing, and if so, take immediate measures to stop it and minimise its impact. Secondly, we will investigate the extent and severity of the breach and assess the risks associated with it, for example, the potential adverse consequences for individuals, how serious or substantial those are and how likely they are to occur.
This investigation will consider the following:
The type of data involved
Its sensitivity
The protections which are in place (e.g. encryption)
What has happened to the data (e.g. has it been lost or stolen)
Whether the data could be put to any illegal or inappropriate use
Data subject(s) affected by the breach, number of individuals involved and the potential effects on those data subject(s)
Whether there are wider consequences to the breach
Notification
After investigating the breach, we will determine whether it is necessary to report it to the Information Commissioner’s Office (ICO), and if so, will do so within a maximum of 72 hours of becoming aware of the breach, if possible.
Every incident will be assessed on a case by case basis. The following will be considered:
Whether the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms under Data Protection legislation
Whether notification would assist the individual(s) affected (e.g. could they act on the information to mitigate risks?)
Whether notification would help prevent the unauthorised or unlawful use of personal data
Whether there are any legal / contractual notification requirements
The dangers of over notifying. Not every incident warrants notification and over notification may cause disproportionate enquiries and work.
Individuals whose personal data has been affected by the incident, where it has been considered likely to result in a high risk of adversely affecting that individual’s rights and freedoms, will be informed without undue delay. Notification will include a description of how and when the breach occurred and the data involved. Specific and clear advice will be given on what they can do to protect themselves, including what action has already been taken to mitigate the risks. Individuals will also be provided with a way in which they can contact us for further information or to ask questions on what has occurred.
We will consider notifying third parties such as the police, insurers, banks or credit card companies. This would be appropriate where illegal activity is known or is believed to have occurred, or where there is a risk that illegal activity might occur in the future.
We will consider whether our marketing team should be informed regarding a press release and asked to be ready to handle any incoming press enquiries.
An internal record will be kept of any personal data breach, regardless of whether notification was required.
Evaluation and response
Once the initial incident is contained, we will carry out a full review of the causes of the breach, the effectiveness of the response(s) and whether any changes to systems, policies and procedures should be undertaken.
Existing controls will be reviewed to determine their adequacy, and whether any corrective action should be taken to minimise the risk of similar incidents occurring.
The review will consider:
Where and how personal data is held and where and how it is stored
Where the biggest risks lie including identifying potential weak points within existing security measures
Whether methods of transmission are secure, and whether only the minimum amount of data necessary is shared
Staff awareness
If deemed necessary, a report recommending any changes to systems, policies and procedures will be considered by the ADD SOME MUSIC board.