Last Updated on October 15, 2020 by Bruno Lauris

What is a Privacy Policy?

A privacy policy is a document that states some or all of the ways a party gathers, uses, discloses, and manages user, customer, and client data.

Personal information can be anything that can be used to identify an individual, not limited to the person’s name, address, contact information, etc.

Who are we?

Our website is https://darkfolklore.com/ (hereinafter ”we” or ”darkfolklore.com”) and it is was created, is owned and managed by Bruno Lauris.

You can use our Privacy Center to automatically resolve issues relating to privacy by yourself or by contacting us.

1. What personal data we collect, and why we collect it?

We use your data for the purposes set out in this Privacy Policy and to enforce or defend legal claims. For this reason, your data is processed to protect and enforce your rights and the rights of third parties.

We may also process your data if it is necessary to fulfill our obligations or to protect the vital interests of you or another individual.

Dataset	Legal basis	Use, reasoning, and storage
First name, surname, delivery address, billing address, and contact information	Consent, Contract or Legal obligation	We use this data to get in touch with you and to help complete the ordering, payment, or donating process and to provide advice on any issues that may arise. You can object to the use of your data in such a way by contacting us from the Privacy Center. Storage: No longer than 2 (two) years starting from the last time we communicated with you about this data.
		To fulfill our contractual obligations to you, we will need you to provide your name, address, and contact information. Otherwise, we would not be able to deliver the goods you have purchased or the donation reward to the billing or delivery address specified by you. We also need this data to prepare the order for receipt at the place of delivery and issuing an invoice, etc. Storage: For no longer than 10 (ten) years, starting from the date we executed the transaction.
		We will send you information about our updates and news by e-mail, Facebook, e-mail/regular mail, or by calling the phone number provided by you. By using your data in this way, we try to keep you up to date with all the latest information surrounding darkfolklore.com and the processes you are involved with us. We provide this information only with your consent. You can revoke your consent to such use of your data at any time by using the revocation link available to you in the e-mail we send out or by using our Privacy Center. Storage: No longer than 1 (one) year starting from the date you have given your consent or until you withdraw this consent for us to manage this data.
		We conduct surveys (by sending SMS, e-mails, or by asking to fill out a form) for research purposes and to assess the quality of our services so that we can improve the quality of our work. The easiest way to cancel the acquisition of such surveys is to contact us from the Privacy Center. Storage: No longer than 2 (two) years starting from the last time we communicated with you to accomplish this goal.
		If we cannot use this data, you will not be able to participate in any of the competitions that we organize. Also, in the event of a prize, we need to process personal data to meet the requirements of the law applicable to us. Storage: No longer than 2 (two) years from the end of the competition but in case of winning prizes - for no longer than 10 (ten) years from the award ceremony or after we publish the list of winners on our website.
		We use this data to prevent and to detect fraud attempts. Storage: No longer than 2 (two) years from the date you last connected to your account or for a maximum of 10 (ten) years from the date of a transaction (whichever is the latest event).
Information about your interests and opinions, place of residence, gender, and your date of birth	Consent, Contract, or Legal obligation	We use this data to ensure that the services provided on our website are used only by persons at least 18 years of age (minors need to acquire their parents or legal guardian permission as stated in our Terms). If a service is ment for persons that are 18+ years old and we have reasonable doubt that we are processing a person`s data that is younger than specified in this section without the permision of their parent or legal guardian, we will delete that personal data from the databases. Storage: Indefinite date or until you revoke our access to your data.
		With this info, to better understand and to satisfy your interests, we can organize customer segmentation, allowing us to provide you with personalized offers. With your consent, only direct marketing offers tailored to you will be sent to you. You can revoke your consent at any time by using the revocation link available to you in the e-mail notification or by contacting us by using our Privacy Center. Storage: A maximum of 2 (two) years from the date of you giving us your consent or until you withdraw this consent.
		We conduct surveys (by sending SMS, e-mails, or by asking to fill out a form) for research purposes and to assess the quality of our services so that we can improve the quality of our work. The easiest way to cancel the acquisition of such surveys is to contact us from the Privacy Center. Storage: No longer than 2 (two) years starting from the last time we communicated with you to accomplish this goal.
Payment and donation information	Contract or Legal obligation	We need this information to process your payments or donations and to refund your money back if you are unsatisfied with the quality of the transaction. Storage: No longer than 10 (ten) years from the date of the transaction.
Payment and donation information	Contract or Legal obligation	We use this data for fraud detection and prevention and to legally protect you and darkfolklore.lv. Storage: A maximum of 2 (two) years from the date you last connected to your account or for a maximum of 10 (ten) years from the date of the transaction (whichever is the latest event).
Your communication with us	Consent, Contract, Legal obligation, Vital interests, Public task or Legitimate interests	This data type consists of records with the information provided by you. For example, e-mails - sent by you using the forms found on the Privacy Center on our website. We need this information to be informed about the concerns you have with darkfolklore.com. We need this data to keep track of general inquiries. These records will be used to both protect your and our interests. Records of such information will also bee used to provide services if they contain information relating to them. A concrete example: When you leave comments on the website, we collect the data shown in the comments form, and also your IP address and browser user agent string to help spam detection. The comment and its metadata are stored indefinitely, allowing us to recognize and approve any follow-up comments automatically instead of holding them in a moderation queue. Before you submit your comment, we will ask you to provide your consent to our Privacy Policy in the form of a checkbox. Storage: No longer than 2 (two) years starting from the last time we communicated with you.
Purchase and donation history, and a log of activities on the site	Consent, Contract, Legal obligation, Legitimate interests	This data consists of but isn`t limited to the purchases and donations you have made, items stored in your cart, your wishlists, and the amount of premium content that you have downloaded through our site. We use an activity log plugin to log all the actions that our website`s users perform. In case of a data breach, this allows us to pin-point who and how they were able to accomplish the data breach. Storage: No longer than 2 (two) years from the date you last connected to your account or from the date of the last transaction (whichever is the latest event). Also, we will store information about the goods you are viewing for 30 (thirty) days. The activity log is stored for no longer than 6 months.
Social platform account	Consent	To make it easier to connect to our website and applications, we allow users to log in by using their social networking accounts. The social platforms will provide us with the necessary connection data to ensure this option. Storage: No longer than 2 (two) years from the date you last connected to your account or until you remove such consent by deleting or disconnecting your social account from your profile.
Personal account, cookie and other preferences	Consent or Legal obligation	Our website saves information about your chosen preferences. For example, the settings that you have set on your account page and your chosen cookie settings on the cookie bar found at the bottom right half on your screen. Many of these preferenced can be updated on your profile page if you have one. On the other hand, if you wish to change your cookie preferences, you should go to our Privacy Center. If there are any other preferences that you think you should be able to change, contact us through the Privacy Center. You can read more about how we handle cookies in particular on our Privacy Policy`s appendix - Cookie Policy. Storage: Indefinite date or until you revoke our access to your data.
Analytics packages	Consent, Contract or Legal obligation	For example, we use JetPack and Cloudflare to strengthen the security of our site. For example, we use JetPack to monitor brute force attack attempts, allowing us to protect your data from different kinds of cyberattacks. Some of these services are necessary for our site to function and thus can`t be turned off, but some of them (the analytics packages we use for marketing analytics) can be easily opted-out of by going to our Privacy Policy > Privacy Settings. Storage: Indefinite date or until you revoke our access to your data.
Uploaded media files	Consent or Contract	Users can upload media files on our website or send them to us, For example, by uploading an account avatar that will represent them in the comments sections. All uploaded files are usually publicly accessible unless you have revoked such use of your data. We do not take responsibility for the data uploaded by our users. If you believe that any of your copyrights have been violated then please send us a DMCA notice by using our Privacy Center. Storage: Indefinite date or until you update/delete them, or submit a Forget Me application from the Privacy Policy.
Embedded content from other websites	Consent	Content on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website. These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.

2. Who we share your data with?

We may transfer your data to the following categories of data recipients:
We can disclose your personal information to companies in our group, for example, our subsidiaries and our parent company, as well as all its subsidiaries.
We may transfer your data to our insurers and professional advisers in connection with risk management, professional consultations, or to raise, enforce, and defend legal claims.
Financial transactions related to the purchase of goods or donating on the website can be processed by our payment service providers. We disclose your financial transaction data to our payment service providers to the extent necessary for the execution of payment transactions, refunds, and the review of complaints.
To provide specific services, we may transfer your data to other service providers, such as website hosting service providers, courier services, server maintenance providers, e-mail service providers, newsletter, survey, and data protection service providers.
We will only engage service providers who have put in place/undertake to put in place appropriate technical and organizational measures that will ensure an appropriate level of security of data processing.
We may transfer your data not only in the cases specified above but also in fulfillment of our legal and contractural obligations, as well as if there is a need to protect the interests of you or other third parties.
For marketing purposes, we may transfer personal data with your consent to our partners who provide us with marketing services.

The recipients of the data specified in this Chapter may also be located outside the borders of the Republic of Latvia, the European Union, or the European Economic Area. We will only transfer your data to third parties who have put in place/undertake to put in place appropriate technical and organizational measures that will ensure an appropriate level of security of data processing.

3. How long we store your data?

In all cases, we protect your data for no longer than it is necessary to achieve our goals. You can find more information about the terms of storage of your data in the “What personal data we collect, and why we collect it?” section of this Privacy Policy.

4. What rights do you have over your data?

This section of the Privacy Policy discusses your rights under data protection law.

1. The right to restrict processing:

You can restrict the processing of your data, by contacting us through our Privacy Center. We will have one calendar month to respond to such a request, but this right can be exercised only in the following cases:

You challenge the accuracy of personal data;
Personal data is processed unlawfully, but you do not want it deleted;
Personal data is no longer required for our processing, but you request it in connection with legal proceedings, enforcement or defense, or
You do not consent to the processing being based on a legitimate interest of us or a third party until the grounds for your disagreement have been verified.
By restricting the processing of personal data, we may continue to store your data, but will not continue to process it, except: (i) with your consent; (ii) in connection with the bringing, enforcement, and defense of legal claims; (iii) to protect the rights of other natural or legal persons; or (iv) in the overriding public interest.

2. The right to erasure:

We will have one calendar month to respond to such a request. You can request the deletion of your data by sending us a Forget Me application from the Privacy Center. This right can be exercised if:

The personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
You withdraw your consent, and there is no other legal basis for processing the data;
You do not consent to the processing of personal data for the legitimate interests of us or a third party;
Personal data is processed for direct marketing purposes;
Personal data have been processed unlawfully;
Please note that in some cases you will not be able to exercise this right due to applicable exceptions. These exceptions include cases, where the personal data processed, are necessary to (i) exercise freedom of expression and information; (ii) exercise our legal obligations; or (iii) raise, enforce or defend legal claims.

3. The right to rectification:

You have the right to correct any inaccurate personal data and, taking into account the purposes of the processing, to supplement any incomplete personal data by sending us a Data Rectification application from the Privacy Center. We will have one calendar month to respond to such a request.

4. The right of access:

You have the right to receive confirmation from us whether we process your data or not. When we process your data, you have the right to get acquainted with the data to be processed and information about their processing, for example, the purpose of personal data processing, categories of personal data, etc. We will provide you with a copy of your data if you submit a Request Data application from the Privacy Center. You have the right to receive your data in a systematic and computer-readable format. We will have one calendar month to respond to such a request. However, you cannot exercise this right in cases where it may adversely affect the rights and freedoms of others.

5. The right to be informed:

We provide information on the processing of your data at the time of data collection. You can always find it in this Privacy Policy (and at the moment when we ask for this data) or receive it by contacting us through the Privacy Center.

6. The right to object to the processing of your data:

You may exercise this right for any purpose related to your particular situation, but only to the extent that we use the data in connection with our or a third party’s legitimate interests. If you object, we will not continue to process personal data unless we can prove that the data is being processed for compelling legitimate reasons beyond your interests, rights, and freedoms, or to bring, pursue and protect claims and/or legal proceedings. We will have one calendar month to respond to such a request.

7. The right to data portability:

Allowing you to obtain and reuse your data for your own purposes across different services. The right only applies to information an individual has provided to a controller and the legal basis for the processing of personal data is Your consent or Performance of the contract or actions taken at your request before the conclusion of the contract.

8. The right to withdraw consent for the processing of your data:

In cases where the legal basis for the processing of your data is consent, you have the right to withdraw the consent at any time. Withdrawal of consent will not affect the lawfulness of the data processing during the period leading up to the withdrawal.

9. The right to submit a complaint to the supervisory authority:

If you believe that we are violating personal data protection legislation by processing your data, you have the right to submit a complaint to the State Data Protection Inspectorate, located at Blaumana Street (Blaumaņa iela) 11/13-11, Riga, LV-101111, https://www.dvi.gov.lv/en/.

In all cases, please contact us before making a complaint so that we can work together to find a suitable solution.

If you want to exercise your rights, or in case of questions about the processing of personal data or the exercise of rights, contact us by using the Privacy Center.

5. Changes to the Privacy Policy

We may periodically change this Privacy Policy to better reflect on how we process your personal information.

We will notify you of any significant changes in our website or by using other appropriate means of communication, such as by e-mail, so that you may review the changes before continuing to use our website.

6. Our contact information

You can contact us by using our Privacy Center. Please, do not hesitate to contact us if:

You have any questions or comments regarding this Privacy Policy;
You want us to stop using your data;
You wish to exercise your rights under this Privacy Policy or file a complaint.

Additional information

Security through obscurity would be like burying your money under a tree. The only thing that would make such a hiding spot safe would be the fact that no one knows where the money is.

Kerckhoffs’s principle is one of the basic principles of modern cryptography. It was formulated at the end of the 19th century by Dutch cryptographer Auguste Kerckhoffs and goes as follows: A cryptographic system should be secure even if everything about it, except the key, is public knowledge. Or Claude Shannon`s maxim that “one ought to design systems under the assumption that the enemy will immediately gain full familiarity with them”.

These concepts are widely embraced by cryptographers, in contrast to “security through obscurity”, which is not.

Based on these principles, real security would be putting the money behind a locked safe. Afterward, you could put the safe on a public street, and the money would still be safe because what makes it secure is that no one can get inside it rather than mere obscurity.

Even though we believe in Kerckhoffs`s principle and the GDPR`s “Data protection by design and default” principle, we do not wish to potentially incriminate the strength of our security by unnecessary revealing too much information about it.

Thus in this section, we will reveal only as much as s needed to demonstrate that the security of our website is a priority for us and that we actively take steps to keep it that way.

1. How we protect your data?

Below are some, but not all of the things that we do to improve your data`s security:

We keep our website updated: More than 50%of websites are still running on an older version of WordPress, but not ours. We always keep our website up-to-date.
We use secure admin login credentials: One of the most recurring mistakes in website administration is using common usernames and passwordssuch as “admin” or “administrator”, and “password” or “1234” rather than using and frequently updating hard to guess usernames and passwords.
We backup our website frequently: Our hosting provided provides us with regular backups of our website so that in case of, for example, data loss we could restore both our website and your data.
We remove unused themes and plugins. Plus, we do not use nulled themes or plugins: Nulled WordPress themes/plugins are pirated versions of the original premium versions. Furthermore, having outdated yet active plugins increases the risk of cyberattacks, as hackers can use them to gain access to the site.
We use an SSL certificate to encrypt data: SSL Certificates are small data files that digitally bind a cryptographic key to an organization. When installed on a web server, it activates the padlock and the https protocol, allowing secure connections from a web server to a browser. Typically, SSL is used to secure credit card transactions, data transfer, and logins, and more recently is becoming the norm when securing browsing of social media sites.
Using Content Delivery Networks like JetPack and Cloudflare: A CDN uses a group of servers to provide fast content delivery, managing traffic by handling user requests much faster. Utilizing CDN servers can improve security, reduce bandwidth, and increase speed.

2. What data breach procedures do we have in place?

A personal data breach – is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.

In terms of specific procedures for mitigating a data breach:

We have analytics enabled ono our website. For example, JetPack that monitors our website and notifies the website`s administrator if the website has gone offline.
Stripe is managing our payments, and if there are any problems with this process, then we will acquire a notification and will be able to start tackling the issue.
Our administrators keep a log of everything that happens on the website to make sure that only the authorized users access sensitive data
We have a communication system that can quickly notify our users about data breaches.

When a personal data breach could occur, we will notify the Information Commissioner’s Office (ICO) in due time, but no later than 72 hours after becoming aware of it. If we take longer than this, we must give reasons for the delay.

Yet, but if the breach is unlikely, then we are allowed not to report it as long as we can justify this decision by documenting it.

If a breach is likely to result in a high risk to the rights and freedoms of individuals, the GDPR says we must inform those concerned directly and without undue delay.

4. What third parties we receive data from?

Generally, we do not receive information about you from third parties. , Unless you have consented to such transactions.

It is also possible that third parties with whom we have had no prior contact may provide us with information about you.

If we receive information about you from a third party in error and/or we do not have a legal basis for processing that information, we will delete that data.

5. What automated decision making and/or profiling we do with user data?

Automated data processing systems are systems that exclude any human influence on the outcome. We do not use such systems to manage personal data.

Disclaimer

This Privacy Policy must be read in conjunction with this website’s Terms and Conditions and Cookie Policy.

Privacy Policy