Privacy Policy

Data Controller

Legal Bases for Processing

Under GDPR Article 6, we process personal data based on the following legal grounds:

• Consent (Art. 6(1)(a)): For loading third-party content from YouTube and Spotify. You may withdraw consent at any time via our cookie settings.
• Contractual necessity (Art. 6(1)(b)): For processing your contact form inquiries and donation transactions you initiate.
• Legitimate interest (Art. 6(1)(f)): For essential website security (Cloudflare), bot protection (Turnstile), and core website functionality. Our legitimate interest is providing a secure, functional website.

Data We Collect

We collect personal data only when you voluntarily provide it:

• Contact form: your name, email address, and message, used solely to respond to your inquiry.
• Newsletter: your email address, used to send you concert announcements and updates. You can unsubscribe at any time.
• Language preference: automatically detected from your browser's language settings on first visit, then stored locally in your browser.
• IP address: temporarily collected for security purposes (rate limiting). IP addresses are held in memory for a maximum of 10 minutes and are not stored long-term.

Cookies

This website uses cookies and similar technologies. Essential cookies are always active. Third-party cookies are only set when you give consent via our cookie banner.

Essential Cookies (always active)

Third-Party Cookies (require consent)

The following cookies may be set by third-party services when you consent to load embedded content:

Third-Party Services

This website uses the following third-party services. Embeds from YouTube and Spotify are only loaded after you give consent via our cookie banner:

• YouTube (Google LLC) — Video embeds on our media page. When loaded, your IP address and browsing data are transmitted to Google servers. Google's privacy policy: https://policies.google.com/privacy
• Spotify AB — Audio player embeds on our media page. When loaded, your IP address and data are transmitted to Spotify servers. Spotify's privacy policy: https://www.spotify.com/privacy
• Cloudflare, Inc. — Infrastructure provider for security, performance, and content delivery. Cloudflare processes minimal data (IP address, security tokens) as a data processor on our behalf. Cloudflare's privacy policy: https://www.cloudflare.com/privacypolicy/
• Google Calendar (Google LLC) — Calendar embed used exclusively in the password-protected members area. When loaded, data is transmitted to Google servers. Google's privacy policy: https://policies.google.com/privacy
• Cloudflare Turnstile — CAPTCHA alternative on our contact form for bot protection. Processes browser data and IP address to verify you are human. Strictly necessary for security. Turnstile's privacy policy: https://www.cloudflare.com/turnstile-privacy-policy/
• Resend — Email delivery service for our contact form and newsletter. Your name, email, and message are transmitted to Resend for delivery. Newsletter email addresses are stored in a Resend contact list until you unsubscribe. Resend's privacy policy: https://resend.com/legal/privacy-policy

International Data Transfers

Some of the third-party services we use are based in the United States. When you consent to load YouTube content, or when you submit a contact form or donation, your data may be transferred outside the European Economic Area (EEA). Note: Spotify AB is headquartered in Sweden (EU) and does not require cross-border transfer safeguards. These transfers are protected by:

• The EU-US Data Privacy Framework (adequacy decision of July 2023) for certified US companies
• Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by technical safeguards such as encryption of data in transit

Data Security

We implement appropriate technical and organizational measures to protect your personal data, including HTTPS encryption for all data in transit, Cloudflare DDoS protection and Web Application Firewall, HMAC-signed authentication cookies with HttpOnly and Secure flags, Content Security Policy headers, and minimal data collection following the principle of data minimization.

Automated Decision-Making

We do not use automated decision-making or profiling as defined in GDPR Article 22. Cloudflare Turnstile performs automated bot detection on our contact form, but this does not produce legal effects or similarly significant effects on you.

Your Rights Under GDPR

As a data subject under the General Data Protection Regulation (GDPR), you have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your data
• Request restriction of processing
• Data portability
• Object to processing

To exercise any of these rights, please contact us at intercontinental.ensemble@gmail.com.

You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

Data Retention

We retain your personal data only for as long as necessary. Contact form messages are kept for up to 12 months. Newsletter subscriptions are maintained until you unsubscribe. Donation records are retained for 7 years in accordance with Dutch accounting obligations (Boekhoudbesluit).

Data Protection Officer

As a small foundation with fewer than 250 employees and without large-scale personal data processing as a core activity, Stichting Intercontinental Ensemble is not required to appoint a Data Protection Officer (DPO) under GDPR Article 37. For all data protection inquiries, please contact us directly at intercontinental.ensemble@gmail.com.

Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours of becoming aware of the breach, as required by GDPR Article 33. If the breach is likely to result in a high risk to you, we will also notify you directly without undue delay.