This policy was last modified on 12th October 2021.
At Pianobook, we are committed to maintaining the trust and confidence of visitors to our website, and users of our products and services. In particular, we want you to know that Pianobook and Spitfire Audio are not in the business of buying, selling, renting or trading email lists with other companies and businesses for marketing purposes.
WHAT ARE COOKIES?
For example, without cookies you would have to enter your password each time you tried to download a Sample Pack, even if you had just downloaded one moments before.
HOW ARE COOKIES MANAGED?
The cookies stored on your computer or other device when you access our websites are designed by:
- Pianobook, or on behalf of Pianobook, and are necessary to enable you to make downloads on our website.
- Third parties who collect analytical data (namely Google Analytics).
WHAT ARE COOKIES USED FOR?
The main purposes for which cookies are used are:
- For technical purposes essential to effective operation of our website, particularly in relation to online transactions and site navigation.
- To enable Pianobook to collect information about your browsing and shopping patterns, including to monitor the success of campaigns, competitions etc.
HOW DO I DISABLE COOKIES?
If you want to disable cookies you need to change your website browser settings to reject cookies. How you can do this will depend on the browser you use. Further details on how to disable cookies for the most popular browsers are set out below:
- For Microsoft Internet Explorer
- For Google Chrome
- For Safari
- For Mozilla Firefox
- For Opera
- For Safari on iPhone
- For Chrome on iPhone
- For Android Browser
WHAT HAPPENS IF I DISABLE COOKIES?
This depends on which cookies you disable, but in general the website will not operate properly if cookies are switched off. If you only disable third party cookies, you will not be prevented from downloading files from our site(s).
OUR CUSTOMER DATABASE
We are a data controller as defined by the GDPR (“A controller determines the purposes and means of processing personal data”). Pianobook’s parent company, Spitfire Audio, are registered with the UK Information Commissioner’s Office (https://ico.org.uk/) with registration number ZA170164.
We have our own customer database which is stored on servers inside the EU (Ireland), and is never transferred, duplicated or backed up outside of the EU. Stringent measures are in place to prevent unauthorised access to this database, including IP locking and strong “need to know basis” access policies.
WHO HAS ACCESS?
Our Pianobook team (made up of Pianobook staff and affiliates, as well as Spitfire Audio staff), via the administration section of our website, have access to all user details including name, email address, order history, transaction and submitted items (files).
Our web development teams, both internal and those employed by our third party provider, work with a copy of the live database.
Access keys for our various third party services are stored securely external to the code to which developers have access.
SIGNING UP FOR OUR MAILING LIST
When you log into the website for the first time, you will be prompted to sign up to our Newsletter. The single piece of mandatory information we need from you in order to subscribe you is a valid email address.
The Newsletter includes monthly highlights and goings on within the Pianobook community. This Newsletter may include links and advertisements to Spitfire Audio campaigns that relate closely to Pianobook.
You can unsubscribe at any time by clicking the unsubscribe link at the bottom of the email.
WHERE WE KEEP OUR MAILING LIST
Apart from your email address and (optionally) your name, Drip also tracks your interactions with our campaigns (opens, clicks) as well as detecting if the email is marked as spam or doesn’t get delivered (bounces). They also track whether or not you have unsubscribed.
Every message we send from this platform has an unsubscribe button, and the option to update your mailing preferences.
We maintain synchronicity between your preferences in our own database, and your preferences on Drip (whichever way round you choose to edit them).
One caveat you should note is that if you change your email address directly using Drip’s supplied form, and don’t make the same adjustment on your Pianobook account, we will be unable to maintain sync between both sets of preferences, and you may receive emails you don’t expect.
HOW LONG WE’LL KEEP YOU ON OUR MAILING LIST
We’ll keep you on our mailing list until you unsubscribe so long as you occasionally open our messages.
Once a year we’ll remove people from our list who have not opened any of our emails in the previous 12 months.
THE LEGAL BASIS WE USE FOR MARKETING MESSAGES WE SEND
Where we have not obtained explicit consent from our customers for sending of marketing messages via our newsletter, we may still use the legitimate interests legal basis to send direct messages.
CREATING A PIANOBOOK ACCOUNT
Certain activities you might perform on our website require you to have a Pianobook account. These include:
- Uploading a sample pack
- Downloading a sample pack
- Accessing other content on our website
When you create an account, we ask for your first and last names, your email address and a password, and also ask whether you would like to opt in to our mailing list.
Your password is stored encrypted using an industry standard password hashing mechanism which isn’t reversible, so nobody, including us, can find out what your password is in plain text. We encourage our community to use difficult to guess passwords or passphrases, and to use a password manager to discourage password sharing between websites.
HOW YOU CAN KEEP YOUR DATA UP TO DATE
You can update your details from your account page at any time. If you cannot make a change, or wish for your data to be deleted, please contact us via the Contact Form.
HOW YOU CAN FIND OUT WHAT DATA WE HOLD
Known under the GDPR as a “Subject Data Access Request,” you can request that we supply you with all the data we hold on you at any time. To make this easy for you, we have created a page in your account area here: http://www.spitfireaudio.com/my-account/my-information/. A print optimised version is available on the same page.
HOW LONG DO WE KEEP YOUR DATA
We will retain your Spitfire Audio account indefinitely unless you ask us to delete it (which you can do by contacting us via our Contact Form).
WHAT DATA DO WE COLLECT
We ask for your name and email address only. You can optionally provide us with a photo/image as part of your profile, as well as links to your website and/or social media pages. We will also hold, as part of a downloadable package, any personal data you include within files submitted to the site.
Your comments and posts will be visible to anyone on the internet, and we will publish your account name and image (if one is uploaded) alongside your comment. You can delete your own comments at any time.
HOW LONG WE KEEP YOUR DATA FOR
We retain all Forum related data indefinitely. You can request for your data to be deleted via our Contact Form.
Reviews and ratings are displayed on the sample pack page and can be viewed by anyone who has access to our website, including visitors who do not have registered accounts and the community member who submitted the sample pack that is reviewed.
Sample Pack ratings, reviews, and downloads affect the position of the sample pack on the Sample Pack Page.
The Pianobook Admins reserve the right to delete and remove any reviews we feel are inappropriate, false or misleading, or include abuse and/or other illicit behavior that is in contradiction to our EULA/Terms.
ANALYTICS AND STATISTICS
We use a few different technologies to track behaviour on our site.
When someone visits pianobook.co.uk we use a third party service, Google Analytics, to collect standard internet log information (e.g. geographical location, OS and browser information, and details of visitor behaviour patterns). We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website.
Besides members of our own internal team, the other third party that has access to Google Analytics information is our independent website developer.
OUR DATA BREACH POLICY
WHAT IS A DATA BREACH?
We consider a data breach to be one or more of the following:
- Loss or theft of confidential or sensitive data or equipment on which such data is stored (e.g. loss of laptop, USB stick, iPad / tablet device, or paper record)
- Equipment theft or failure
- System failure
- Unauthorised use of, access to or modification of data or information systems
- Attempts (failed or successful) to gain unauthorised access to information or IT system(s)
- Unauthorised disclosure of sensitive / confidential data
- Website defacement
- Hacking attack
- Human error
- ‘Blagging’ offences where information is obtained by deceiving the organisation who holds it.
INVESTIGATION AND CONTAINMENT
If we discover or are notified of any of the above:
- We will firstly determine whether the breach is ongoing, and if so, take immediate measures to stop it and minimise its impact.
- Secondly, we will investigate the extent and severity of the breach and assess the risks associated with it, for example, the potential adverse consequences for individuals, how serious or substantial those are and how likely they are to occur. This investigation will consider the following:
  - the type of data involved
  - its sensitivity
  - the protections which are in place (e.g. encryption)
  - what has happened to the data (e.g. has it been lost or stolen)
  - whether the data could be put to any illegal or inappropriate use
  - data subject(s) affected by the breach, number of individuals involved and the potential effects on those data subject(s)
  - whether there are wider consequences to the breach
After investigating the breach, we will determine whether it is necessary to report it to the Information Commissioner’s Office (ICO), and if so, will do so within a maximum of 72 hours of becoming aware of the breach, if possible.
Every incident will be assessed on a case by case basis. The following will be considered:
- Whether the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms under Data Protection legislation
- Whether notification would assist the individual(s) affected (e.g. could they act on the information to mitigate risks?)
- Whether notification would help prevent the unauthorised or unlawful use of personal data
- Whether there are any legal / contractual notification requirements
- The dangers of over notifying. Not every incident warrants notification and over notification may cause disproportionate enquiries and work.
Individuals whose personal data has been affected by the incident, and where it has been considered likely to result in a high risk of adversely affecting that individual’s rights and freedoms, will be informed without undue delay. Notification will include a description of how and when the breach occurred and the data involved. Specific and clear advice will be given on what they can do to protect themselves, and will include what action has already been taken to mitigate the risks. Individuals will also be provided with a way in which they can contact us for further information or to ask questions on what has occurred.
We will consider notifying third parties such as the police, insurers, banks or credit card companies. This would be appropriate where illegal activity is known or is believed to have occurred, or where there is a risk that illegal activity might occur in the future.
We will consider whether our marketing team should be informed regarding a press release and be ready to handle any incoming press enquiries.
An internal record will be kept of any personal data breach, regardless of whether notification was required.
EVALUATION AND RESPONSE
Once the initial incident is contained, we will carry out a full review of the causes of the breach, the effectiveness of the response(s) and whether any changes to systems, policies and procedures should be undertaken.
Existing controls will be reviewed to determine their adequacy, and whether any corrective action should be taken to minimise the risk of similar incidents occurring.
The review will consider:
- Where and how personal data is held and where and how it is stored
- Where the biggest risks lie including identifying potential weak points within existing security measures
- Whether methods of transmission are secure; sharing minimum amount of data necessary
- Staff awareness
If deemed necessary, a report recommending any changes to systems, policies and procedures will be considered by the Spitfire Audio board.