Data Protection Information

We, XLN Audio AB, Årstaängsvägen 21C, 117 43 Stockholm, Sweden (hereafter "XLN Audio" or "we") , operate the website www.xlnaudio.com including the webshop integrated into the Website (together hereafter the "Website"), where we sell our music software. We attach great importance to protecting your personal data and will collect, process and use your personal data solely in line with the principles described below and observing the applicable data protection legislation.

In the following, we provide information on the processing of personal data in context with the Website and the provision of the services offered on our Website pursuant to Art. 13 and 14 of the European General Data Protection Regulation ("GDPR"). Below you also find information on the use of cookies (Section H) in context with the Website and the services provided on the Website.

The terms used in the following, such as e.g. "controller", have the meaning as defined in Art. 4 GDPR.

Table of contents

  1. IDENTITY AND CONTACT DETAILS OF THE CONTROLLER
  2. CATEGORIES AND SOURCES OF PERSONAL DATA
  3. INTENDED PURPOSES OF PROCESSING AND LEGAL BASIS FOR PROCESSING
  4. RECIPIENTS OF PERSONAL DATA
    1. Internal recipients (recipients within the controller)
    2. External recipients (recipients outside the controller) which receive personal data as processors
  5. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES AND / OR INTERNATIONAL ORGANIZATIONS
  6. PERIOD FOR WHICH PERSONAL DATA WILL BE STORED
  7. REQUIREMENT OR OBLIGATION TO PROVIDE PERSONAL DATA AND CONSEQUENCES OF FAILURE TO PROVIDE SUCH DATA
  8. INFORMATION ON THE USE OF COOKIES
    1. General information on cookies
      1. First-party and third-party cookies
      2. Transient and persistent cookies
      3. Consent-free cookies and cookies requiring consent
    2. Management of the cookies used on this website
    3. Cookies used on this website
  9. RIGHTS OF THE DATA SUBJECT
    1. Access, rectification, erasure, restriction, data portability
    2. Right to object
    3. Right to withdraw consent
    4. Right to lodge a complaint
  10. EFFECTIVE DATE OF CHANGES TO THIS DATA PROTECTION INFORMATION
  1. Identity and contact details of the controller
  2. The controller for this Website is:

    XLN Audio AB
    Årstaängsvägen 21C
    117 43 Stockholm
    Sweden
    VAT Number: SE556680144401

    support@xlnaudio.com

  3. Categories and sources of personal data
  4. We process the following (categories of) personal data:

    Categories of personal data processed Types of personal data within category Source of personal data
    (and if applicable, whether source is publicly accessible)

    Protocol data which accrues due to technical reasons when requesting a website via the Hypertext-Transfer- Protocol ("HTTP-Data").

    IP-address, Type and version of the user‘s internet-browser, User’s operating system, URL of the requested webpage, URL of the previously visited webpage (Referrer URL), Date and time of the request. User of the Website (automated transmission by the user’s browser).
    Data stored on the user’s end device in strictly necessary Session Cookies* (Information on the use of cookies) for providing the Login and Cart functions on our Website ("Website Functions Cookie-Data"). XSRF-Token for preventing cross-site request forgery, information to check if user is logged in and to get user’s cart. User of the Website (automated transmission by the user’s browser).
    Data on individual inquires transmitted to us via our Website ("Inquiry-Data"). E-Mail Address, Category of inquiry, individual inquiry/message. User of the Website.
    Information about the customer that we collect for the purposes of entering into or performing a contract on the purchase of XLN products and to create an account on our Website ("Customer Master Data"). Mandatory information to create an account (First Name, Last Name, E-Mail Address, Country, Password).
    Additional mandatory information to place an order (Address, City, Zipcode, State).
    Optional information (Company Name, VAT Number)
    User of the Website.
    Data on contracts concluded on our Website that we generate to process an order ("Contract Data"). Order ID, Parent Order ID, Transaction Number, Cart ID, Currency, Created Date, Paid Date, Refunded Date, Settled Date, Canceled Date, Discount Code ID, Discount Amount, Product ID / Bundle ID, Row Total, Row VAT Total, Row VAT Rate, Row Discount Total, IP Address. Optional: Selectable content (deals), Product keychain, Licenses. Generated by us.
    Authentication information used for logging into an account created on our Website ("Authentication Data") Email address, Password (stored only in an encrypted format). User of the Website.
    Data used for providing the "My Account" – function on our Website ("Account Data"). Data stored under "My Profile" (Customer Master Data provided by the User, Username (used for preset sharing), Newsletter opt in/opt out)
    Data stored under "My Products" (XLN products and/or third party products ordered on our Website, Registered product key (regarding products not ordered on our Website))
    Data stored under "My Computers" (Type of computer (PC or Mac), Operating system and version, CPU Model, Amount of RAM)
    Data stored under "My Orders" (Details regarding orders placed by the User: Order number, Date of order, Total amount, Status, "View").
    Data stored under "My Files" (Files saved by the User, such as: Preset, Memo, Favorites)
    User of the Website; some information generated by us on the basis of your orders placed on our Website.
    Information provided to us in customer surveys carried out for market research purposes ("Survey Data"). Relevant information provided to us for research purposes. Survey Participants.

    * Cookies are small text files containing information which are stored on the user’s device. When the user visits the Website again, the contents of the cookie are sent to the server by the user’s browser helping us to recognize your browser. There are two types of cookies. One type is called a permanent cookie and stores a file on the user’s computer subject to a long expiry date. Such cookies are deleted when the expiry date is passed. The second type of cookie is called a session cookie and will be deleted when the web browser (or other type of browser) is closed.

  5. Intended purposes of processing and legal basis for processing
  6. We process the (categories of) personal data (indicated above in section Categories and sources of personal data) for the following purposes and on the following legal basis.

    Where the processing is based on Art. 6 (1) (f) GDPR, the legitimate interests pursued by us or by a third party are indicated as well.

    No automated decision-making referred to in Art. 22 (1) and (4) GDPR takes place.

    Intended purpose of processing
    (and, where applicable, legitimate interests pursued with the processing)
    (Categories of) personal data
    (for details of specific categories refer to section Categories and sources of personal data above)
    Legal basis for processing (Categories of) recipients
    (for details refer to section Recipients of personal data below)
    Provision of the publicly accessible part of the Website upon user’s request. HTTP-Data. Art. 6 (1) (f) GDPR (balancing of interests). Our legitimate interest is the provision of the website content requested by the user. Hosting Provider.
    Handling of user’s inquiries. HTTP-Data, Inquiry Data. If your request concerns a contract to which you are party or the performance of pre-contractual measures: Art. 6 (1) (b) GDPR (performance of a contract). Otherwise: Art. 6 (1) (f) (balancing of interests). In this case, our legitimate interest is the processing of your request. Customer Support Provider
    Entering into and fulfilling a contract with customers, including registration of user accounts. HTTP-Data, Customer Master Data, Contract Data, Authentication Data, Account Data. Art. 6 (1) (b) GDPR (performance of a contract). Hosting provider, Payment Service Provider, Customer Support Provider.
    Provision of the "My Account" – function on our Website. HTTP-Data, Customer Master Data, Contract Data, Authentication Data, Account Data. Art. 6 (1) (b) GDPR (performance of contracts) Hosting Provider.

    Sending direct marketing emails for promoting our own similar products or services to existing customers who provided their E- Mail addresses in context with the sale of a product or a service.

    We are giving the opportunity to object, free of charge and in an easy manner, to such use of customers’ E-Mail addresses when they are collected and on the occasion of each message. Customers can opt out from receiving such direct marketing emails by changing their email settings on their customer account page.

    E-Mail Address that Customers provide to us in context of the sale of a product or a service. Balancing of interests (Art. 6 (1) (f) GDPR). Our legitimate interest is sending direct marketing emails to existing customers who are given the opportunity to object, free of charge and in an easy manner, to such use of their E-Mail addresses as provided by Art. 13 (2) E- Privacy Directive (2002/58/EC) / applicable national laws transposing this provision. E-Mail Service Provider.
    Running competitions. Account Data. Art. 6 (1) (a) GDPR (Consent)
    Conducting market research by carrying out customer surveys. Survey Data. Art. 6 (1) (a) GDPR (Consent) Customer Surveys Provider.
    Storage and processing of data for evidence purposes and for any assertion, exercise or defence of legal claims. Customer Master Data, Contract Data, Account Data. Balancing of interests (Art. 6 (1) (f) GDPR). Our legitimate interest is assertion, exercise or defence of legal claims. Hosting Provider.

    Storage of data in order to meet statutory document retention obligations, in particular commercial and tax law document retention obligations.

    Depending on the document type, commercial and tax law document retention obligations require us to store Contract Data for a minimum of seven years.

    Customer Master Data, Contract Data Compliance with a legal obligation (Article 6 (1) (c) GDPR).
  7. Recipients of personal data
  8. For the purposes indicated under section Intended purposes of processing and legal basis for processing above, we disclose personal data to the following recipients or categories of recipients:

    1. Internal recipients (recipients within the controller)
      Web Development, Sales & Marketing, Customer Support
    2. External recipients (recipients outside the controller) which receive personal data as processors
      The following recipients process personal data on our behalf:
      Processor Scope of Engagement
      Amazon Web Services Inc / USA Server Hosting, email service, data storage, content storage
      Groove Networks LLC / USA Customer Support System
      Survey Monkey Inc / USA Customer Surveys
      Adyen B.V. / Netherlands Payment Service Provider

    support@xlnaudio.com

  9. Transfer of personal data to third countries and / or international organizations
  10. Having our principal place of business in Sweden, we collect data described in section Categories and sources of personal data above from Sweden and generally perform the processing operations stated in section Intended purposes of processing and legal basis for processing above in Sweden.

    However, we intend to transfer personal data to the following third countries (countries outside the European Economic Area) and / or international organisations:

    Third country / international organisation Recipient(s)
    (for details refer to section E above)
    Existence or absence of adequacy decision / appropriate or suitable safeguard
    (and, if applicable, the means by which to obtain a copy of them or where they have been made available)
    USA
    • Amazon Web Services Inc
    • SurveyMonkey Inc
    • Groove Networks LLC
    EU-U.S. Privacy Shield Certification of Amazon Web Services Inc
    EU-U.S. Privacy Shield Cerfitication of SurveyMonkey Inc
    The transfer of personal data to Groove Networks LLC is subject to standard data protection clauses pursuant to Art. 46 (2) (c) GDPR. A copy of the standard data protection clauses can be obtained from our Customer Service (see contact details in Section Identity and contact details of the controller above.)
  11. Period for which personal data will be stored
  12. The period for which personal data will be stored is listed in the following or is determined by the following criteria:

    (Categories of) personal data
    (for details of specific categories refer to section Categories and sources of personal data above)
    Period for which personal data will be stored / criteria determining time period
    HTTP-Data

    Data are stored in server log files in a form allowing the identification of data subject for a maximum period of 7 days, unless any security related event occurs (e.g. a DDoS attack).

    If there is a security related event, server log files are stored until the security relevant event has been eliminated and clarified in full.

    Inquiry-Data During session.
    Customer Master Data

    As long as the customer wants to have an account. We also store these data for evidence purposes for the assertion, exercise or defence of any legal claims for an interim period of three years commencing at the end of the year in which an order has been placed and in the event of any legal disputes until such have been concluded.

    Depending on the document type, commercial and tax law document retention obligations also require us to store Customer Master Data for a minimum of seven years.

    Contract Data

    As long as the customer wants to have an account to the extent such data are displayed in the customer account. Otherwise we store Contract Data as long as the order has been fulfilled. We also store these data for evidence purposes for the assertion, exercise or defence of any legal claims for an interim period of three years commencing at the end of the year in which the order has been placed and in the event of any legal disputes until such have been concluded.

    Depending on the document type, commercial and tax law document retention obligations also require us to store Contract Data for a minimum of seven years.

    Authentication Data As long as the customer wants to have an account.
    Account Data As long as the customer wants to have an account.
    Survey Data As long as we need the data for market research purposes. Specific time period will be communicated to the participants in context with the respective customer survey.
  13. Requirement or obligation to provide personal data and consequences of failure to provide such data
  14. The provision of the following personal data is a statutory or contractual requirement/obligation, or a requirement necessary to enter into a contract:

    (Categories of) personal data
    (for details of specific categories refer to section Categories and sources of personal data above)
    Requirement/obligation Possible consequences of failure to provide such data
    • HTTP-Data
    • Customer Master Data
    • Contract Data
    • Authentication Data
    Requirement necessary to enter into a contract. We will not enter into an agreement where this data is not provided to us.
  15. Information on the use of cookies
  16. We use cookies in connection with our Website. We use the processing and storage functions of your end device’s browser and collect information from the memory of your end device’s browser. You will find more detailed information on this below.

    1. General information on cookies

      Cookies are small text files with information that can be placed on a user’s end device through its browser when a website is visited. When the website is visited again with the same end device, the cookie and the information it contains can be retrieved.

      1. First-party and third-party cookies

        Depending on where a cookie comes from, a distinction can be made between first-party cookies and third-party cookies:

        First-party cookies Cookies that are placed and accessed by the operator of the website as the controller or a processor engaged by it.
        Third-party cookies Cookies that are placed and accessed by controllers other than the operator of the website that are not processors engaged by the operator of the website.
      2. Transient and persistent cookies

        A distinction can be made between transient and persistent cookies depending on how long they remain active:

        Transient cookies (session cookies) Cookies that are automatically deleted when you close your browser.
        Persistent cookies Cookies that remain stored on your end device for a certain period of time after the browser is closed.
      3. Consent-free cookies and cookies requiring consent

        Users’ consent is required for some cookies depending on their function and purpose of use. Thus, a distinction can be made between cookies that require users’ consent and those that do not:

        Telephone: Cookies that have as their sole purpose to transmit a message using an electronic communication network
        Cookies that have as their sole purpose to transmit a message using an electronic communication network
        Cookies requiring consent Cookies for all purposes of use other than the abovementioned.
      4. Management of the cookies used on this website

        You can manage cookies using your browser’s settings. Different browsers have different ways to configure cookie settings.

        However, we would like to point out that some functions of the website may not work properly or at all if you deactivate cookies in general in your browser.

      5. Cookies used on this website

        The following cookies may be used on this website:

        Designation First-party / third-party Purpose of use and content Effective term Consent necessary?
        Strictly necessary cookies
        Laravel_session First-party Strictly necessary cookie to provide the Login function on our Website. Transient: Session. No.
        Laravel_session First-party Strictly necessary cookie to provide the Shopping Cart function on our Website Transient: Session. No.
        XSRF-Token First-party Strictly necessary cookie to prevent cross-site request forgery Transient: Session. No.
  17. Rights of the data subject
    1. Access, rectification, erasure, restriction, data portability

      With regard to the processing of personal data, you have the following rights:

      • Request from us access to your personal data pursuant to Art. 15 GDPR.
      • Request from us rectification of your personal data pursuant to Art. 16 GDPR
      • Request from us erasure of your personal data pursuant to Art. 17 GDPR
      • Request from us restriction of processing pursuant to Art. 18 GDPR
      • Right to data portability pursuant to Art. 20 GDPR
    2. Right to object

      You have the right to object on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Art. 6(1) (e) or (f) GDPR (see section Intended purposes of processing and legal basis for processing above).

      Where personal data are processed for direct marketing purposes (see section Intended purposes of processing and legal basis for processing above), you have the right to object at any time to processing of personal data concerning you for such marketing. You can opt out from receiving such direct marketing emails by changing your email settings on your customer account page.

    3. Right to withdraw consent

      Where the processing is based on your consent (Art. 6(1) (a) or Art. 9(2) (a) GDPR (see section Intended purposes of processing and legal basis for processing above), you have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

    4. Right to lodge a complaint

      You have the right to lodge a complaint with a supervisory authority pursuant to Art. 57 (1) (f) GDPR.

  18. Effective date of changes to this Data Protection Information
  19. The effective date of this Data Protection Information is June 5, 2018.

    It may be necessary to modify this Data Protection Information due to technical developments and/or amendment of statutory or official requirements.

    An up-to-date version of this Data Protection Information can be retrieved at any time at www.xlnaudio.com.