Privacy Policy

Last updated: 11 February 2026

ALEJAM RECORDS ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website at alejamrecords.com ("the Site"), including our online store and artist portal.

ALEJAM RECORDS is operated as a sole trader based in the United Kingdom. For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, we are the data controller.

1. Data We Collect

1.1 When You Place an Order

• Name — to process and deliver your order
• Email address — for order confirmations and customer service
• Shipping address — to deliver your order
• Payment information — processed securely by Stripe; we do not store your full card details

1.2 When You Use the Artist Portal

• Name and email address — for account creation and login
• Password — stored as a one-way cryptographic hash (bcrypt); we cannot see your password
• Profile information — biography, images, social media links you choose to provide
• Login activity — timestamps and actions for security auditing

1.3 When You Submit an Artist Application

• Artist/band name, biography, genre, location
• Contact email
• Images and social media links you choose to provide

1.4 Automatically Collected Data

• Session cookies — essential for site functionality (login state, CSRF protection)
• Server logs — IP address, browser type, pages visited (standard web server logs)

2. How We Use Your Data

We use your personal data for the following purposes:

• Order processing — to fulfil and deliver your purchases
• Customer service — to respond to queries about your order or account
• Artist portal — to manage artist profiles and provide account access
• Commission tracking — to calculate and pay artist royalties on merchandise sales
• Legal compliance — to meet our legal and regulatory obligations (e.g. tax records)
• Site security — to detect and prevent fraud or unauthorised access

We do not use your data for automated decision-making or profiling. We do not send unsolicited marketing emails unless you have explicitly opted in.

3. Legal Basis for Processing

Under the UK GDPR, we process your personal data on the following legal bases:

• Contract — processing necessary to fulfil orders you have placed (Article 6(1)(b))
• Legitimate interest — processing necessary for site security, fraud prevention, and business administration (Article 6(1)(f))
• Legal obligation — processing required to comply with UK law, such as tax record-keeping (Article 6(1)(c))
• Consent — where applicable, such as for optional marketing communications (Article 6(1)(a))

4. Third-Party Services

We share your personal data with the following third-party services only as necessary to operate the Site and fulfil orders:

• Stripe (payment processing) — processes your payment securely. Stripe's privacy policy: stripe.com/privacy
• Printful (order fulfilment) — prints and ships your order. We share your name and shipping address with Printful to deliver your products. Printful's privacy policy: printful.com/policies/privacy
• Cloudflare (DNS and security) — provides DNS resolution and DDoS protection. Cloudflare's privacy policy: cloudflare.com/privacypolicy
• WHUK (web hosting) — hosts the Site and stores data on UK-based servers

We do not sell, rent, or trade your personal data to any third parties for marketing purposes.

5. International Transfers

Some of our third-party service providers (Stripe, Printful) may process data outside the UK. Where this occurs, appropriate safeguards are in place, including Standard Contractual Clauses and adequacy decisions, in compliance with the UK GDPR.

6. Data Retention

We retain your personal data only for as long as necessary:

• Order data — retained for 6 years to comply with UK tax and accounting requirements (HMRC)
• Artist portal accounts — retained for the duration of your association with ALEJAM RECORDS, plus 12 months after account closure
• Artist submissions (rejected) — deleted within 90 days of rejection
• Server logs — retained for up to 90 days

7. Data Security

We take appropriate technical and organisational measures to protect your personal data, including:

• HTTPS/SSL encryption on all pages
• Passwords stored using bcrypt hashing (one-way, irreversible)
• CSRF token protection on all forms
• Session tokens with secure, HTTP-only cookies
• Access to personal data restricted to authorised personnel only

While we take every reasonable precaution, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security of your data.

8. Your Rights

Under the UK GDPR, you have the following rights regarding your personal data:

• Right of access — request a copy of the personal data we hold about you
• Right to rectification — request correction of inaccurate or incomplete data
• Right to erasure — request deletion of your data (subject to legal retention requirements)
• Right to restrict processing — request that we limit how we use your data
• Right to data portability — receive your data in a structured, machine-readable format
• Right to object — object to processing based on legitimate interests
• Right to withdraw consent — where processing is based on consent, you may withdraw it at any time

Artist portal users can exercise data access, export, and deletion rights directly via the Settings page in their portal account. For all other requests, contact us at the address below.

We will respond to all data rights requests within 30 days as required by law.

9. Children's Privacy

The Site is not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. We encourage you to review this page periodically.

11. Complaints

If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

• Website: ico.org.uk
• Helpline: 0303 123 1113

12. Contact Us

For any privacy-related queries or data rights requests: