Data Protection
Privacy Policy
This policy explains how personal data is processed in connection with the Nothing Else Records website, in accordance with Regulation (EU) 2016/679 (GDPR) and Spanish Organic Law 3/2018 on Data Protection (LOPDGDD).
Controller
Ali Benmoussa El Omari, acting as a natural person.
Address: Manresa, Barcelona, Spain.
Privacy contact: [email protected]
No Data Protection Officer has been designated. None of the three criteria of Article 37(1) GDPR apply to this controller: (a) the controller is not a public authority or body; (b) the core activities do not consist of processing operations requiring regular and systematic monitoring of data subjects on a large scale (the website does not run analytics, tracking, profiling or behavioral advertising); (c) the controller does not process special categories of personal data under Article 9 GDPR or data relating to criminal convictions under Article 10 GDPR on a large scale.
Data we process
Two categories of data are processed:
- Contact data. The content of messages you voluntarily send to [email protected], including your email address and any information you choose to include.
- Infrastructure data. Technical logs generated automatically when you visit the website: IP address, user agent, request path, response code and timestamp.
The website does not offer forms, newsletters, accounts, checkout or any other mechanism that would collect additional data.
Purposes and legal basis
Contact data is processed to read and reply to your message. Infrastructure data is processed to deliver the website, protect it from abuse and keep it available.
Contact data is processed under Article 6(1)(a) GDPR — consent manifested through your voluntary act of sending a message after access to this Privacy Policy linked from the footer. Alternatively, Article 6(1)(f) GDPR — the legitimate interest of the publisher in receiving, reading and responding to public communications directed to a clearly published contact channel. Infrastructure data is processed under Article 6(1)(f) GDPR — the legitimate interest of the controller in delivering, securing and maintaining the website against abuse. Where a legal obligation applies (for example, a supervisory-authority request), Article 6(1)(c) GDPR is the applicable basis.
Additionally, on the first visit to the website from the root URL, Cloudflare communicates to the system the country code associated with your IP address (header cf-ipcountry) for the sole purpose of automatically serving the most likely Spanish or English language version. The country code is not stored in any record held by the controller; it is used only in the memory of the request and is discarded when the response is served. Legal basis: Article 6(1)(f) GDPR — legitimate interest in offering the language version expected by the user. You may override this automatic detection at any time by clicking the language selector; your choice will then be persisted through the technical cookie lang_pref (see the Cookie Policy).
“Friends” promotional game
When the “Friends” promotional game is active, it will collect data to manage your participation. This is the essential information (first layer); the full processing detail will be incorporated into this policy before it goes live.
Controller: Ali — Nothing Else Records.
Data: your email (required); your first and last name (optional, only if you give them). Nothing else — no IP, no tracking, no profiling.
Why your name? Optional. If you give it, we use it to recognise you across the riddles, to personalise the emails we send you, and — only if you tick the optional box — the label’s news.
Purpose: to send your game reward and the next riddles; and, only if you tick the optional box, news from the label.
Legal basis: Article 6(1)(b) GDPR (performance of what you request by claiming your reward) for the core participation data; and Article 6(1)(a) GDPR — consent — for the optional label news, which you may withdraw at any time.
Recipients: the game emails are sent through the processor Scaleway TEM (Scaleway SAS, Paris region “fr-par”, European Union). Data stays within the European Economic Area — no transfer outside the EEA.
Retention: until you unsubscribe or ask us to erase your data. One click is enough.
Your rights: access, rectify, erase and withdraw consent at any time.
No IP, no tracking. The only proof of consent is the date, the version of this text and your email confirmation.
Providing your data is voluntary
Under Article 13(2)(e) GDPR: providing your data when you contact us is entirely voluntary. The only consequence of not providing it is that we will not be able to respond.
Information received through infrastructure providers
Under Article 14 GDPR: when you visit this website, Cloudflare — our hosting and security provider — automatically processes technical data including your IP address, user agent, request path and timestamp, for delivery, security and abuse prevention. This information is not supplied by you directly but collected via the infrastructure required to serve the site. It is handled under Cloudflare’s own privacy policy (cloudflare.com/privacypolicy) and may, depending on the service configuration, also be made available to the controller through operational logs or dashboards used to secure and operate the site.
Recipients (processors)
Two processors access data on our behalf:
- Cloudflare, Inc. — hosting, content delivery, TLS termination and security (Cloudflare Pages). It processes infrastructure data described above.
- Google LLC — Google Workspace email for the [email protected] mailbox. It processes contact data when you email us.
Data is not sold, rented or shared for unrelated commercial purposes.
International transfers
This website is served through Cloudflare Pages (Cloudflare, Inc., San Francisco, CA, United States). Technical and security logs, including the visitor’s IP address, may be processed by Cloudflare in data centers located both inside and outside the European Economic Area, including the United States.
Cloudflare is self-certified under the EU–U.S. Data Privacy Framework (DPF), the UK Extension to the EU–U.S. DPF, and the Swiss–U.S. DPF. For transfers outside the frameworks, Cloudflare relies on the European Commission’s Standard Contractual Clauses (SCCs) as set out in its Data Processing Addendum.
Emails sent to [email protected] are processed by Google Workspace (Google LLC, Mountain View, CA, United States), which is also self-certified under the EU–U.S. Data Privacy Framework and relies on Standard Contractual Clauses where applicable.
References:
- Cloudflare DPF participation: dataprivacyframework.gov/participant/5666
- Cloudflare DPA and SCCs: cloudflare.com/cloudflare-customer-dpa
- Cloudflare Privacy Policy: cloudflare.com/privacypolicy
- Google DPF participation: dataprivacyframework.gov/participant/5780
- Google Cloud Data Processing Addendum (applicable to Google Workspace): cloud.google.com/terms/data-processing-addendum
A copy of the applicable safeguards can be requested via the contact email above.
Retention
- Contact emails: kept for up to 12 months from the last exchange, then deleted unless a legal obligation or live legal claim requires longer retention.
- Cloudflare infrastructure logs: standard Cloudflare HTTP request log retention applies (3-7 days by default in absence of Logpush configuration, per Cloudflare Logs documentation). The controller does not operate Logpush to external storage. After Cloudflare’s automatic deletion, no further copy is retained.
- Mailbox backups: retained for a maximum of 90 days as part of Google Workspace backup cycles.
Automated decision-making and profiling
This website does not carry out automated decision-making or profiling as defined in Article 22 GDPR.
Audience measurement
No web analytics or audience-measurement tool is used — neither Cloudflare Web Analytics, nor Google Analytics, nor any equivalent. The site does not track its visitors. Should it become necessary to measure site performance in the future, this would be done from aggregated server-side logs, which do not access or store information on your device, and this policy would be updated accordingly.
Your rights
Under GDPR Articles 15 to 22 and LOPDGDD, you may exercise the following rights free of charge by writing to [email protected]:
- Access — confirm whether we hold data about you and obtain a copy.
- Rectification — correct inaccurate or incomplete data.
- Erasure — request deletion where legally applicable.
- Restriction — limit processing in the cases foreseen by law.
- Objection — object to processing based on legitimate interest.
- Portability (Article 20 GDPR) — applicable only when processing is based on consent or on a contract performed by automated means. Given the nature of the processing described here (contact emails read manually and technical infrastructure logs), the conditions of Article 20.1 GDPR do not apply; however, upon request we will provide you with a machine-readable copy of the data the controller retains.
You may also lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD) at aepd.es if you consider that your rights have not been properly addressed.
Changes to this policy
This policy may be updated to reflect changes in the website, its providers or applicable law. Substantive changes will be reflected in the last-updated date below.
Last updated: 2 July 2026.