Privacy & Cookie Policy
Last updated: 23 June 2026
This Privacy & Cookie Policy (“Policy”) explains how ChordsAround.com (“we”, “us”, “our”) collects, uses, shares and protects personal data when you visit and use the website https://chordsaround.com (the “Website”). It also explains your rights under the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the ePrivacy Directive 2002/58/EC as implemented in Italy (Italian Personal Data Protection Code, Legislative Decree 196/2003 as amended by Legislative Decree 101/2018, and the Garante’s “Guidelines on cookies and other tracking tools” of 10 June 2021), and applicable UK privacy law.
Please read this Policy carefully. By using the Website you acknowledge that you have read and understood it. Where we rely on your consent (for example, for non-essential cookies), we only process the relevant data after you have given that consent through our cookie banner.
1. Who is responsible for your data (Data Controller)
The data controller responsible for your personal data is:
ChordsAround.com — Giovanni Lucifero Strada Baganzola 84, Parma, Italy Email: [email protected]
The controller is established in Italy. As a result, the GDPR and Italian data-protection law apply to this processing, regardless of where the servers are physically located (see Section 8).
We have not appointed a Data Protection Officer (DPO), because our processing does not meet the thresholds of Art. 37 GDPR. You can contact us about any privacy matter using the details above.
2. What personal data we collect, why, and on what legal basis
Under Art. 13 GDPR we must tell you, for each purpose, what we collect, why, the legal basis, and how long we keep it. The table below sets this out.
| Data we collect | Why we collect it (purpose) | Legal basis (Art. 6 GDPR) | Retention |
|---|---|---|---|
| Comments: name, email, website (optional), comment text, IP address, browser user-agent | To publish your comment and detect spam | Consent for publishing; legitimate interest (Art. 6(1)(f)) for spam prevention | Comment and metadata retained indefinitely unless you ask us to delete them |
| Contact form / email: name, email, message content | To answer your question or request | Legitimate interest (Art. 6(1)(f)) in responding to you, or consent | Until your request is resolved; a copy is also delivered to, and retained in, the administrator’s email inbox |
| Contact / other forms (Ninja Forms): the fields you fill in (e.g. name, email, message) plus, where stored, the submission’s IP address and date/time | To receive and respond to your form submission | Consent (Art. 6(1)(a)) by submitting the form, and/or legitimate interest (Art. 6(1)(f)) in responding | Submissions stored in our WordPress database are set to auto-expire after 90 days; copies sent to us by email are kept until your request is resolved |
| Server logs: IP address, browser type, operating system, referring page, date/time of request | To deliver, secure and troubleshoot the Website | Legitimate interest (Art. 6(1)(f)) in security and reliability | Short-term (typically up to a few weeks/months) |
| Cookies & similar technologies (see Section 5) | Site functionality and analytics | Consent for non-essential cookies; legitimate interest only for strictly necessary cookies | See the cookie panel / your CMP |
| Account data (only if user registration is enabled): username, email, profile data | To provide and manage your account | Contract (Art. 6(1)(b)) / consent | While the account is open |
We collect personal data directly from you (when you fill in a form, comment, subscribe, or contact us) and automatically (server logs and cookies) when you browse.
We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects on you. We do not display third-party advertising and do not use advertising or interest-based tracking cookies.
3. Children’s data
The Website is intended for a general audience of music and chord enthusiasts and is not directed at children. Where we rely on consent for an information-society service, the minimum age is 16 (the threshold set in Italy under Art. 8 GDPR). If you are under 16, please do not leave comments or otherwise submit personal data without the consent of a parent or guardian. If you believe a child has provided us with personal data, contact us and we will delete it.
4. Who we share your data with (recipients)
We do not sell your personal data, and we do not share it with advertisers. We share it only with the categories of recipients needed to run the Website:
- Hosting provider — InterServer, Inc. (servers located in the United States) hosts and serves the Website (see Section 8 on the international transfer this involves).
- WordPress / Gravatar (Automattic) — comment functionality and avatars. An anonymised hash of your email may be sent to Gravatar to check whether you have an account. See Automattic’s privacy policy: https://automattic.com/privacy/
- Analytics provider — Google Analytics (see Section 5), only after you consent.
- Spam-detection service — comments may be checked automatically for spam.
- Form submissions (Ninja Forms) are stored in our own WordPress database on our hosting (Section 8); they are not sent to the Ninja Forms company. A copy of each contact-form message is also emailed to our administrator inbox (delivered via Google — see the next bullet).
- Email delivery — Google (Gmail / Google Workspace API) sends the Website’s outgoing email (such as contact-form notifications) on our behalf via the WP Mail SMTP plugin. A copy of these messages is delivered to and stored in our administrator email inbox. Google is based in the USA (see Section 8 on international transfers).
- Authorities or legal advisers — only where we are legally required to disclose data, or to establish, exercise or defend legal claims.
These third parties act either as our processors (under a data-processing agreement, on our instructions) or as independent controllers for their own purposes. Please review their own privacy policies for details.
5. Cookies and similar technologies
5.1 What cookies are
Cookies are small text files placed on your device when you visit a website. We also use “similar technologies” such as pixels and local storage — under EU law these are treated the same way as cookies. We use both session cookies (deleted when you close your browser) and persistent cookies (which remain until they expire or you delete them), and both first-party and third-party cookies.
5.2 Consent — how we handle it
In line with the ePrivacy Directive (Art. 5(3)) and the Italian Garante’s guidelines, non-essential cookies (analytics and any functional/preference cookies) are blocked until you give consent through our cookie banner / Consent Management Platform (CMP). When you first arrive you will see a banner that lets you Accept all, Reject all, or manage your choices by category, with reject being as easy as accept. Strictly necessary cookies do not require consent but are listed for transparency.
You can change or withdraw your consent at any time, as easily as you gave it, by reopening the cookie settings from the link/icon in the footer (e.g. “Cookie settings”). Withdrawing consent does not affect processing carried out before withdrawal.
We use the CookieYes — GDPR Cookie Consent plugin as our Consent Management Platform. Google Analytics is loaded only after you accept analytics cookies; if you reject them, Analytics is not activated. You can reopen your choices at any time from the “Cookie settings” link in the footer (the CookieYes consent-renew control).
5.3 Categories of cookies we use
- Strictly necessary / essential cookies — required for the site to work (e.g. security, load balancing, remembering your cookie choices, and the temporary cookie that checks whether your browser accepts cookies on the login page). No consent required.
- Functionality / preference cookies — remember choices such as language or comment details so you do not have to re-enter them (comment-detail cookies last up to one year). Consent required.
- Analytics & performance cookies — Google Analytics, to understand aggregate traffic and improve the site. Google Analytics sets its own cookies; more info: https://policies.google.com/privacy and opt-out plugin: https://tools.google.com/dlpage/gaoptout. Consent required.
A live, itemised list of the specific cookies, their providers, purpose and duration is available in the cookie settings panel of our CMP.
5.4 WordPress login/editing cookies (if applicable)
If you log in, we set cookies to remember your login and screen-display choices (login cookies last 2 days, screen-option cookies 1 year; “Remember Me” extends login to 2 weeks; logging out removes them). Editing or publishing a post sets an additional cookie storing only the post ID, expiring after 1 day. These contain no other personal data.
5.5 Managing cookies in your browser
You can also block or delete cookies through your browser settings. If you block essential cookies, parts of the Website may not work properly.
6. Embedded content from other websites
Articles may include embedded content (e.g. videos, images, social posts). Embedded content behaves as if you had visited the third-party site directly: those sites may collect data about you, set their own cookies, embed additional tracking, and monitor your interaction with that content, especially if you are logged in to them. We do not control these third-party practices.
7. How we keep your data secure
We take reasonable technical and organisational measures to protect your personal data against unauthorised access, loss, misuse or alteration, including HTTPS encryption in transit. No method of transmission or storage is completely secure, so we cannot guarantee absolute security. If you upload images, avoid images containing embedded location data (EXIF GPS), as visitors could extract that data.
8. International data transfers (server located in the USA)
The server that hosts this Website is located in the United States and is provided by InterServer, Inc. (PO BOX 1707, Englewood Cliffs, NJ 07632, USA). When you use the Website, your personal data (for example the IP address in our server logs, or any data you submit through a form) is therefore transferred to and stored in the United States, which is a country outside the European Economic Area (“EEA”).
Under Chapter V of the GDPR, such transfers are only lawful if an appropriate safeguard is in place. For the transfer of data to our hosting provider, that safeguard is an adequacy decision (Art. 45 GDPR):
InterServer, Inc. is an active participant in the EU–U.S. Data Privacy Framework and the UK Extension to the EU–U.S. DPF, self-certified with the U.S. Department of Commerce (original certification 13 January 2026; data category: non-HR data). This transfer is therefore covered by the European Commission adequacy decision of 10 July 2023 (Art. 45 GDPR), whose validity was confirmed by the General Court of the European Union on 3 September 2025. You can verify InterServer’s active certification on the official list: https://www.dataprivacyframework.gov/list (search “InterServer”). As a result, your data receives a level of protection essentially equivalent to that guaranteed within the EU, and no supplementary measures are required.
InterServer’s privacy policy and DPF commitments are available at https://www.interserver.net/privacy-policy.html. Under the Framework, InterServer must respond to privacy complaints within 45 days; the independent recourse mechanism is JAMS (https://www.jamsadr.com/DPF-Dispute-Resolution), with the U.S. Federal Trade Commission as the competent statutory body.
If we use any other US-based provider (such as Google Analytics), that provider likewise self-certifies under the Data Privacy Framework or relies on the Standard Contractual Clauses for the transfers it carries out; details are in its privacy policy.
You have the right to ask us, at any time, which transfer mechanism applies and to obtain information about the safeguards in place, by writing to the contact in Section 1.
9. Your rights under the GDPR
If you are in the EEA or UK, you have the right to:
- Access — obtain a copy of the personal data we hold about you;
- Rectification — correct inaccurate or incomplete data;
- Erasure (“right to be forgotten”) — have your data deleted, subject to legal retention obligations;
- Restriction — limit how we process your data in certain cases;
- Portability — receive certain data in a structured, machine-readable format;
- Object — object to processing based on legitimate interests, and at any time to direct marketing;
- Withdraw consent — where processing is based on consent, withdraw it at any time (without affecting prior processing);
- Lodge a complaint with a supervisory authority (see Section 10).
To exercise any of these rights, contact us using the details in Section 1. We will respond within the time limits required by law (normally one month). If you have an account or have left comments, you can request an exported file of your personal data or its erasure (excluding data we must keep for legal, administrative or security reasons).
10. How to complain
If you believe we have not handled your personal data lawfully, you can lodge a complaint with your local data protection authority. In Italy this is the: Garante per la protezione dei dati personali Piazza Venezia 11, 00187 Roma, Italy Web: https://www.garante.it — Email: [email protected]
You also have the right to complain to the supervisory authority in your own EU/EEA country of residence.
11. Links to other websites
The Website may contain links to third-party sites and resources. This Policy does not cover those third parties. Please read their privacy policies before submitting data to them.
12. Changes to this Policy
We may update this Policy from time to time to reflect changes in our practices, providers or the law. The “Last updated” date at the top shows the latest revision. Where a change materially affects how we use your data, we will take reasonable steps to inform you (for example, via a notice on the Website). Please review this page periodically.
13. Contact
For any question about this Policy or your personal data, contact us at: [email protected] — or via our contact page: https://chordsaround.com/contact/