@2020 - All Right Reserve by Fuzzy Lulu
Home Privacy Policy

Privacy Policy

by Fuzzy Lulu

Effective date: 2025-08-23. Last updated: 2025-08-23.

Plain English summary

We collect personal data to provide our services, process payments, and improve content. You have rights under GDPR to access, correct, and request deletion of your data. Contact [email protected] for requests.

1. Data controller

Controller: Fuzzy Lulu’s Music Garden
Email (privacy): [email protected]

2. Data we collect & categories

  • Account data: name, email, username, password hash — purpose: account management — lawful basis: performance of contract / legitimate interest for account security.
  • Payment data: payment processor tokens, billing info — purpose: payments — lawful basis: performance of contract. We do not store full card numbers.
  • Children’s data: user-generated content from minors (drawings, audio), parental contact details — purpose: parental consent and service delivery — lawful basis: consent (verifiable parental consent).
  • Analytics & usage: IP (anonymized), cookies, device info — purpose: site analytics and improvement — lawful basis: legitimate interest (balancing test) or consent for marketing/analytics where required.
  • Communications: support emails, marketing (if you consent) — lawful basis: consent for marketing; legitimate interest for service messages.

3. Lawful bases & purposes

We rely on one or more lawful bases: (a) performance of a contract; (b) consent (for marketing, profiling, certain cookies); (c) legitimate interest (analytics, fraud prevention). Where we rely on legitimate interest, we perform a balancing test and provide you the right to object.

4. Children & parental consent

We do not knowingly collect personal data from children without verifiable parental consent. Our default child age threshold is 16 unless local law requires a lower age (e.g., 13 in some countries). For children’s accounts or content submission we require parental verification via [email confirmation/ID/consent form]. See our Parental Consent page.

5. Cookies & tracking

See our Cookie Policy. We will not enable analytics/marketing cookies until you give consent (where required under EU law).

6. Data retention

  • Account data: retained while account is active + 3 years after last activity unless deletion requested.
  • Payments & billing: retained for 7 years for tax/accounting and legal obligations (or as required by local law).
  • Analytics: aggregated/anonymized data retained for up to 26 months.
  • Parental consent records: retained for as long as necessary to demonstrate lawful consent + 3 years.
  • User content: retained until removed by user or by us for policy reasons; child content removed upon verified parental request.

7. International transfers

We use third-party processors that may transfer data outside the EU. Where transfers occur, we rely on adequacy decisions, standard contractual clauses (SCCs), and/or other safeguards. You may request details of transfer mechanisms via [email protected].

8. Processors & third parties

We may share data with processors such as YouTube, Google Analytics, Stripe, PayPal, Mailchimp. We require processors to sign a DPA and apply appropriate security measures.

9. Your rights (GDPR)

  • Right to access personal data
  • Right to rectification
  • Right to erasure (“right to be forgotten”)
  • Right to restriction of processing
  • Right to data portability
  • Right to object to processing (including profiling/legitimate interest)
  • Right to withdraw consent at any time

To exercise rights, contact: [email protected]. We will respond within statutory timeframes (generally 1 month; may extend in complex cases).

10. Security

We use reasonable technical and organizational measures (HTTPS, access controls, encryption where appropriate) to protect personal data. No transmission over the internet is 100% secure.

11. Automated decisions & profiling

We do not perform significant automated decision-making that has legal or similarly significant effects. If we introduce such processing we will notify you and obtain consent where required.

12. Contact & supervisory authority

Privacy contact: [email protected]
Complaints: You may lodge a complaint with your local supervisory authority (e.g., Ireland Data Protection Commission).

Template only — have an EU lawyer review.