Privacy policy

PRIVACY POLICY (GDPR)

1. Controller: Legacy Fan [legal name], Dover, Delaware. Contact: info@legacy-fan.com.

2. Data we process. Sign-up and profile data (first name, last name, email, phone, country), purchase and membership data, and technical browsing data. We do not store full card data: payment is processed by the gateway (PayPal).

3. Purposes and legal basis. (a) Manage your account, reservation, payment and membership — contract performance. (b) Service communications — contract performance. (c) Newsletter and marketing — consent. (d) Legal and tax compliance — legal obligation. (e) Fraud prevention and security — legitimate interest.

4. Retention. We keep data while the relationship lasts and, afterwards, for the applicable legal periods (tax, accounting).

5. Recipients and processors. We share data with service providers: payment gateway (PayPal), email delivery (Resend), hosting (Railway) and, where applicable, carriers. They act as processors under contract.

6. International transfers. Some providers may be outside the EEA; in that case appropriate safeguards apply (standard contractual clauses or others).

7. Your rights. Access, rectification, erasure, objection, restriction and portability. To exercise them write to info@legacy-fan.com. You may lodge a complaint with the competent supervisory authority.

8. Security. We apply reasonable technical and organisational measures (hashed passwords, access control, secure connections).

9. Minors. The service is not directed at minors.

10. Changes. We may update this policy; the current version will be published on this page.