1. Introduction
1.1 Privacy of personal data represents one of the main concerns for MASSIF ESTATE SRL. As such, we aspire to provide the highest standards of privacy and transparency for the personal data we’re processing in our current activity.
1.2 Since for conducting our business we are required to process a series of personal data, especially in relation to the specifics of our line of business, we wish to provide assurances that the processing will take place in compliance with the principles of transparency and security of personal data. This privacy policy is meant to help you understand what data we’re collecting, why we’re collecting it and what we’re doing with it.
2. Who are we?
2.1 MASSIF ESTATE SRL is a Romanian company, established in Cluj-Napoca, Eremia Grigorescu, nr. 122A, registered with the Trade Register under no. J12/5924/07.12.2021, VAT number: RO36944344. MASSIF ESTATE SRL acts as operator of personal data collected through the www.bemassif.com website (the "website”), the ticket buying process by the buyer, the means of video monitoring and photo and video image capture within the Festival by persons authorized by MASSIF ESTATE SRL.
2.2 The operator is required to manage safely and solely for specified purposes, the personal data that the users of the website are providing.
3. What kind of data is processed, the purpose of processing and the storage period for and the legal basis for processing for each category of data?
3.1. For the purpose of purchasing a MASSIF product or service.
What data do we process? Name, surname, e-mail, phone, country, town, address.
Storage period: Until the end of the general prescription period of 3 years from the completion of the edition in which the ticket was bought or the edition about which the respective problem was reported.
Legal basis for processing: Art. 6 (1) letter b) - the processing is necessary for the execution of a contract to which the data subject is a party or to take steps at the request of the data subject before concluding a contract.
3.2. For the purpose of returning purchased products or solving a problem addressed to us.
What data do we process? Name, surname, e-mail, telephone number, IBAN and name of the account holder, as well as other information provided by e-mail or on other platforms to describe the problem.
Storage period: Until the end of the general prescription period of 3 years from the completion of the edition in which the ticket was bought or the edition about which the respective problem was reported.
Legal basis for processing: Art. 6 (1) letter b) - the processing is necessary for the execution of a contract to which the data subject is a party or to take steps at the request of the data subject before concluding a contract.
3.3. In order to ensure access to the perimeter of the festival and to provide the services to which the participant is entitled based on the ticket, to inform about the aspects related to the organisation and conduct of the event or any other offers and announcements related to the purchased product, to prevent fraud , abusive use and to check the validity of the ticket or subscription.
What data do we process? Name, surname, e-mail, phone number and ticket / wristband number for access to the festival.
Storage period: The data will be anonymized within 3 years from the last edition in which the person concerned participated in the Festival, if this was not previously requested.
Legal basis for processing: Art. 6 (1) letter b) - the processing is necessary for the execution of a contract to which the data subject is a party or to take steps at the request of the data subject before concluding a contract.
3.4. For internal purposes only, to carry out reports and surveys, organise access areas, create campaigns and dedicated activities, to respond to a request from public authorities, for complaints or complaints.
What data do we process? Sex, country, city, county, date of birth.
Storage period: These data are kept in the Organizer's archive without being associated with a natural person following the irreversible anonymization of personal data.
Legal basis for processing: Art. 6 (a) letter f) the processing is necessary for the purposes of the legitimate interests pursued by the operator or a third party.
3.5. For marketing purposes:
3.5.1. For commercial purposes promoting Massif products and services.
What data do we process? Name, surname, email address, phone number.
Storage period: Data will be anonymized upon withdrawal of consent or within 4 years at most if the data subject no longer reacts to any commercial message.
Legal basis for processing: Art. 6 (a) letter f) the processing is necessary for the purposes of the legitimate interests pursued by the operator or a third party.
3.5.2. In order to carry out surveys to improve the quality of the services we offer, telephone calls may be recorded with the consent of the person concerned.
What data do we process? Voice of the subject.
Storage period: Recorded calls will be deleted within 30 days from the time of recording.
Legal basis for processing: Art. 6 (1) (a) the data subject has given his consent for the processing of his personal data for one or more specific purposes.
3.6. In the REGISTER CAMPAIGN:
3.6.1. For the purpose of registering in the Register Campaign where the persons concerned register in a community where they receive recurring information about the latest promotions, campaigns, announcements, sales of tickets at a promotional price at the Massif Festival editions.
What data do we process? Name, surname, email address, phone number.
Storage period: Data will be anonymized upon withdrawal of consent or at most within 4 years from the last edition in which the person registered for the campaign. If the persons concerned bought a Ticket in this campaign, their personal data will be processed from this step forward in order to be able to ensure the purchased services and access to the Festival.
Legal basis for processing: Art. 6 (1) letter b - the processing is necessary for the execution of a contract to which the data subject is a party or to take steps at the request of the data subject before concluding a contract.
3.6.2. For internal purposes only for making reports and surveys, organizing artistic moments, creating the concept of the annual event, creating campaigns and dedicated activities.
What data do we process? Sex, country, county, date of birth.
Storage period: These data are kept in the Organizer's archive without being associated with a natural person following the irreversible anonymization of personal data.
Legal basis for processing: Art. 6 (a) letter f the processing is necessary for the purposes of the legitimate interests pursued by the operator or a third party.
3.7. In order to ensure the security of goods, premises and people, video monitoring means are used in the perimeter of the festival.
What data do we process? Image of visitors from the event.
Storage period: 20 days. Some data may be retained for a longer period if the retention is necessary for the investigation of fraud, for the defense of the rights in court of any of the Parties or in situations where it is necessary to comply with the requests made by the competent authorities.
Legal basis for processing: Art. 6 (a) letter f the processing is necessary for the purposes of the legitimate interests pursued by the operator or a third party.
3.8. To take photographs and videos during the event, subsequently used for journalistic, informational, commercial, marketing and promotion purposes of the event, Massif products and services or adjacent products and services, in its own name by Massif or by any partner or sponsor of the Massif Festival, as well as for the purpose of making NFT (Non-fungible token) and trading them on the relevant market.
What data do we process? Image of visitors from the event.
Storage period: Until the deletion request from the data subject or no more than 15 years from the time of completion of the edition in which they were made.
Legal basis for processing: Art. 6 (a) letter f the processing is necessary for the purposes of the legitimate interests pursued by the operator or a third party.
3.9. For the purpose of organising promotional campaigns and contests, as well as to ensure the sending of prizes.
What data do we process? Name, surname, e-mail, social media profile (if applicable), information included in comments in campaigns organised by the Organizer or in partnership with other partners.
Storage period: Until the expiry of the general limitation period of 3 years from the end of the campaign or contest.
Legal basis for processing: Art. 6 (a) letter f the processing is necessary for the purposes of the legitimate interests pursued by the operator or a third party.
3.10 In addition to the aforementioned purposes, we process the personal data collected for the following purposes:
For the fulfilment of legal obligations, as a result of the services provided (e.g. accounting, fiscal, audit, etc.), these are always compatible with the main purposes, for which the data was collected.
To the extent that the data subject has given their consent for the processing of their personal data for one or more specific purposes.
For any other purpose auxiliary to the above, or for any other purpose for which we have been provided with personal data, in compliance with the relevant legislation.
To protect our legitimate interests, overriding the interests or rights and fundamental freedoms of the data subject, taking into account their reasonable expectations based on the relationship with the operator:
To conduct market research and analysis that helps improve and customize our products and services.
For direct marketing purposes, to send communications of general interest or messages asking you to rate the quality of our services/products
For the management of the company's activity, the creation of internal reports that are used in the organization of the access and wristband pick-up areas of future editions, to organize dedicated campaigns and activities
To prevent or detect misuse of our intellectual property, fraud or other crimes.
To ensure security within the event, to resolve complaints related to fraud, criminal or contravention complaints, complaints related to the sale of tickets, cases where the Organizer needs to identify a person with the ticket series, to identify if that person entered the perimeter the festival and at what time, or to defend the company's rights in court.
3.11. In the situations in which we will use your data for purposes other than those mentioned in this Policy, we undertake to obtain your consent, unless we have a legal obligation or have a different legal basis for processing the data.
3.12. The Controller does not create individual profiles for those who participate at the Massif Festival.
4. How are we collecting your personal data?
4.1 We are collecting your personal data either directly from you, e.g. when you’re creating an account on our website/App, you’re sending us an e-mail at ask@wintermassif.com, in which you’re requesting us an offer / information, and you’re giving your consent for communication of commercial messages, , etc., or indirectly, e.g. when you’re sending this information to the platforms of other collaborators for our company, in the process of purchasing the ticker/pass.
4.2 We collect your personal data automatically, when you use our services from the website, we collect information through cookies and by logging your activity. For more information on the use of cookies, please refer to Art. 6 of this Policy.
4.3. If you choose to provide us with the personal data of others, such as when you purchase tickets on behalf of others, you are responsible for how you obtained these data and that you have a legal basis for processing them. We cannot be held liable for the violation of the rights of the respective persons.
5. How are we storing the personal data?
5.1 For storing the personal data you're providing as a user of our website / App, a cloud service provided by Amazon Web Services EMEA S.A.R.L. is used.
6. COOKIES
6.1 The website contains cookies (very small files sent to users' computers or other access devices).
6.2 There are two types:
6.2.1 Cookies based on their lifespan:
a) Session cookies
These are stored temporarily in the web browser's cookie folder to keep them until the user leaves the respective site or closes the browser window (for example, when logging in/logging out from an email or social media account).
b) Persistent cookies
These are stored on a computer's hard drive or device (and generally depend on the cookie's default lifespan). Persistent cookies also include those placed by a different website than the one the user is visiting at the moment, known as "third-party cookies," which can be used anonymously to store a user's interests to display the most relevant advertising to users.
6.2.2 Cookies based on their role:
a) Strictly necessary cookies
These types of cookies are required for web pages to function correctly. Strictly necessary cookies allow you to navigate the site and use its features. Without these cookies, certain features, such as automatic redirection to the least congested server or saving your wish list, cannot be provided.
b) Functional cookies
Functional cookies record information about the choices users make and allow website operators to customize the site according to user requirements. For example, cookies can be used to save preferences regarding categories/segments.
c) Performance and analytics cookies
These types of cookies allow website operators to monitor visits and sources of traffic, how users interact with the site or specific sections of the site.
The information provided by analytics cookies helps operators understand how visitors use websites and then use this information to improve how the content provided to users is presented.
d) Advertising cookies
These cookies can provide the ability to track users' online activities and create profiles for users, which can be used later for marketing purposes. For example, cookies can be used to identify products and services approved by a user, and this information is later used to send appropriate advertising messages to that user.
6.3. Accessing the site implies users' consent to the placement of these types of cookies on their device and their access on the next site visit.
6.4. In general, data about internet browsing activity is collected and analyzed anonymously. If this analysis reveals a specific interest, a cookie (a small text file used by most websites to store certain information useful for improving the browsing experience) is placed on the user's computer, and this cookie determines the type of advertising the user will receive, known as interest-based advertising.
6.5. You can see all the cookies used by our website in the Cookies Notice at the bottom of the page. You can withdraw your consent to the use of cookies at any time by changing the options in the appropriate cookie settings available. Blocking necessary cookies in your browser may also affect proper functioning. Disabling other types of cookies (other than necessary) may also affect your experience using the site.
6.6. The site may use or implement third-party social modules. In general, your interaction with such a module allows third parties to collect certain information about you, including your IP address, information from the page header, and information from your browser. The site has implemented the following buttons for social networks:
-> Facebook https://www.facebook.com/privacy
-> Instagram https://help.instagram.com/519522125107875
-> WhatsApp https://www.whatsapp.com/security
7. To whom we’re disclosing your personal data?
7.1 For fulfilling the processing purposes, MASSIF ESTATE SRL may disclose your personal data to partners, third parties or entities supporting MASSIF ESTATE SRL in the conduct of their business, or to central / local public authorities, in the following cases listed as examples:
1. To our service providers and contractual partners, for example: marketing and advertising service providers; to our partner in charge of ensuring access to the Festival venue; to IT service provider; to courier services, payment services, banking services, etc. This data will be provided to the extent necessary and only on the basis of a confidentiality agreement from the contractual partners, which guarantees that this data is kept safe and that its processing is done according to the legislation in force;
2. To the accountants, auditors, lawyers, insurers or other such external advisers Operator might employ. This data will be provided to the extent necessary and only on the basis of a confidentiality agreement from the contractual partners, which guarantees that this data is kept safe and that its processing is done according to the legislation in force;
3. Authorities, institutions and public bodies, if there is a legal request from them or to the extent that there is a legal obligation from us;
4. The operator will be able to disclose this data whenever the law requires it, or in the case in which this action is necessary to allow the exercise of the rights provided by the law and / or to be able to take legal action against any illegal activity;
5. Your personal data may be transferred to third countries, based on the contractual relationships we have with our partners (both affiliates and other entities in the European Union) in order to compile statistics and other types of reports;
8. How long do we store your personal information?
8.1 As a matter of principle, we will process your personal data only to the extent necessary to achieve the processing purposes mentioned above. For more details about our data retention policy for certain specific processing, please review the information from Art.3.

9. Your rights related to personal data processing:
9.1. When the processing is based on consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of the processing carried out on the basis of consent before its withdrawal. You can therefore change or remove consent at any time, and we will act immediately accordingly, unless there is a legal reason or legitimate interest not to do so.

9.2. If we process your data based on our or third parties' legitimate interest, you can object to that processing for reasons related to your particular situation. In some cases, our legitimate interest or that of third parties may outweigh yours and we will not be able to accommodate your request to object to processing.

9.3. As a data subject, you benefit from a series of specific rights guaranteed by the General Data Protection Regulation no. 679/2016 (GDPR) and the legislation in force in Romania regarding the protection of personal data:

9.3.1. The right to information
The persons concerned whose personal data are processed within our specific activities have the right to receive from us information about the processing operations carried out in our capacity as data operator.

9.3.2 Right of access
You have the right to obtain from us a confirmation of whether or not we are processing personal data concerning you.
If we confirm that we have your personal data, you have the right to access it and obtain a series of relevant additional information.

9.3.3. The right to rectification
You have the possibility to obtain from the data operator, the rectification of inaccurate data concerning you or the completion of personal data that are incompletely recorded in our internal records.

9.3.4. The right to data erasure (“the right to be forgotten”)
You have the right to request that we delete the personal data that we process about you. We must comply with this request if:
a) personal data are no longer necessary to fulfill the purposes for which they were collected;
b) you oppose the processing for reasons related to your particular situation;
c) personal data were processed illegally;
d) personal data must be deleted to comply with a legal obligation that rests with us, except for the case where the data is necessary:
• for exercising the right to free expression and information;
• to comply with a legal obligation we have;
• for archiving purposes in the public interest, scientific or for historical studies or for statistical purposes;
• for ascertaining, exercising or defending a right in court.

9.3.5. The right to restriction of processing
You can ask us to restrict the processing of your personal data when:
• contest the accuracy of the personal data that we process, during the period that we check the accuracy of the data;
• data processing is illegal, but instead of requesting the deletion of personal data, you want to restrict their processing;
• the personal data are no longer necessary for us to achieve the purpose for which they were processed, but you request that data from us for ascertaining, exercising or defending a right in court;
• you objected to the processing and request restriction while we check whether it receives our legitimate interest for the processing.

9.3.6. The right to data portability
You have the right to obtain your data from us in a structured, commonly used and machine-readable format.

9.3.7. The right to opposition
At any time, the data subject has the right to object, for reasons related to the particular situation in which he is, to the processing. The operator no longer processes personal data, unless the operator demonstrates that it has legitimate and compelling reasons that justify the processing and that prevail over the interests, rights and freedoms of the data subject or that the purpose is to ascertain, exercise or defend a right in court.
You can object at any time to the processing of your personal data for direct marketing purposes, whatever your reason.

9.3.8. The right not to be the subject of a decision based exclusively on automatic processing, including the creation of profiles
This right is applicable if the automated individual decision-making process produces legal effects that concern or affect you to a significant extent.

9.3.9. The right to file a complaint
If you have a complaint about the way we process your personal data, please contact us in order to solve your problem using the following contact details:
E-mail: ask@wintermassif.com.
Address: str. G-ral Eremia Grigorescu, nr. 122 A, Cluj-Napoca, Cluj County.
You can also file a complaint regarding the processing of your data with the National Authority for the Processing and Supervision of Personal Data (B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, postal code 010336, Bucharest, Romania, www.dataprotection.ro, anspdcp@dataprotection.ro).

Please keep in mind the following aspects of interest, related to the method of analysis and response to the request for the exercise of rights:

We will make every effort to respond to your request within 30 days. This period can be extended due to reasons related to the specific legal right invoked or the complexity of your request with a maximum additional period of two months. In any case, if the legal response deadline will be extended, then we will inform you about the new deadline and the reasons that led to this extension.

10. Information security
10.1 We are working hard to protect our website, App and users, as well as all personal data collected in accordance with this Policy, from any unauthorized access or from the modification, unauthorized disclosure or destruction of the information we hold.
10.2. In this regard:
MASSIF ESTATE SRL certifies that it meets the minimum requirements for the security of personal data, the data being processed in a way that provides protection against unauthorized or illegal processing and against accidental loss, destruction or damage, by taking appropriate technical or organizational measures;
or the data collected through the website and the App, in order to ensure access to the festival, MASSIF ESTATE SRL uses a cloud service provided by Amazon Web Services EMEA SARL. Therefore, the security settings provided by Amazon are used. Access to data is done in a whitelist of security groups, which means that data can only be accessed from certain pre-defined IP addresses. Access is based on username and password, and within MASSIF ESTATE SRL access to the database is allowed to a limited number of persons.
The used data storage systems have implemented back-up mechanisms to ensure the redundancy of the stored data.
We are regularly reviewing the practices for collecting, storing and processing information, including physical information, as well as security measures, to prevent unauthorized access to the systems.
We are restricting the access of our employees and contractors to your personal information, and the contractual relations with these persons are subject to strict rules regarding contractual confidentiality obligations, including under the sanction of termination of contracts.
11. When does this Privacy Policy apply?
11.1. Our privacy policy applies to all services offered by our company and excludes services that have separate privacy policies and do not contain the provisions of this privacy policy.
12. Amendments
12.1 We will post any privacy policy changes on our page, which will take effect within one day and, if the changes are material, we will provide more prominent notice (including, for certain services, email notification of policy changes of confidentiality).
12.2. We will also keep previous versions of this Privacy Policy on file for your review at any time.

The most recent update of this policy was made on the 15th of November, 2023.