Legal

Privacy Policy

Last Updated: May 8, 2025
Effective Date: 25/05/2018

1. Introduction and Scope

This Privacy Policy describes how Good Mood Lda ("Boom Festival," "we," "us," or "our") collects, uses, processes, and protects your personal information. This policy applies to:

  • Our main website (www.boomfestival.org), served by PTISP - Almouroltec - serviços de informática e internet, Lda.
  • Our public mobile application, "Boom Festival."
  • Our crew and staff mobile application, "Boomland Team."
  • All services offered by Boom Festival, including newsletter subscriptions, online application forms, ticket purchases, and participation in the festival.

We are committed to protecting your privacy and handling your data in an open and transparent manner. This policy is intended to comply with the EU General Data Protection Regulation (GDPR).

By using our website, mobile applications, or services, you acknowledge that you have read and understood this Privacy Policy.

2. Data Protection Officer (DPO)

If you have any questions about this Privacy Policy or our data protection practices, or if you wish to exercise your data protection rights, please contact our Data Protection Officer:

Email: dpo@boomfestival.org

3. What Information We Collect and Why

We collect various types of personal information for different purposes, aimed at providing and improving our services and festival experience.

a. Website (www.boomfestival.org)

  • Automatically Collected Data: When you visit our website, we may automatically collect technical data such as your IP address, device type/model, operating system, browser type, and browsing behavior (pages visited, time spent).
    • Purpose: To improve website functionality, user experience, security, and for statistical analysis.
    • Legal Basis (GDPR): Legitimate interest in maintaining and improving our website; Consent for non-essential cookies.

b. Newsletter Subscription

  • Data Collected: Email address.
    • Purpose: To send you regular newsletters with updates, news, and relevant information about Boom Festival and related activities.
    • Consent: We rely on your explicit consent to process your email address for newsletter subscriptions. You provide this consent when you subscribe. If you subscribed before May 25, 2018, and did not re-authorize the use of your data, your subscription was cancelled.
    • Legal Basis (GDPR): Consent. You can withdraw your consent at any time by unsubscribing via the link in our newsletters or by contacting our DPO.

c. Online Application Forms (e.g., for artists, volunteers, workshops, vendors)

  • Data Collected: Name, email address, gender, date of birth, phone number, postal address, country, and any other information relevant to the specific application (e.g., portfolio, experience, project proposals).
    • Purpose: To process and evaluate your application to participate in or contribute to Boom Festival.
    • Legal Basis (GDPR): Necessary for the performance of a contract (or pre-contractual steps) if your application leads to an agreement; Legitimate interest in managing festival participation; Consent for specific data uses if requested.

d. "Boom Festival" Public Mobile Application

  • Data Collected:
    • Device ID, IP address, operating system, app usage data (features used, time spent).
    • Precise location data: This is collected only when you are actively using the map feature within the app and only if you have granted explicit permission through your mobile device's operating system prompts.
    • Information you voluntarily provide within the app (e.g., schedule personalization, feedback).
    • If we implement analytics (e.g., via Google Analytics), anonymized or pseudonymized data about app usage may be collected.
  • Purpose:
    • To provide festival information (schedule, map, artist info).
    • To enhance your festival experience.
    • Precise location: To enable map functionality and help you navigate the festival grounds during active use.
    • To send push notifications (with your consent).
    • If analytics are implemented, to gather anonymous or pseudonymized analytics to improve the app.
    • To facilitate interactive features.
  • Legal Basis (GDPR):
    • Consent: For precise location data (via OS-level permission), push notifications, and any non-essential analytics tracking that may be implemented.
    • Legitimate Interest: For core app functionality and, if implemented, for anonymized/pseudonymized analytics aimed at app improvement (where consent is not the primary basis and an opt-out or user control is provided).
    • Performance of a service: If certain app features are directly linked to services you've requested (e.g., ticket-related features).

e. "Boomland Team" Crew Mobile Application

  • Data Collected:
    • Staff/volunteer ID, name, work and personal phone numbers, work and personal email addresses, job title, department, photo (stored in the employee/volunteer database).
    • Schedule information, task assignments.
    • Precise location data: This is collected only when you are actively using map-related features within the app for operational coordination and only if you have granted explicit permission through your mobile device's operating system prompts.
    • Device information (e.g., OS type for app functionality).
    • Communication logs within the app (if applicable for operational purposes).
  • Purpose:
    • To manage and coordinate festival crew and volunteers effectively.
    • To facilitate essential communication between team members and departments.
    • To ensure operational efficiency, manage schedules, and assign tasks.
    • For identification and access control within restricted areas.
    • Precise location: To enable map functionality for operational coordination and to assist crew members in navigating the site when actively using this feature.
    • To ensure safety and security on site.
  • Legal Basis (GDPR):
    • Necessary for the performance of a contract: For data essential to your employment or volunteer agreement (e.g., name, contact details, role, schedule).
    • Legitimate Interest: For managing festival operations, ensuring safety, and facilitating efficient team coordination (e.g., internal communication logs, operational use of job titles/departments).
    • Consent: For precise location data via OS-level permission, unless its collection is deemed strictly necessary for safety or essential operational duties explicitly covered under the contract and clearly communicated. For use of personal contact details for non-urgent communications where work channels are primary.
    • Legal Obligation: For certain staff data as required by employment or other applicable laws.

f. Ticket Purchases and Payments

  • Data Collected: Name, email address, billing address, payment information (processed by third-party payment providers), ticket type, and purchase history.
    • Purpose: To process your ticket orders, manage payments, issue tickets, and provide customer support related to ticketing.
    • Legal Basis (GDPR): Necessary for the performance of a contract (ticket purchase agreement).

g. Cookies and Tracking Technologies

We use cookies and similar tracking technologies (e.g., pixels, web beacons) on our website and potentially within our apps to obtain information about your visits and the device you use.

  • What are Cookies? Cookies are small text files stored on your device (computer, tablet, mobile) when you visit certain web pages.
  • Types of Cookies We Use:
    • Strictly Necessary Cookies: Essential for the website/app to function (e.g., session cookies, security cookies). These do not require consent but we inform you of their use.
    • Session Cookies: Temporary cookies that exist only while you use the website. They help remember your choices on previous pages, avoiding re-entry of information.
    • Performance/Analytical Cookies: Help us understand how users interact with our website and apps (e.g., Google Analytics). This data is often aggregated and anonymized. They help us learn how well our site and apps perform and how to improve them. We use these for analytics purposes.
    • Functionality Cookies: Allow our website/apps to remember choices you make (e.g., language preference) and provide enhanced, more personal features.
    • Marketing/Targeting Cookies: We use cookies for analytics purposes which may help us understand user engagement and improve our services. Under some privacy law definitions, analytical cookies that track behavior across sites or build profiles could be considered marketing or targeting cookies. We use these to refine our offerings and understand user interaction.
  • Your Choices: Most web browsers allow you to manage your cookie preferences. You can set your browser to refuse cookies or delete certain cookies. We will request your consent for non-essential cookies via a cookie banner or similar mechanism on our website. For information on managing your choices, you can also refer to your browser or device settings, our cookie consent tool, or general consumer choice platforms (e.g., the platform you mentioned, https://choice.inmobi.com/, may offer opt-outs for various third-party ad networks, though its direct applicability depends on the specific services we might use). Please note that if you choose to block or delete cookies, some parts of our website or services may not function properly.
  • Data from Cookies: This may include your IP address, pseudonymous identifiers, operating system, browser type, and statistical data about browsing actions and patterns.

4. Legal Basis for Processing (GDPR)

We process your personal data based on the following legal grounds under GDPR:

  • Consent: Where you have given us explicit consent for a specific processing purpose (e.g., newsletters, non-essential cookies, specific app features like precise location).
  • Contractual Necessity: Where processing is necessary for the performance of a contract with you (e.g., ticket purchase, application to participate, employment/volunteer agreement) or to take steps at your request before entering into a contract.
  • Legal Obligation: Where processing is necessary for compliance with a legal obligation to which we are subject (e.g., financial record keeping, responding to legal authorities, employment law obligations).
  • Legitimate Interests: Where processing is necessary for our legitimate interests or the legitimate interests of a third party, provided these interests are not overridden by your fundamental rights and freedoms (e.g., website security, improving our services, operational management for the crew app, anonymized analytics). We will always balance our legitimate interests against your rights.

5. How We Use Your Information

In addition to the specific purposes mentioned above, we may use your information to:

  • Provide, operate, and maintain our services, website, and apps.
  • Improve, personalize, and expand our services.
  • Understand and analyze how you use our services.
  • Develop new products, services, features, and functionality.
  • Communicate with you, either directly or through one of our partners, including for customer service, to provide you with updates and other information relating to the festival, and for marketing and promotional purposes (where consent is obtained).
  • Process your transactions.
  • Send you emails and notifications.
  • Find and prevent fraud and abuse.
  • Ensure the safety and security of our attendees, staff, and event.
  • Comply with legal obligations.

6. Data Storage and Retention

a. Where We Keep Your Data

All personal data collected is stored in secure data centers. The primary data centers we use are located within the European Union (EU) and are operated by companies complying with GDPR. If data is transferred outside the EU/EEA (e.g., through third-party service providers), we ensure appropriate safeguards are in place (see Section 10: International Data Transfers).

b. How Long We Keep Your Data

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. The retention periods vary depending on the type of data and the purpose of processing:

  • Invoices: Data related to financial transactions (e.g., invoices) is retained for up to 6 years, or as required by Portuguese law.
  • Tickets and Payments: Data related to ticket purchases and payments is retained for 24 months after the festival edition for which the ticket was purchased, or longer if required for dispute resolution or legal reasons.
  • Online Application Forms: Data from online forms (excluding Work and Volunteer applications that result in a contractual relationship) is retained for 24 months after the application period closes for that festival edition.
  • Work and Volunteer Application Data (Successful Applicants): Retained for the duration of the working/volunteering relationship and for a period thereafter as required by employment or contract law.
  • Newsletter Subscriptions: Your email address is retained as long as you remain subscribed. If you unsubscribe, your data will be deleted from our active mailing lists promptly.
  • "Boom Festival" App Data: User-specific data is retained for a maximum of 2 years after the last interaction or festival edition attended. Anonymized or aggregated analytics data (if collected) may be kept longer for statistical purposes. Precise location data is not stored long-term by us; it is used ephemerally to provide map functionality during your active use of that feature and is not retained once the map session ends or the permission is revoked.
  • "Boomland Team" App Data: Data is retained for the period defined in the worker's or volunteer's contract, or as long as necessary for operational, legal, or HR purposes related to their engagement with the festival. This includes contact details, role information, and photos stored in the employee/volunteer database. Specific retention periods for different data categories within this app will adhere to contractual agreements and applicable labor/data protection laws. Precise location data is not stored long-term; it is used ephemerally for map functionality during active use.
  • Cookies: The lifespan of cookies varies. Session cookies are deleted when you close your browser. Persistent cookies have varying expiry dates, detailed in our cookie settings/policy or consent management tool.

Upon expiry of the applicable retention period, your personal data will be securely deleted or anonymized.

7. Data Sharing and Third Parties

We do not sell your personal information. We may share your personal information with trusted third-party service providers to help us operate our services, website, and apps, or to perform services on our behalf. These third parties are contractually obligated to protect your data and use it only for the purposes for which it was disclosed.

a. Newsletter Partner

  • Information collected through Newsletter subscription (email address) is shared with our newsletter platform partner, Sendinblue.

b. Other Third-Party Service Providers

We may share other data with the following categories of organizations or specific services:

  • Social Media and Web Services: Google (Analytics, Cloud Services), Facebook (e.g., pixels for marketing, with consent), Twitter, Amazon Web Services (AWS for hosting/infrastructure), Freshdesk (customer support).
  • Ticketing and Payment Processing: PayPal, Weezevents, and other payment gateways. These providers process your payment information directly and are subject to their own privacy policies. We do not store your full credit card details.
  • Online Forms Management: JotForm.
  • App-Specific Third Parties:
    • "Boom Festival" App: If we choose to implement it, Google Analytics may be used for app usage statistics. Any such integration will be subject to appropriate consent mechanisms.
    • "Boomland Team" App: Currently, no third-party services are integrated for core data processing beyond standard device operating system functionalities that enable app features (like location services if permission is granted).
  • Legal Authorities: We may disclose your information if required by law, subpoena, or other legal process, or if we have a good faith belief that disclosure is reasonably necessary to (i) investigate, prevent, or take action regarding suspected or actual illegal activities or to assist government enforcement agencies; (ii) enforce our agreements with you; (iii) investigate and defend ourselves against any third-party claims or allegations; (iv) protect the security or integrity of our Service; or (v) exercise or protect the rights and safety of Boom Festival, our users, personnel, or others.

8. Data Security

We implement appropriate technical and organizational security measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include data encryption, access controls, secure servers, and regular security assessments.

However, please note that no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security.

9. Your Data Protection Rights (GDPR)

If you are within the European Economic Area (EEA), you have the following data protection rights under GDPR:

  • The right to access: You have the right to request copies of your personal data.
  • The right to rectification: You have the right to request that we correct any information you believe is inaccurate or complete information you believe is incomplete.
  • The right to erasure (right to be forgotten): You have the right to request that we erase your personal data, under certain conditions.
  • The right to restrict processing: You have the right to request that we restrict the processing of your personal data, under certain conditions.
  • The right to object to processing: You have the right to object to our processing of your personal data, under certain conditions, particularly where we rely on legitimate interests as our legal basis.
  • The right to data portability: You have the right to request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions, in a structured, commonly used, and machine-readable format.
  • The right to withdraw consent: If we are processing your personal data based on your consent (e.g., for precise location, newsletters), you have the right to withdraw that consent at any time. Withdrawing consent will not affect the lawfulness of processing based on consent before its withdrawal.
  • The right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement if you consider that the processing of your personal data infringes GDPR. In Portugal, the supervisory authority is the Comissão Nacional de Proteção de Dados (CNPD).

To exercise any of these rights, please contact our DPO at dpo@boomfestival.org. We will respond to your request within one month, or provide an explanation if an extension is needed.

10. International Data Transfers

Your personal information may be transferred to, stored, and processed in countries other than your own, including outside the European Economic Area (EEA), where our third-party service providers may be located.

While your data is primarily stored in EU data centers, some third-party services (e.g., Google, Facebook, PayPal, JotForm, AWS, Sendinblue) may be based in countries outside the EEA. When we transfer your data outside the EEA, we ensure a similar degree of protection is afforded to it by implementing appropriate safeguards, such as:

  • Ensuring the country has been deemed to provide an adequate level of protection by the European Commission.
  • Using Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Relying on the third party's Binding Corporate Rules (BCRs).
  • For transfers to countries like the US, we assess the provider's adherence to recognized data privacy frameworks where applicable.

By using our services, you acknowledge that such transfers may occur, and that we have implemented safeguards to protect your data.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. We will notify you of any material changes by posting the new Privacy Policy on our website and updating the "Last Updated" date at the top of this policy. We may also provide notice through our apps or via email if the changes are significant.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.

12. How to Contact Us

If you have any questions, comments, or concerns about this Privacy Policy or our data practices, please contact us:

Data Controller: Good Mood Lda Edifício Incubadora de Empresas Zona Industrial 6060-182 Idanha-a-Nova Portugal

Data Protection Officer: Email: dpo@boomfestival.org

PTISP - Almouroltec - serviços de informática e internet, Lda. is the service provider for the www.boomfestival.org website.