Rocklab

Privacy Policy

Last Updated: April 2026

This Privacy Policy describes how Rocklab One collects, uses, and protects your personal data when you use our membership portal. We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and Luxembourg data protection law.

This Privacy Policy is provided by établissement public Centre de Musiques Amplifiées - Rockhal, 5 Avenue du Rock 'n' Roll, L-4361 Esch/Alzette, Luxembourg.

1. Data Controller

The data controller responsible for your personal data is:

Legal Entity: établissement public Centre de Musiques Amplifiées - Rockhal

Address: 5, Avenue du Rock 'n' Roll, L-4361 Esch/Alzette, Luxembourg

Email: mydata@rockhal.lu

Phone: (+352) 24 555-611

2. Personal Data We Collect

2.1 Information You Provide

When you create an account or use our services, we collect:

  • Account Information: Name, email address, password (hashed), phone number, date of birth
  • Profile Information: Biography, profile photo, social media links, musical interests
  • Artist/Band Information: Band name, role, genre, EPK materials (photos, videos, music samples)
  • Membership Details: Membership type, status, subscription information
  • Booking Information: Room reservations, dates, times, purposes
  • Communication Data: Messages, posts, comments, reactions
  • Payment Information: Processed by third-party payment providers (we do not store full card details)

2.2 Information We Collect Automatically

  • Usage Data: Pages visited, features used, time spent, clicks
  • Device Information: IP address, browser type, operating system, device type
  • Session Data: Login times, authentication tokens, session duration
  • Cookies: See our Cookie Policy for details

3. Legal Basis and Purposes of Processing

We process your personal data based on the following legal grounds under GDPR Article 6:

Contract Performance (Art. 6(1)(b))

Processing necessary to provide our membership services:

  • Account creation and authentication
  • Profile and EPK hosting
  • Room booking and subscription management
  • Event registration, waitlist management, and reminders
  • Community directory access
  • Support ticket management (we keep the message you send us via the “Contact Support” form, your email address, and any internal notes from our team while we work on your request)
  • Post board and community content (including automated content safety screening of submitted posts before publication, see section on Automated Decision-Making)
  • Room access via QR code (entry/exit logging)

Legal Obligation (Art. 6(1)(c))

Processing required by law:

  • Financial record keeping (10 years under Luxembourg law — Article 16 of the Luxembourg Commercial Code)
  • Tax compliance
  • Response to legal requests

Legitimate Interests (Art. 6(1)(f))

Processing necessary for our legitimate interests:

  • Security and fraud prevention
  • System monitoring and troubleshooting
  • Service improvement and development
  • Recording attendance at Rocklab events and services (registered, attended, cancelled in time, or no-show), based on scanned tickets or manual confirmation, to manage capacity, follow up individually with members where useful, and produce aggregated engagement statistics. No automated exclusion is applied; any restriction on future registrations would be decided case by case after dialogue with the member, as described in the Ticketing Terms.
  • Administrative reporting within the admin dashboard (no external BI or analytics tools are used)
  • Expert tagging for Rocklab activities (members are notified and may request removal)
  • Maintaining a directory of partner organisations (name, contact details, type) so members can identify and contact relevant institutions, venues, and service providers. Listed organisations may request modification or removal at any time by writing to rocklabone@rockhal.lu. Event-level linking is not part of this version.
  • Private administrative notes on member profiles (objective, neutral, periodically reviewed)
  • Post-event feedback collection

Consent (Art. 6(1)(a))

Processing based on your explicit consent:

  • Marketing communications (newsletter)
  • Optional analytics cookies
  • Public profile visibility settings
  • Promotional material usage
  • Public-facing EPK pages (disabled by default, member-controlled)
  • Image rights for profile photos
  • International expert profile creation (non-member experts)
  • Public voting for selection programs (artist consent required)

4. Data Sharing and Recipients

We may share your personal data with the following categories of recipients:

4.1 Service Providers (Data Processors)

  • Butterfly (Rockhal): Image hosting and content delivery - Internal service
  • Ticketmatic: Event ticketing and registration. When you register for events, you may be redirected to Ticketmatic to complete your registration. - Privacy Policy
  • Delight: Marketing emails and newsletter delivery. Only members who have explicitly opted in to the Rocklab newsletter are added to Delight; you can withdraw consent at any time from Profile - Settings or via the unsubscribe link in any newsletter email. - Privacy Policy
  • Anthropic (Claude API): Automated content moderation of post-board submissions. The text and images of a post are sent to the Claude API to be classified for safety (hate speech, harassment, illegal content, etc.) before the post is published; the API operates under Anthropic's Zero Data Retention arrangement, meaning the content is discarded after the verdict is returned and is not retained or used for training. - Privacy Policy
  • Hosting Provider: Server infrastructure and database hosting
  • Email Service: Transactional email delivery

4.2 Other Portal Members

Information in your public profile and EPK is visible to other authenticated members according to your privacy settings. You can control profile visibility in your account settings.

4.3 Legal Authorities

We may disclose your data when required by law, court order, or to protect our legal rights.

5. International Data Transfers

Your personal data is primarily stored and processed within the European Economic Area (EEA). However, some of our service providers may process data outside the EEA:

  • Data transfers are protected by appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission
  • Some providers may be covered by adequacy decisions (e.g., EU-US Data Privacy Framework for certain US companies)
  • We ensure all international transfers comply with GDPR Chapter V requirements

For more information about specific safeguards in place, please contact us at mydata@rockhal.lu.

6. Data Retention

We retain your personal data only for as long as necessary for the purposes outlined in this policy:

| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Active Account Data | Duration of membership + 3 years | Contract performance, legitimate interests |
| Deleted Account Data | Anonymized immediately, metadata 3 years | Legal obligation, legitimate interests |
| Financial Records | 10 years | Luxembourg legal obligation (Art. 16 Commercial Code) |
| Authentication Sessions | 7-28 days (or until logout) | Security, legitimate interests |
| System Logs | 90 days (security logs: 1 year) | Security, troubleshooting |
| Event Attendance Records | 3 years from the date of the event (aggregated statistics may be retained longer in anonymised form) | Legitimate interests (engagement monitoring, capacity management) |
| Marketing Consent | Until withdrawal or 3 years inactivity | Consent management |

For detailed retention information, see our Data Retention Policy.

7. Your Rights Under GDPR

You have the following rights regarding your personal data:

Right to Access (Art. 15)

You can view your personal data in your profile settings or request a complete copy by using the "Download My Data" feature.

Right to Rectification (Art. 16)

You can update your personal information at any time through your profile settings. Your email address is used as your login identifier and cannot be changed by you directly; to request an email change, please contact us at mydata@rockhal.lu and a Rocklab administrator will update it on your behalf.

Right to Erasure (Art. 17)

You can remove your account at any time through two independent paths, both accessible from Settings → Data & Account:

  • Deactivate My Account: your profile is hidden from the community and you are signed out of all devices, but your personal data is preserved for a 6-month grace period. You can reactivate by logging back in during that period. After 6 months of inactivity, your account is permanently anonymised by an automated job.
  • Delete My Account: your personal data is anonymised immediately, with no grace period. This action cannot be undone.

In both cases, financial and ticketing records are retained for the period required by Luxembourg law (10 years under Article 16 of the Luxembourg Commercial Code), as set out in our Data Retention Policy.

Right to Data Portability (Art. 20)

You can export your data in JSON format using the "Download My Data" feature in your profile settings.

Right to Restrict Processing (Art. 18)

You can request to restrict processing of your data while we verify accuracy or assess your objection. Use the "Restrict My Account" option in Settings.

Right to Object (Art. 21)

You can object to processing based on legitimate interests. Contact us at mydata@rockhal.lu to file an objection.

Right to Withdraw Consent (Art. 7(3))

You can withdraw consent for marketing communications, analytics cookies, and other consent-based processing at any time through Settings → Privacy & Consent.

Right to Lodge a Complaint

You have the right to lodge a complaint with the Luxembourg National Commission for Data Protection (CNPD):

Commission Nationale pour la Protection des Données (CNPD)

15, Boulevard du Jazz, L-4370 Belvaux, Luxembourg

Website: cnpd.public.lu

Response Time: We will respond to your requests within one month. In complex cases, we may extend this by two additional months and will inform you of any delay.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

  • Encryption: HTTPS/TLS for data transmission, bcrypt for password hashing
  • Authentication: Secure session management with JWT tokens and CSRF protection
  • Access Control: Role-based access, principle of least privilege
  • Monitoring: Security logging, intrusion detection, regular security audits
  • Incident Response: Documented breach notification procedures

While we strive to protect your data, no internet transmission is completely secure. You are responsible for maintaining the confidentiality of your account credentials.

9. Minors' Privacy

The Portal is reserved for natural persons who have reached the age of majority (eighteen (18) years). We do not knowingly collect or process personal data of persons under the age of eighteen (18). If you believe that personal data of a person under the age of eighteen (18) has been processed through the Portal, please contact us immediately at mydata@rockhal.lu so that we may delete the data and terminate the relevant Account.

10. Automated Decision-Making

We operate one piece of automated decision-making that you should be aware of: post-board content moderation. When you submit a post to the community board, the text and any attached images are sent to the Claude API (Anthropic) for an automated safety check (hate speech, harassment, illegal content, copyright concerns and similar). A post that the classifier identifies as clean is published automatically; a post that the classifier flags is held in a moderation queue and reviewed by a Rocklab administrator before any final decision. Anthropic operates this API for us under a Zero Data Retention arrangement, meaning the content is discarded after the verdict is returned and is not retained or used for training.

The legal basis for this processing is GDPR Art. 22(2)(b): the automated decision is necessary for the performance of the membership contract, since the safety screen is what makes a community board for 1500+ members operationally viable. We have implemented the safeguards required by Art. 22(3): (i) every flagged post is reviewed by a human Rocklab administrator before it can be rejected, so no rejection takes place without human involvement; (ii) you have the right to obtain a copy of the moderation decision and the reason for it; and (iii) you have the right to contest any decision by writing to rocklab@rockhal.lu. If your post is rejected, you will be notified with the category of reason and you can edit and resubmit it.

Beyond post-board moderation, we do not use automated decision-making or profiling that produces legal or similarly significant effects on you within the meaning of Art. 22(1). Other automated processing (such as login rate-limiting, account-lockout protection and basic spam filtering) is subject to human review and you can contest decisions by contacting us.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service offerings. Material changes will be communicated through:

  • Email notification to registered members
  • Prominent notice on the portal
  • Updated "Last Updated" date at the top of this policy

Continued use of the portal after changes constitutes acceptance of the updated policy.

12. Contact Information

For questions about this Privacy Policy or to exercise your rights, please contact us:

Data Protection Contact: mydata@rockhal.lu

General Inquiries: rocklab@rockhal.lu

Phone: (+352) 24 555-611

Address: 5, Avenue du Rock 'n' Roll, L-4361 Esch/Alzette, Luxembourg

© 2026 Rocklab. Part of the Rockhal family.