go.yamazaki.hu — operated by Quarium Kft. (Yamazaki Entertainment)
Last updated: March 18, 2026
The data controller responsible for the processing of your personal data on this website is:
Throughout this document, "we", "us", "our", and "Yamazaki" refer to Quarium Kft.
This Privacy Policy applies to all personal data processed through the website go.yamazaki.hu and its subpages, including all song landing pages, the bio page, newsletter archives, and any forms or interactive features hosted on the domain.
This policy has been prepared in accordance with:
By using our website, you acknowledge that you have read and understood this policy. Where processing is based on consent, we will request your affirmative, informed, and freely given consent before collecting any non-essential data.
We process personal data under the following legal bases as defined in GDPR Article 6(1):
| Legal Basis | GDPR Article | When We Rely on It |
|---|---|---|
| Consent | Art. 6(1)(a) | Marketing cookies, email subscriptions, Spotify/Discord OAuth connections, ad tracking (Meta, TikTok), browser fingerprinting |
| Contract performance | Art. 6(1)(b) | Shopify order processing and fulfilment |
| Legal obligation | Art. 6(1)(c) | Retention of consent records (Art. 7(1) GDPR), financial/accounting records, audit and deletion logs |
| Legitimate interest | Art. 6(1)(f) | Bot detection and security (IPQS), anonymous aggregate analytics, IP address processing for GeoIP lookup, transactional email delivery |
Where we rely on legitimate interest, we have carried out a balancing test to ensure that our interests do not override your rights and freedoms. You may request a copy of our legitimate interest assessments by contacting us.
When you visit any page on go.yamazaki.hu, we automatically collect the following data:
Subject to your consent (except for the essential consent-state cookie), we set the following identifiers:
See Section 18 (Cookie Policy) for a complete cookie table.
When you actively interact with features on our site, we collect additional data. Each of these requires your explicit consent via our consent banner or an action-specific consent gate.
When you click a Spotify action button (e.g., "Save on Spotify", "Follow on Spotify", "Follow playlist"), you are redirected to Spotify's authorization page. If you grant permission, we receive:
We store OAuth tokens securely in order to execute pre-save actions on your behalf (e.g., automatically saving a track to your library on release day). You can revoke this access at any time through your Spotify account settings at spotify.com/account/apps or by submitting a data request to us.
When you click "Join the Discord", you are redirected to Discord's authorization page. If you grant permission, we receive:
This data is used to add you to the Yamazaki Discord server and to link your Discord identity to your fan profile. You can revoke access through your Discord account settings at any time.
When you purchase merchandise through our Shopify store, Shopify acts as both a joint controller and a processor. We receive the following data from Shopify via webhook:
We do not receive or store your payment card details, billing address, or shipping address. Those are processed exclusively by Shopify. Please refer to Shopify's Privacy Policy for details on their data handling.
For every consent interaction, we record:
Consent records are retained for 5 years as required by GDPR Article 7(1), which obliges us to demonstrate that consent was validly obtained. These records are never deleted upon a standard erasure request, as their retention is a legal obligation.
We process personal data for the following specific purposes:
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Fan engagement analytics (understanding how fans discover and interact with Yamazaki's music) | IP, user agent, device type, geo, page views, clicks, sessions, referrer, UTM, visitor ID, fingerprint hash | Consent (for cookies/fingerprint); Legitimate interest (for anonymous aggregates) |
| Marketing campaign measurement and attribution | Click IDs (fbclid, ttclid), UTM parameters, conversion events, hashed email, hashed IP | Consent |
| Email marketing (newsletters, release announcements) | Email address, subscriber tags, merge fields | Consent |
| Executing pre-saves and actions on Spotify | Spotify OAuth tokens, user ID, email | Consent |
| Discord community management | Discord user ID, username, email, avatar | Consent |
| Merchandise order tracking and attribution | Email, order details, landing site URL | Contract performance; Consent (for attribution) |
| Bot detection and abuse prevention | IP address only | Legitimate interest |
| GeoIP lookup (determining visitor country for analytics) | IP address (processed locally, not shared) | Legitimate interest |
| Transactional email (confirmation messages, data request responses) | Email address | Legitimate interest |
| Compliance with legal obligations (demonstrating consent, financial records) | Consent records, anonymised order totals, audit logs | Legal obligation |
We use cookies and similar technologies to identify visitors, measure engagement, and attribute marketing campaigns. Non-essential cookies are only set after you grant consent through our cookie banner.
A cookie is a small text file placed on your device by a website. Cookies allow the website to recognise your device on subsequent visits. Some cookies are essential for the website to function; others help us understand how you use the site or enable marketing features.
In addition to cookies, we generate a probabilistic browser fingerprint by hashing publicly available browser attributes (such as screen resolution, timezone, installed fonts, and WebGL renderer). The resulting hash (stored in the yz_fp cookie) is used alongside the visitor ID cookie to improve visitor identification accuracy. This technique is subject to the same consent requirements as non-essential cookies. The original browser attributes are not stored; only the one-way hash is retained.
For a complete list of all cookies we set, their purposes, durations, and classification, see Section 18 (Cookie Policy).
You can withdraw your cookie consent at any time by clearing your browser's cookies for go.yamazaki.hu, which will cause our consent banner to reappear on your next visit. You may also manage cookies through your browser settings. Note that blocking essential cookies may prevent the consent mechanism from functioning correctly.
We share personal data with the following third parties, only to the extent necessary for the stated purpose. We do not sell personal data.
| Recipient | Data Shared | Purpose | Legal Basis |
|---|---|---|---|
| Meta Platforms, Inc. (Facebook/Instagram) | Hashed email, IP address, user agent, geographic data, conversion events, click IDs (fbclid) | Conversions API — measuring ad campaign effectiveness | Consent |
| TikTok (ByteDance) | Hashed email, IP address, user agent, geographic data, conversion events, click IDs (ttclid) | Events API — measuring ad campaign effectiveness | Consent |
| Spotify AB | OAuth authorization; Spotify receives confirmation that you authorized our application | Executing saves, follows, and playlist follows on your behalf | Consent |
| Discord Inc. | OAuth authorization; Discord receives confirmation that you authorized our application and bot server join | Adding you to the Yamazaki Discord server; linking your Discord profile | Consent |
| Intuit Inc. (Mailchimp) | Email address, merge fields (name, tags, source) | Email marketing: sending newsletters and release announcements | Consent |
| Shopify Inc. | Order data (email, line items, totals, landing URL) | E-commerce order processing and fulfilment | Contract performance |
| IPQualityScore (IPQS) | IP address only | Bot detection and fraud prevention | Legitimate interest |
| Resend / SMTP provider | Email address | Delivering transactional emails (e.g., data request confirmations) | Legitimate interest |
| MaxMind Inc. | None — GeoIP lookups are performed against a locally hosted MaxMind GeoLite2 database. Your IP address is never sent to MaxMind. | Geographic lookup for analytics | N/A (no data sharing occurs) |
Each third-party processor operates under its own privacy policy. We encourage you to review them:
We retain personal data only for as long as necessary for the purposes stated in this policy or as required by law. The following table specifies our retention periods for each category of data:
| Data Category | Retention Period | Legal Basis for Retention |
|---|---|---|
| Email address, display name, Spotify profile data, Discord profile data | 3 years from last interaction | Consent |
| IP addresses | 1 year | Legitimate interest |
| Consent records (consent state, timestamp, trigger method) | 5 years | Legal obligation (GDPR Art. 7(1)) |
| Anonymous aggregate analytics (no personally identifiable information) | 7 years | Legitimate interest |
| Ad attribution data (non-PII campaign performance) | 7 years | Legitimate interest |
| Follower count snapshots (aggregate, no PII) | Indefinite | Legitimate interest (no personal data involved) |
| Discord member records | 3 years from last interaction | Consent |
| Shopify orders (containing personal data) | 3 years from order date | Consent + Contract performance |
| Shopify order totals (anonymised, financial records) | 7 years | Legal obligation (Hungarian accounting law) |
| Spotify stream records | 3 years | Consent |
| Audit and deletion logs | 7 years | Legal obligation |
When a retention period expires, data is either permanently deleted or irreversibly anonymised so that it can no longer be linked to an identifiable individual. Anonymised data may be retained indefinitely for statistical purposes.
Under the GDPR (Articles 15 through 22) and Hungarian data protection law (Infotv.), you have the following rights regarding your personal data:
You have the right to obtain confirmation as to whether we process your personal data, and if so, to receive a copy of that data along with information about the purposes, categories of data, recipients, retention periods, and the source of the data.
You have the right to request that we correct any inaccurate personal data and complete any incomplete personal data concerning you.
You have the right to request that we delete your personal data when, among other circumstances, the data is no longer necessary for the purpose it was collected, you withdraw your consent, or you object to the processing. Please note that consent records are exempt from erasure requests due to our legal obligation under GDPR Article 7(1) to demonstrate that consent was obtained.
You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or when you have objected to processing pending verification of legitimate grounds.
You have the right to receive the personal data you provided to us in a structured, commonly used, and machine-readable format (JSON), and to transmit that data to another controller without hindrance.
You have the right to object at any time to processing of your personal data that is based on legitimate interest. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for legal claims.
Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. You can withdraw cookie consent by clearing your cookies. For other consent-based processing, submit a request through our self-service portal or contact us directly.
You have the right to lodge a complaint with the competent supervisory authority if you believe that our processing of your personal data violates applicable data protection law. See Section 16 for details on the Hungarian supervisory authority.
We will respond to all data subject requests without undue delay and in any event within one calendar month of receipt. If a request is particularly complex, this period may be extended by a further two months, in which case we will inform you of the extension and the reasons for the delay within the first month.
We provide a dedicated self-service portal where you can exercise your data protection rights without needing to send an email:
Submit a Data Request → go.yamazaki.hu/data-requestThrough this portal, you can request:
Alternatively, you can submit requests by email to yamazaki@yamazaki.hu or by post to our registered address. We will verify your identity before processing any request to prevent unauthorised access to personal data.
Our servers and primary data storage are located within the European Union. However, some of the third-party services we use are operated by companies based in the United States or other countries outside the European Economic Area (EEA).
When personal data is transferred to a country outside the EEA that has not received an adequacy decision from the European Commission, we ensure appropriate safeguards are in place, including:
The following services may involve transfers outside the EEA:
You may request a copy of the applicable safeguards by contacting us.
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These measures include, but are not limited to:
While we take reasonable precautions, no method of transmission or storage is 100% secure. If you become aware of any security issue, please contact us immediately at yamazaki@yamazaki.hu.
We use automated processing in one limited context:
We send visitor IP addresses to IPQualityScore (IPQS) to obtain a fraud/bot risk score. This score is used to filter out automated bot traffic from our analytics data so that we can accurately measure real fan engagement.
This automated process:
We do not engage in automated decision-making or profiling that produces legal effects or similarly significant effects concerning you, as described in GDPR Article 22.
Our website and services are not directed at children under the age of 16. We do not knowingly collect or solicit personal data from anyone under 16 years of age. In accordance with GDPR Article 8 and the Hungarian implementation thereof, the processing of personal data of a child below the age of 16 based on consent is only lawful if and to the extent that consent is given or authorised by the holder of parental responsibility.
If we become aware that we have collected personal data from a child under 16 without verification of parental consent, we will take steps to delete that information as quickly as possible. If you believe we have collected data from a child under 16, please contact us immediately at yamazaki@yamazaki.hu.
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational needs. When we make material changes, we will:
We encourage you to review this page periodically. Continued use of the website after changes are posted constitutes your acknowledgement of the updated policy, except where renewed consent is required.
If you believe that our processing of your personal data infringes data protection law, you have the right to lodge a complaint with the competent supervisory authority. For Hungary, the competent authority is:
You also have the right to lodge a complaint with the supervisory authority in the EU/EEA Member State of your habitual residence, place of work, or place of the alleged infringement.
Before filing a complaint, we encourage you to contact us first so that we can attempt to resolve your concern directly.
For any questions, concerns, or requests relating to this Privacy Policy or our data processing practices, you can reach us through any of the following channels:
We aim to respond to all enquiries within 5 business days, and to all formal data subject requests within 30 calendar days in accordance with GDPR Article 12(3).
This section constitutes our Cookie Policy, which forms part of our Privacy Policy. It describes the specific cookies and similar technologies used on go.yamazaki.hu.
We classify cookies into the following categories:
| Cookie Name | Purpose | Duration | Type | Set By |
|---|---|---|---|---|
yz_consent |
Stores your cookie consent preference (granted, declined, or pending). Required for the consent mechanism to function. | 1 year | Essential | First party |
yz_vid |
A randomly generated unique visitor identifier used to associate page views and actions across sessions for analytics. | 1 year | Functional | First party |
yz_fp |
A SHA-256 hash of browser attributes (browser fingerprint) used as a probabilistic identifier to improve visitor recognition accuracy. | 1 year | Functional | First party |
_fbc |
Stores the Meta (Facebook) click identifier (fbclid) from the URL to attribute conversions to specific ad clicks. | 90 days | Marketing | First party (set by our code for Meta Conversions API) |
_fbp |
A Meta (Facebook) browser identifier used to identify the browser for ad attribution across sessions. | 1 year | Marketing | First party (set by our code for Meta Conversions API) |
_ttclid |
Stores the TikTok click identifier (ttclid) from the URL to attribute conversions to specific TikTok ad clicks. | 90 days | Marketing | First party (set by our code for TikTok Events API) |
When you first visit go.yamazaki.hu, a cookie consent banner is displayed at the bottom of the page. You may:
yz_consent cookie to record your refusal.Certain interactive actions (such as connecting Spotify or Discord) also include an action-specific consent gate. If you have not yet consented via the banner, performing one of these actions will prompt you to provide consent before proceeding.
You can withdraw your cookie consent at any time using any of the following methods:
Withdrawing consent does not affect the lawfulness of data processing that occurred before the withdrawal.
We do not load any third-party cookie scripts (such as the Meta Pixel or TikTok Pixel) in the browser. All marketing data is sent from our server via server-side APIs (Meta Conversions API, TikTok Events API). The marketing cookies listed above (_fbc, _fbp, _ttclid) are set by our own first-party JavaScript code, not by third-party scripts.