Merchant
What personal data we collect, why we collect it, how we use it, who we share it with, how long we keep it, and the rights you have to control any of the above. Plain language up top, full legal text below.
We collect minimal information — essentially your email if you subscribe, and anonymous usage analytics. We use it to send the newsletter and improve the site. We don't sell it, we don't share it with brands, and we don't allow it to be used to train AI. You can access it, correct it, or delete it by emailing us. The detailed text below explains every line of that.
The data controller responsible for the personal data described in this Privacy Policy is:
Anthera Music
Nassau, The Commonwealth of The Bahamas
Privacy contact: antheramusichq@gmail.com
Subject line for privacy matters: “Privacy Request”
Anthera Music operates merchanttunes.com (the “Site”) on behalf of the recording artist Merchant (Ricardo Renford Nicholson) and determines the purposes and means of processing personal data described herein.
GDPR Art. 37 — Data Protection Officer. Under GDPR Art. 37, designation of a formal Data Protection Officer is mandatory only where processing involves regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special-category data. Our processing activities do not meet either threshold, and no DPO is designated under GDPR.
Bahamas Data Protection Act — Designated Data Controller Representative. Anthera Music designates the Privacy Contact at the email address above as the responsible representative for purposes of the Bahamas Data Protection (Privacy of Personal Information) Act, 2003 (the “Bahamas DPA”), including Section 8 (registration and notification obligations) and Section 9 (data-subject rights handling). Inquiries from the Office of the Data Protection Commissioner of The Bahamas should be addressed to that contact.
EU and UK Representative — GDPR Art. 27. Anthera Music is established in The Bahamas. GDPR Art. 27 requires non-EU controllers offering goods or services to data subjects in the European Union, or monitoring their behaviour, to designate a representative in the Union, with a narrow exception for processing that is occasional, does not involve large-scale special-category data, and is unlikely to result in a risk to data subjects.
Anthera Music takes the position that its current processing — limited to a newsletter list and occasional editorial correspondence with a non-targeted, non-tracked audience — falls within the Art. 27(2) exception for processing that is “occasional” and low-risk. We acknowledge this analysis is fact-specific and may change as our subscriber base, marketing reach, or processing activities expand. We will appoint and publicly disclose an EU representative (and a UK representative under the UK GDPR) before crossing into regular, large-scale, or higher-risk processing of EU/UK data subjects, and in any event before launching commerce that ships to the EU or UK. The Privacy Contact above remains the operational point of contact in the interim.
This Privacy Policy applies to:
This Privacy Policy does not apply to:
When you click an outbound link or interact with embedded content on the Site, you may leave the control of Anthera Music and enter the privacy environment of the receiving service. We have no control over the data practices of those services.
Notice format. This Policy is intended to satisfy the information-disclosure requirements of GDPR Articles 13 (data collected from the data subject) and 14 (data collected from third parties), the “notice at collection” requirements of CCPA/CPRA Cal. Civ. Code § 1798.100(b), and analogous transparency requirements of other applicable frameworks.
merchant_cookie_consent — stored in your browser's localStorage records whether you have dismissed or interacted with our cookie banner. This is a browser-side technical mechanism and is not transmitted to our servers.Embedded media — including the Spotify player, embedded YouTube videos, and any future Bandsintown, Instagram, or TikTok embeds — set their own cookies and may collect data when their iframes load on the Site. This data is collected by those third parties under their own privacy policies, not by Anthera Music. We list these in Section 12.
We do not collect: full name (unless you provide it); postal address; telephone number; payment card information; government-issued identification; precise geolocation (GPS-level); biometric data; health data; data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, sex life, or sexual orientation; criminal conviction data; or any other special-category data under GDPR Art. 9.
The Personal Data we hold comes from one of three sources:
We do not purchase, license, or otherwise acquire Personal Data from data brokers, list vendors, or third-party aggregators.
We process Personal Data for the following limited purposes:
We do not use Personal Data for: behavioural advertising; profiling that produces legal effects; automated decision-making; psychometric assessment; or training of AI/ML models.
For visitors in the European Economic Area, the United Kingdom, or jurisdictions applying equivalent frameworks, we rely on the following legal bases under GDPR Art. 6(1):
| Activity | Legal Basis |
|---|---|
| Newsletter subscription and delivery | Consent — Art. 6(1)(a) |
| Responding to inquiries you initiate | Pre-contractual / legitimate interests — Art. 6(1)(b) or 6(1)(f) |
| Fulfilling press requests | Legitimate interests — Art. 6(1)(f) (promotion of editorial coverage) |
| Server logs and Site security | Legitimate interests — Art. 6(1)(f) (network and information security) |
| Aggregated analytics (when activated) | Legitimate interests — Art. 6(1)(f) (Site improvement) |
| Compliance with legal obligations | Legal obligation — Art. 6(1)(c) |
| Future commerce orders | Performance of contract — Art. 6(1)(b) |
| Defence of legal claims, fraud prevention | Legitimate interests — Art. 6(1)(f) |
Where we rely on legitimate interests, we have conducted (or will conduct upon implementation) a Legitimate Interests Assessment balancing our interests against your rights and freedoms. You may request a summary of our balancing test by emailing the privacy contact above.
Where we rely on consent (newsletter), you have the right to withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal. Withdrawal is effected by clicking the one-click unsubscribe link in any newsletter email or by emailing us.
Anthera Music does not knowingly collect, request, or process special-category personal data under GDPR Art. 9, sensitive personal information under CCPA/CPRA Cal. Civ. Code § 1798.140(ae), or equivalent classifications under other applicable laws. This includes: data revealing racial or ethnic origin; political opinions; religious or philosophical beliefs; trade-union membership; genetic data; biometric data for unique identification; health data; data concerning sex life or sexual orientation; precise geolocation; criminal conviction or offence data; or government-issued identifiers.
If you voluntarily disclose such information in email correspondence with us, we will handle it with care, limit access to those who need it to respond to your inquiry, and delete it as soon as the inquiry is closed unless retention is required by law.
In addition to the GDPR/UK GDPR framework governing personal data within cookies, the use of cookies and similar tracking technologies on the Site is governed by the EU ePrivacy Directive (2002/58/EC, as amended) and its national implementations, the UK Privacy and Electronic Communications Regulations 2003 (PECR), and analogous frameworks in other jurisdictions. These laws generally require prior informed consent before storing or accessing non-essential information on a user's device. Our cookie banner and the practices described in this Section are designed to comply with those requirements.
Anthera Music takes a minimal-cookie approach. The Site sets only one persistent client-side storage value, which is strictly necessary to remember your interaction with the cookie banner.
| Name | Type | Purpose | Duration | Category |
|---|---|---|---|---|
merchant_cookie_consent | localStorage | Records cookie banner dismissal | Persistent until cleared | Strictly necessary |
Embedded third-party content sets its own cookies under the providing platform's domain. These typically activate only when the embed is rendered:
Most browsers allow you to refuse cookies, delete cookies, or be alerted when a cookie is set. Disabling cookies on the Site will not impair core functionality. Disabling cookies for embedded third-party services may impair the functionality of those services (e.g., the Spotify player may not load).
We do not use marketing pixels (Meta Pixel, TikTok Pixel, LinkedIn Insight, etc.) on the Site as of the effective date. If we deploy any in the future, we will update this Policy and present a consent prompt prior to activation in jurisdictions requiring consent.
We share data only with the small number of service providers needed to run the site, with legal authorities when required by law, and with potential successors if Anthera Music is ever sold or restructured. We never share for marketing.
We share Personal Data with carefully selected service providers who perform functions on our behalf under contractual obligations to use the data only for the specified purposes and to maintain appropriate security. These are listed in Section 12.
We may disclose Personal Data to law enforcement, courts, regulators, or government authorities when we believe in good faith that disclosure is required to:
We will resist requests we believe are overbroad or improper and, where legally permitted, will notify the data subject in advance of disclosure.
If Anthera Music is involved in a merger, acquisition, sale of assets, financing, restructuring, bankruptcy, or other similar transaction, Personal Data may be transferred to the successor entity or acquirer as part of the transaction. We will require any such successor to honour the commitments in this Privacy Policy or notify affected data subjects with the option to delete their data prior to transfer.
We may share Personal Data for purposes other than those described above only with your prior, specific, informed consent.
Anthera Music has not sold Personal Data in the preceding twelve (12) months and does not sell Personal Data within the meaning of the CCPA/CPRA, GDPR, or any other applicable framework.
As of the effective date of this Policy, Anthera Music engages the following service providers to process Personal Data on our behalf:
| Provider | Function | Data Processed | Location |
|---|---|---|---|
| Vercel Inc. | Site hosting, edge delivery | Server logs, IP addresses, request data | USA / global edge |
| MailerLite (UAB MailerLite) | Newsletter delivery | Email addresses, subscription metadata, open/click events | Lithuania (EU) |
| Email providers (Google Workspace) | Email correspondence handling | Email contents, sender addresses | USA / global |
Future service providers — including a privacy-preserving analytics provider, Shopify (for commerce), and any payment processor — will be added to this Policy upon engagement. We require all processors to:
Where required, we have entered into Data Processing Agreements (DPAs) with these providers including the European Commission's Standard Contractual Clauses (SCCs) for international transfers.
Anthera Music is established in The Bahamas. Our service providers are established in the United States, the European Union, and may operate global infrastructure. As a result, your Personal Data may be transferred to, stored in, and processed in countries other than your country of residence, which may have data-protection laws differing from those of your home jurisdiction.
Where Personal Data of EEA, UK, or Swiss data subjects is transferred to a country that has not received an adequacy decision from the European Commission (or, for UK transfers, the UK ICO), we rely on appropriate safeguards under GDPR Chapter V, including:
We have considered the legal landscape of receiving jurisdictions, including the U.S. surveillance framework relevant under Schrems II, and have determined that the safeguards in place provide adequate protection. You may request a copy of the relevant transfer-mechanism documentation by emailing the privacy contact above.
As Anthera Music operates from The Bahamas, some Personal Data may be processed in The Bahamas. The Bahamas has not received an adequacy decision from the European Commission. Transfers to The Bahamas are protected by SCCs and equivalent contractual safeguards.
We retain Personal Data only for as long as necessary for the purposes for which it was collected or as required by law:
| Data Category | Retention Period |
|---|---|
| Newsletter subscriber email | Until you unsubscribe, plus 30 days suppression list to honour the unsubscribe |
| Email correspondence | For the duration of the inquiry and up to 24 months thereafter for record-keeping; longer if required by law |
| Press request records | Up to 36 months for press-relations history |
| Server access logs | Up to 30 days (per Vercel default), then automatically purged |
| Aggregated analytics | Indefinitely in non-identifying aggregated form |
| Future commerce records | Up to seven (7) years after transaction, or longer where required by tax or commercial law |
Where retention is no longer necessary, Personal Data is securely deleted or anonymised. Backups may persist for up to 90 days after deletion before being overwritten in normal backup-rotation cycles.
We implement appropriate technical and organisational measures to protect Personal Data, including:
No system can be guaranteed completely secure. If you believe your interaction with the Site is no longer secure, or if you become aware of a security incident affecting your Personal Data, please notify us immediately at the privacy contact above.
In the event of a personal-data breach likely to result in risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (where required by GDPR Art. 33) and notify affected data subjects without undue delay where the breach is likely to result in high risk (GDPR Art. 34). For California residents, we comply with Cal. Civ. Code § 1798.82 breach notification requirements.
Depending on your jurisdiction, you may have some or all of the following rights with respect to your Personal Data:
Send an email to antheramusichq@gmail.com with the subject line “Privacy Request” and include:
We will respond within thirty (30) days for GDPR/UK GDPR requests (extendable by two further months for complex requests, with notification to you), forty-five (45) days for CCPA/CPRA requests (extendable by another 45 days with notification), and within statutory periods for other applicable jurisdictions. Where a request is manifestly unfounded or excessive, we may charge a reasonable fee or refuse the request, with explanation.
To protect your data, we will verify your identity before fulfilling rights requests. For email-based interactions, this typically means confirming the request from the email address on record. For more sensitive requests (e.g., deletion of all data), we may request additional verification.
We will not discriminate against you for exercising any privacy right. We will not deny goods or services, charge different prices, or provide a different level or quality of service because of your exercise of rights.
This section provides supplemental disclosures for individuals located in the European Economic Area (EEA), the United Kingdom (UK), or Switzerland.
Anthera Music, contact details in Section 2.
See Section 8.
You have the right to lodge a complaint with the supervisory authority in your member state of residence, place of work, or place of the alleged infringement. A list of EU supervisory authorities is available at the European Data Protection Board: edpb.europa.eu/about-edpb/about-edpb/members_en.
In the United Kingdom, complaints may be lodged with the Information Commissioner's Office: ico.org.uk.
We do not engage in automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of GDPR Art. 22.
Provision of an email address is required only if you wish to subscribe to the newsletter. There is no statutory or contractual requirement to provide it; if you do not, we simply cannot send you the newsletter.
This section provides supplemental disclosures for California residents under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).
In the preceding twelve (12) months, we have collected the following categories of personal information as defined in Cal. Civ. Code § 1798.140(v):
See Section 7 of this Policy.
See Section 6 of this Policy.
We have not sold or shared (within the meaning of CCPA/CPRA) any personal information in the preceding twelve months. We do not knowingly sell or share personal information of consumers under 16 years of age.
We do not collect sensitive personal information as defined in Cal. Civ. Code § 1798.140(ae). Accordingly, we do not use or disclose sensitive personal information for any purpose other than permitted under § 1798.121, and the right to limit use of sensitive personal information does not apply (because we do not collect it).
Email antheramusichq@gmail.com with the subject line “California Privacy Request.” Authorised agents may submit requests on your behalf with written authorisation; we will verify both the agent's authority and your identity.
California Civil Code § 1798.83 permits California residents to request a notice describing what categories of personal information we share with third parties for those parties' direct-marketing purposes. As we do not share personal information for third-party direct marketing, no such notice is required, but you may request confirmation by emailing the privacy contact.
This Privacy Policy serves as our Notice at Collection at or before the point of collection. We will not collect additional categories of personal information or use personal information for additional purposes without providing you with a new Notice at Collection.
Residents of states with comprehensive privacy laws — including but not limited to Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa (ICDPA), Tennessee (TIPA), Indiana (ICDPA), Delaware (DPDPA), New Hampshire, New Jersey, Maryland, Minnesota, and others — may have rights similar to the California rights described above, including rights to access, correct, delete, port, opt-out of sale/sharing/ targeted advertising, and appeal.
We honour these rights in the manner described in Section 16. To exercise your rights, contact us at the privacy email above. If we deny your request, you have the right to appeal that decision; appeals should be sent to the same email with the subject line “Privacy Appeal.”
Canadian residents have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA) and, for Quebec residents, Quebec's Act respecting the protection of personal information in the private sector (as amended by Law 25). These include rights to access, correction, withdrawal of consent, and to file complaints with the Office of the Privacy Commissioner of Canada (priv.gc.ca) or the Commission d'accès à l'information du Québec (cai.gouv.qc.ca).
Under Quebec Law 25, certain transfers of personal information outside Quebec require a privacy impact assessment. We have considered the relevant safeguards in our processor relationships and apply contractual protections consistent with Law 25 expectations.
As Anthera Music is established in The Bahamas, our processing is subject to the Data Protection (Privacy of Personal Information) Act, 2003 (the “Bahamas DPA”), as amended, and the Electronic Communications and Transactions Act, 2003, which together govern the lawful collection, use, and disclosure of personal data and the formation of electronic agreements with Bahamian and international counterparties.
Anthera Music is a data controller under Section 2 of the Bahamas DPA and has designated the Privacy Contact above as its responsible representative under Section 8 of the Act. We collect, process, and retain personal data only in accordance with the data-protection principles in Section 6, including the principles of fair and lawful obtaining, specified and lawful purposes, proportionality, accuracy, retention only for so long as necessary, and the security obligations of Section 6(g).
Bahamian residents have the following rights under the Bahamas DPA:
Complaints may be filed with the Data Protection Commissioner of The Bahamas, whose office is the designated supervisory authority under the Bahamas DPA. Current contact information for the Commissioner is available through the official portal at bahamas.gov.bs. We cooperate fully with reasonable requests from the Commissioner and will respond to investigations within the periods specified by the Act.
The Site is not directed to children under the age of thirteen (13), and we do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13 without verifiable parental consent, we will delete it promptly.
In the United States, we comply with the Children's Online Privacy Protection Act (COPPA). In the EU/UK, we apply the higher of 16 (default GDPR Art. 8) or the age of digital consent in the relevant member state. In jurisdictions with differing thresholds, we apply the higher protection.
If you are a parent or legal guardian and believe your child has provided personal information to us, please contact us at the privacy email above and we will take prompt action to delete it.
Your data and our content cannot be used to train AI systems, voice clones, or image generators. We expressly reserve all rights and prohibit such use.
Anthera Music expressly reserves all rights to authorise or prohibit the use of Site Content (as defined in our Terms of Use) and any Personal Data processed through the Site for purposes of text and data mining, machine learning training, fine-tuning, embedding, retrieval-augmented generation, or any analogous automated content-generation activity.
This reservation is made in machine-readable form and is intended to constitute an express reservation under Article 4(3) of EU Directive 2019/790 on Copyright in the Digital Single Market, Section 29A of the UK Copyright, Designs and Patents Act 1988 (as may be amended), the doctrine of fair use as relevant under U.S. copyright law, and equivalent provisions of other applicable jurisdictions.
We do not use Personal Data collected through the Site to train, fine-tune, or develop any AI/ML system. We do not authorise our processors to do so. We require contractual prohibitions on such use in our processor agreements where reasonably possible.
Violation of this reservation may give rise to claims under copyright, database rights, contract, trademark, right of publicity, and unfair-competition laws.
EU AI Act. Where Site Content is used in the development, training, or operation of any general-purpose AI model placed on the EU market, we expect compliance with Regulation (EU) 2024/1689 (the EU AI Act), including the copyright and TDM-opt-out compliance obligations on general-purpose AI model providers under Article 53 and the transparency obligations on developers. This reservation is intended to be operative for purposes of those provisions.
Some browsers transmit “Do Not Track” (DNT) signals. There is no industry consensus on how DNT signals should be interpreted. Because we do not engage in cross-context behavioural advertising or profile-based tracking, DNT signals do not affect our processing.
Where browsers transmit a Global Privacy Control (GPC) signal, we treat it as an opt-out preference signal under applicable U.S. state laws (CCPA/CPRA and equivalents). As we do not sell or share Personal Information for behavioural advertising, the GPC signal does not change our processing, but we honour it as an expression of consumer choice.
We may update this Privacy Policy from time to time. When we do:
“Material changes” include changes that expand the categories of Personal Data we collect, the purposes for which we use it, the categories of third parties with whom we share it, or that diminish your rights.
Your continued use of the Site after changes take effect signifies your acceptance of the updated Policy. If you do not agree, you should stop using the Site and unsubscribe from any active communications.
For privacy questions, rights requests, or complaints:
Anthera Music — Privacy
Nassau, The Commonwealth of The Bahamas
Email: antheramusichq@gmail.com
Subject line: “Privacy Request” (or, for California: “California Privacy Request”)
Web: merchanttunes.com
We aim to respond to all privacy inquiries within thirty (30) days. If you are dissatisfied with our response, you may lodge a complaint with the appropriate supervisory authority in your jurisdiction (see Section 17 for EU/UK, Section 20 for Canada, and Section 21 for The Bahamas).
© 2026 Anthera Music. All rights reserved.