General Data Protection Regulation (GDPR)

This page explains how InterSpace Distribution complies with the European Union’s General Data Protection Regulation (Regulation (EU) 2016/679, the “GDPR”) and the equivalent United Kingdom GDPR. It is intended to be read together with our Privacy Policy, which describes in detail the personal data we collect, how we use it, who we share it with, and how long we keep it. Where this page and the Privacy Policy differ, the Privacy Policy contains the operational detail and this page describes your legal rights and our legal commitments under the GDPR.

1. Who this page applies to

The GDPR applies to any individual located in the European Economic Area (EEA), and the UK GDPR applies to individuals located in the United Kingdom, whose personal data we process — whether you are an artist, label, manager, sub-distributor, fan, employee, applicant, prospect or visitor to our websites and apps. The rights and obligations described on this page apply to those individuals. Users outside the EEA and the UK are protected by our Privacy Policy and by any applicable local data-protection law (for example, the Nigeria Data Protection Act 2023, the California Consumer Privacy Act, or Brazil’s LGPD).

2. Who we are (data controller)

The controller of your personal data is:

InterSpace Distribution Ltd
Suite 12, DDS Complex, 24 Airport Road, Rukpokwu
Port Harcourt, Rivers 500102
Nigeria
Email: legal@interspacemusic.com · support@interspacemusic.com

InterSpace Distribution Ltd determines the purposes and means of the processing of personal data through our Services and is therefore the controller for the purposes of the GDPR. For questions about this page or to exercise any of your rights, contact us using the details above. We aim to respond to all data-subject requests within thirty (30) days.

3. Our EU and UK representative

Because InterSpace Distribution is established in Nigeria but offers services to individuals in the EEA and the UK, Article 27 GDPR (and its UK GDPR counterpart) may require us to appoint a representative in the EEA and the UK. Until a dedicated representative is appointed, all enquiries and notices that would ordinarily be sent to such a representative may be addressed to legal@interspacemusic.com, and we will route them to the appropriate person within the company. We will update this section if and when a representative is formally appointed.

4. The personal data we process

The categories of personal data we process are described in section 1 of our Privacy Policy. In summary, they include: identity and contact data, authentication and security data, device and push-notification data, music content uploaded by artists, KYC and regulatory data (only where you request a withdrawal), financial and royalty data, streaming and analytics data, communications data and limited device permissions on our mobile app.

We do not knowingly collect special category data (such as data revealing racial or ethnic origin, political opinions, religious beliefs, trade-union membership, genetic or biometric data, health, sex life or sexual orientation). If you upload an identity document that incidentally contains such information for KYC purposes, we treat it as confidential and use it solely for identity verification and fraud prevention.

5. Lawful bases on which we rely

We process your personal data only where one of the lawful bases set out in Article 6 GDPR applies:

• Performance of a contract (Article 6(1)(b)). To create your account, to distribute the music you submit to digital service providers, to pay royalties owed to you and to deliver the rest of the Services described in our Terms.
• Legitimate interests (Article 6(1)(f)). To keep our Services secure, to prevent fraud, abuse, copyright infringement and impersonation, to operate audit logs, to detect AI-generated or duplicated content, to administer our business, to communicate with you about service changes and to improve our Services. We balance these interests against your rights and freedoms and document this balance internally.
• Legal obligation (Article 6(1)(c)). To comply with anti-money-laundering, sanctions screening, tax-reporting, accounting and other obligations applicable to a Nigerian-incorporated music-distribution business operating internationally; to respond to lawful requests from courts and regulators; and to enforce takedown obligations under copyright law.
• Consent (Article 6(1)(a)). For optional marketing emails, for non-essential cookies and similar technologies, for any optional integrations you authorise (for example, connecting a third-party social account), and for any other purpose we describe to you at the point of collection. You can withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.
• Vital interests (Article 6(1)(d)) and public interest / official authority (Article 6(1)(e)) may apply in narrow circumstances, for example responding to a credible threat to life or co-operating with a court order.

6. Purposes for which we use your data

We use your personal data to: register and authenticate your account; deliver music, music videos and metadata to digital service providers (Spotify, Apple Music, YouTube, TikTok, Audiomack, Boomplay and others); calculate and pay royalties, including automated split payments; provide pre-save links, smart links and other promotional tooling; verify identity and prevent fraud, money laundering and sanctions evasion; provide customer support; send service notifications and, where you have consented, marketing communications; comply with legal obligations; defend, exercise and establish legal claims; and operate, secure and improve our Services. We do not sell personal data and we do not use it for behavioural advertising on third-party platforms.

7. Recipients and processors

We share personal data with the categories of recipient described in section 2 of our Privacy Policy, including digital service providers (DSPs), our cloud and infrastructure providers, payment processors, email and analytics providers, KYC providers, professional advisers and, where required by law, courts and regulators. Each processor acts on our written instructions and is bound by a written contract containing the safeguards required by Article 28 GDPR.

8. International transfers

InterSpace Distribution is headquartered in Nigeria, and many of our processors and DSPs are located in the United States, the United Kingdom, the European Union and elsewhere. As a result, personal data that we process about you may be transferred outside the EEA or the UK.

Where we transfer personal data outside the EEA or the UK to a country that has not received an adequacy decision from the European Commission or the UK Government, we rely on one of the following safeguards under Articles 45 to 49 GDPR:

• Standard Contractual Clauses (SCCs) — the European Commission’s 2021 SCCs and, for UK data, the UK International Data Transfer Agreement or the UK Addendum to the EU SCCs.
• Adequacy decisions where the destination country is recognised as providing an adequate level of protection.
• Derogations under Article 49 GDPR for specific situations (for example, your explicit consent, or transfers necessary for the performance of a contract with you).

We carry out a transfer impact assessment where appropriate and apply additional contractual, organisational and technical measures (such as encryption in transit and at rest, role-based access control and audit logging) to protect transferred data. You can request a copy of the safeguards we use for a specific transfer by emailing legal@interspacemusic.com.

9. Retention

We keep personal data only for as long as necessary for the purposes for which it was collected, including for the purposes of satisfying legal, accounting, tax or reporting requirements. Retention windows for each data category are listed in section 3 of our Privacy Policy. When data is no longer needed we delete it or anonymise it. Backups containing personal data are rotated on a defined schedule and the data is deleted from backups in the ordinary course of backup expiry.

10. Security

We use appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure or destruction. Measures include TLS encryption in transit, encryption at rest for sensitive stores, hashed passwords and bearer tokens, role-based access control, audit logging, network segmentation, rate limiting, automated fraud detection, vendor due diligence and a documented incident-response process. In the event of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within seventy-two (72) hours where required by Article 33 GDPR, and we will notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Article 34 GDPR).

11. Your GDPR rights

Subject to the conditions and exceptions set out in the GDPR, you have the following rights in respect of your personal data:

• Right to be informed (Articles 13–14). To receive clear information about how we use your data — satisfied by this page and our Privacy Policy.
• Right of access (Article 15). To obtain confirmation of whether we process data about you and a copy of that data.
• Right to rectification (Article 16). To have inaccurate or incomplete personal data corrected or completed.
• Right to erasure (“right to be forgotten”, Article 17). To have personal data deleted where one of the grounds listed in Article 17(1) applies and no exception in Article 17(3) (for example, our need to retain data for tax or legal-claims purposes) overrides it.
• Right to restriction of processing (Article 18). To have processing limited to storage in defined circumstances, for example while we verify the accuracy of contested data.
• Right to data portability (Article 20). To receive the personal data you have provided to us in a structured, commonly used and machine-readable format, and to have it transmitted to another controller where technically feasible.
• Right to object (Article 21). To object at any time to processing carried out on the basis of legitimate interests, including profiling, and absolutely to processing for direct-marketing purposes.
• Rights related to automated decision-making and profiling (Article 22). Not to be subject to a decision based solely on automated processing — including profiling — that produces legal or similarly significant effects on you, except in the narrow cases permitted by Article 22(2).
• Right to withdraw consent (Article 7(3)). Where we rely on your consent, to withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
• Right to lodge a complaint with a supervisory authority (Article 77). See section 13 below.

12. How to exercise your rights

To exercise any of the rights listed above, email legal@interspacemusic.com from the address associated with your account, or contact support@interspacemusic.com. So that we can locate the right records and prevent identity fraud, we may ask you for additional information to verify your identity. There is no fee for exercising your rights, except where your request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act in line with Article 12(5) GDPR. We will respond within one month of receiving a valid request and may extend the response period by up to two further months where necessary, taking into account the complexity and number of requests.

13. Right to complain

If you believe our processing of your personal data infringes the GDPR or the UK GDPR, you have the right to lodge a complaint with a supervisory authority. You can complain to the supervisory authority in the EU Member State of your habitual residence, your place of work or the place of the alleged infringement, or to the UK Information Commissioner’s Office for UK personal data. A list of EU data-protection authorities is available at edpb.europa.eu/about-edpb/about-edpb/members_en. The UK ICO can be reached at ico.org.uk. We would, however, appreciate the chance to deal with your concerns directly before you approach a supervisory authority, so please consider contacting us first.

14. Automated decision-making and profiling

We use automated systems to score the risk that a release or account may involve fraud, impersonation, AI-generated content, duplicated audio or other forms of abuse. These scores inform human reviewers who make the final decision; they do not, by themselves, produce a legal or similarly significant effect on you within the meaning of Article 22 GDPR. Where an automated decision is taken without meaningful human involvement — for example, the automatic rate-limiting of an abusive login attempt — you have the right to request human intervention, to express your point of view and to contest the decision by contacting legal@interspacemusic.com.

15. Cookies and similar technologies

Our websites use a small number of cookies and similar technologies. Strictly necessary cookies (for example, those that keep you signed in) are set on the basis of legitimate interests. Non-essential cookies (for example, analytics or marketing cookies) are set only with your consent, which you can give or withdraw at any time through the cookie banner displayed on first visit and through the “Cookie settings” link in our website footer.

16. Children

Our Services are not directed to children under sixteen (16) and we do not knowingly collect personal data from children under that age. If you believe a child has provided us with personal data, please contact legal@interspacemusic.com and we will delete it.

17. Changes to this page

We may update this page from time to time to reflect changes in our practices, in the GDPR or in regulatory guidance. When we make material changes we will update the “Last updated” date at the top and, where appropriate, notify you by email or in-app notice. We encourage you to review this page periodically.

18. Contact

For any question, request or complaint about this page or about our processing of your personal data, please contact:

InterSpace Distribution Ltd — Legal & Data Protection
Suite 12, DDS Complex, 24 Airport Road, Rukpokwu
Port Harcourt, Rivers 500102, Nigeria
Email: legal@interspacemusic.com · support@interspacemusic.com