Privacy Policy

1. Information We Collect

1.1 Information You Provide

• Account Data: Name, email address, company name, phone number, billing address, and payment information when you register for ToneGrid.
• Content Data: Audio files, metadata (artist names, track titles, ISRC codes, UPC codes), and artwork uploaded for distribution.
• Communications: Messages, support tickets, and correspondence you send to us.
• Identity Verification: Government-issued ID or business registration documents where required for fraud prevention or payout processing.

1.2 Information Collected Automatically

• Usage Data: Pages visited, features used, clicks, session duration, and interaction patterns within the Platform.
• Device Data: IP address, browser type and version, operating system, screen resolution, and device identifiers.
• Log Data: Server logs including API request timestamps, endpoints accessed, response codes, and request payloads (excluding sensitive content).

1.3 Information from Third Parties

• DSP Reports: Streaming data, revenue figures, and territory breakdowns provided by digital service providers.
• Payment Processors: Transaction confirmations and fraud screening results from our payment partners.

2. How We Use Your Data

We use personal data for the following purposes:

• Service Delivery: Processing and delivering your music to DSPs, calculating royalties, and managing payouts.
• Account Management: Creating and maintaining your account, authenticating access, and providing customer support.
• Analytics & Improvement: Understanding platform usage to improve features, performance, and user experience.
• Fraud Prevention: Detecting and preventing fraudulent streams, unauthorized access, and content infringement.
• Communications: Sending service updates, royalty notifications, security alerts, and (with consent) marketing communications.
• Legal Compliance: Meeting regulatory requirements, tax obligations, and responding to lawful requests from authorities.

3. Legal Basis for Processing

We process personal data under the following legal bases:

4. Data Sharing & Disclosure

We share personal data only as necessary and with the following categories of recipients:

• DSPs: Metadata and content required for distribution (artist names, track info, ISRC/UPC codes).
• Payment Processors: Billing and payout information necessary to process transactions (e.g., Stripe, Paystack, Flutterwave).
• Cloud Infrastructure: Data stored on secure, certified cloud providers (AWS, GCP) under data processing agreements.
• White-Label Clients: End-user data is shared with the Client operating the Tenant under which the end user registered, subject to the Client’s own privacy policy.
• Legal Authorities: When required by law, court order, or to protect our legal rights.

We do not sell personal data to third parties for advertising purposes.

5. Data Retention

We retain personal data for as long as necessary to fulfill the purposes described in this policy:

• Account data: Duration of your subscription plus 12 months after termination.
• Content data: Duration of distribution plus 60 days after takedown or account termination.
• Royalty & financial records: 7 years, as required by tax and financial regulations.
• Server logs: 90 days for operational purposes; 12 months for security investigations.
• Marketing consent records: Duration of consent plus 3 years after withdrawal.

6. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Request correction of inaccurate or incomplete data.
• Erasure: Request deletion of your data (“right to be forgotten”), subject to legal retention requirements.
• Portability: Receive your data in a structured, machine-readable format (JSON or CSV).
• Restriction: Request that we limit the processing of your data in certain circumstances.
• Objection: Object to processing based on legitimate interest, including profiling.
• Withdraw Consent: Withdraw consent for marketing communications at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact our Data Protection Officer at dpo@tonegrid.pro. We will respond within 30 days (or 72 hours for NDPR requests).

7. NDPR Compliance

As a Nigerian entity, InterSpace Distribution Limited complies with the Nigeria Data Protection Regulation (NDPR) 2019, issued by the National Information Technology Development Agency (NITDA). Specifically:

• We have appointed a Data Protection Officer (DPO) as required by the NDPR.
• We conduct annual Data Protection Audits and file reports with NITDA.
• We obtain lawful consent before processing personal data of Nigerian data subjects and provide clear opt-out mechanisms.
• We maintain a data processing register documenting all processing activities.
• Data breach notifications are issued to NITDA and affected individuals within 72 hours of discovery.

Our NDPR compliance documentation is available upon request from the DPO.

8. Cookies & Tracking

We use the following categories of cookies:

We do not use advertising or cross-site tracking cookies. Analytics data is processed with IP anonymization enabled.

9. Security Measures

We implement industry-standard technical and organizational measures to protect personal data:

• AES-256 encryption at rest and TLS 1.3 in transit for all data
• Multi-tenant data isolation with per-tenant encryption keys
• Regular penetration testing and vulnerability assessments
• Role-based access control (RBAC) with multi-factor authentication
• Automated backup with geographic redundancy
• 24/7 security monitoring and incident response procedures

While we take all reasonable precautions, no system is 100% secure. We encourage you to use strong passwords and enable two-factor authentication on your account.

10. International Data Transfers

As a global platform, data may be transferred to and processed in countries outside Nigeria, including the United States and European Union. We ensure adequate protection through:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data Processing Agreements with all sub-processors
• Assessment of adequacy of data protection in recipient countries
• Compliance with NDPR cross-border transfer requirements, including NITDA approval where necessary

11. Children’s Privacy

ToneGrid is a business-to-business platform and is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact our DPO immediately.

12. Contact & Data Protection Officer

If you are unsatisfied with our response to a privacy concern, you have the right to lodge a complaint with NITDA (Nigeria) or your local supervisory authority (EU).