Pex privacy notice

Last updated November 2023

We are Pexeso Inc., DBA Pex, a California company registered in Delaware. If you need to contact us about this privacy notice, please use the details set out in the ‘How to contact us’ section at the end of this notice.
This privacy notice tells you about how and why we use personal data in connection with providing our products and services (Services).

What personal data do we collect?

‘Personal data’ is information about individuals or information from which individuals can be identified. We’ve set out below the broad categories of the personal data that we process in connection with the Services.

User account information:

The Services are used by rightsholders, representatives of rightsholders, creators, and internet platforms on which audio, visual, and/or audio-visual work (Content) is displayed.
In the course of contracting with these customers and granting them (or employees acting on their behalf) access to the Services, we collect the following personal data:

  • Contact details: name, email address, job title, company the user works for.
  • Account related information: username, password, IP address.
  • Correspondence: any information a user provides to us when they communicate with us.

Where we contract with a company, and you are a user accessing the Services on its behalf, we may either collect this information from you directly or from the company that employs you.

Platform visitor information:

In the course of operating the Services we collect the following personal data in connection with individuals that use our customers’ platforms:

  • Content usage information: IP address, and information in connection with Content consumed, including what Content is consumed and for how long and/or which parts of Content are consumed.

Due diligence information:

As part of our due diligence processes when contracting with new customers we may need to carry out some “Know Your Customer” (KYC) and “Know Your Business” (KYB) checks. We use specialist third-party providers to carry out these checks. Third-party KYC/KYB providers are independently responsible for the processing of any personal data they use or collect in carrying out these checks. We simply receive a notification that you (or the company you work for, if you are an employee of one of our customers) have passed or failed these checks. Lastly, if you are an individual rightsholder, the fact that you have or have not passed these checks will constitute your personal data.

Rightsholder information:

The Services facilitate the regulation of Content on online platforms. To do this, we need to collect information on who the rightsholders of that Content are (for example, information on who created, featured in, and owns the Content). The rights landscape in respect of Content is complex and there can be multiple rightsholders in respect of any one piece of Content. Where rightsholders are individuals, this information will constitute personal data.

If our customer is a company that a rightsholder has appointed to represent them and manage their Content and/or associated rights, we collect this information from that company. In some cases, we may collect rightsholder information from other trusted database sources. If you are an individual rightsholder with whom we contract directly, we collect your personal data directly from you.

Platform Content usage information:

The Services process information about the use of Content on internet platforms, which is used to enable rightsholders and platforms to calculate and account for royalties and licensing fees, and to monitor, identify, or analyze Content in respect of that use. Where this information is linked back to an individual rightsholder, this will constitute personal data.
Similarly, where this information relates to individual users of customer platforms, this will constitute personal data. Please see the ‘What personal data do we collect?’ section above for a description of personal data collected in connection with such Content usage.

Information on Content use is collected by technology incorporated in the Services working in partnership with the internet Platforms on which Content is displayed.

Prospective customers’ data:

As part of our marketing campaigns from time to time we may identify potential customers and process their contact details to inform them of the Services or other services we believe may be of interest to them. If you don’t want to receive marketing from us, you can let us know at any time by contacting us or by unsubscribing using the link in marketing emails we send to you.

Why do we use personal data?
The table below shows the various reasons why we use personal data.

Some of our customers are individuals based in the UK and EEA. To comply with data protection laws that apply to our use of their personal data we need to identify the ‘lawful basis’ we rely on for each use of their personal data. We’ve included this in the table, too.

| Category of data | Purpose | Lawful Basis |
| --- | --- | --- |
| User account information | To set up, administer and manage customer accounts. | Where the customer is an individual rightsholder, necessary for the performance of our contract with the customer. Where the customer is a company, our legitimate interests in fulfilling our contract with the company. |
| User account information | To respond to any communications from customers (or employees on their behalf), including customer support queries. | Our legitimate interests in maintaining good customer relationships. |
| User account information | To send customers essential service messages about the Services. | Our legitimate interests and those of our customers, to keep them informed about important information they need to know about the Service they have signed up for. |
| User account information | To facilitate rights claims. | The legitimate interests of Pex and rightsholders to resolve claims as to rights ownership. |
| Due diligence information | To undertake “Know Your Customer”/“Know Your Business” due diligence. | Our legitimate interests, to prevent fraudulent behavior. |
| Rightsholder information and Content usage information | To facilitate the regulation of Content on internet platforms. | Where the customer is an individual rightsholder, and we process their data, necessary for the performance of our contract with the customer. Where the customer is a company, and we process the data of rightsowners, our legitimate interests in fulfilling our contract with the company. |
| Rightsholder information and Content usage information | To inform platforms we partner with or who are our customers of Content ownership so they can regulate Content. | The legitimate interests of Pex, rightsholders and platforms, to prevent copyright infringement and to facilitate regulation. |
| Rightsholder information and Content usage information | To inform rightsholders of the use of Content on internet platforms. | Where the customer is an individual and we process their data, necessary for the performance of our contract with the customer. Where the customer is a company and we process the data of rightsowners and/or platform users, our legitimate interests in fulfilling our contract with the company. |
| Rightsholder information and Content usage information | To facilitate licenses for use of Content. | |
| Rightsholder information and Content usage information | To identify and report on platform usage of Content. | |
| Rightsholder information and Content usage information | To build up a database of Content metadata for ongoing internal analysis and marketing purposes. | Our legitimate interests in developing our business. |
| Rightsholder information and Content usage information | To facilitate rights claims. | The legitimate interests of Pex and rightsholders to resolve claims as to rights ownership. |
| User account information and prospective customer information | To send customers and potential customers marketing relating to our products and services which we believe may be of interest to them. | Our legitimate interests, to promote our company’s products and services. |
| All categories of personal data | To share with third party service providers we appoint from time to time. | Our legitimate interests, to produce service efficiencies and to get the benefit of specialist products or services. |
| All categories of personal data | To administer a sale or possible sale of the whole of or part of our business or the restructuring of our business. | Our legitimate interests in facilitating any such possible or actual transaction or restructuring. |

We may also process your personal data (a) to comply with a legal obligation we are under; and (b) for additional purposes in the future, but only if such purposes are compatible with those listed above.

In certain circumstances, you may be obliged to provide us with your personal data under a statutory requirement. This might include, but is not limited to, for tax and accounting purposes; and to enable us to fulfil our compliance and other obligations under relevant legislation or regulation. Failure to provide us with personal data required under a statutory requirement, or where we’ve indicated in the table above that it is necessary for our contract with you, may prevent us from entering into or performing our obligations under a contract with you or your company. 

Who do we disclose personal data to?

Our customers and platform partners:

Where necessary, we disclose:

  • Rightsholder information to platforms that we partner with or who are our customers; and
  • Platform Content usage information to our customers who are rightsholders or who represent rightsholders.

Service providers:

We may disclose personal data to our service providers who need to process personal data to provide those services to us. Currently, we use a third-party data hosting provider, Microsoft Azure, to store data on our behalf. Azure’s servers are based in the USA and overseas, and we rely on Microsoft’s security arrangements for the security of data transfers.
We may from time to time engage other third-party service providers to act on our behalf. Where we do, and they will have access to personal data, we will include any contractual protections and undertake any due diligence that we deem necessary before disclosing any personal data to them in accordance with the data protection laws that apply to us.

Sale/restructuring:

We may disclose personal data that we process to third parties internationally in the context of a sale or possible sale of the whole of or part of our business or the restructuring of our business.

Other data sharing:

We may also disclose personal data to law enforcement agencies to assist with any investigations, when we bring a claim or defend ourselves against a claim that requires the disclosure of the personal data, and when we engage professional advisors.

International transfers:

We are a California company registered in Delaware, although we operate internationally.

We take steps to ensure personal data is protected irrespective of where in the world it is processed or transferred.

Where we process personal data of individuals based in the UK and EEA, by law we are required to ensure that they are afforded equivalent protection in respect of their personal data as they have in the country in which they are based. On a practical level this means that when we transfer personal data outside a country which is deemed to have an “adequate” data protection regime by the European Commission or UK government, we will put in place appropriate safeguards to protect personal data, such as contractual and other supplementary measures.

Data protection law also allows us to make transfers of personal data internationally without putting in place additional safeguards in certain, specific, limited situations, such as where the transfer is necessary for a contract with the individual concerned or a contract which is in the individual’s interests. The sharing of rightsholder information and platform Content usage information with customers and platforms which is necessary to facilitate licensing falls within that scope.

How long do we keep your personal data for?

We will retain your personal data for the period necessary to fulfil the purposes outlined in this privacy notice unless a longer retention period is required or permitted by law.
We retain user account information for as long as you (or the company you work for) hold an account with us. Once you (or the company you work for) are no longer a customer of ours, we delete your account information. If we have reason to suspect a legal claim, we may hold personal data for longer, but in any event for no more than seven (7) years from when you cease being a customer of ours.
Our customers can delete rightsholder information and/or platform Content usage information from their accounts. This will be deleted immediately from the live system but retained for up to eight (8) days in our data backups.

Please note that even if a customer deletes rightsholder information or platform Content usage information from its individual account, we will still retain a separate database of certain information. We will retain this information if it is necessary for the purpose of facilitating licensing (so, for the length of time the relevant Content is protected by copyright).

We retain information regarding users of customers’ platforms for as long as it is necessary for purposes of complying with our obligations under our contracts with our customers. We maintain details of customers or potential customers for marketing purposes for as long as there is a reasonable prospect of them benefiting from the services we offer. If you unsubscribe from our marketing communications at any time, we will maintain a record of your unsubscribe request and associate it with your email address to ensure you do not receive future communications.

Cookies:

We make minimal use of cookies – only using those that are necessary to ensure the security and functionality of your visit to our platform. Additionally, we use cookies to provide you, our users, with important notifications that confirm your choices and activity as to the management of your Assets. While we recommend keeping these notifications turned on to ensure a seamless experience, cookies controlling the delivery of these notifications can be disabled when you visit our platform.

UK and EEA citizens’ rights

If you are an individual rightsholder based in the UK or EEA, you have the following rights under data protection legislation.
If you have any questions about your rights, or you wish to exercise any of these rights, please email [email protected]. We may require you to provide forms of identity should you wish to exercise one of your rights below.

Access: You are entitled to confirmation that we process your personal data and a copy of such personal data.

Rectification: If the personal data we hold about you is incorrect, you have the right for this to be rectified. You may also update your personal data through your account settings.

Erasure: You can request us to erase your personal data if there is no compelling reason to continue processing.

Restriction: You may request a restriction on the processing we undertake on your personal data. This will only apply if we have no lawful basis to process your personal data, your personal data is inaccurate or to comply with an objection request (see below).

Objection: You may object to our processing of your personal data if our processing is carried out on the basis of legitimate interests. Please note, however, that if we determine that our interests are so compelling as to override your objection, we may continue to process your personal data.

You may object to receiving direct marketing at any time.

Portability: You have the right to receive some of your personal data in machine readable format. This right extends to you being able to request that such data is sent to a third party.

Withdrawing consent: If the lawful basis we rely on to process your personal data is consent, you have the right to withdraw this consent, although please note we generally do not rely on consent to process personal data.

Complaining to a supervisory authority: Further information about your rights can also be obtained from your national data protection regulator – in the UK, this is the ICO. Contact details for supervisory authorities in the EEA can be found here. If you have any cause for complaint about our use of your personal data, you have the right to lodge a complaint with your national data protection supervisory authority, although we would ask that you contact us in the first instance.

Your right to be informed: You can contact us to find out more or to ask any questions you may have about our use of your personal data.

How to contact us

No matter which country you are based in, if you have any questions about this privacy notice, how we use personal data or your rights in respect of your personal data, in the first instance, please contact us at [email protected].

We have representatives in the UK and EEA for data protection purposes. If you are based in the UK or EEA, you should contact our representatives. Their contact details are below.

UK Representative:

DataRep

107-111 Fleet Street

London, EC4A 2AB, United Kingdom

EU Representatives:

Austria

DataRep, City Tower, Brückenkopfgasse 1/6. Stock, Graz, 8020, Austria

Belgium

DataRep, Place de L’Université 16, Louvain-La-Neuve, Waals Brabant, 1348, Belgium

Bulgaria

DataRep, 132 Mimi Balkanska Str., Sofia, 1540, Bulgaria

Croatia

DataRep, Ground & 9th Floor, Hoto Tower, Savska cesta 32, Zagreb, 10000, Croatia

Cyprus

DataRep, Victory House, 205 Archbishop Makarios Avenue, Limassol, 3030, Cyprus

Czech Republic

DataRep, IQ Ostrava Ground floor, 28. rijna 3346/91, Ostrava-mesto, Moravska, Ostrava, Czech Republic

Denmark

DataRep, Lautruphøj 1-3, Ballerup, 2750, Denmark

Estonia

DataRep, 2nd Floor, Tornimae 5, Tallinn, 10145, Estonia

Finland

DataRep, Luna House, 5.krs, Mannerheimintie 12 B, Helsinki, 00100, Finland

France

DataRep, 72 rue de Lessard, Rouen, 76100, France

Germany

DataRep, 3rd and 4th floor, Altmarkt 10 B/D, Dresden, 01067, Germany

Greece

DataRep, 24 Lagoumitzi str, Athens, 17671, Greece

Hungary

DataRep, President Centre, Kálmán Imre utca 1, Budapest, 1054, Hungary

Iceland

DataRep, Kalkofnsvegur 2, 101 Reykjavík, Iceland

Ireland

DataRep, The Cube, Monahan Road, Cork, T12 H1XY, Republic of Ireland

Italy

DataRep, Viale Giorgio Ribotta 11, Piano 1, Rome, Lazio, 00144, Italy

Latvia

DataRep, 4th & 5th floors, 14 Terbatas Street, Riga, LV-1011, Latvia

Liechtenstein

DataRep, City Tower, Brückenkopfgasse 1/6. Stock, Graz, 8020, Austria

Lithuania

DataRep, 44A Gedimino Avenue, 01110 Vilnius, Lithuania

Luxembourg

DataRep, BPM 335368, Banzelt 4 A, 6921, Roodt-sur-Syre, Luxembourg

Malta

DataRep, Tower Business Centre, 2nd floor, Tower Street, Swatar, BKR4013, Malta

Netherlands

DataRep, Cuserstraat 93, Floor 2 and 3, Amsterdam, 1081 CN, Netherlands

Norway

DataRep, C.J. Hambros Plass 2c, Oslo, 0164, Norway

Poland

DataRep, Budynek Fronton ul Kamienna 21, Krakow, 31-403, Poland

Portugal

DataRep, Torre de Monsanto, Rua Afonso Praça 30, 7th floor, Algès, Lisbon, 1495-061, Portugal

Romania

DataRep, 15 Piaţa Charles de Gaulle, nr. 1-T, Bucureşti, Sectorul 1, 011857, Romania

Slovakia

DataRep, Apollo Business Centre II, Block E / 9th floor, 4D Prievozska, Bratislava, 821 09, Slovakia

Slovenia

DataRep, Trg. Republike 3, Floor 3, Ljubljana, 1000, Slovenia

Spain

DataRep, Calle de Manzanares 4, Madrid, 28005, Spain

Sweden

DataRep, S:t Johannesgatan 2, 4th floor, Malmo, SE – 211 46, Sweden

If you are based anywhere else, please contact us via our email address: [email protected]

Changes to this privacy notice

We may update this privacy notice from time to time to make sure it is up to date. When we do, we will revise the “last updated” date at the top of the privacy notice. We’ll endeavor to make you aware of material changes, but we suggest you also check this page from time to time to ensure you are up to date with our latest privacy practices.

Notice to job applicants

Pexeso Inc. as a personal data controller puts systematic emphasis on the protection and security of processed data. We aim to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services. Pex also implements appropriate technical and organizational measures to make sure that only personal data which are necessary for a specific purpose are processed. 

Pex processes the personal data contained in your CV, cover letter, and job application for the purpose of carrying out the hiring process, and makes sure to anonymize all documents containing the personal data of unsuccessful applicants when the retention trigger point is reached, i.e. in the period of 1 year after the candidate is notified they are not considered for a particular role.

Pex hereby declares that it is not sharing candidates’ personal data with third parties. Under certain circumstances, candidates have the right to request access to their personal data, request correction of the personal data, request erasure, object to the processing of their personal data, request the restriction of processing of their personal data, or request the transfer of their personal data to another party. 

Processing of the personal data is carried out in accordance with the relevant legal regulations on the protection of personal data and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). If you have any questions regarding the processing and protection of personal data at UWB, please contact Pex Data Privacy Lead at [email protected].