I. Introduction

At id.MUSIC (“IDM”), data privacy is important to us. This IDM Privacy Policy (“Privacy Policy”) details our privacy practices for the activities described in this Privacy Policy. Please take the time to read this Privacy Policy carefully in order to understand how we collect, share, and otherwise process information relating to individuals (“Personal Data”), and to learn about your rights and choices regarding our processing of your Personal Data.

If you are a California resident, please review the section of this Privacy Policy for California residents.

In this Privacy Policy, “IDM,” “we,” “our,” and “us” each mean DotMusic Foundation and the applicable IDM affiliate(s) involved in the processing activity. The addresses of our offices, where DotMusic Foundation and our affiliates are located, can be found at https://www.id.music.

II. IDM’s Roles & Responsibilities

IDM is the controller of your Personal Data, as described in this Privacy Policy, unless otherwise stated. Please note that this Privacy Policy also applies to the extent that we process Personal Data in the role of a processor (or a comparable role such as a “service provider” in certain jurisdictions) on behalf of our customers, including where we may offer to our customers various cloud products and services that collect, use, share or process Personal Data via our data services.

For detailed privacy information applicable to situations where an IDM customer (and/or a customer affiliate) who uses IDM’s cloud products and services is the controller, please reach out to the respective customer directly. We are not responsible for the privacy or data security practices of our customers, which may differ from those set forth in this Privacy Policy. If not stated otherwise either in this Privacy Policy or in a separate disclosure, we process such Personal Data in the role of a processor or service provider on behalf of a customer (and/or its affiliates), who is the responsible controller of the applicable Personal Data.

If your Personal Data has been submitted to us by or on behalf of an IDM customer and you wish to exercise any rights you may have under applicable data protection laws, please inquire with the applicable customer directly. Because we may only access a customer’s data upon instruction from that customer, if you wish to make your request directly to us, please provide to us the name of the IDM customer who submitted your Personal Data to us. If we are able to verify the IDM customer, we will refer your request to that customer and support them as needed in responding to your request within a reasonable timeframe.

Additional information and safeguards regarding IDM’s data protection obligations (including for international transfers) to our customers are set forth in our subscription agreement form and related documents at https://www.id.music/policies

III. Personal Data We Collect and Data Sources

Covered Data Processing Activities

This Privacy Policy applies to the processing of Personal Data that we collect in the following ways, as detailed in this section.

We collect information about you when you provide it to us, when you interact with our websites, applications and electronic system and when other sources provide it to us, as further described below.

Information you provide to us

Based on our current practices (and including our practices over the last 12 months), we collect the following categories of information about you.

Personal Contact and Professional Data: We collect contact and/or professional data about you when provided through the registration of IDM services and through our website. For example, you provide your contact and professional information to us when you sign up for IDM’s verification process or to provide music community information. Typically, contact data includes your legal name and may include your physical address as well as contact methods, such as telephone number, email address, and office or other mailing address, and professional data includes details such as the organization you are affiliated with, your job title, and industry sector.

Music Community Profile Data: We collect Music Community information and data about you or your organization (bands, group, business, etc.) as you submit to IDM in documenting your nexus to the global music community and industry. For example, you provide your music brand name (professional music brand or band name), various historic or professional information, social media handles, and other music related data to us when you sign up for IDM’s verification services.

We may also collect data from public profiles on social media platforms. This helps us validate whether you or your organization are active participants in the music industry by analyzing relevant content, connections, and engagement specific to your music-related activities. This data assists us in confirming your identity within the music domain and ensures the authenticity of your claim to music domain ownership, thus protecting the integrity of the music community and preventing misuse of our services.

Administrator Data: When you sign up for an account with IDM, subscribe to any IDM service via IDM or another entity, have the ability to submit a support request, or are designated an administrator of any part of the IDM Service, then information is provided to us about you (“Administrator Data”). Administrator Data may include your name, email address, phone number, address, billing information, business contact information, credentials information, subscription and service configurations you select, and other details you may provide to us about you or include in your profile with other IDM customers or members. We may also receive any Personal Data you share via tooling used to provide support or other communication methods you participate in.

Community and Support Data: We may also collect various types of community and support Personal Data from you via our help center and support. IDM may also receive Personal Data and Administrator Data in connection with an qualifying administrator you have designed to act on your behalf, when they contact support for the IDM service related to your account.

Personal Data We Collect From Other Sources

In the course of doing business (and over the 12 months preceding the effective date of this Privacy Policy), we receive Personal Data and other information from other third parties for our business or commercial purposes. This information varies and typically falls into a few categories:

• Business contact information (such as name, job title, business email, phone number, and address), social profile including other details about you, your group, or organization; and
• Third-party platform usernames and identifying information;
• Data used for security purposes to protect our products and services.

We may receive business contact information that contains Personal Data from commercial companies, including details about you and your organization from third parties. Typically, we receive this information about you from a few sources, such as: (i) third-party music industry partners, music community member organizations, and hosted third parties that may provide content; (ii) companies, such as information aggregators and similar entities, from whom we have licensed business contact information; (iii) referrals; or (iv) resellers and channel partners. In some situations, we may combine such business contact information with other non-personal and Personal Data we possess or that you have provided to us.

We also receive Personal Data to help with threat intelligence and to protect the safety and security of our service and our customers’ applications, such as breached website credentials from other entities. We use this Personal Data for various purposes, such as for security and fraud detection purposes and to enable our customers to configure the settings within the IDM products and services to notify their administrators and users if the data that they put into the IDM service is found within this data set.

We also receive information from third-party platforms for various business purposes such as organizational contractual information, program management, or technical reasons. For example, we may receive credit information about an organization that includes the names of individuals. If you participate in an open source project or our bug bounty program, we may receive details about you, such as your username or pull requests, to help us manage your participation in the project or program and provide you with updates.

For our professional services work, as a processor or service provider, IDM may also receive Personal Data about you to perform its obligations under its contract with a third party. IDM partners may also share your business contact information with IDM as part of their recommendation to your organization to become an IDM customer.

Device Data, Usage Data, Metadata, and Diagnostic Data We Collect

Explanation of Device Data, Usage Data, Diagnostic Data, and Other Metadata and Technology Used

Like most websites, applications, and software across the Internet, IDM collects certain Personal Data. This type of data collection allows us to better understand how individuals use and the performance of our websites, products and services. For example, we may collect metadata about you, including technical data about your performance or use of our website, products and services. We may also collect device data about you to help us determine that users from one type of device use our websites, products and services in different ways than users of a different type of device, which in turn allows us to troubleshoot and investigate the performance of our products and services, improve our websites, products, and services, such as through optimizing the screen size of IDM mobile applications, or making sure that our customers’ users have a more efficient user experience. We may collect these types of Personal Data as part of the services we provide to customers as well as in connection with your use of IDM Consumer Products.

One common technology we use to collect metadata that may be considered Personal Data is our use of cookies. Cookies are small text files that are placed on your web browser and that help us recognize your browser or device as a unique visitor in different ways based on the type of cookie. The three main types of cookies are:

Essential cookies. Essential cookies are required for website functionality and security. For example, authentication, security, and session cookies may be required for our website or products to work.

Functional cookies. We use functional cookies to help enhance our websites’ performance, for market research, or other analytics that is not tied to a specific individual. For example, we may use Google analytics to help us track how many individuals visited our websites. We may also utilize HTML5 local storage cookies for the reasons described in this section. These types of cookies are different from browser cookies in the amount and type of data they store and how they store it.

Data Collected from the IDM Service and Ancillary Data and Diagnostic Data

We offer products that collect both Customer Data and Usage Data (as defined in our agreements with customers, including from the IDM Service). Our collection of both types of data enables us to provide and innovate upon the IDM Service, which in turn allows us to act as a service provider to our customers and to continuously improve upon the services we provide to our customers and users. In conjunction with the products we make available to our customers, we may collect additional data, such as user-agent and browser version, IP address, the URLs you visit (such as to determine whether we can help you manage your credentials for such URLs), logs of your usage and click activities, logs about your login history, identity confirmation, and device data (such as whether your device is managed by an administrator, the operating system installed on the device, certain device configurations, and similar device or version information).

Personal Data Collected Through Our Website and Other Engagement

As with most websites, whenever you visit an IDM website or when you interact with IDM informational content, IDM may receive both Personal Data about you from information-gathering tools and passive information collection on our websites, including Personal Data from our websites you visit or emails we send. This information collection typically includes information such as cookies, beacons, demographic information, company and role details, market research and publicly-available information, IP address, device and browser details, usage information, timestamps, pages viewed, searches, interaction with and action taken by you on our websites or content (such as clicks on links and interaction with a webpage), as well as other non-Personal Data.

The Music Verification (nexus verification) service uses information received from Google APIs, specifically YouTube services, for the purposes of validating account ownership and will adhere to Google API Services User Data Policy, including the Limited Use requirements.

IV. How We Use Personal Data

How we use the Personal Data that we collect depends in part on how you choose to communicate with us and how you use our websites and interact with us. In general, we use your Personal Data as is necessary to run our business and carry out our day-to-day activities. In addition to the uses identified elsewhere in this Privacy Policy, we may use your Personal Data to accomplish the following tasks (and we have done so during the 12 months preceding the effective date of this Privacy Policy):

For the purpose of communicating with you about our services and facilitating other interaction. We may use your Personal Data, such as contact data, Ancillary Data, and metadata, to send you transactional communications, notices, updates, security alerts, and administrative messages regarding our products and services that may be useful to you and your organization. We will respond to your questions, provide tailored communications based on your activity and interactions with us, and help you use our products and services effectively. We also use Administrator Data to communicate with you for various purposes, including to provide you with account updates (about your subscription, settings, security, billing, feature and product updates, technical issues, certifications, and other similar content). You cannot unsubscribe from transactional communications. In some situations, we may also share Administrator Data with authorized partners in order to provide you with information relevant to your purchase of IDM or other entities’ tools that may connect to IDM to meet your technical or organizational needs.

For the purpose of supporting safety, security, and managing operations. We use Personal Data, such as contact data, Ancillary Data and other metadata, about you and your use of our products, services, and offices to verify accounts and activity, monitor suspicious or fraudulent activity, assist our customers in their monitoring of suspicious or fraudulent activity, and identify violations of policies regarding the use of our products and services. We may also combine Ancillary Data with other data we receive for safety, security, and to manage our business operations. We also process Personal Data, such as contact data and health data, for security and operations management reasons, such as to register visitors to our offices and carry out related safety measures, including to manage non-disclosure agreements. We also use Administrator Data to provide our customers with the IDM service, complete transactions, provide support and other service to the customer account, detect and prevent fraud, for audit and compliance purposes, and to comply with applicable law.

For the purpose of informing and educating you on our services. We use your Personal Data, such as contact data, Ancillary Data, and other metadata about how you use the products and services to send service communications that may be of specific to you and your organization, including by email. These communications are aimed at encouraging engagement and maximizing the benefits that you and your organization can gain from IDM’s products and services, including information about service features.

For the purpose of analyzing, predicting, and improving results and operations. We use Personal Data to analyze results to improve the performance of our websites, products and services and customer support, identify potential customers, opportunities, and ascertain trends, improve our websites’ functionality, improve our security, and provide us with general business intelligence, including through the use of machine learning technology. We may also combine the metadata and usage information collected from our websites with other information to help further the purposes described in the previous sentence.

We may process Personal Data, such as contact information, contract-related data, financial information, biographical information, and other information to the extent that doing so is necessary to complete a transaction and perform our contract with you or your organization.

Other purposes for our legitimate interests: Where required by law or where we believe it is necessary to protect our legal rights, interests, or the interests of others, we may use your Personal Data in connection with the management of our business, including but not limited to, for operational purposes and workflow automation, business intelligence, website and product improvement, legal claims, compliance, regulatory, and audit functions, protecting against misuse or abuse of our products and services, and protecting personal property or safety. For example, we may review compliance with applicable usage terms in our customer contracts, assess capacity requirements for our products, websites, and offices, improve your user experience, respond to requests by you for support or for contact, or identify customer opportunities. Furthermore, we use Administrator Data to provide technical support as described in our documentation and help center, and to improve our products, services, and processes related to providing such support.

Other purposes with your consent: We may use your Personal Data if you have given us consent to do so for a specific purpose not listed above. If we process your Personal Data for a purpose other than those set out above, we will provide you with information prior to such processing.

Legal Bases for Processing Personal Data (for United Kingdom and European Economic Area and other relevant jurisdictions)

If you are an individual in the United Kingdom, the European Economic Area (EEA), or of another relevant jurisdiction, we collect and process information about you only where we have a legal basis or bases for doing so under applicable laws. The legal bases depend on the products and services that your organization has purchased from IDM, how such products and services are used, and how you choose to interact and communicate with IDM’s websites, systems, and whether you attend IDM events. This means we collect and use your Personal Data only where:

• We need it to operate and provide you with our products and services, provide customer support and personalized features, and to protect the safety and security of our products and services;
• It satisfies a legitimate interest of IDM’s (which is not overridden by your data protection interests and rights), such as for research and development, to provide information to you about our products and services that we believe you and your organization may find useful, and to protect our legal rights and interests;
• You give us consent to do so for a specific purpose; or
• We need to comply with a legal obligation.

If you have consented to our use of Personal Data about you for a specific purpose, you have the right to change your mind at any time, but this will not affect any processing that has already taken place. Where we are using your Personal Data because we or another entity (for example, your employer) have a legitimate interest to do so, you have the right to object to that use; however, in some cases, this may mean that you no longer use our products and services.

In the event that we de-identify any Personal Data for further use, we commit to maintain and use the information in de-identified form and will not attempt to re-identify the information, except for the purpose of determining if our de-identification processes satisfy applicable legal requirements.

V. IDM’s Security Posture & Measures Taken

Security is a critical priority for IDM. We maintain a comprehensive, information security program that follows industry-standard safeguards designed to prevent unauthorized access to Personal Data.

However, no security system is perfect, and due to the inherent nature of the Internet, we cannot guarantee that data, including Personal Data, is absolutely safe from intrusion or other unauthorized access by others. You are responsible for protecting your password(s) and other authentication factors, as well as maintaining the security of your devices.

VI. International Data Transfers

Your Personal Data may be collected, transferred to, processed, and stored by us in the United States, and by our affiliates, service providers, and third parties that are based in other countries.

Some of the countries where your Personal Data may be processed, including the United States, are not subject to an adequacy decision by the European Commission or your local legislature and/or regulator, and may lack data protection laws as comprehensive as or may not provide the same level of data protection as your jurisdiction, such as the European Economic Area, the United Kingdom, or Japan. For example, as of the effective date of this policy, the United States does not have a federal privacy law that covers all types of data; however, privacy is regulated by federal and state agencies and by various state laws. In light of regional differences, IDM has put in place various safeguards and the security measures described above. For example, when we share Personal Data, we take reasonable steps so that the recipient of your Personal Data offers an adequate level of data protection, for example, by entering into the appropriate agreements containing relevant data protection provisions.

VII. Children

IDM’s websites are not directed at children. We do not knowingly collect Personal Data from children under the age of 18, unless such accounts are managed through agencies, labels, or managers who are authoritative representatives of such individuals. If you are a parent or guardian and believe that your child has provided us with Personal Data without your consent, please contact us by using the information in the “How to Contact Us” section, below, and we will take steps to delete such Personal Data from our systems.

VIII. How Long Does IDM Keep Your Data?

We retain your Personal Data for as long as you engage with services that require the use of IDM and its services. Additionally, we will retain your Personal Data for a period of time that is consistent with the original purpose of the data collection, or as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. We determine the appropriate retention period for Personal Data by considering the amount, nature and sensitivity of your Personal Data processed, the potential risk of harm from unauthorized use or disclosure of your Personal Data and whether we can achieve the purposes of the processing through other means, and on the basis of applicable legal requirements (such as applicable statutes of limitation).

IX. Your Information Privacy

Your Privacy Rights

Depending on your jurisdiction, you may have certain rights with respect to your Personal Data that we process in our capacity as a data controller or data processor, subject to applicable law:

Right to Access. You have the right to access your Personal Data held by us.

Right to Rectification. You have the right to rectify inaccurate Personal Data and, taking into account the purpose of processing, to ensure it is complete.

Right to Erasure (or “Right to be Forgotten”). You have the right to have your Personal Data erased or deleted.

Right to Restrict Processing. You have the right to restrict our processing of your Personal Data.

Right to Data Portability. You have right to transfer your Personal Data, when possible.

Right to Object. You have the right to object to the processing of your Personal Data that is carried out on the basis of legitimate interests, such as direct marketing.

Right Not to be Subject to Automated Decision-Making. You have the right not to be subject to automated decision-making, including profiling, which produces legal effects. IDM does not currently engage in the foregoing on our websites or in our products and services.

If you would like to make a request and exercise your rights described above or have questions or concerns, please email us at legal@id.music using the contact information below. You also have the right to act upon your data privacy rights.

X. Information for California Residents / Your California Privacy Rights

Under the California Consumer Privacy Act of 2018 (“CCPA”), California residents have certain rights to understand and request that we disclose details about how we handle your Personal Data. To learn more about how we collect, use, disclose, and share your Personal Data, please see below.

Categories of Personal Data Collected

In the preceding 12 months, we have collected the following categories of Personal Data about California consumers. We may collect this Personal Data directly from you, from third parties, and from your interactions with us. For additional detail about the Personal Data that we collect and the sources from which we collect this Personal Data, please review Section III above. The Personal Data categories are:

• identifiers, such as name, email address, address, and phone number;
• categories of Personal Data described in subdivision (e) of Section 1798.80, such as address, telephone number, employment, and employment history;
• commercial information, such as records of products or services purchased and other transactional data;
• Internet or other network or device activity details, such as technical data about your use of our website, products and services;
• geolocation data, such as your approximate location based on IP address;
• professional or employment-related information, such as your employer and job role;
• education information and details such as education history, certifications and qualifications; and
• inferences drawn from any of the above information.

We may retain this Personal Data for as long as is needed for the purpose(s) for which it was collected and no longer than is relevant and reasonably necessary. Our retention periods vary based on business, legal and regulatory needs. We securely retain records of data requests for at least 24 months as required under the CCPA. For further information on our retention criteria see Section X above.

Business and Commercial Purposes for Collection; Disclosures for a Business Purpose

We may collect all of the above categories of Personal Data to run our business and carry out our day-to-day activities, as described above in Section IV. We have disclosed each of these categories of Personal Data with our service providers for various business purposes, as described above in Section V, in the preceding 12 months.

Sensitive Personal Data

In addition to the categories of Personal Data listed above, we may collect certain categories of Sensitive Personal Data from you as that term is defined under CCPA, if you choose to provide it. In the preceding 12 months, we may have collected the following categories of Sensitive Personal Data from California consumers:

• Social Security Number, driver’s license, state identification card, or passport number;
• account log-In, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;
• precise geolocation;
• racial or ethnic origin, religious or philosophical beliefs, or union membership;
• contents of your email and text messages, unless we are the intended recipient of the communication;
• biometric information for the purpose of unique identification;
• health information; and
• sex life or sexual orientation information.

Business Purposes For Which Sensitive Personal Data will be Used or Disclosed. We may collect the categories of Sensitive Personal Data listed for processing described in Section IV above, and to further our legitimate business purposes as outlined under the CCPA:

• performing services, including maintaining or servicing accounts;
• detection and prevention of security incidents;
• protecting against malicious, deceptive, fraudulent or illegal actions and prosecuting those responsible;
• auditing related to consumer interactions;
• short-term, transient use;
• quality and safety maintenance or verification;
• internal research for technological development; and
• debugging to identify and repair functionality.

Your Rights

The CCPA gives you certain rights regarding the Personal Data we collect about you:

Right to Know About Personal Data Collected, Disclosed, or Sold. You have the right to request to know what Personal Data we collect, use, disclose, share and sell about you.

Right to Request Deletion of Personal Data. You have the right to request the deletion of your Personal Data collected or maintained by us as a business.

Right to Opt-Out of the Sharing of Personal Data. You have the right to opt-out of the sale of your Personal Data by us as a business.

Right to Limit the Use and Disclosure of Sensitive Personal Data. In some instances, we may use or disclose your Sensitive Personal Data for the legitimate business purposes as outlined under the CCPA, and for any other purposes as set forth in Section IV, above. If we ever use or disclose your Sensitive Personal Data for a reason other than the legitimate business purposes as outlined under the CCPA and for any other purposes other than those described in Section IV, we will update this Privacy Policy and provide you with instructions to limit the use and disclosure of your Sensitive Personal Data.

Right to Correct Inaccurate Personal Data. You have the right to request the correction of your Personal Data if it is inaccurate and you may submit a request as further described below.

Right to Non-Discrimination for the Exercise of Your Privacy Rights. You have the right not to receive discriminatory treatment by us for the exercise of your privacy rights conferred by the CCPA.

Authorized Agent. You may designate an authorized agent to make a request under the CCPA on your behalf. We may require the agent to demonstrate proof of their authorization by providing us with a signed permission from you or a copy of your power-of-attorney document granting that right. In the case of the former, we may still request that you verify your own identity as described above or directly confirm that you have provided such permission.

Financial Incentives. We do not provide any financial incentives tied to the collection, sale, or deletion of your Personal Data.

XI. How to Contact IDM

If you would like to contact us with questions or concerns about our privacy policies and practices, you may contact us via any of the following methods:

Email: privacy@id.music

Toll-free Number (North America): 866-244-9610

Mailing Address:

DotMusic Foundation
ATTN: IDM Data Protection Officer
#404 – 999 Canada Place
Vancouver, British Columbia
Canada, V6C 3E2

XII. Changes to the Policy

This Privacy Policy may be updated from time to time, to reflect changes in our practices, technologies, additional factors, and to be consistent with applicable data protection and privacy laws and principles, and other legal requirements. If we do make updates, we will update the “effective date” at the top of this Privacy Policy webpage. If we make a material update, we may provide you with notice prior to the update taking effect, such as by posting a conspicuous notice on our website or by contacting you using the email address you provided.