Well Overdue Publishing

Introduction

Well Overdue Publishing Ltd (company number 14985056, registered office at 5 Cheapside Court, Sunninghill Road, Ascot, England, SL5 7RF) ("Well Overdue", "we", "us", or "our") is a UK-based company that operates a global music publishing administration portal used by record labels and rights-holders (the "Service"). We respect your privacy and are committed to protecting your personal information.

This Privacy Policy explains what information we collect, how we use and share it, and the rights you have in relation to your data. It applies to all users of our Service worldwide. We comply with the UK General Data Protection Regulation (UK GDPR) and other applicable data protection laws to safeguard the personal data of our users globally.

By using our Service, you acknowledge that you have read and understood this Privacy Policy.

1. Information We Collect

We collect personal information to provide and improve our Service. This includes:

Information You Provide

When you create an account or use our portal, you provide information such as your name, email address, and password (passwords are stored securely in hashed form, not plain text). You may also provide other details, for example, if you fill out your user profile or contact us for support. Additionally, our Service allows you to upload and manage contracts or other documents (e.g. PDF agreements) which may contain personal data. This can include names and addresses of contracting parties, contract start dates, durations, and other details related to music publishing agreements.

Financial Information

If you are a rights-holder receiving royalty payments, you may submit your banking details (e.g. bank account holder name, account number, sort code, bank name, IBAN, currency) via our portal. We collect these details to process payments but do not store your full bank account information in our systems. Instead, the information is transmitted securely to our payment partner, Wise Payments Ltd ("Wise"), via their API. We then store only the non-sensitive identifiers returned by Wise – specifically, the wise_recipient_id (a unique ID for your payout account) and your wise_account_currency. This allows us to direct payments to you without keeping your actual bank details on our servers.

Information Collected Automatically

When you use the Service, our systems automatically collect certain technical and usage data. This includes your Internet Protocol (IP) address, browser type, device information, and operating system. We log the dates and times you log in, the duration of your sessions, and records of your interactions (such as pages or features used). We utilize a Redis-based session tracking system to monitor user activity levels, which helps us understand engagement and detect unusual behavior. For example, we may record timestamped login events and actions taken within the portal for security and auditing purposes.

Cookies and Similar Technologies

We use cookies strictly as necessary for authentication, session management, and security. When you log into the portal, our Service will set a secure session cookie to keep you logged in. We also use a cookie to help prevent cross-site request forgery (CSRF) attacks and other security-related cookies/tokens to protect your account. These cookies are essential for the Service to function properly. We do not use any non-essential cookies (such as analytics or advertising cookies) that track your behavior outside of the core functionality of the site. For more details, see our Cookies Policy.

2. How We Use Your Information

We use the collected information for the following purposes:

Providing and Maintaining Your Account

We use your personal details to create and maintain your user account, verify your identity when you log in, and provide you with access to the Service. For example, we use your email and password to authenticate you and allow you to use the music publishing administration portal's features.

Contract Administration

The information you provide about contracts (including any personal data contained in those contracts) is used to manage your publishing agreements. We store contract details (such as parties' names, contract start and end dates, duration, etc.) and associated documents so that you and authorized users can review and manage these agreements through the portal. This allows us to help administer royalty arrangements and rights management as per your contracts.

Royalty Payments Processing

We use your financial information to facilitate royalty and payment distributions. Specifically, the bank details you provide are used to create a payment beneficiary via Wise. We then use the wise_recipient_id and currency to initiate transfers of funds (e.g., royalty payouts) to you through Wise's payment system. This ensures you receive payments in your designated account. We only use this information for processing payments you are owed and maintaining records of those transactions.

Security and Fraud Prevention

We monitor user accounts and activities to protect against unauthorized access, fraud, and abuse. For example, we use IP addresses, login timestamps, and activity logs to detect suspicious logins or behavior that might indicate a security threat. Our Redis session tracking and cookie-based security measures (like CSRF tokens) help safeguard your account and our platform. We may use automated tools to flag unusual activity for further investigation. This use of data is necessary to keep the Service safe, secure, and reliable for all users.

Service Operation and Improvement

Internally, we may use usage information (e.g. how often certain features are used) to analyze and improve the Service's functionality and performance. This can include debugging issues, optimizing the user interface, and developing new features that better serve our users. Any analytics we perform on usage are generally done on aggregated or anonymized data, and we do not use personal data for any automated profiling that has legal effects on you.

Legal Compliance and Audit

We may use your information to fulfill our legal obligations. For example, we keep records of payments and contracts as required by tax laws, accounting rules, or regulatory requirements. If necessary, we will use personal data to respond to lawful requests by public authorities (such as court orders or subpoenas) or to establish, exercise, or defend legal claims. We also maintain data to comply with duties under privacy laws – such as keeping records of consents or requests you make regarding your data.

Legal Bases for Processing

We only process your personal data when we have a lawful basis to do so. In most cases, the primary bases are: (a) Contract – we need the data to provide you with the Service and fulfill our contract (e.g., managing your account, contracts, and payments); (b) Legitimate Interests – we use data to secure and improve our platform, in ways that are not overridden by your privacy rights (we perform risk assessments to balance this); (c) Legal Obligation – to comply with laws and regulations (e.g., financial record-keeping, responding to legal processes). We do not ordinarily rely on consent, except for optional uses (and if we ever do, you have the right to withdraw consent at any time).

3. How We Share Your Information

We treat your personal data with care and confidentiality. We do not sell your information to third parties. However, in certain situations we share your information with trusted third parties or others, as outlined below:

Payment Processor (Wise Payments Ltd)

We share necessary information with Wise to execute royalty payments. When you input your banking details in our portal, that information is sent securely to Wise's payment platform to create a beneficiary on their system. We then use Wise to send payments to you. Wise will handle your personal data (such as your bank account details) in accordance with their own privacy policy. We recommend you review Wise's Privacy Policy to understand how they process and protect your financial data. We only retain the minimal data from Wise (recipient ID and currency) needed to reference your account for future payouts.

Cloud Hosting and Storage Providers

We use third-party services to host our application and store data. In particular, our Service is hosted on Heroku (a cloud platform service) and we use Amazon Web Services (AWS) for data storage (for example, storing uploaded contract files and database backups). These providers act as data processors on our behalf. This means they may handle personal data for the purposes of storing it or enabling our application to run, but they are contractually obligated to keep it secure and only use it according to our instructions. Both Heroku and AWS are well-established providers with robust security and privacy practices.

Business Transfers

If Well Overdue (or substantially all of its assets) is involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of assets, or transition of service to another provider, your personal data may be disclosed to a successor or affiliate as part of that transaction. In such cases, we will ensure that the new owner or entity continues to be bound by confidentiality and privacy obligations consistent with this Policy, and we will notify you (for example, via email or notice on our site) of any change in data control or use, if required by law.

Legal Disclosures

We may disclose your personal information when required by law or when we believe in good faith that such disclosure is necessary to (a) comply with a legal obligation, process, or request (such as a law enforcement request, court order, or subpoena); (b) enforce our Terms of Service or other agreements; (c) address or investigate suspected illegal activities, fraud, or security issues; or (d) protect the rights, property, or safety of Well Overdue, our users, or the public. If we receive requests for user data from government or law enforcement, we scrutinize them carefully and only comply if they are legally valid and necessary.

Aside from the scenarios above, we will not share your personal data with third parties without your consent. If in the future we need to share information for any other purpose (such as adding a new service provider), we will update this Privacy Policy and, if required, seek your permission.

4. Data Security

We take extensive measures to protect the confidentiality and integrity of your personal data. These measures include:

Encryption in Transit

Our website and portal use HTTPS (SSL/TLS encryption) for all data transfer. This means that any data you send to us or we send to you is encrypted while in transit, preventing eavesdropping or interception by unauthorized parties.

Secure Authentication

Passwords you set for your account are not stored in plain text. We hash passwords using a strong, industry-standard hashing algorithm (PBKDF2 with a salt and multiple iterations) before saving them. This practice ensures that in the unlikely event of a database breach, your actual password remains protected (since hashing is one-way and very difficult to reverse). We also encourage you to choose a strong, unique password to enhance security.

Session Security

When you log in, our system issues a secure session identifier, which is stored in a cookie on your browser. We flag our session cookies as Secure and HttpOnly, meaning they are only sent over encrypted connections and are not accessible via JavaScript, which helps mitigate risks like XSS (cross-site scripting) attacks. Session data (including your session ID and related info) is stored server-side in a secure Redis store rather than in your browser. This server-side session management adds an extra layer of protection, as sensitive session details are not exposed on the client. We also enforce session timeouts and inactivity logouts according to best practices to reduce the risk from unattended sessions.

CSRF Protection

Our platform employs anti-CSRF (Cross-Site Request Forgery) tokens and same-site cookie attributes. Every form submission or state-changing action you take is validated with a token to ensure that it was initiated by you and not an attacker's script. Additionally, we use the SameSite attribute on cookies where feasible to prevent them from being sent in cross-domain contexts. These measures help prevent malicious sites from tricking your browser into performing actions on our Service without your consent.

Infrastructure Security

We deploy our application on reputable cloud infrastructure (Heroku for application hosting and AWS for data storage). These providers maintain high standards of physical and network security. Our servers are kept up to date with security patches, and we use firewalls and network segmentation to protect against unauthorized access. Data stored in our databases and storage buckets is protected by access controls and encryption at rest (AWS offers robust encryption which we utilize for stored files and backups).

Access Controls and Training

Within Well Overdue, personal data is only accessible to employees or contractors who have a legitimate need to access it in order to operate the Service (for example, support staff assisting you with an issue or technical staff maintaining the system). All such personnel are subject to strict confidentiality obligations. We regularly train our team on data protection best practices and security awareness to ensure your data is handled properly. Access to sensitive systems (like the production database, AWS storage, or the Wise payment dashboard) is logged and restricted to authorized personnel with multi-factor authentication.

Minimization of Sensitive Data

As noted, we deliberately minimize the sensitive financial data we store by offloading payment processing to Wise. We do not keep your raw bank account numbers or other highly sensitive financial information on our systems – such data is handled by Wise's secure platform. By limiting what we store, we reduce the risks to your privacy. Any particularly sensitive data that we do need to hold (for example, contract documents) is handled with extra care (encrypted storage, limited access).

Monitoring and Testing

We monitor our systems for suspicious activity and have alerting in place for potential security issues. We also periodically assess our platform's security (through vulnerability scans, penetration testing, and code reviews) to identify and fix potential weaknesses. In the event of any data breach or security incident, we have an incident response plan to promptly mitigate the issue and notify affected users and regulators as required by law.

While we strive to follow leading security practices and protect your data, it's important to note that no system can be 100% secure. We continuously improve our security measures to adapt to new threats. You can also play a part in security by keeping your login credentials confidential and notifying us immediately if you suspect any unauthorized use of your account.

5. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy or as required by law, whichever is longer. The duration for which we keep different types of data can vary based on legal obligations and our operational needs:

Account Data

If you have an active account with us, we will retain your account information for as long as you continue to use the Service. If you decide to close your account, or if we terminate your account in accordance with our terms, we will delete or anonymize your personal data associated with the account (except for data we must keep for legal reasons, explained below).

In cases where an account is created but never fully activated or verified (for example, a user signs up but does not complete the email verification or onboarding – a "pending" account), we reserve the right to delete that account and associated data after a set period of inactivity. Our system has defined retention settings (e.g. PENDING_EXPIRY_DAYS) that determine how long we keep unconfirmed accounts before removal.

Similarly, if a user account becomes inactive (no logins or activity) for an extended period, we may also remove or anonymize the data after a certain timeframe (as per an internal INACTIVE_EXPIRY_DAYS policy). These measures help us manage data storage and protect privacy by not retaining personal data indefinitely when it is not being used. We will endeavor to notify you (via your registered email) before deleting an inactive account, when practicable.

Contracts and Rights-holder Data

Any contract information, rights-holder details, or related data you have provided or that we manage on your behalf will be kept for the duration of the contract and as long as you retain an account with us. If your contract with us or use of our Service ends, we will retain the relevant contract data for a period necessary to satisfy legal, accounting, or reporting requirements.

For example, we may need to keep records of contracts and royalty calculations for a number of years after a contract ends in case of audits or disputes, or to comply with the statute of limitations for contract claims. Typically, business contract records in the UK are kept for 6 years after the contract ends (since 6 years is a common limitation period for legal claims), though this period may be extended if required by specific regulations or justified by our legitimate interests (such as handling any ongoing issues).

Payment and Financial Records

Records of payments made to you (royalty payout histories, invoices, etc.) and related financial data are retained to fulfill our financial and regulatory obligations. We are required under UK law (and other jurisdictions' laws) to maintain transaction records for a certain period (for instance, HMRC in the UK often requires companies to keep financial records for at least 6 years for tax purposes).

Therefore, even if you delete your account or remove certain information, we will retain payment transaction records, Wise recipient IDs, and associated payout details as part of our business records. We archive this information securely and restrict access to it, using it only for purposes such as audits, accounting, dispute resolution, and legal compliance. We do not retain full bank details (account numbers, etc.) – only the references and records of the transactions.

Logs and Technical Data

Our server logs and database backups that may contain personal data (such as IP addresses or user activity logs) are kept for a limited duration. Logs capturing web requests, login attempts, and similar technical information are generally retained for a few months up to a year for debugging, security analysis (e.g. investigating a security incident), and performance tuning. After that, they are either deleted automatically or anonymized. Database backups are encrypted and rotated on a regular cycle; older backups beyond the retention window are deleted, which means any deleted user data will also be removed from those backups after that period.

Data Deletion and Anonymization

When the retention period for personal data is reached, or if you make a valid request for erasure, we will take steps to securely delete the data from our systems. In cases where deletion is not immediately feasible (for example, data stored in offsite backups), we will instead isolate and protect the data until deletion is possible.

In some scenarios, rather than outright deletion, we may anonymize data (so it can no longer be associated with you). For instance, we might retain aggregate statistics or de-identified information (which is not considered personal data) for research or business analytics. Once data is anonymized, it is no longer subject to deletion requests since it cannot be linked back to any individual.

Please note that certain information may persist for a short time in our caches or logs after deletion, but will be removed in the normal course of operations. Additionally, we may retain information for longer than stated above if we are legally required to do so (for example, due to a court order) or if it's necessary to resolve a dispute, enforce our agreements, or ensure platform safety (in which case, we will retain only what's necessary and for the limited time needed).

6. Your Rights

As an individual using our Service, you have a number of rights under data protection laws in relation to your personal data. We are committed to facilitating your exercise of these rights. These include:

Right to Access

You have the right to request confirmation of whether we are processing your personal data, and if so, to receive a copy of that personal data, as well as supplemental information about how we use it. This is commonly known as a "Data Subject Access Request". Upon verification of your identity, we will provide you with a copy of the information we have about you (in a readily accessible format), subject to certain exceptions (for example, we might redact data that relates to other individuals or is legally privileged). We generally do not charge a fee for this service unless the request is unfounded or excessive, in which case a reasonable fee may be applied as permitted by law.

Right to Rectification

If you believe that any personal data we hold about you is inaccurate or incomplete, you have the right to request that we correct or update it. For instance, if your email address or bank account details change, you can update these via your account settings (where applicable) or by contacting us. We will promptly make the corrections, and if we've shared the incorrect information with any third parties (and it's necessary to notify them), we will do so.

Right to Erasure

This is also known as the "right to be forgotten". You can ask us to delete or remove your personal data in certain circumstances. For example, if you no longer wish to use the Service, you can request that we delete your account and personal information. We will honor this request provided that (a) the data is no longer necessary for the purpose it was collected, (b) we have no overriding legitimate grounds for keeping it, and (c) no legal obligation prevents deletion.

Please note that complete erasure might not be immediate if some data needs to be retained for the reasons outlined in Data Retention above (we'll inform you if that's the case). When we delete data, we will also inform our processors (like AWS or Heroku) to delete the data from their systems as appropriate. If your data has been shared with Wise for payments, Wise will handle deletion in line with their own obligations (you may need to contact Wise separately to exercise rights on data they hold as a controller).

Right to Restrict Processing

You have the right to request that we suspend or limit the processing of your personal data under certain scenarios. This could apply, for example, if you contest the accuracy of the data (you can ask us to pause processing until we verify or correct the data) or if you object to processing and we are evaluating your objection. When processing is restricted, we will still store your information, but not use it further until the restriction is lifted (unless it's to establish or defend legal claims, to protect the rights of another person, or for other limited reasons permitted by law).

Right to Object

You may object to our processing of your personal data when that processing is based on our legitimate interests. If you raise an objection, we will consider whether our legitimate grounds for processing override your personal rights and freedoms. Unless we have a compelling reason to continue processing, or the processing is necessary for legal claims, we will honor your objection and stop the processing in question.

Notably, you have an unconditional right to object to your data being used for direct marketing purposes – however, we do not currently use your data for any marketing or promotional communications. If that changes in the future, we will provide opt-out mechanisms as required. You also have the right to object to any processing for research/statistical purposes in certain circumstances.

Right to Data Portability

This right allows you to receive certain personal data from us in a structured, commonly used, machine-readable format and to transmit that data to another controller. It only applies to information you have provided to us, which we process by automated means, and where the processing is based on your consent or on a contract. In practical terms, this could include basic account information or contract data you gave us, if you needed a copy to import into another system. If you request it, and it's technically feasible, we will directly transfer the data to another organization at your direction.

Right to Withdraw Consent

Where we rely on consent for processing your personal data (which is not common in our operations, but might include, for example, if you agreed to receive an optional newsletter or if we ask your consent to use cookies beyond what is strictly necessary), you have the right to withdraw that consent at any time. If you withdraw consent, we will stop the processing that was based on it. Withdrawal of consent will not affect the lawfulness of any processing carried out before your withdrawal. (Again, note that most of our processing is based on other grounds like contract or legal obligation, not consent, so this right may not apply in many routine scenarios with our Service.)

Right Related to Automated Decisions

You have the right not to be subject to a decision based solely on automated processing, including profiling, if that decision produces legal effects concerning you or similarly significantly affects you. Currently, we do not make any such solely-automated decisions about users of our Service – all major decisions (such as account termination for cause, etc.) involve human review. If that ever changes, we will inform you and ensure appropriate safeguards and rights (like the ability to request human intervention) are in place.

Right to Lodge a Complaint

If you believe we have not complied with applicable data protection laws or have infringed your rights, you have the right to file a complaint with a supervisory authority. In the United Kingdom, our lead supervisory authority is the Information Commissioner's Office (ICO). You can find more information about the ICO and how to report concerns on their website. If you reside in another country, you may contact your local data protection authority – for example, in the EU, you have the right to complain to the authority in the Member State where you live, work, or where the issue occurred. We would, however, appreciate the chance to address your concerns directly before you approach a regulator, so we encourage you to contact us first and we will do our best to resolve any issue.

Exercising Your Rights

You can exercise any of your rights by contacting us at support@welloverdue.co.uk. Please clearly state your request and provide sufficient information for us to verify your identity (for example, by contacting us from the email address associated with your account or providing other identification). This is to ensure we do not disclose data to the wrong person. We will respond to valid requests as soon as possible, and in any event within the timeframe required by law (generally one month, but we may extend this period by an additional two months for complex requests – we will inform you if an extension is needed). There is usually no fee for making a request, although in rare cases we may charge a reasonable fee or refuse to act if a request is manifestly unfounded or excessive, per the law.

7. Cookies

Cookies are small text files placed on your device to store information. As noted above, our Service only uses cookies that are strictly necessary for it to function and to keep your data secure. Here is a recap of our cookie usage:

Essential Cookies for Functionality

When you log in to our portal, we set a session cookie that holds a unique ID tying your browser to your authenticated session on our servers. This cookie (often called something like sessionid or similar) allows you to navigate through different pages without having to log in again on each page. It expires after a certain time or when you log out. We also use a CSRF token cookie (e.g., a cookie containing a random value) to ensure that forms you submit are actually coming from you and not an unauthorized script. These cookies do not collect personal data for any marketing or analytics purposes – they are only used to maintain the state of your session and protect your interactions with the site.

No Analytics or Advertising Cookies

We do not deploy any Google Analytics, Facebook pixels, ad tracking cookies, or any similar technologies that track your activity across other sites or services. This means we're not building marketing profiles about you or showing you targeted ads. Every cookie we use is for an essential reason related to user login, security, or a basic preference. For example, we might use a cookie to remember that you have seen a particular informational banner so it doesn't repeatedly show up – but we won't use cookies to remember what other websites you visited.

Cookie Consent

Because our cookies are only the essential ones, we do not present intrusive cookie consent banners upon entry (under UK and EU law, strictly necessary cookies do not require prior consent, though users must still be informed). However, we want to be transparent. By using our Service and logging in, you are aware of and agree to our use of these essential cookies. If you were to block or delete these cookies via your browser settings, the Service may not function correctly – for instance, you would not be able to stay logged in without the session cookie, or you might be prevented from submitting forms without the CSRF cookie.

Cookie Management

Most web browsers allow you to control cookies through their settings (you can usually find an option to clear cookies, or to block cookies from certain sites). If you choose to disable cookies for our site, please note that some features of our Service will be impaired or unavailable. For example, disabling all cookies would likely prevent you from logging in or maintaining a session. We encourage you to leave cookies enabled for welloverduepublishing.com (or the relevant domain of our portal) to ensure a smooth and secure experience.

For further information, please see our separate Cookies Policy which provides more details on what cookies are used and how they work. If we introduce any new cookies or tracking technologies in the future, we will update that policy and, if required, ask for your consent.

8. Children's Privacy

Our Service is not directed to children under the age of 16, and we do not knowingly collect personal data from anyone under 16. By using the Service, you represent that you are at least 16 years old (or the age of majority in your jurisdiction, if it is higher) or that you are using the Service with the consent and supervision of a parent or guardian.

If we become aware that we have inadvertently collected personal information from a child under 16, we will take immediate steps to delete that information from our records. For example, if a minor registers an account with false age information, once detected, the account will be terminated and any personal data purged.

If you are a parent or guardian and you believe your child under 16 has provided personal information to us, please contact us at support@welloverdue.co.uk. We will investigate and, if applicable, work with you to remove such information and terminate the child's account. Protecting children's privacy is of utmost importance to us, and we comply with all applicable laws aimed at safeguarding children online (such as the UK's Age Appropriate Design Code and similar regulations).

9. International Data Transfers

Because the internet is a global environment and we use cloud-based services, your personal data may be transferred to, stored in, or accessed from countries outside of the United Kingdom (UK) or outside your country of residence. We want to ensure that your data remains protected no matter where it is processed, so we take steps to manage cross-border data transfers in compliance with applicable laws:

Data Hosting Locations

While Well Overdue Publishing Ltd is based in the UK, the data you enter into our Service might be stored on servers located in other countries. For instance, our primary application and database might be hosted by Heroku in a European data center, whereas backups or certain files in AWS could reside in data centers in the United States or another region. Additionally, if you are an international user (e.g., logging in from outside the UK), your data will naturally travel across borders as it reaches you. We strive to use EU/UK data centers for core storage when feasible, but some data processing (especially with global service providers) may occur in the U.S. or other jurisdictions.

Legal Protections for International Transfers

Whenever we transfer personal data from the UK or the European Economic Area (EEA) to a country that is not deemed to have "adequate" data protection laws (for example, the United States currently does not have an adequacy decision from the UK/EU), we implement appropriate safeguards. These typically include Standard Contractual Clauses approved by the European Commission and adopted by the UK ICO, and/or the UK's International Data Transfer Agreement/Addendum. These are legal contracts that oblige the recipient of the data to protect it according to standards essentially equivalent to UK/EU data protection law. In some cases, we may also rely on other permitted transfer mechanisms, such as if the transfer is necessary for the performance of a contract with you, or if you have explicitly consented after being informed of any risks.

Service Providers Abroad

Our third-party processors (like Heroku, AWS, and Wise) may themselves involve international data flows. For example, Wise is a global company – if you receive a payment in a country outside the UK, your data will of necessity cross borders to complete that transaction. Similarly, AWS and Heroku are U.S.-headquartered companies. However, each of these companies publicly commits to strong data protection standards and offers GDPR-compliant terms. We have agreements in place with our service providers to ensure they handle data in compliance with UK/EU data protection requirements. We also monitor developments in international data transfer law (such as new frameworks or legal rulings) to ensure ongoing compliance.

Your Rights and Remedies

Despite differences in privacy laws in other countries, we will ensure your data remains protected as described in this Policy. If we transfer your data internationally, you still enjoy the rights described in the "Your Rights" section above. If you have questions about our international data transfers or want more information about the safeguards we use, you can contact us (see the Contact Information section below). In the event of any planned significant transfer of your personal data to a new third country recipient, we would, if required by law, inform you and ensure lawful bases are in place.

Please note that by using our Service, you understand that your personal data may be transferred to and stored in countries other than your own. Regardless of location, we will take all reasonable measures to protect your personal data.

10. Changes to This Privacy Policy

We may update or modify this Privacy Policy from time to time to reflect changes in our business, changes in technology, legal requirements, or for other reasons. When we make changes, we will take appropriate steps to inform you, consistent with the significance of the changes:

Posting of Updated Policy

We will always indicate the date of the latest revision at the top of the policy (see "Last updated" date). Minor updates (such as clarifications or grammatical corrections) may be made by posting the revised Privacy Policy on our website, after which it will become effective immediately (or as otherwise indicated).

Notification of Major Changes

If we make material changes to how we collect, use, or share your personal information, we will provide a prominent notice to users. This may include, for example, an email notification sent to the address associated with your account, or a pop-up/message within the Service. We might also ask you to review and acknowledge the new Privacy Policy to ensure you are aware of the details.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. If you continue to use the Service after a change to this Policy is in effect, it will constitute your acceptance of the updated terms (to the extent permitted by law). If you do not agree with any changes, you should stop using the Service and you may request that we delete your personal data.

11. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please do not hesitate to contact us:

Well Overdue Publishing Ltd is the data controller responsible for the processing of your personal data in connection with the Service (except in cases where we act as a data processor on your behalf for content you input – but generally, for user account data and portal usage data, we are the controller). Our company is registered in England and Wales under company number 14985056, with the registered office address above.

We are committed to resolving any issues or questions you might have. You can expect a response to email inquiries within a reasonable timeframe. For security and confidentiality reasons, we may need to verify your identity before discussing personal data matters.

Thank you for reading our Privacy Policy. We value your trust and are dedicated to protecting your personal information as you use our music publishing administration portal.