Privacy Policy

01 Who We Are

Decent Music PR Limited is the data controller for the personal data described in this policy. We are a UK-based music marketing and PR agency that works with independent artists to promote their music and careers.

We are registered with the Information Commissioner's Office (ICO) as a data controller.

Our contact details appear at the end of this policy. Any queries relating to how we handle your personal data should be directed to us using those details.

02 Personal Data We Collect

We collect and process only the minimum personal data necessary for the purposes described in this policy. We never process special category data (such as health, ethnic origin, political opinions, or biometric data) or criminal offence data.

Artists We Contact Proactively

When we identify independent artists for potential outreach, we collect the following data from publicly available sources:

• Artist name or professional stage name
• Professional or business email address (publicly listed)
• Publicly available artist metadata (e.g. genre, Spotify profile link)

Website Enquiries & Inbound Contact

When you contact us through our website, Instagram, or are referred to us by another artist, we collect the information you choose to provide, which may include:

• Your name or artist name
• Email address
• Details of the services you are interested in

Clients

If you engage us for our services, we will also process personal data necessary to perform our contract with you, including billing and communication details.

03 How We Collect Your Data

We collect personal data through the following means:

• Publicly available platforms - We identify artist contact details from public-facing profiles, primarily Spotify for Artists and similar professional music platforms, where artists have listed their contact information for industry purposes.
• Our website - When you submit an enquiry or contact form on our website.
• Social media - When you contact us via our business Instagram account.
• Referrals - When an existing client or contact refers you to us.
• Direct contact - When you email or communicate with us directly.

We do not purchase or obtain personal data from third-party data brokers. We do not collect data indirectly from other organisations.

04 How We Use Your Data

We use the personal data we collect for the following purposes:

We do not carry out any automated decision-making or profiling in respect of individuals.

05 Legal Bases for Processing

Where we rely on Legitimate Interests (Article 6(1)(f) UK GDPR) as our lawful basis, we have completed a formal Legitimate Interests Assessment (LIA). The key points of our assessment are summarised below:

You have the right to object to processing based on legitimate interests at any time. See Section 10 for how to exercise this right.

06 PECR Compliance & Electronic Marketing

Our outbound email communications are conducted in compliance with the Privacy and Electronic Communications Regulations 2003 (PECR). Specifically:

• We send marketing emails only to professional or business contact details that artists have made publicly available.
• Every communication includes a clear, functional, and prominent opt-out mechanism.
• Opt-out requests are honoured immediately and permanently - no further marketing is sent once an objection is received.
• We do not send bulk unsolicited messages; outreach is targeted and relevant to the recipient's professional activity.

If you have received an email from us and do not wish to be contacted again, you may use the opt-out link in the email or contact us directly. We will action your request without delay.

07 Sharing Your Data

We do not sell, rent, or trade your personal data to any third parties.

We do not share personal data with third-party marketing companies, data brokers, or advertising platforms.

In limited circumstances, we may share data with:

• Service providers acting as data processors on our behalf (e.g. email platforms, cloud storage providers), who are bound by appropriate data processing agreements and are only permitted to process data on our instructions.
• Legal and regulatory authorities where we are required to do so by law, court order, or for the prevention or detection of crime.
• Professional advisers (e.g. lawyers or accountants) where necessary, under confidentiality obligations.

Any transfers of personal data outside the UK are conducted in compliance with UK GDPR transfer requirements.

08 Data Retention

We retain personal data only for as long as is necessary for the purposes for which it was collected, or as required by law.

• Outreach contacts - Retained for the duration of active outreach activity. Contacts are periodically reviewed and deleted when no longer relevant. Contacts who opt out are removed from our active lists immediately and retained on a suppression list to prevent re-contact.
• Client data - Retained for the duration of our engagement and for such period thereafter as is required for legal, tax, and accounting purposes (typically six years in line with UK statutory requirements).
• Enquiry data - Retained for a reasonable period to manage the enquiry and, if relevant, for follow-up purposes, after which it is deleted or anonymised.

We conduct periodic audits of stored data to identify and delete information that is no longer required.

09 How We Protect Your Data

We take information security seriously. We have implemented technical and organisational measures appropriate to the nature of the data we process, including:

Technical Measures

• Multi-factor authentication (MFA) on all key systems and accounts
• Strong password policies and session management controls
• Audit logging on critical systems and platforms
• Secure email infrastructure with SPF, DKIM, and DMARC configuration
• Network and router security hardening
• Encryption of data where appropriate

Organisational Measures

• Documented Information Security Policy
• Completed and reviewed Data Protection Impact Assessment (DPIA)
• ICO registration maintained and kept up to date
• Access to personal data restricted on a need-to-know basis
• Periodic external security reviews conducted by an accredited information security consultant

No method of data transmission or storage is entirely secure. While we take all reasonable steps to protect your personal data, we cannot guarantee absolute security.

10 Your Rights Under UK GDPR

As a data subject, you have the following rights in relation to your personal data. These rights are subject to certain conditions and exemptions under UK data protection law.

To exercise any of these rights, please contact us using the details in Section 13. We will respond to valid requests within one calendar month of receipt, free of charge. We may need to verify your identity before processing your request.

11 Right to Complain

If you are unhappy with how we have handled your personal data, we encourage you to contact us in the first instance so that we can try to resolve your concern.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection:

• Website: ico.org.uk
• Helpline: 0303 123 1113
• Address: ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

12 Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. The date at the top of this page indicates when the policy was last revised.

We encourage you to review this policy periodically. Where changes are material, we will take reasonable steps to notify affected individuals.

13 Contact Us

If you have any questions about this privacy policy, wish to exercise your data subject rights, or have a concern about how we handle your personal data, please contact us: