Privacy Agreement &
Data Protection Policy

Definitions & Interpretive Terms

The following definitions apply throughout this Agreement and all related MADECX legal documents. Terms defined in the singular shall include the plural, and vice versa, where context requires.

Platform

The MADECX digital infrastructure accessible at made.cx, including all subdomains, APIs, web applications, mobile interfaces, administrative portals, and associated services operated by MADECX, LLC.

Personal Data

Any information that identifies or could reasonably identify a natural person, including but not limited to: full legal name, email address, postal address, telephone number, government-issued identification numbers, payment instruments, and behavioral data tied to an identified individual.

Cultural Property Data (CPD)

All metadata, documentation, registration records, provenance information, valuation assessments, creative asset files, copyright registrations, licensing agreements, cultural lien records, and related materials submitted by Users in connection with cultural IP registration.

CPVE

The Cultural Property Valuation Engine — the proprietary algorithmic framework used by MADECX to score, rank, and assign market value to registered cultural assets. CPVE-generated scores constitute Confidential Platform Data and are not independently licensed to third parties.

BCID

Blackchain Creative ID — the unique registration identifier assigned to each cultural property asset upon successful verification. A BCID constitutes a Platform record and does not in itself constitute legal title or copyright.

Processing

Any operation performed on Personal Data or Cultural Property Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, restriction, erasure, or destruction.

Authorized Third Party

Any vendor, partner institution, or service provider that has executed a Data Processing Agreement (DPA) with MADECX and is permitted to process User data solely in accordance with written instructions and for defined operational purposes.

Scope & Applicability

This Agreement applies to all Users of the MADECX Platform, including but not limited to:

• 2.1Individual creators, artists, musicians, designers, and cultural practitioners who register assets on the Platform.
• 2.2Institutional registrants, including trusts, estates, foundations, and nonprofit organizations acting as custodians of cultural property.
• 2.3Brand partners, corporate licensees, and commercial entities accessing the Platform for licensing, compliance verification, or cultural due diligence.
• 2.4Administrative personnel, staff, contractors, and agents acting on behalf of any of the foregoing.
• 2.5Visitors who access any publicly available portion of the Platform without completing registration.

This Agreement does not apply to third-party platforms, applications, or services that may link to or integrate with the MADECX Platform. Users accessing the Platform through third-party integrations should review those parties' independent privacy policies.

Information We Collect

MADECX collects data through direct User submission, automated platform activity, and, where applicable, authenticated third-party integrations. The categories of data collected are defined below.

Cultural Property Data & Custodial Obligations

Cultural Property Data (CPD) submitted to the MADECX Platform occupies a distinct legal and operational category. MADECX acknowledges its custodial — not proprietary — relationship to all submitted cultural assets and associated metadata.

• 4.1Custodial Relationship. MADECX does not assert ownership over any cultural property registered on the Platform. All intellectual property rights in submitted assets remain exclusively with the rightful creator or rights holder. Registration on the Platform creates a ledger record, not a transfer of title.
• 4.2Ledger Integrity. All Cultural Property Data entered into the MADECX registry is subject to audit controls, version tracking, and tamper-evident logging. Modifications to registered records are recorded with timestamp and accessor attribution.
• 4.3Public Registry Disclosure. Certain Cultural Property Data — including BCID numbers, asset category, creator name, registration date, and verified status — may be published to the MADECX public ledger as part of the Platform's core function. Users consent to this disclosure upon completing asset registration.
• 4.4Confidential Asset Files. Underlying creative asset files, provenance documents, and proprietary documentation submitted for verification are treated as Confidential Platform Data. They are not published publicly and are accessible only to the registrant, designated authorized parties, and MADECX verification personnel under strict access controls.
• 4.5Cultural Lien Records. In the event a Cultural Lien is filed on the Platform, relevant lien metadata (excluding underlying legal documentation) may be disclosed to parties with demonstrable legal standing or in response to valid court orders.
• 4.6CPVE Confidentiality. Cultural Property Valuation Engine scores, methodology parameters, and weighting algorithms constitute proprietary trade secrets of MADECX. They are not disclosed to third parties, including the registrant, except in aggregate or summary form through the Platform dashboard.

How We Use Your Information

MADECX processes User data only for lawful purposes that are proportionate, transparent, and consistent with the legitimate operational objectives of the Platform. The following table enumerates the basis and purpose for each category of data use.

• 5.1Platform Operation. To create, authenticate, and maintain User accounts; to process and record cultural property registrations; to generate and assign BCID identifiers; to operate the CPVE valuation engine; and to administer licensing, lien, and agreement workflows.
• 5.2Transactional Communications. To deliver system-triggered notifications including registration confirmations, status updates, royalty enablement notices, Creator Creditor Agreement confirmations, and license approval communications via the registered email address on file.
• 5.3Financial Processing. To facilitate royalty disbursement, licensing fee collection, subscription billing, and related financial operations through authorized payment processors under applicable payment services law.
• 5.4Security & Fraud Prevention. To monitor Platform activity for unauthorized access, data exfiltration, identity fraud, intellectual property misappropriation, and violations of the MADECX Terms of Service.
• 5.5Legal Compliance. To fulfill statutory obligations under applicable United States and international law, including tax reporting, anti-money laundering (AML) obligations, intellectual property law compliance, and response to valid legal process.
• 5.6Platform Improvement. To analyze aggregated and de-identified usage data for the purpose of improving Platform features, refining the CPVE scoring model, and enhancing User experience. No individually identifiable data is used for model training without explicit written consent.
• 5.7Prohibited Uses. MADECX expressly prohibits the use of User data for the sale of personal data to advertisers, unsolicited commercial solicitation, discriminatory profiling, or any purpose inconsistent with the Platform's stated mission of cultural property protection.

Data Sharing & Third-Party Disclosure

MADECX does not sell, rent, or barter User data. Data sharing with third parties occurs exclusively under the following enumerated conditions:

• 6.1Authorized Service Providers. MADECX engages service providers operating under executed Data Processing Agreements, including Supabase (infrastructure), Resend (transactional email), and payment processing partners. These providers are contractually restricted to processing data solely as directed by MADECX.
• 6.2Licensing Counterparties. When a User executes a Cultural Use License, the licensee (brand or institutional partner) receives access to the specific asset's public ledger record, BCID, and agreed licensing terms. No personal identity data is disclosed to licensees beyond what is explicitly included in the license instrument.
• 6.3Legal Compulsion. MADECX may disclose User data when required by valid subpoena, court order, or regulatory directive from an authority with lawful jurisdiction. MADECX will, to the extent permitted by law, notify affected Users prior to compliance.
• 6.4IP Enforcement Actions. In connection with the enforcement of cultural property rights — including DMCA takedowns, copyright infringement claims, and cultural lien enforcement — limited identifying information may be disclosed to legal counsel, enforcement platforms, or courts as necessary to pursue or defend such actions.
• 6.5Corporate Transactions. In the event of a merger, acquisition, asset sale, or restructuring of MADECX, User data may be transferred to a successor entity, subject to notice to Users and maintenance of materially equivalent data protection obligations.
• 6.6Consent-Based Disclosure. MADECX may share User data for purposes not described herein upon obtaining explicit, informed, and freely given written consent from the User, which may be revoked at any time without detriment to Platform access.

Data Security Standards

MADECX implements institutional-grade technical and organizational measures to protect User data against unauthorized access, loss, alteration, or destruction. These measures include but are not limited to:

• 7.1Encryption in Transit. All data transmitted between User devices and the MADECX Platform is encrypted using TLS 1.3 or higher. Plain-text transmission of sensitive data is prohibited across all Platform endpoints.
• 7.2Encryption at Rest. Personal Data and Cultural Property Data stored in MADECX infrastructure is encrypted at rest using AES-256 encryption. Database-level encryption is implemented across all production environments.
• 7.3Access Controls. Access to User data within MADECX systems is governed by role-based access control (RBAC) with the principle of least privilege. All administrative access events are logged, timestamped, and subject to audit review.
• 7.4Incident Response. In the event of a data breach that creates material risk to User rights or confidentiality, MADECX will notify affected Users within seventy-two (72) hours of confirmed breach detection, in accordance with applicable breach notification law.
• 7.5Vendor Security. All third-party service providers with access to User data are subject to security review, contractual data protection obligations, and periodic compliance attestation.
• 7.6Limitation of Liability. While MADECX employs industry-standard safeguards, no digital infrastructure is unconditionally immune from security incidents. MADECX's liability for data breaches resulting from factors outside its reasonable control is limited as set forth in the MADECX Terms of Service.

User Rights & Data Control

Subject to applicable law and Platform operational requirements, Users retain the following enumerated rights with respect to their Personal Data. Rights requests must be submitted in writing to privacy@made.cx and will be processed within thirty (30) calendar days of verification.

Data Retention Policy

MADECX retains data only for so long as is necessary to fulfill the purposes for which it was collected, to satisfy legal and regulatory obligations, and to resolve disputes and enforce agreements. The following retention schedule governs MADECX data management practices.

Upon expiration of the applicable retention period, MADECX will securely delete or permanently anonymize the relevant data in accordance with its data destruction standards. Requests for early deletion are subject to Section 8 (Right to Erasure) and applicable legal retention obligations.

Third-Party Services & Integrations

The MADECX Platform integrates with the following categories of third-party services, each operating under its own independent privacy framework. MADECX does not assume responsibility for the data practices of third-party platforms accessed through links or integrations.

• 10.1Infrastructure (Supabase / PostgreSQL). Core platform data is hosted on Supabase-managed infrastructure. Supabase operates as a Data Processor under a DPA with MADECX. Data is stored in United States-based data centers.
• 10.2Email Delivery (Resend). Transactional email notifications are delivered via Resend API. Resend processes recipient email addresses, subject lines, and HTML content solely for message delivery. No content is retained beyond delivery confirmation.
• 10.3Payment Processing. All payment transactions are processed by PCI-DSS compliant third-party payment processors. Raw financial credentials are not transmitted to or stored by MADECX infrastructure.
• 10.4Cookie & Analytics Technologies. The Platform may use first-party analytics tools to collect aggregated usage statistics. No cross-site tracking pixels, behavioral advertising cookies, or third-party retargeting technologies are deployed on the MADECX Platform.
• 10.5Social Sharing. The Platform may offer optional social sharing functions (Instagram, TikTok, X/Twitter, LinkedIn) for registered asset announcements. Activation of these features is voluntary and governed by the respective platform's terms.

Cross-Border Data Transfers

• 11.1MADECX primarily stores and processes data within the United States. Where operational requirements necessitate data transfers to jurisdictions outside the User's country of residence, MADECX implements appropriate safeguards in accordance with applicable cross-border transfer law, including Standard Contractual Clauses (SCCs) where required under GDPR.
• 11.2Users located in the European Economic Area (EEA) or United Kingdom acknowledge that data may be transferred to and processed in the United States, a jurisdiction that the European Commission has not designated as providing equivalent data protection. Such transfers are conducted under appropriate legal mechanisms as enumerated in MADECX's supplemental EU/UK Transfer Impact Assessment.
• 11.3Users in jurisdictions with data residency requirements should contact MADECX prior to registration to determine applicable operational constraints.

Minors & Age Restrictions

• 12.1The MADECX Platform is not directed to individuals under the age of eighteen (18). MADECX does not knowingly collect Personal Data from minors.
• 12.2Registration on the Platform constitutes representation by the User that they are at least 18 years of age, or that they are acting as an authorized representative of a legal entity.
• 12.3If MADECX becomes aware that Personal Data has been submitted by or on behalf of a minor without appropriate parental or guardian consent, such data will be deleted from active systems within five (5) business days of confirmed identification.

Amendments & Policy Updates

• 13.1MADECX reserves the right to amend this Agreement at any time in response to changes in law, Platform functionality, or operational practice. Material amendments will be communicated to registered Users via the email address on file no fewer than thirty (30) days prior to the effective date of the revision.
• 13.2Non-material amendments — including typographic corrections, clarifications that do not alter substantive rights, and updates to contact information — may be made without advance notice and are effective upon posting.
• 13.3Continued use of the Platform following the effective date of any amendment constitutes acceptance of the revised Agreement. Users who do not consent to amendments must discontinue Platform use and may submit a deletion request as described in Section 8.
• 13.4All prior versions of this Agreement are archived and available upon written request to legal@made.cx.

Governing Law & Dispute Resolution

• 14.1This Agreement shall be governed by and construed in accordance with the laws of the United States of America and, to the extent applicable, the laws of the state of incorporation of MADECX, LLC, without regard to conflict-of-law principles.
• 14.2Any dispute arising out of or relating to this Agreement that cannot be resolved through good-faith negotiation shall be submitted to binding arbitration under the rules of the American Arbitration Association (AAA), conducted in the English language.
• 14.3Nothing in this section shall preclude MADECX or any User from seeking injunctive or equitable relief in any court of competent jurisdiction in connection with actual or threatened misappropriation of intellectual property, breach of confidentiality, or unauthorized data access.
• 14.4To the extent applicable, MADECX acknowledges obligations under the General Data Protection Regulation (EU) 2016/679 (GDPR), the California Consumer Privacy Act (CCPA), and other applicable privacy frameworks with respect to Users in those jurisdictions.

Contact Information & Complaints

Users may direct privacy inquiries, rights requests, complaints, or legal notices to the following designated points of contact. All communications should include the User's full name, registered email address, and a concise description of the request or matter.

Users located in the European Economic Area retain the right to lodge a complaint with the relevant supervisory authority in their member state if they believe MADECX has processed their data in violation of applicable law.