Law Enforcement Requests Process

Introduction

Tebex is a retailer of digital goods in the video gaming space, and thus interacts with content creators and customers globally. As such, situations may arise where Authorities are seeking account, transaction or personal records from Tebex based on valid legal processes. These guidelines inform Authorities on how to submit such requests for personal data.

Tebex complies with the laws and processes of the relevant jurisdiction (“Laws”) in which it operates, as well as GDPR, UK GDPR and similar laws globally and other data protection obligations of its customers. As such, Tebex will review all requests from Authorities to ensure compliance with Laws, and will only provide responses to such requests where Tebex believes that it is legally required to do so.

In all cases, a request from Authorities will be much more likely to be fulfilled if the request is:

• Necessary - there is a clear relationship between the data being requested and the legitimate outcome sought by the Authority.
• Proportionate - the data is relevant and limited in scope, and timeframes to what is reasonably required to achieve the intended outcome.
• Targeted - the data requested relates only to the individual or entity involved in the specific matter under investigation by the Authority.

In cases where such a request is overbroad, seeks information on a large number of users or otherwise is disproportionate to the risk or outcomes of the request, Tebex will, to the extent permitted according to Laws, seek to limit or object to such requests.

Submitting A Request

Authorities wishing to submit a request shall email the Tebex Compliance Department at compliance@tebex.io, providing their request in the format included below in Annex A. Emails should contain the subject line “Attention: Government & Law Enforcement Information Request.”

If Authorities are required to submit requests via postal mail, such requests shall be sent to Tebex registered office address as set for on the Tebex website.

Please note: Requests received by post are subject to additional processing time. Acceptance of legal process by any of these means is for convenience and does not waive any objections, including, inter alia, lack of jurisdiction, proper service or other substantive defects.

Request Validation

Upon receipt, Tebex will review all requests and will determine their validity. Validation checks will include, but are not limited, to the following:

• The request was sent by relevant Authority via a verified governmental email domain (unless delivered via mail or in person, as stated above) and addressed to compliance@tebex.io.
• The request states what legal process or relevant Law compelling Tebex to comply and fulfill the request being made.
• The request contains the Authority’s name and contact details, together with sufficient information to verify the Authority’s status and authority to make such a request.
• The request identifies, with specificity, the categories of records or personal data sought, and is demonstrably proportionate and targeted to the matter under investigation.
• The request includes sufficient information regarding the data subject, such that Tebex may accurately identify the user’s account without risk of mis-identifying the incorrect user.
• The request indicates the specific time period for which personal data is requested.

Fulfilling Requests

Tebex will only fulfill an Authority’s request if it is determined by Tebex to be valid in accordance with this Policy, and such disclosure is within applicable Laws or legal process. Where applicable Laws do not provide a basis under which disclosure must be made, then a valid legal process appropriate to the jurisdiction in which the data is processed or controlled must be provided such as a Subpoena, Court Order, Search Warrant or similar. In the event of any conflict between the laws of different jurisdictions, Tebex reserves the right to seek independent legal advice and may suspend or decline fulfillment of the request pending resolution.

Obligation to Advise Affected Customers

In certain situations, Tebex may be obligated to provide notice to users when a request for personal data is received. Authorities that wish for such requests to not be notified should include a court order or other legal authority barring Tebex from disclosing the request, even if we would otherwise be compelled to do so. Authorities seeking to prohibit notification must provide Tebex with legal documentation establishing such prohibition; absent such documentation, Tebex reserves the right to notify the affected user(s).

If, in the course of investigating a request, Tebex becomes aware of conduct in violation of Tebex’s Creator Agreement or other terms. In such cases, Tebex may automatically take action to prevent further violation. While not intended, such actions may cause users to gain knowledge of an investigation. If Authorities wish this not to happen, the request should state that no remedial action should take place until after the investigation is complete, with a timescale (not to exceed 90 days) under which the investigation can be assumed complete if no other instruction to the contrary has been received.

Emergency Situations and Child Safety Matters

In accordance with Tebex’s Terms of Service, Privacy Policy, and Laws, Tebex may, in its sole discretion to the extent permitted by Laws disclose personal data to Authorities during an emergency if there is imminent risk of death or serious harm, and where Tebex has personal data that may be able to prevent such death or harm. Tebex will evaluate emergency disclosure requests on a case-by-case basis in compliance with relevant Laws. This may include voluntary disclosures made by Tebex in the case of child exploitation or other harms where such information is detected on Tebex’s platform, either detected by us, or when drawn to attention by Authorities in other jurisdictions.

When making a data request, if the request is urgent please state this directly in the subject-line of the email, and provide a brief explanation to the nature of the emergency, so that Tebex is able to prioritise the handling of such requests.

Data Preservation

Under GDPR other similar laws and our own privacy policy, Users may from time to time request that personal data be deleted from Tebex’s systems, or otherwise such data may be automatically deleted in line with our RoPA. Authorities may make a formal and valid request in the format referenced above that data is to be preserved for a specific time range not to exceed 90 days. Where a valid preservation request has been made, Tebex will retain the specified data despite any deletion request from a user, provided this retention complies with applicable data protection laws.

Such requests can be renewed for a further 90 days by submitting a new valid request.

Reimbursement

While we will take reasonable efforts to handle all received requests using our standard processes and available tools, unusual or burdensome requests may require specialist time, knowledge or tooling to process. Examples of this include but are not limited to forensic analysis, archive retrieval, manual data searches and manual data reconciliation. In such cases.

Tebex reserves the right to seek reimbursement for such costs incurred in processing the request, unless the request is related to child exploitation. If the Authority is required to approve any such costs before they are incurred, this must be clearly stated as part of the initial request. Examples of reimbursable costs may include reasonable legal fees, third-party service provider costs, and expenses incurred for data retrieval.

Response Time

Tebex will use reasonable efforts to confirm receipt of valid requests within 5 business days (not including weekends or public holidays). If, due to the scope or complexity of the request, it is likely to take longer than this, we will exercise reasonable efforts to advise of this fact within the first 5 business days, and provide an estimated timeline for the fulfillment of the request.