keysig
keysigLegal

Privacy Policy

Last updated July 9, 2026

Draft, under legal review. This document is a working draft and has not yet been finalized by counsel. It may change before it takes effect.

This Privacy Policy explains how [KEYSIG ENTITY NAME] ("keysig," "we," "us") collects, uses, shares, and protects information when you use keysig.co (the "Service"). keysig is a platform for drafting, electronically signing, and storing music industry agreements, so the most sensitive thing we handle is the content of your agreements. This policy is written to tell you plainly what we do and, just as importantly, what we do not do.

The short version: we collect what the Service needs to work, we share it only with the service providers that run the platform, we do not sell personal information, we do not run advertising or third-party analytics, and you can delete your account and its data at any time.

1. Who We Are and What This Policy Covers

The Service is operated by [KEYSIG ENTITY NAME], [REGISTERED ADDRESS]. This policy covers information handled through keysig.co, including our public pages, the authenticated app, the label portal, and the emails we send. It covers both keysig account holders and people who are not keysig users but whose information is processed because someone named them in an agreement (see Section 3).

2. Information We Collect

Account information. When you create an account: your name, email address, and a password (stored by our authentication provider in hashed form; we never see or store your plain password).

Profile information ("Legal Key"). Details you choose to add so agreements can be pre-filled: your legal name, artist or professional name, role (such as artist, producer, or manager), mailing address, phone number, performing rights organization (PRO) affiliation, and IPI number. All profile fields are optional; you control what you add.

Agreement content and parties. The agreements you draft, upload, or execute, including all terms you enter, and the parties you name on them: names, email addresses, and, where you choose to add them, details such as splits, roles, PRO and IPI information, and payment terms. Executed agreements are stored as signed PDF files in private storage.

Tracks and collaborators. Information you add to organize your work: track titles and details, and the collaborators you keep on file (names, emails, and optional details such as legal name, address, phone, PRO, and IPI).

Billing information. Your plan, subscription status, and a ledger of usage events (sends, unsigned-draft downloads, and refunds of credits). Payments are processed by Stripe; keysig never receives or stores your card number. We store Stripe customer and subscription identifiers so we can link your account to your subscription.

Marketing consent records. If you tick the optional, unchecked-by-default box on our post-signing page to hear from us, we record your email address, the consent source, a timestamp, and your IP address, so we can prove the consent was real if we ever need to.

Technical information. Standard web server request logs kept by our hosting provider (such as IP address and requested pages) for operating and securing the Service. We do not run analytics scripts, advertising trackers, or session recording of any kind.

3. If You Are Not a keysig User

keysig processes some personal information about people who never signed up, because a keysig user named them in an agreement. If someone named you as a party, we process your name and email address (and any other details the sender entered about you, such as your split on a song) in order to prepare the agreement and, if the sender sends it for signature, to deliver a signing link to your email through our e-signature provider.

We process this information because it is necessary to provide the service our user asked for: preparing a contract that involves you and inviting you to sign it. We use it for nothing else. Specifically, we will not send you marketing unless you separately and explicitly opt in, and we do not sell it.

If you sign a document, our e-signature provider keeps the signing audit trail, and the sender keeps the executed document in their account. If you later create a keysig account using the same email address you signed with, you will automatically see the agreements you are a party to, read-only.

If you believe your information was added to keysig improperly, or you want it removed from a draft that has not been executed, contact us at hello@keysig.co and we will work with you. Note that we cannot unilaterally alter executed contracts, which are legal records between you and the other parties.

4. How We Use Information

We use information only to run keysig:

  • To provide the Service: drafting, pre-filling, rendering, sending, signing, storing, and organizing agreements, and operating your account.
  • To process payments and meter plan usage.
  • To send transactional email: signing invitations and reminders (via our e-signature provider), a welcome email, notices to counterparties that an agreement involving them was prepared, optional track reminders you set, label roster invitations, and password reset emails.
  • To provide support when you contact us.
  • To secure the Service, prevent abuse, and enforce our Terms of Service.
  • To comply with law.

Things we do not do: we do not sell personal information; we do not share it for cross-context behavioral advertising; we do not run third-party analytics or ad trackers; and we do not use your agreement content to train artificial intelligence models. Plain-language definitions shown in the Service come from our own glossary; your agreement content is not sent to any AI service.

5. Who We Share Information With

We share information only with the service providers that operate the platform, each acting on our instructions, plus the recipients you direct us to send things to. Our providers are:

  • Supabase (database, authentication, and file storage): holds account, profile, agreement, party, track, collaborator, billing-ledger, and consent data, and executed PDFs in private storage. Privacy policy at supabase.com/privacy.
  • Vercel (web hosting): serves the website and keeps standard request logs, including IP addresses. Privacy policy at vercel.com/legal/privacy-policy.
  • Stripe (payments): receives the details you enter at checkout, including your card. keysig never sees your card number. Privacy policy at stripe.com/privacy.
  • DocuSeal (electronic signatures): receives the content of agreements sent for signature and each signer's name and email, and maintains signing events and the signature audit trail. Privacy policy at docuseal.com/privacy.
  • Resend (transactional email): receives recipient email addresses and the content of the emails we send. Privacy policy at resend.com/legal/privacy-policy.

Beyond these providers, we share information only: with the people you direct (the signers and parties you add); within a label account as described in Section 7; if required by law, legal process, or to protect the rights, safety, or property of keysig or others; or as part of a merger, acquisition, or sale of assets, in which case this policy continues to apply to your information until you are told otherwise. We have never been subject to such a transaction as of the date above.

6. Electronic Signature Data

When an agreement is sent for signature, our e-signature provider processes it on our behalf: it renders the document, emails each signer a unique signing link, records signing events (such as when a document is viewed, signed, or declined), and produces the executed PDF and its audit trail. Signature audit data, which can include signer IP addresses and timestamps, is collected by the provider as part of making the signature verifiable. keysig receives status updates about these events and stores the executed PDF in your account's private storage.

7. Label Accounts

If your keysig account is part of a record label's roster, the label's staff (its owner and administrators) can see, on a read-only basis, the agreements you send under the label, along with your monthly usage under the label's limits. Label staff cannot edit or delete your agreements, and agreements you do not send under the label are not visible to them. If you leave the roster or the label's plan lapses, this visibility applies only to what was sent under the label while you were a member. Roster invitations are sent by email and include the invitee's email address and inviting label.

8. Cookies and Browser Storage

keysig does not set advertising or analytics cookies, and we do not use third-party tracking of any kind. We use the browser's storage for the Service to function:

  • Sign-in session. Your authentication session token is kept in your browser's local storage by our authentication library so you stay signed in.
  • Access code. During our private preview, the access code you enter is kept in local storage so you are not asked again on that device.
  • Demo drafts. If you try the demo without an account, your draft lives only in your browser's session storage until you create an account and choose to save it. Nothing is written to our servers during the demo.
  • Invitation and preference tokens. Short-lived items such as a pending label invitation token are kept in session storage until used.

Third-party pages you visit as part of a flow, such as Stripe's checkout page or DocuSeal's signing page, are operated by those providers and may set their own cookies under their own policies. Because we do not track you across sites, there is nothing on keysig for a "Do Not Track" or Global Privacy Control signal to disable, though we honor the spirit of those signals by not tracking anyone in the first place.

9. Data Retention and Deleting Your Account

We keep your information for as long as your account exists, so your agreements are there when you need them.

Deleting your account. You can delete your account at any time from the settings page. Deletion is immediate and permanent: your profile, agreements (including executed agreements and stored signed PDFs), parties, tracks, collaborators, notifications, usage ledger, subscription records, and login are all deleted. Because stored signed PDFs are deleted too, counterparties who relied on your account for access will lose it, so download and share final copies first.

What survives deletion. A few narrow records outlive an account, for good reason:

  • Marketing consent records (email, consent timestamp, IP) are kept as an audit trail of consent, and unsubscribes are honored against them.
  • Records our payment processor and e-signature provider are required to keep (such as payment records and signature audit trails) are retained by those providers under their own policies.
  • Copies of executed agreements that other parties already received by email or downloaded are theirs and are outside our systems.
  • Residual copies may persist for a limited time in encrypted backups of our database before being cycled out in the ordinary course.

Non-user information. Information about non-user parties lives inside the owning user's account data and follows it: it is deleted when the agreement or the owning account is deleted, subject to the same carve-outs above.

10. Security

We take the security of agreement data seriously and implement reasonable technical and organizational safeguards, including:

  • Encryption in transit (TLS) for all connections to the Service and between our systems and our providers, and encryption at rest for the database and file storage as provided by our infrastructure provider.
  • Row-level security in our database, so each account can access only its own records, enforced at the database layer rather than only in application code.
  • Executed documents kept in private storage, accessible only through short-lived signed links generated for authorized users.
  • Access controls that keep administrative tooling to account and subscription metadata: keysig's own admin console cannot read the contents of your agreements.
  • Passwords handled by our authentication provider using industry-standard hashing; webhooks verified with signed secrets; payment card data handled entirely by Stripe.

No service can promise perfect security, and we do not. If we learn of a breach affecting your personal information, we will notify you and the relevant authorities as required by applicable law.

11. Your Rights and Choices

Everyone, regardless of location:

  • Access and portability. Your agreements and profile are visible in your account, and you can download your documents as PDFs.
  • Correction. You can edit your profile and drafts directly in the app.
  • Deletion. You can delete individual drafts, or delete your entire account from settings, as described in Section 9.
  • Marketing. Marketing is opt-in only; we do not email marketing to anyone who has not explicitly asked for it. Any marketing email we send will include an unsubscribe link, and you can opt out at any time by emailing hello@keysig.co.
  • Anything you cannot do in the app, you can request by emailing hello@keysig.co. We will verify that the request comes from the email associated with the data before acting on it.

California residents. The California Consumer Privacy Act, as amended by the CPRA, gives you the right to know what personal information we collect, use, and disclose (this policy is that disclosure), to access it, to correct it, to delete it, and to not be discriminated against for exercising those rights. We do not sell personal information and do not share it for cross-context behavioral advertising, so there is nothing to opt out of, and we do not use or disclose sensitive personal information beyond what is necessary to provide the Service. To exercise any right, email hello@keysig.co; you may use an authorized agent if we can verify the request. We will respond within the time set by law.

Outside the United States. keysig is operated from the United States, our templates are built around United States law, and information is processed and stored in the United States. If you use the Service from elsewhere, your information will be transferred to the United States. Where local law grants you rights to access, correct, delete, restrict, or object to processing of your information, or to data portability or to complain to a supervisory authority, you can exercise them by emailing hello@keysig.co and we will honor them as the law requires.

12. Children

The Service is for adults: you must be at least 18 to create an account, and it is not directed to children under 13 (or under 16 where a higher age applies). We do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact hello@keysig.co and we will delete it.

13. Changes to This Policy

We may update this policy from time to time. If we make a material change, we will give you reasonable advance notice, such as by email to your account address or a prominent notice in the Service. The "Last updated" date at the top shows when this policy last changed. Continuing to use the Service after a change takes effect means the updated policy applies.

14. Contact Us

Privacy questions and requests: hello@keysig.co

Mail: [KEYSIG ENTITY NAME], [REGISTERED ADDRESS]

If you contact us about your data, we will confirm receipt and respond as quickly as we can, and always within any deadline the law sets.

keysig is not a law firm and does not provide legal advice. Have agreements reviewed by qualified counsel before signing.