Privacy Policy
Effective date: April 12, 2026
Your privacy matters to us. This Privacy Policy explains how Mendy Group LLC, operating as MUSILOCK, collects, uses, stores, and protects your personal information when you use our platform.
MUSILOCK is a legal-tech SaaS platform for independent musicians, producers, and artists. We process personal data as both a data controller and data processor under the European Union's General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable laws.
1. Information We Collect
Information you provide:
- Account data: name, email address, and password when you sign up, or your Google public profile if you use OAuth.
- Contract data: names, email addresses, roles, and contractual terms of the parties you include in your contracts.
- Billing data: processed by our third-party payment provider. We do not store credit card numbers or bank details on our servers.
- Communications: messages you send us through email or support channels.
Information collected automatically:
- Usage data: pages visited, features used, session frequency and duration.
- Device data: browser type, operating system, screen resolution, preferred language.
- Network data: IP address, internet service provider, approximate geographic location.
- Cookies and similar technologies: see Section 6.
2. Legal Basis for Processing (GDPR Art. 6)
We process your personal data under the following legal bases:
- Contract performance (Art. 6.1.b): to create your account, generate contracts, process signatures, and deliver the service.
- Consent (Art. 6.1.a): for marketing communications and non-essential cookies. You can withdraw consent at any time.
- Legitimate interest (Art. 6.1.f): to improve the platform, prevent fraud, and ensure security. We balance our interests against your fundamental rights.
- Legal obligation (Art. 6.1.c): to comply with tax, regulatory, or legal retention requirements.
3. How We Use Your Information
We use your information to:
- Create and manage your account.
- Generate, store, and facilitate the signing of music contracts.
- Process payments and manage subscriptions through our payment provider.
- Send transactional notifications (signing confirmations, status changes, account alerts).
- Improve and optimize the platform through aggregated usage analytics.
- Detect and prevent fraud, abuse, and unauthorized activity.
- Comply with legal and regulatory obligations.
- Send marketing communications (only with your prior consent; you can unsubscribe at any time).
4. How We Share Your Information
We do not sell or share your personal information as defined under the CCPA/CPRA. We share information only in these cases:
- Electronic signature providers: we transmit document and signer data to our electronic signature provider to execute contract signing.
- Payment processor: billing data is processed by our third-party payment provider to manage subscriptions and charges.
- Cloud infrastructure: we use infrastructure providers to host the platform, store data, and run server functions.
- Analytics tools: we use analytics and advertising services to understand platform usage and measure campaign effectiveness (see Section 6).
- Legal obligation: we disclose data when required by law, in response to a valid legal process, or to protect our legal rights.
- Business transfer: in the event of a merger, acquisition, or asset sale, your data may be transferred to the acquirer.
A list of our current service providers is available upon request by contacting [email protected].
5. International Data Transfers
MUSILOCK operates from the United States. If you are located in the European Economic Area (EEA), the United Kingdom, or any jurisdiction with data transfer restrictions, your information is transferred to the United States.
We protect these transfers through:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Transfer impact assessments when required.
- Appropriate technical and organizational measures to safeguard your data.
6. Cookies and Tracking Technologies
We use cookies and similar technologies in the following categories:
- Essential: required for the platform to function (authentication, security, language preferences). These do not require consent.
- Analytics: we measure explicit product events (sign-up, contract creation, upgrade actions) via PostHog to improve our Services. We do NOT record your browsing sessions, capture your clicks automatically, or collect form-field contents. Any expanded telemetry (session replay, automatic page or click capture) will only be enabled after you grant consent through the cookie banner.
- Advertising: allow us to measure marketing campaign effectiveness and deliver relevant content.
You can manage your cookie preferences through the cookie consent banner displayed on your first visit. You can also configure your browser to reject cookies, though some platform features may not work correctly.
7. Data Retention
We retain your personal data for as long as your account is active and as necessary to provide the service. Specifically:
- Account and contract data: for the duration of your account and 1 year after account deletion or erasure request.
- Billing data: as required by applicable tax law (typically 3 to 7 years).
- Usage and analytics data: maximum 26 months from collection.
- Support communications: 2 years from last contact.
After retention periods expire, data is securely deleted or irreversibly anonymized.
8. Your Rights
If you reside in the EEA (GDPR):
- Access: request a copy of your personal data.
- Rectification: correct inaccurate or incomplete data.
- Erasure: request deletion of your data ("right to be forgotten").
- Restriction: restrict processing of your data in certain circumstances.
- Portability: receive your data in a structured, commonly used, machine-readable format.
- Objection: object to processing based on legitimate interest or for direct marketing purposes.
- Withdraw consent: withdraw your consent at any time, without affecting the lawfulness of prior processing.
- Lodge a complaint: file a complaint with the data protection authority in your country.
If you reside in California (CCPA/CPRA):
- Right to know: what personal data we collect, use, and share.
- Right to delete: request deletion of your personal data.
- Right to non-discrimination: you will not receive different treatment for exercising your privacy rights.
- Right to opt out: of the sale of personal data (we do not sell or share your data as defined under the CCPA/CPRA, but we respect this right regardless).
- Right to correct: request correction of inaccurate personal information we hold about you.
To exercise any of these rights, contact [email protected]. We will respond within 30 days (extendable to 45 days for complex cases, with prior notice).
9. Security
We implement technical and organizational measures to protect your data, including:
- Encryption in transit (TLS/HTTPS) and at rest.
- Secure authentication with OAuth support.
- Role-based access policies (Row-Level Security).
- Access monitoring and audit logging.
- Separation of development and production environments.
No system is infallible. If we detect a security breach affecting your personal data, we will notify you in accordance with applicable law — within 72 hours of becoming aware of the breach for EEA users (GDPR Art. 33).
10. Children
MUSILOCK is not intended for anyone under 18 years of age. We do not knowingly collect data from minors. If we discover that we have collected data from a minor, we will delete it promptly. If you believe a minor has provided data to MUSILOCK, contact us at [email protected].
11. Third-Party Links
MUSILOCK may contain links to third-party websites. We are not responsible for the privacy practices of those sites. We recommend reviewing their privacy policies before providing them with personal information.
12. Changes to This Policy
We may update this Privacy Policy periodically. We will post the revised version on the platform with the updated date. For material changes, we will notify you by email or through a prominent notice on the platform.
13. European Economic Area Users
If you are located in the EEA and have data protection inquiries, you may contact us directly at [email protected]. Should we appoint an EU representative under GDPR Article 27, we will publish their contact details in this section.
14. Contact and Data Protection
For any privacy inquiries, rights requests, or complaints:
Mendy Group LLC (operating as MUSILOCK)
Privacy contact: [email protected]
You may request copies of our Standard Contractual Clauses (SCCs) or supplementary measures by writing to [email protected].
If you are not satisfied with our response, you have the right to lodge a complaint with the competent data protection authority in your country of residence.