Privacy Policy

Last updated: April 2, 2025

creddid (“we”, “us”) is operated by Tobias von Dewitz, Adlerweg 6, 90530 Wendelstein, Germany. This policy explains what personal data we collect, why we collect it, and how you can exercise your rights.

1. What data we collect

Account data

When you sign up, we store your email address and a hashed password. We never store passwords in plain text.

Split sheet data

When you create or sign a split sheet, we store the song title, recording date, collaborator names, roles, email addresses, IPI numbers, PRO affiliations, and ownership percentages you provide.

Signature audit data

When you sign a split sheet electronically, we record your typed signature, consent text, IP address, user agent string, and timestamp to comply with ESIGN Act and UETA requirements.

Server logs

Our hosting provider automatically collects IP addresses, browser type, and request timestamps in server access logs. These are used for security and debugging and are deleted automatically after 30 days.

2. Why we process your data

  • Account management — to authenticate you and associate split sheets with your account.
  • Split sheet creation & signing — to provide the core service: creating legally binding split sheets.
  • Legal compliance — to maintain signature audit trails required by electronic signature law (ESIGN/UETA).
  • Email delivery — to send signature request emails on your behalf.
  • Security & abuse prevention — to detect and prevent unauthorized access.

Legal basis under GDPR: contract performance (Art. 6(1)(b)), legal obligation (Art. 6(1)(c)), and legitimate interest in security (Art. 6(1)(f)).

3. Third-party services

Supabase — database & authentication

We use Supabase to store your account data, split sheet data, and signature audit records. Supabase also handles authentication (login sessions, password hashing, session tokens). Data is stored in a PostgreSQL database hosted in the EU.

Privacy policy: supabase.com/privacy

Vercel — hosting

The application is hosted on Vercel. Vercel processes server access logs (IP address, request URL, timestamps) for delivery and security purposes.

Privacy policy: vercel.com/legal/privacy-policy

Resend — email delivery

When configured, we use Resend to deliver signature request emails. Resend processes recipient email addresses and email content for delivery.

Privacy policy: resend.com/legal/privacy-policy

Google Fonts

We use Google Fonts (Geist, Geist Mono) loaded at build time via Next.js font optimization. Fonts are self-hosted after build — no requests are made to Google servers at runtime by your browser.

4. Cookies

We use only essential cookies required for authentication (session tokens set by Supabase Auth). We do not use tracking cookies, analytics cookies, or advertising cookies.

5. Data retention

  • Account data — retained until you delete your account.
  • Split sheet & signature data — retained indefinitely as legal records. Signature audit trails are required for ESIGN/UETA compliance.
  • Server logs — automatically deleted after 30 days.

6. Your rights (GDPR)

If you are in the EU/EEA, you have the right to:

  • Access — request a copy of your personal data.
  • Rectification — correct inaccurate data.
  • Erasure — request deletion of your data (subject to legal retention obligations for signed documents).
  • Restriction — restrict processing in certain circumstances.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interest.

To exercise any of these rights, email us at hello@creddid.com.

You also have the right to lodge a complaint with a supervisory authority. The competent authority in Germany is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA).

7. Changes to this policy

We may update this policy from time to time. The “last updated” date at the top of this page will reflect any changes. Continued use of creddid after changes constitutes acceptance.