PRIVACY POLICY
What we collect, why we collect it, and what rights you have over it.
1. Who we are
The data controller is [LEGAL ENTITY NAME], registered in [JURISDICTION] at [REGISTERED ADDRESS]. You can reach our data-protection contact at legal@mivia.co.
[If GDPR applies: name of DPO or representative, if appointed.]
2. Data we collect
2.1 Account data
- Email address (used for sign-in, account recovery, and transactional email).
- Display name (visible in your account and, at your direction, in shared manifests).
- Hashed password (we never see or store the plaintext).
- Account creation timestamp.
2.2 Signed-track manifests
- Track identifier (a hash of the signed file).
- Public signing material used to verify the signature.
- Timestamp and OpenTimestamps Bitcoin-anchor proof.
- Track metadata you voluntarily attach (title, credits, recipient labels for per-recipient signing).
We do not store the original audio file after signing is complete, unless you opt in to Projects storage.
2.3 Usage data
- Quota counters (e.g. number of signs used on Free tier).
- Request logs (IP address, user agent, response status, timestamp) — retained briefly for abuse detection and debugging.
- DAW plugin install metadata (device name, platform, plugin version, last-used timestamp).
2.4 Billing data (Pro plan)
[PLACEHOLDER — pre-launch stub.] Payment details will be collected and processed by [PAYMENT PROCESSOR, e.g. Stripe]. Mivia does not store full card details; we retain only a customer ID, last-four, card brand, and billing country for receipts and tax purposes.
3. Why we collect it
- To provide the service — sign files, verify signatures, manage your account, enforce quotas.
- To secure the service — detect abuse, investigate incidents.
- To communicate with you — password reset, account updates, occasional product news (you can unsubscribe from the last).
- To comply with law — respond to valid legal process, comply with tax / accounting obligations.
4. Legal basis (GDPR / UK GDPR)
Where GDPR or UK GDPR applies, we rely on:
- Contract — processing necessary to provide the service you signed up for.
- Legitimate interests — securing the service, analysing usage in aggregate, preventing fraud. Balancing test on file.
- Consent — optional marketing email, optional analytics cookies. Withdrawable at any time.
- Legal obligation — tax records, responses to lawful requests.
5. Third parties who process data for us
We use a small set of sub-processors to operate the service. Each is bound by a data-processing agreement and we review them periodically.
- Cloudflare — hosting (Pages, Workers, D1 database), CDN, DDoS protection. Data location: global edge. DPA in place.
- [PAYMENT PROCESSOR — Stripe or equivalent] — billing, once real billing ships.
- [EMAIL PROVIDER — e.g. Postmark / Resend / SES] — transactional email (password reset, receipts).
- [OPTIONAL: ANALYTICS — e.g. Plausible, self-hosted] — aggregate, cookie-free usage stats. List removed if not used.
We do not sell personal data. We do not share personal data with third parties for their own marketing purposes.
6. How long we keep it
- Account data: for as long as your account is active. Deleted within [e.g. 30 days] of account closure, except where retention is required by law.
- Signed-track manifests: retained as part of the public verifiability record. These records are cryptographic / pseudonymous and remain valid after account closure — that is the point of the service.
- Bitcoin-anchored timestamps: immutable and public by nature. Cannot be deleted.
- Request logs: [e.g. 30 days], then aggregated / deleted.
- Billing records: retained for [e.g. 7 years] to comply with tax and accounting rules.
7. Your rights
Depending on where you live, you have some or all of the following rights. To exercise them, write to legal@mivia.co — we respond within one month (GDPR) or the equivalent local deadline.
- Access — a copy of the personal data we hold about you.
- Rectification — correct data that is inaccurate.
- Erasure — delete your account and associated personal data. Bitcoin-anchored manifests are excluded for technical reasons (see §6).
- Restriction — pause processing while a dispute is resolved.
- Portability — receive your data in a machine-readable format.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — withdraw any consent you previously gave (e.g. marketing email).
- Complain to a regulator — in the EU / UK, your local data-protection authority; in California, the Attorney General's office.
8. International transfers
Cloudflare and our other sub-processors may store or process data in jurisdictions outside your own, including the United States. Where required, we rely on the European Commission's Standard Contractual Clauses (or the UK IDTA equivalent) and the EU-US Data Privacy Framework where certified.
9. Security
We use TLS for all traffic, hashed passwords via [e.g. Argon2id / bcrypt], HTTP-only session cookies, and principle-of-least-privilege access for our own team. We do not store audio files beyond what is needed to produce the signed output. No system is perfectly secure; please report suspected issues to security@mivia.co.
10. Children
Mivia Sign is not directed at children under the age of digital consent in their jurisdiction. If you believe a child has created an account, contact us and we will delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be announced by email and in-app banner at least [NOTICE PERIOD, e.g. 14 days] before they take effect.
12. Contact
Privacy enquiries: legal@mivia.co. For all other topics, see our Contact page.