Privacy Policy

Last updated: June 10, 2026

This policy explains what data Siglock (siglock.dev and auth.siglock.dev - "we", "us") collects, why, and how it is handled. Siglock is a software licensing platform with two kinds of people in it: Vendors (developers with a Siglock account) and the End Users of those Vendors' software.

If you are an End User - someone who bought or activated software made by one of our Vendors - your primary relationship (and your purchase, refund and support questions) is with that Vendor. We process a small amount of your data on the Vendor's behalf so their licensing works; that processing is described in section 3. The Vendor's own privacy policy covers everything else they do.

1. Data we collect from Vendors

Account data: name, email address and a password (stored hashed, never in plain text). Optional two-factor secrets and recovery codes are stored encrypted.
Billing data: payments are processed by Stripe. We never see or store full card numbers - we keep only Stripe references (customer and subscription identifiers) and your plan status.
Configuration and content: your applications, branding, products, webhook endpoints, release links and similar settings you create.
Usage and security logs: sign-ins and administrative activity (with IP address and browser user-agent) for security, audit and abuse prevention.

2. Data we process about End Users (on the Vendor's behalf)

When a Vendor's application verifies a license, or an End User uses a Vendor's customer portal, we process for that Vendor:

License data: license keys, status, entitlements, expiry and seat usage.
Portal accounts (if the Vendor uses them): username, email address and a hashed password.
Device and network data: a device identifier (HWID) supplied by the Vendor's application, IP address, country, and timestamps of license activity.

Why: this is what makes licensing work - activating keys, enforcing seat limits, detecting fraud and abuse (for example one key shared across many devices), and giving Vendors an audit trail. For this data the Vendor decides the purposes; we act as their processor/service provider and use it only to provide the Service.

3. Cookies

We use essential cookies only: a session cookie and a CSRF-protection cookie to keep you signed in to the dashboards and portals. We do not use advertising or cross-site tracking cookies. Our infrastructure provider Cloudflare may set technical cookies needed to protect the sites.

4. Email

We send transactional email only (for example license delivery, receipts, renewal and expiry notices, password resets), delivered by Postmark. Emails sent for a Vendor's customers can carry the Vendor's brand name with replies routed to the Vendor. We do not send marketing email and we do not sell or rent email addresses.

5. Who we share data with

No selling of personal data - sharing is limited to the service providers that run the platform:

Stripe - payment processing.
Postmark - transactional email delivery.
Cloudflare - DNS, CDN, security and email routing for our own mailboxes.
Our hosting provider - the servers the platform runs on.

We may also disclose data if required by law, or to protect the rights, safety and integrity of the Service. If the business is ever transferred, data may move with it under the same protections.

6. Retention

Vendor account data is kept while the account exists, then deleted within a reasonable period after closure (export your data first - closing an account stops license verification for your applications).
End User license data is kept while the Vendor's application and licenses exist; Vendors can delete keys, users and apps from their dashboard, which removes the associated records.
Security and activity logs are retained for a limited operational window and then rotated.

7. Security

License keys are cryptographically signed (per-application RSA keys); private signing keys and two-factor secrets are stored encrypted; passwords are hashed; all traffic is served over HTTPS; access to administrative systems is restricted and audited. No system is perfectly secure - if we learn of a breach affecting your data we will notify affected accounts without undue delay.

8. Your rights

Depending on where you live (for example under GDPR or similar laws), you may have rights to access, correct, export, restrict or delete your personal data.

Vendors: contact us at [email protected] - most data can also be managed or exported directly from the dashboard.
End Users: please contact the Vendor whose software you use (they control your data); we support Vendors in fulfilling such requests.

9. International transfers

The platform is operated from the United States with global infrastructure providers (such as Cloudflare). By using the Service you understand your data may be processed in the United States and other countries via the providers listed above.

10. Children

The Service is for businesses and developers and is not directed at children under 16. We do not knowingly collect data from children.

11. Changes & contact

We will post updates to this policy here and, for material changes, give Vendors notice. Questions or requests: [email protected].