Privacy Policy

1. Introduction

LilyPad ("we," "us," or "our") operates a literary agency management platform at lilypadlit.com (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. By accessing or using the Service, you agree to the terms of this Privacy Policy.

2. Information We Collect

2.1 Account Information

When you create an account or are added to the platform, we collect:

• Full name, legal name, and pen name (if applicable)
• Email address and additional email addresses
• Phone number
• Mailing address (street, city, state, zip code, country)
• Profile image
• Password (stored as a one-way hash, never in plain text)
• Professional details such as website URL, bio, and nationality

2.2 Authentication Data

To secure your account, we process:

• Login credentials (hashed passwords)
• OAuth tokens from Google and Microsoft when you choose to link those accounts (encrypted at rest using AES-256-GCM)
• One-time passwords (OTP) and multi-factor authentication (MFA) codes
• Refresh tokens associated with your sessions

2.3 Financial and Tax Information

For deal management and compliance, we may collect:

• Advance amounts, commission rates, and royalty rates
• Payment records and ledger entries
• Tax forms (W-9, W-8BEN, W-8BEN-E) — stored encrypted
• US tax residency status

2.4 Documents and Files

You may upload manuscripts, contracts, agreements, and other documents (up to 50 MB each). These are stored in your connected cloud storage (Google Drive or OneDrive) or in our secure file storage as a fallback.

2.5 E-Signature Data

When you sign documents electronically, we collect:

• Signature data (typed name, drawn signature image, or uploaded signature)
• IP address and browser/device information at the time of signing
• Timestamps of consent, viewing, and signing actions
• A cryptographic hash (SHA-256) of the signed document for integrity verification

2.6 Automatically Collected Information

When you access the Service, we automatically collect:

• IP address
• Browser type and version (user agent)
• Pages visited and actions performed (for audit logging)
• Timestamps of requests

We do not use third-party analytics or advertising trackers. Automatically collected data is used solely for security, auditing, and service operation.

3. How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain the Service
• Authenticate your identity and manage account access
• Process and track publishing deals, payments, and royalties
• Facilitate document storage, review, and e-signatures
• Send transactional emails (login links, notifications, deal updates)
• Maintain audit logs for compliance and security
• Detect, prevent, and respond to security incidents
• Comply with legal obligations

4. Third-Party Services

We share data with the following third-party service providers, solely to operate the Service:

We do not sell, rent, or trade your personal information to any third party for marketing or advertising purposes.

4.1 Google API Limited Use Disclosure

LilyPad's use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

When you connect your Google account, LilyPad may access the following Google data, solely to provide the features described below:

• Gmail (send & compose) — Used to send emails and save drafts from your Gmail account on your behalf. Email content is composed by you within LilyPad and transmitted directly to Gmail; we do not read or store the body of outgoing messages beyond what is needed to complete the send.
• Gmail (read — metadata only) — Used to search for email threads related to your literary contacts. Only message headers (From, To, Subject, Date) are retrieved; the full body of emails is never accessed or stored.
• Google Drive (app-created files only) — Used to store and retrieve manuscripts, contracts, and other documents that you or LilyPad create within your Drive. We cannot access files not created by LilyPad.
• Google Calendar (read-only) — Used to display your upcoming calendar events within LilyPad. We do not create, modify, or delete calendar events on your behalf.

Google user data obtained through these integrations is:

• Used only to provide and improve features you have explicitly enabled
• Never used to train AI or machine learning models
• Never shared with third parties for advertising, analytics, or any other purpose
• Never transferred to others except as necessary to operate the Service (e.g., storing encrypted tokens on our database servers)

You may revoke LilyPad's access to your Google account at any time from your Google Account permissions page or from the Connected Accounts section in LilyPad Settings.

5. Cookies

We use strictly functional cookies to operate the Service:

• Authentication cookies — Secure, HttpOnly refresh tokens that maintain your login session (expire after 7 days)
• OAuth state cookies — Temporary cookies used during Google and Microsoft sign-in for security (CSRF protection), deleted after authentication completes

We do not use advertising, analytics, or tracking cookies. No data is shared with ad networks.

6. Data Security

We implement the following measures to protect your data:

• Passwords are hashed using bcrypt (never stored in plain text)
• OAuth tokens and sensitive data are encrypted at rest using AES-256-GCM with support for key rotation
• Tax form data and signed documents are stored encrypted
• All connections use HTTPS with HSTS enforcement
• Security headers including Content Security Policy, X-Frame-Options, and X-Content-Type-Options
• Signed documents include SHA-256 cryptographic hashes for tamper detection
• Database connections use TLS encryption

While we take reasonable precautions, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

7. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. Financial records and audit logs may be retained longer to comply with legal and contractual obligations. When data is no longer required, it is securely deleted or anonymized.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access the personal data we hold about you
• Correct inaccurate or incomplete information
• Delete your personal data (right to erasure)
• Export your data in a portable format
• Object to or restrict certain processing of your data
• Withdraw consent for optional data processing at any time

To exercise any of these rights, contact us at the email address listed below. We will respond within 30 days. Our platform includes a built-in data erasure workflow to process deletion requests.

9. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If you believe we have inadvertently collected data from a child, please contact us and we will promptly delete it.

10. International Data Transfers

Our Service is hosted in the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate. By using the Service, you consent to such transfers.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Effective date" at the top of this page and, where appropriate, notify you by email. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:

Email: andrew@lilypadlit.com