These Terms of Service ("Terms") govern your use of Session™ Vault (also referred to as "session.am", the "Service", or the "Platform"), a music catalog and file management service operated by Capiscana, Inc. By creating an account, signing in, uploading content, or otherwise using the Service, you agree to these Terms. If you don't agree, don't use the Service.
The Service is operated by Capiscana, Inc., an Illinois corporation, doing business as TOMMY RUSH ("Capiscana", "we", "us", "our").
SESSION™ is a trademark of Capiscana, Inc. (USPTO Serial No. 99772109, IC 042 SaaS, intent-to-use, filed 2026-04-17).
Session™ Vault is a music catalog and file management service for music creators. The Service helps you organize a catalog of audio files (songs, stems, demos, mixes), tag them with metadata (titles, artists, durations, BPM, key, custom tags), and share them with collaborators or recipients via watermarked, time-limited links.
Audio files are stored on Backblaze B2 object storage operated for us by Backblaze, Inc.
The Service runs on infrastructure provided by Hetzner, fronted by Cloudflare. See Section 7 for the full list of third-party providers and what each one does.
You retain all copyright, ownership, and rights in and to the audio files, artwork, lyrics, metadata, and other material you upload, connect, or otherwise submit to the Service ("Your Content"). We do not claim ownership of Your Content.
You grant Capiscana a limited, non-exclusive, worldwide, royalty-free license to host, store, encode, decode, transcode, transmit, watermark, and deliver Your Content for the sole purpose of operating the Service on your behalf, for example, streaming a track to a recipient with whom you've shared it, generating preview waveforms so the player works, and creating watermarked copies for leak forensics. This license ends when you delete the content or your account, except for backups that age out per our Privacy Policy.
You're solely responsible for Your Content, including ensuring you have all necessary rights to upload and share it. We may, but are not obligated to, screen, monitor, or remove content that we determine, in our sole discretion, may violate these Terms or applicable law.
You agree that you will not, and will not attempt to:
Detailed examples and the full prohibited-conduct list are at Acceptable Use Policy.
You may use the Service for legitimate music-creation and music-business purposes, managing your own catalog, sharing demos with collaborators, sending pitches to A&R or supervisors, archiving your masters, and similar activities. Anything outside that scope is not contemplated by these Terms and may be denied at our discretion.
The full Acceptable Use Policy is at /legal/acceptable-use.html and is incorporated by reference.
To deliver the Service we rely on third-party infrastructure providers. The categories of data shared with each provider, the function performed, and links to each provider's own legal terms are listed below. Each provider operates under its own privacy policy and security practices, which apply to data processed on its systems.
| Provider | Function | Data shared | Their terms |
|---|---|---|---|
| Backblaze, Inc. (Backblaze B2) | Object storage for user audio files and assets. | Audio files, file metadata (filename, size, content-type), encrypted at rest. | Privacy · Terms |
| Hetzner Online GmbH | Server hosting (Ashburn, VA, USA). | Application database, application logs, encrypted backups. | Privacy · Terms |
| Cloudflare, Inc. | CDN, DDoS protection, DNS, tunnel routing, TLS termination. | Request metadata (IP, user-agent, URL), edge-cached static assets. | Privacy · Terms |
| Stripe, Inc. | Payment processing (when paid tiers are used). | Email, billing address, payment-method tokens. We do not store full card numbers. | Privacy · Terms |
| Resend Inc. | Transactional email (sign-in alerts, password resets, verification, share invites). | Recipient email address, message content (in plaintext during transit). | Privacy · Terms |
| Klaviyo, Inc. | Marketing email (only if you opt in to receive it). | Email address, name, opt-in timestamp, engagement events. | Privacy · Terms |
Provider liability disclaimer. Each third-party provider listed above operates under its own security controls, privacy policy, and terms of service. While we vet our providers and apply industry-standard practices on our side, TLS in transit, scoped credentials, principle of least privilege, encryption at rest where the provider supports it, we are not liable for security incidents, data breaches, outages, or other failures originating from these providers' systems, except to the extent caused by our own gross negligence or willful misconduct. Where a breach occurs at a provider, the provider's notification to us governs our notification to you (see Privacy Policy §7).
We may add, remove, or substitute providers from time to time. Material changes to the provider list will be reflected on this page; substantive changes that affect what data is shared or where it lives will be communicated via email to account holders before they take effect.
Some features of the Service require a paid subscription. Pricing and feature scope for paid tiers are presented at sign-up or upgrade time. Payments are processed by Stripe (see Section 7). All fees are in U.S. dollars unless stated otherwise and are non-refundable except as required by law.
Subscriptions auto-renew at the end of each billing period unless cancelled before renewal. You may cancel anytime in account settings; cancellation takes effect at the end of the current billing period. We do not pro-rate partial periods.
If a payment fails, we will retry per Stripe's standard dunning schedule. If we cannot collect, the account may be downgraded to free-tier limits or suspended after a grace period.
We may change pricing on a going-forward basis with at least 30 days' notice via email. Continued use after the change takes effect constitutes acceptance.
Our handling of personal data is described in the Privacy Policy, which is incorporated into these Terms by reference.
Capiscana respects the intellectual property rights of others and complies with the U.S. Digital Millennium Copyright Act (DMCA). Capiscana has registered a designated DMCA agent with the U.S. Copyright Office.
To file a takedown notice or counter-notice, see the DMCA Policy & takedown procedure.
It is our policy to terminate, in appropriate circumstances, the accounts of users who are repeat infringers.
You may stop using the Service and delete your account at any time via account settings or by emailing [email protected]. Account deletion triggers a 30-day grace period during which the account can be restored, after which the data is purged from active systems (see Privacy Policy §8 for backup retention).
We may suspend or terminate your access at any time, with or without notice, for any of the following:
Sections 4 (license to retained content for backup-aging period), 5, 7, 11, 12, 13, 14, 15, 16, and 17 survive termination.
THE SERVICE IS PROVIDED ON AN "AS IS" AND "AS AVAILABLE" BASIS, WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND ANY WARRANTIES ARISING FROM COURSE OF DEALING OR USAGE OF TRADE. CAPISCANA DOES NOT WARRANT THAT THE SERVICE WILL BE UNINTERRUPTED, ERROR-FREE, FREE OF SECURITY VULNERABILITIES, OR THAT THE WATERMARK WILL BE DETECTABLE IN EVERY LEAK SCENARIO. USE OF THE SERVICE IS AT YOUR OWN RISK.
CAPISCANA MAKES NO WARRANTY REGARDING THE PERFORMANCE, AVAILABILITY, OR SECURITY OF ANY THIRD-PARTY PROVIDER LISTED IN SECTION 7. EACH PROVIDER'S OWN TERMS GOVERN ITS SERVICE.
Session™ Vault is a service, not a backup or archival system. You are solely responsible for maintaining your own independent backup copies of any audio files, project data, share manifests, or other content you upload to or store via the Service.
We make commercially reasonable efforts to preserve user data: continuous SQLite WAL replication to off-site object storage (Backblaze B2), tiered point-in-time snapshots (hourly, daily, weekly), and automated weekly restore drills to verify backup integrity. None of these efforts guarantee data preservation against every failure mode.
To the maximum extent permitted by law, Capiscana shall not be liable for any of the following, regardless of cause:
By using the Service, you acknowledge that you assume the risk of any data you entrust to it, and you affirm that you maintain (or will maintain) at least one independent backup of important data outside Session™ Vault. Capiscana strongly recommends downloading your data periodically via the "Export my data" button in Settings → Danger zone (which calls /api/account/export and produces a JSON archive) and storing copies in a system you control independently of any third-party SaaS, including ours.
Account deletion (Section 11) triggers permanent purge from active storage within 30 days; pre-existing backups age out per the retention schedule (up to 12 weeks for weekly snapshots). Once purged from all retention tiers, deleted data cannot be recovered.
If you forget your password, lose your recovery key, and have not opted in to optional key escrow, your encrypted content is permanently inaccessible. We cannot decrypt it. We do not have a backdoor.
Session™ Vault offers end-to-end encryption (E2EE) so that audio bytes and selected metadata are encrypted client-side using keys derived from your password. The tradeoff is that only you hold the key.
Threat-model carve-out (be honest about web E2EE). Because the Service is delivered as JavaScript that runs in your browser, AND because that JavaScript is served by Capiscana's own servers, a server-side compromise that swaps the delivered code or escrow public key (whether by attacker, insider, or coerced operator) could in principle weaken or bypass the encryption for traffic that follows the swap. We mitigate this with restricted deploy access, signed deploys, and (planned) public deploy hashes for transparency, but we do not claim an absolute server-can-never-touch-your-content guarantee. The accurate claim is more limited: data that has already been encrypted and stored at rest cannot be decrypted by us without the user's password / recovery key (unless the user opted in to escrow per Section 12B(opt-in)), and a passive server breach of the storage tier alone does not yield plaintext.
You acknowledge and agree that:
Where local law prohibits a complete waiver of certain claims (for example, claims arising from gross negligence or willful misconduct on our part), this Section 12B is read down to the maximum scope permitted by that law and the rest survives.
Capiscana reserves the right to modify or discontinue the E2EE feature, including escrow, with notice as described in Section 16. If E2EE is discontinued for an existing user, that user will be given a reasonable period (no less than 30 days) to export their data and migrate.
The Service includes one or more AI-powered features (collectively, "AI Features"), which include without limitation: stem separation, automatic BPM and key detection, automatic genre / mood / tag suggestions ("autotag"), lyric transcription, AI Cleans (automatic radio-edit generation via word-level surgical edits), AI Atmos (spatial upmix from stereo to multichannel Atmos), AI cover-art generation, voice substitution / voice clone, AI suggestions, A&R Hot Leads, and analytics insights.
You acknowledge and agree that:
Session™ Vault accepts a wide range of content types, including stereo masters, multichannel masters (5.1, 7.1.4, 9.1.6, etc.), Dolby Digital Plus encoded files, ADM Broadcast Wave files, stems, instrumentals, acapellas, demos, and AI-derived versions thereof. You represent and warrant that, for every file you upload:
Watermark and leak-detection note. Capiscana applies inaudible identifying watermarks to share links generated through the Service, as described in our marketing materials. The watermark is best-effort; we do not warrant detectability under every transcoding, lossy-encoding, or adversarial-removal scenario, and the absence of a detected watermark does not mean a leak did not originate from a particular share. See Section 12 (Disclaimers).
To the maximum extent permitted by applicable law:
Capiscana's total aggregate liability for any claim arising out of or related to the Service or these Terms (whether in contract, tort, statute, or otherwise) is limited to the greater of (a) one hundred U.S. dollars (USD $100), or (b) the fees you paid us for the Service in the 12 months immediately preceding the event giving rise to the claim.
In no event will Capiscana, its officers, directors, employees, contractors, or agents be liable for any indirect, incidental, special, consequential, exemplary, or punitive damages, including without limitation lost profits, lost revenue, lost goodwill, business interruption, lost or corrupted data, cost of substitute services, or loss of opportunity, whether or not we have been advised of the possibility of such damages.
We are not liable for any failure or delay in performance caused by events beyond our reasonable control, including but not limited to: outages, security incidents, or service degradations at any provider listed in Section 7; internet routing failures, BGP hijacks, or backbone outages; denial-of-service attacks at the network edge; acts of God, war, terrorism, civil disturbance, labor disputes; legal or governmental action; pandemic; and similar force-majeure events. Where such an event prevents us from delivering the Service, our sole obligation is to use commercially reasonable efforts to restore service as soon as practicable.
The limitations in this Section 13 reflect a deliberate allocation of risk between you and Capiscana, are an essential part of the bargain, and apply even if a remedy is found to fail of its essential purpose. Some jurisdictions don't allow certain limitations; in those jurisdictions, the limits apply to the fullest extent permitted by law.
You will defend, indemnify, and hold harmless Capiscana, its officers, directors, employees, contractors, and agents from any claim, loss, liability, damage, cost, or expense (including reasonable attorneys' fees) arising out of or relating to: (a) Your Content; (b) your use of the Service in violation of these Terms or applicable law; (c) your violation of any third-party right (including intellectual property, privacy, or publicity rights); (d) any claim by a recipient of a share you sent; (e) your reliance on any AI output from any AI Feature (Section 12C); (f) your loss of access to encrypted content under Section 12B; (g) your use of voice clone, voice substitution, or AI-generated content that allegedly impersonates, defames, or infringes the rights of any third party; (h) your use of the blast email, mailing list, or recipient features in a way that violates the CAN-SPAM Act, GDPR, CASL, or any other applicable email or messaging regulation; or (i) any claim that content you uploaded (including but not limited to multichannel masters, Atmos masters, stems, instrumentals, acapellas, or sample-derived material) infringes any third-party copyright, master-use right, publishing right, performance right, or right of publicity.
Email regulation compliance. If you use the Service to send blast email, newsletters, or any other commercial messages to recipients, you are solely responsible for: maintaining suppression / unsubscribe lists, including a working unsubscribe mechanism in every commercial message, complying with the CAN-SPAM Act of 2003 (US), the General Data Protection Regulation (EU/UK), Canada's Anti-Spam Legislation (CASL), and any other applicable jurisdiction's electronic-marketing rules. The Service provides tooling but does not act as your compliance officer.
These Terms are governed by the laws of the State of Illinois, USA, without regard to conflict-of-laws principles. The United Nations Convention on Contracts for the International Sale of Goods does not apply.
Any dispute arising out of or relating to these Terms or the Service will be resolved exclusively in the state or federal courts located in Cook County, Illinois, and you consent to personal jurisdiction in those courts. You and Capiscana each waive any right to a jury trial.
You and Capiscana each agree to bring claims only on an individual basis, and not as a plaintiff or class member in any class, collective, or representative action.
We may revise these Terms from time to time. For non-material changes (typo corrections, clarifications, formatting), we'll update the "Last updated" date at the top of this page. For material changes — changes that materially affect your rights, obligations, fees, or the categories of data we collect or share — we will give at least 30 days' notice via email to the address on file before the new Terms take effect, and the effective date will be stamped at the top of this page. Your continued use of the Service after the effective date of the change constitutes acceptance.
For DMCA notices: /legal/dmca.html · For privacy requests: /legal/privacy.html