Privacy Policy
Last updated: March 2026
Version: 1.0
1. Data Controller
- Identity: DawSync Technologies S.L. (incorporation in progress)
- Tax ID: [Pending assignment]
- Address: [Pending]
- Contact email: [email protected]
- Data Protection Officer (DPO): Not required (fewer than 250 employees, no large-scale processing)
2. Scope
This Privacy Policy applies to:
- DawSync desktop application (Windows, macOS, Linux)
- DawSync mobile applications (iOS, Android)
- SessionRecorder VST3 plugin
- SnapshotProducer Max for Live device
- dawsync.app website
3. Data We Collect
3.1 Account Data (Legal Basis: Art. 6.1.b GDPR - Contract Performance)
| Data | Purpose | Retention |
|---|---|---|
| Email address | Authentication, service communications | While account is active |
| Username | Platform identification | While account is active |
| Unique identifier (UID) | Cross-device data linking | While account is active |
Processor: Firebase Authentication (Google LLC)
3.2 Music Project Data (Legal Basis: Art. 6.1.a GDPR - Consent)
| Data | Description | Purpose |
|---|---|---|
| Project name | E.g., "My Track - v2" | Organization and search |
| Local path | Location on your disk | Local synchronization |
| XXHash64 fingerprint | Alphanumeric audio hash | Unique identification without storing audio |
| Technical metadata | BPM, duration, clip count | Productivity analysis |
| Tags and labels | User-assigned categories | Organization |
IMPORTANT about XXHash64: Digital fingerprints are 16-character alphanumeric codes generated using the XXHash64 algorithm. It is mathematically impossible to reconstruct the original audio from this fingerprint. It works like a "fingerprint" that identifies the file without revealing its content.
3.3 Audio Snapshots (Premium Only - Legal Basis: Art. 6.1.a GDPR - Consent)
| Data | Description | Storage |
|---|---|---|
| Audio fragments | WAV/MP3 previews | Cloudflare R2 (EU Region) |
| Session metadata | Timestamp, duration, playhead position | Cloudflare D1 / Supabase EU (planned for premium tier) |
User control:
- Audio sync is always opt-in
- You can delete snapshots individually
- Deleting your account removes all snapshots
3.4 Time Intelligence Data (Legal Basis: Art. 6.1.a GDPR - Consent)
This data is used to generate your personal productivity statistics:
| Data | Description | Calculation |
|---|---|---|
| Session hours | Time spent on projects | Local + synced |
| Momentum Score | Creative activity indicator | Calculated locally |
| Session Intent | Classification: Mixing/Arranging/Sound Design | Local heuristic |
| Creative DNA | Productivity patterns | Anonymized aggregate |
| Most productive hours | E.g., "Tuesdays 8PM-11PM" | Calculated locally |
Privacy by design:
- All Time Intelligence calculations are performed locally on your device
- Only aggregated results are synced, never raw behavioral data
- You can disable this feature at any time
3.5 Payment Data (Legal Basis: Art. 6.1.c GDPR - Legal Obligation)
| Data | Processor | Retention |
|---|---|---|
| Payment method | Stripe, Inc. | Per tax obligations |
| Transaction history | Stripe, Inc. | 5 years (legal requirement) |
| Billing address | Stripe, Inc. | 5 years (legal requirement) |
DawSync does NOT store credit card numbers, CVV, or complete banking data on its own servers.
3.6 Community Data — Blog Comments (Legal Basis: Art. 6.1.b GDPR - Contract Performance)
When you create an account to participate in the blog community, we store:
| Data | Description | Visibility | Retention |
|---|---|---|---|
| Comment content | Text of your public comments | Public | Until deletion |
| Display name | Shown next to your comments | Public | While account is active |
| Avatar / photo URL | Profile picture shown on comments | Public | While account is active |
| Email address | Used for account identification | Private | While account is active |
| Comment likes | Which comments you have liked | Private | While account is active |
| Last seen timestamp | Last time you interacted with the platform | Private | While account is active |
Important: Comments and display names are publicly visible on the blog. Do not include personal information in comment content that you do not wish to be public.
4. Processing Purposes
| Purpose | Legal Basis | Data Used |
|---|---|---|
| Provide the service | Contract performance (Art. 6.1.b) | Account, projects |
| Blog community (comments, likes) | Contract performance (Art. 6.1.b) | Community data |
| Cloud synchronization | Consent (Art. 6.1.a) | Snapshots, metadata |
| Productivity statistics | Consent (Art. 6.1.a) | Time Intelligence data |
| Billing | Legal obligation (Art. 6.1.c) | Payment data |
| Service communications | Legitimate interest (Art. 6.1.f) | |
| Product improvement | Legitimate interest (Art. 6.1.f) | Anonymized aggregate data |
5. Data Recipients (Sub-processors)
DawSync shares data with the following providers, all with valid Standard Contractual Clauses (SCCs):
| Provider | Service | Data Location | Legal Mechanism |
|---|---|---|---|
| Firebase (Google LLC) | Authentication | EU/USA | Automatic SCCs |
| Cloudflare, Inc. | Web hosting, API workers, D1 database, R2 storage | USA (GDPR DPA) | Automatic SCCs |
| Supabase, Inc. | Database (planned for premium tier — not currently active) | Frankfurt, EU | EU server |
| Stripe, Inc. | Payments | USA | Automatic SCCs |
We do not sell or share data with advertisers, data brokers, or third parties for commercial purposes.
6. International Transfers
When data is transferred outside the European Economic Area (EEA), we ensure equivalent protection through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Provider certification under recognized privacy frameworks
- Priority EU storage (Cloudflare R2 Frankfurt; Supabase Frankfurt planned for premium tier)
7. Retention Periods
| Data Type | Retention Period |
|---|---|
| Account data | Until account deletion + 30 days |
| Projects and metadata | Until account deletion |
| Audio snapshots | Until manual or account deletion |
| Blog comments | Until deletion or account deletion |
| Comment likes | Until account deletion |
| Time Intelligence data | 2 years from last activity |
| Billing data | 5 years (Spanish legal requirement) |
| Security logs | 12 months |
8. Your Rights (GDPR)
Under GDPR and LOPDGDD, you have the right to:
| Right | Description | How to Exercise |
|---|---|---|
| Access | Obtain a copy of your data | dawsync.app/account → "Download my data" or email [email protected] |
| Rectification | Correct inaccurate data | dawsync.app/account → Profile, or email [email protected] |
| Erasure | Delete your account and all data | dawsync.app/account → "Delete my account" or email [email protected] |
| Restriction | Restrict processing | Email [email protected] |
| Objection | Object to processing | Email [email protected] |
| Portability | Receive data in structured format | dawsync.app/account → "Download my data" or email [email protected] |
Response time: 30 business days (extendable to 60 in complex cases)
Complaint to supervisory authority: Spanish Data Protection Agency (AEPD), C/ Jorge Juan, 6 - 28001 Madrid, www.aepd.es
9. Children's Privacy
DawSync is not directed at children under 14 per LOPDGDD (Organic Law 3/2018).
- We do not intentionally collect data from children under 14
- If we detect a minor's account, we will delete it immediately
- Users aged 14-17 may use the service with parental consent
10. Data Security
We implement appropriate technical and organizational measures:
Technical:
- Encryption in transit (TLS 1.3)
- Encryption at rest (AES-256) for snapshots
- Irreversible hashing (XXHash64) for fingerprints
- Two-factor authentication available
Organizational:
- Restricted data access (principle of least privilege)
- Data protection training
- Periodic security audits
11. Cookies and Similar Technologies
See our Cookie Policy for detailed information.
Summary:
- We use essential technical cookies (consent-exempt)
- We do not use advertising or third-party tracking cookies
- Firebase Auth uses session cookies necessary for operation
12. CCPA (California Consumer Privacy Act)
If you reside in California, you have additional rights:
- Right to know what data we collect (see Section 3)
- Right to delete your personal data
- Right to non-discrimination for exercising your rights
DawSync does NOT sell personal information. We do not share data with third parties for direct marketing purposes.
13. Automated Analytics and Heuristics (No AI)
DawSync uses strictly deterministic, rule-based algorithms (heuristics) for:
- Session intent classification (Mixing/Arranging/Sound Design) — based on track activity patterns
- Momentum Score calculation — based on session frequency and duration
- "Zombie" project detection — based on inactivity periods
DawSync does NOT use Artificial Intelligence (AI), Machine Learning, or Neural Networks for these features. Your audio files and project data are never used to train models. All analytics run locally on your machine using standard mathematical logic. You can disable these analytics at any time in Settings > Privacy.
14. Changes to This Policy
We will notify you of material changes via:
- Email to your registered address
- Prominent notice in the application
- Updated "Last updated" date
Changes take effect 30 days after notification, except for legally required changes.
15. Contact
To exercise your rights or for inquiries: Email: [email protected]
For legal matters: Email: [email protected]
Postal address: DawSync Technologies S.L. [Address pending incorporation]
This Privacy Policy complies with the General Data Protection Regulation (GDPR - EU 2016/679), Organic Law 3/2018 on Personal Data Protection (LOPDGDD), and the California Consumer Privacy Act (CCPA).