Privacy Policy
Last updated: February 2026 Version: 1.0
1. Data Controller
Identity: DawSync Technologies S.L. (incorporation in progress) Tax ID: [Pending assignment] Address: [Pending] Contact email: [email protected] Data Protection Officer (DPO): Not required (fewer than 250 employees, no large-scale processing)
2. Scope
This Privacy Policy applies to:
- DawSync desktop application (Windows, macOS, Linux)
- DawSync mobile applications (iOS, Android)
- SessionRecorder VST3 plugin
- SnapshotProducer Max for Live device
- dawsync.app website
3. Data We Collect
3.1 Account Data (Legal Basis: Art. 6.1.b GDPR - Contract Performance)
| Data | Purpose | Retention |
|---|---|---|
| Email address | Authentication, service communications | While account is active |
| Username | Platform identification | While account is active |
| Unique identifier (UID) | Cross-device data linking | While account is active |
Processor: Firebase Authentication (Google LLC)
3.2 Music Project Data (Legal Basis: Art. 6.1.a GDPR - Consent)
| Data | Description | Purpose |
|---|---|---|
| Project name | E.g., "My Track - v2" | Organization and search |
| Local path | Location on your disk | Local synchronization |
| XXHash64 fingerprint | Alphanumeric audio hash | Unique identification without storing audio |
| Technical metadata | BPM, duration, clip count | Productivity analysis |
| Tags and labels | User-assigned categories | Organization |
IMPORTANT about XXHash64: Digital fingerprints are 16-character alphanumeric codes generated using the XXHash64 algorithm. It is mathematically impossible to reconstruct the original audio from this fingerprint. It works like a "fingerprint" that identifies the file without revealing its content.
3.3 Audio Snapshots (Premium Only - Legal Basis: Art. 6.1.a GDPR - Consent)
| Data | Description | Storage |
|---|---|---|
| Audio fragments | WAV/MP3 previews | Cloudflare R2 (EU Region) |
| Session metadata | Timestamp, duration, playhead position | Supabase (EU Region) |
User control:
- Audio sync is always opt-in
- You can delete snapshots individually
- Deleting your account removes all snapshots
3.4 Time Intelligence Data (Legal Basis: Art. 6.1.a GDPR - Consent)
This data is used to generate your personal productivity statistics:
| Data | Description | Calculation |
|---|---|---|
| Session hours | Time spent on projects | Local + synced |
| Momentum Score | Creative activity indicator | Calculated locally |
| Session Intent | Classification: Mixing/Arranging/Sound Design | Local heuristic |
| Creative DNA | Productivity patterns | Anonymized aggregate |
| Most productive hours | E.g., "Tuesdays 8PM-11PM" | Calculated locally |
Privacy by design:
- All Time Intelligence calculations are performed locally on your device
- Only aggregated results are synced, never raw behavioral data
- You can disable this feature at any time
3.5 Payment Data (Legal Basis: Art. 6.1.c GDPR - Legal Obligation)
| Data | Processor | Retention |
|---|---|---|
| Payment method | Stripe, Inc. | Per tax obligations |
| Transaction history | Stripe, Inc. | 5 years (legal requirement) |
| Billing address | Stripe, Inc. | 5 years (legal requirement) |
DawSync does NOT store credit card numbers, CVV, or complete banking data on its own servers.
4. Processing Purposes
| Purpose | Legal Basis | Data Used |
|---|---|---|
| Provide the service | Contract performance (Art. 6.1.b) | Account, projects |
| Cloud synchronization | Consent (Art. 6.1.a) | Snapshots, metadata |
| Productivity statistics | Consent (Art. 6.1.a) | Time Intelligence data |
| Billing | Legal obligation (Art. 6.1.c) | Payment data |
| Service communications | Legitimate interest (Art. 6.1.f) | |
| Product improvement | Legitimate interest (Art. 6.1.f) | Anonymized aggregate data |
5. Data Recipients (Sub-processors)
DawSync shares data with the following providers, all with valid Standard Contractual Clauses (SCCs):
| Provider | Service | Data Location | Legal Mechanism |
|---|---|---|---|
| Firebase (Google LLC) | Authentication | EU/USA | Automatic SCCs |
| Cloudflare, Inc. | Audio storage (R2) | Frankfurt, EU | EU server |
| Supabase, Inc. | Database | Frankfurt, EU | EU server |
| Stripe, Inc. | Payments | USA | Automatic SCCs |
We do not sell or share data with advertisers, data brokers, or third parties for commercial purposes.
6. International Transfers
When data is transferred outside the European Economic Area (EEA), we ensure equivalent protection through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Provider certification under recognized privacy frameworks
- Priority EU storage (Cloudflare R2 Frankfurt, Supabase Frankfurt)
7. Retention Periods
| Data Type | Retention Period |
|---|---|
| Account data | Until account deletion + 30 days |
| Projects and metadata | Until account deletion |
| Audio snapshots | Until manual or account deletion |
| Time Intelligence data | 2 years from last activity |
| Billing data | 5 years (Spanish legal requirement) |
| Security logs | 12 months |
8. Your Rights (GDPR)
Under GDPR and LOPDGDD, you have the right to:
| Right | Description | How to Exercise |
|---|---|---|
| Access | Obtain a copy of your data | Settings > Account > Export Data |
| Rectification | Correct inaccurate data | Settings > Profile |
| Erasure | Delete your account and data | Settings > Account > Delete Account |
| Restriction | Restrict processing | Email [email protected] |
| Objection | Object to processing | Email [email protected] |
| Portability | Receive data in structured format | Settings > Account > Export Data |
Response time: 30 business days (extendable to 60 in complex cases)
Complaint to supervisory authority: Spanish Data Protection Agency (AEPD) C/ Jorge Juan, 6 - 28001 Madrid www.aepd.es
9. Children's Privacy
DawSync is not directed at children under 14 per LOPDGDD (Organic Law 3/2018).
- We do not intentionally collect data from children under 14
- If we detect a minor's account, we will delete it immediately
- Users aged 14-17 may use the service with parental consent
10. Data Security
We implement appropriate technical and organizational measures:
Technical:
- Encryption in transit (TLS 1.3)
- Encryption at rest (AES-256) for snapshots
- Irreversible hashing (XXHash64) for fingerprints
- Two-factor authentication available
Organizational:
- Restricted data access (principle of least privilege)
- Data protection training
- Periodic security audits
11. Cookies and Similar Technologies
See our Cookie Policy for detailed information.
Summary:
- We use essential technical cookies (consent-exempt)
- We do not use advertising or third-party tracking cookies
- Firebase Auth uses session cookies necessary for operation
12. CCPA (California Consumer Privacy Act)
If you reside in California, you have additional rights:
- Right to know what data we collect (see Section 3)
- Right to delete your personal data
- Right to non-discrimination for exercising your rights
DawSync does NOT sell personal information. We do not share data with third parties for direct marketing purposes.
13. Artificial Intelligence and Automated Decisions
DawSync uses machine learning algorithms for:
- Session intent classification (Mixing/Arranging/Sound Design)
- Momentum Score calculation
- "Zombie" project detection (inactive projects)
These features:
- Do NOT make decisions that legally affect you
- Are classified as "low-risk AI" under the EU AI Act
- Can be disabled in Settings > Privacy
14. Changes to This Policy
We will notify you of material changes via:
- Email to your registered address
- Prominent notice in the application
- Updated "Last updated" date
Changes take effect 30 days after notification, except for legally required changes.
15. Contact
To exercise your rights or for inquiries: Email: [email protected]
For legal matters: Email: [email protected]
Postal address: DawSync Technologies S.L. [Address pending incorporation]
This Privacy Policy complies with the General Data Protection Regulation (GDPR - EU 2016/679), Organic Law 3/2018 on Personal Data Protection (LOPDGDD), and the California Consumer Privacy Act (CCPA).