Privacy Notice

Last updated: July 14, 2026

ASR Tech Oy (hereinafter "SFX Stacks", “we”, or “us”) respects your privacy.
This notice applies to the sfxstacks.com website (the “Website”) and the SFX Stacks desktop application (the “App”). Together they form the “Service.”

1 Contact Details

  • Controller: ASR Tech Oy – Business ID 2946518-6
  • Address: Minna Canthin katu 66 lh 1, 70100 Kuopio, Finland
  • Contact for privacy matters: via the support form on the Website (Support)
  • Supervisory Authority: Office of the Data Protection Ombudsman (tietosuoja.fi)

2 What Data We Process and Why

2.1 Website Visitors (SFX Stacks as Controller)

Data GroupExamplesPurposeLegal BasisRetention
Technical LogsIP address, user-agent, requested URL, timestampSecurity, error diagnostics, abuse preventionLegitimate interest (f)30 days
AnalyticsPageviews and aggregated interaction events (via Fathom, no cookies)Understand overall usage and improve the WebsiteLegitimate interest (f)24 months (aggregate)
Support / Contact FormEmail address, message content, technical metadata (IP, timestamp)Respond to questions and provide supportLegitimate interest (f) / Contract (b) when related to a purchaseTypically up to 24 months after last contact, unless longer is needed for legal reasons

2.2 Purchases via Paddle

Purchases are handled by Paddle as our payment processor and merchant of record.

Data GroupExamplesPurposeLegal BasisRetention
Billing DataName, email, VAT ID, country, transaction detailsPayment processing, invoices, fulfilling your orderContract (b) / Legal obligation (c)Kept for statutory accounting periods (currently up to 10 years)

Paddle provides us with the minimum necessary information to link payments to license keys (for example, email, country, transaction ID).

2.3 Free Access, Licenses, Trials and Activations (SFX Stacks API)

We operate the SFX Stacks API to manage Free, Pro and module access, generate license keys, manage activations and seats, and handle trials. The API runs on infrastructure described in section 3.

Data GroupExamplesPurposeLegal BasisRetention
Free Access / Entitlement ChecksDevice fingerprint, app version, access status, entitlement result, first/last seen timestampsProvide the correct Free, Pro or module access level, keep local entitlement status current, prevent abuseLegitimate interest (f) / Contract (b)While needed to manage access and prevent abuse, typically up to 3 years after last activity
License RecordsLicense key, transaction ID, customer email, max seats, status, timestampsManage purchased licenses, entitlement, handle support and refundsContract (b) / Legal obligation (c) / Legitimate interest (f)For the lifetime of the license and for statutory accounting periods (up to 10 years)
ActivationsLicense key, activation ID, device fingerprint, machine name, app version, first/last seen timestampsEnforce seat limits, detect abuse, support users with activation issuesContract (b) / Legitimate interest (f)As long as the license is active and for up to 3 years after the last activation activity
TrialsDevice fingerprint, trial start date, expiry date, last seen timestampProvide time-limited trial and prevent unlimited re-trials on the same machineLegitimate interest (f) / Contract (b)For the duration of the trial and up to 3 years after trial expiry

The device fingerprint is a technical identifier derived from your system and used to recognise the same machine across installs. The underlying machine identifier is hashed locally, and the raw identifier is not sent to us. We use the resulting fingerprint only for Free, Pro, module access, licensing, trial and abuse-prevention purposes. It is not used to track you across other services or websites.

Requests to the SFX Stacks API also include standard connection and request data such as your IP address, user-agent, requested endpoint and timestamp. We process this data to deliver API requests, maintain security, diagnose failures and prevent abuse. Where this data is retained in operational logs, it is kept only as long as needed for those purposes.

2.4 Desktop App Library Processing (Local Only)

Data GroupExamplesPurposeLegal BasisRetention
Indexed Audio Files and Derived Search DataSound files, filenames, folder paths, audio metadata (e.g. duration, sample rate), embeddings, local search index, local metadata contextProvide local search, browsing, similarity matching, preview, export and metadata workflows in the AppLocal processing only, no transferStored locally on your device until you delete them, clear app data or uninstall the App

Except for technical details that may be included in an error report you explicitly choose to send, the App does not upload or share your sound files, filenames, folder paths, audio metadata, embeddings, local search indexes or library data with us or third parties. No library data is uploaded for search, analysis or shared AI training.

The AI models used for search and metadata-writing workflows run locally on your own machine after they have been downloaded. Analysis, indexing, search, similarity matching, preview, export and related audio-library processing are designed for local use.

The App may still connect to the SFX Stacks API for licensing, trials, seat management, optional telemetry when enabled, and reports you choose to submit. It may also connect to the SFX Stacks update service and third-party download servers for application updates, AI models and required local runtime components. These connections are separate from local library processing and do not include your audio library content.

2.5 Optional Telemetry

Optional telemetry is disabled unless you choose to enable it in the App. When enabled, the App sends a random installation identifier generated by the App and records whether the following product events have occurred:

  • the App was opened
  • a folder was added
  • a library scan was started
  • search was used
  • similarity search was used
  • export was used
  • metadata writing was opened
Data GroupExamplesPurposeLegal BasisRetention
Optional TelemetryRandom installation identifier not derived from your hardware, first-occurrence timestamps for the listed events, App version, operating-system family and major versionUnderstand feature adoption, improve the product and identify broad compatibility issuesConsent (a)Kept while needed for product-usage analysis and deleted when no longer necessary

Optional telemetry does not include session identifiers, hardware fingerprints, license keys, email addresses, license or trial status, sound files, filenames, folder paths, audio metadata, embeddings, raw search queries, search results or metadata being edited. Disabling telemetry prevents new telemetry from being sent and does not affect the core local library workflow.

2.6 Support, Feedback, Bug and Error Reports (Optional)

The App lets you send support requests, feedback, bug reports and startup error reports. Nothing is sent until you choose to submit a report.

Data GroupExamplesPurposeLegal BasisRetention
Report ContentReport type, email address and messageRespond to your request, provide support and review feedbackLegitimate interest (f) / Contract (b) when related to a purchase or support requestTypically up to 24 months after last contact, unless longer is needed to investigate an issue or for legal reasons
Optional In-App DiagnosticsDevice fingerprint / support code, App version, operating-system family and version, CPU architecture, license and trial state, entitlement status, and local backend availabilityDiagnose reported issues and provide relevant supportLegitimate interest (f)Typically up to 24 months, or longer if needed to investigate a specific issue
Startup Error DiagnosticsDevice fingerprint / support code, App version, operating system, CPU architecture, timestamp, failed startup or update phase, health and exception details, backend diagnostics, and recent App logsDebug startup and update failures, improve stability and securityLegitimate interest (f)Typically up to 24 months, or longer if needed to investigate a specific issue

In-App diagnostics submitted through the Help & Feedback form do not include App logs, audio files, filenames, file paths, folder paths, audio metadata or search queries. Startup error reports may include recent App logs, which can contain filenames or folder paths depending on what was logged when the error occurred. Reports do not include the contents of your audio files.

2.7 Application Updates, Model Downloads and Runtime Downloads

The App connects to updates.sfxstacks.com, a service operated by us, to check for and download application updates. The update service may receive standard connection and request data such as your IP address, the requested URL or file, user-agent and timestamp. We use this data to deliver updates, maintain security, diagnose failures and prevent abuse. Where this data is retained in operational logs, it is typically kept for up to 30 days.

When required files are not already installed, the App may connect directly to:

  • Hugging Face to download the CLAP model used for local audio search and the optional local metadata-writing language model
  • PyTorch download infrastructure to download required local runtime components

These providers may receive standard connection data such as your IP address, request details, user-agent and timestamp under their own privacy terms. These download requests do not include your audio files, library metadata, embeddings, search data or other local library content. Provider-side connection logs are controlled by the relevant provider.

3 Third Parties and Infrastructure Providers

We use the following third parties to operate the Service or provide optional downloads:

RecipientPurposeRoleLocation / Transfers
Paddle Payments Ltd.Merchant of record, purchases, payment processing, tax handling and refundsIndependent controller for buyer and payment dataUK / international transfers under Paddle's privacy terms
Amazon Web Services (AWS)Website hosting and delivery through Amazon S3 and CloudFront; hosting of the SFX Stacks API and Website form backend; related storage and processing; and email delivery through Amazon SESService provider / processorEU origin infrastructure (currently eu-central-1) with global content delivery where applicable; AWS data processing terms apply
Fathom Analytics Inc.Cookieless Website analyticsService provider / processorEU analytics processing
Cloudflare, Inc.Turnstile spam and bot protection on Website formsService provider / processorGlobal; Cloudflare transfer safeguards apply where required
Hugging Face, Inc.Direct download of local AI model filesIndependent provider receiving the download requestUnited States / international transfers under Hugging Face's privacy terms
PyTorch download infrastructureDirect download of required local runtime componentsIndependent provider receiving the download requestProvider locations may vary; provider privacy terms apply

Some providers process personal data on our behalf under data processing agreements where required by law. Other providers, including Paddle as merchant of record and providers contacted directly for model or runtime downloads, process data under their own terms and privacy notices. We do not control their independent processing or retention practices.

4 Data Subject Rights

You have the right to:

  • access your personal data
  • request correction or deletion
  • restrict or object to processing
  • withdraw consent at any time (where processing is based on consent)
  • data portability (for data you have provided to us)
  • file a complaint with the Data Protection Ombudsman (tietosuoja.fi)

To exercise your rights, please contact us via the support form on the Website (Support).
We respond as soon as reasonably possible and no later than 30 days.

5 Security Measures

We take appropriate technical and organisational measures to protect personal data, including:

  • TLS encryption for all communications with the Website and backend APIs
  • Access control and least-privilege principles for administrative access
  • EU-region origin infrastructure for the Website and SFX Stacks API (currently eu-central-1), with global content delivery where services such as CloudFront require it
  • Local-only processing for your sound library in the App
  • Regular monitoring for abuse and suspicious activity

6 Cookies and Tracking

We try to keep tracking to a minimum.

TypeExamplesPurposeDurationBasis
NecessaryCore session / security functionality, Cloudflare TurnstileEnsure the Website works securely and protect forms from spam and abuseSession or short-livedArt. 6(1)(b) / Legitimate interest (f)
AnalyticsFathom (cookieless)Aggregate pageview statistics without using tracking cookiesLegitimate interest (f)

The Website does not use third-party advertising networks or behavioural tracking cookies. Optional App telemetry is separate from Website cookies and can be disabled in the App.

7 Retention and Deletion

We keep personal data only as long as necessary for the purposes described above or as required by law, for example:

  • Support messages → typically up to 24 months after last contact, unless legal reasons require longer retention
  • Billing and license/payment records → retained for statutory accounting periods (currently up to 10 years)
  • Analytics data → up to 24 months in aggregate form
  • Optional App telemetry → while needed for product-usage analysis and deleted when no longer necessary
  • Website and application-update service logs → typically up to 30 days where operational logs are retained
  • Free access, trial and activation records → while needed to manage access, licenses, trials and prevent abuse, typically up to 3 years after last activity

You can request deletion of your personal data where applicable, subject to our legal obligations to retain certain records (for example, accounting).

8 Changes

We may update this notice from time to time.
The latest version is always available on this page.
Significant changes will be announced via the Website or, where appropriate, directly to affected users.

Legal bases: (a) consent, (b) contract, (c) legal obligation, (f) legitimate interest