Privacy Notice
Last updated: December 11, 2025
ASR Tech Oy (hereinafter “SFX Stacks”, “we”, or “us”) respects your privacy.
This notice applies to the sfxstacks.com website (the “Website”) and the SFX Stacks desktop application (the “App”). Together they form the “Service.”
1 Contact Details
- Controller: ASR Tech Oy – Business ID 2946518-6
- Address: Minna Canthin katu 66 lh 1, 70100 Kuopio, Finland
- Contact for privacy matters: via the support form on the Website (Support)
- Supervisory Authority: Office of the Data Protection Ombudsman (tietosuoja.fi)
2 What Data We Process and Why
2.1 Website Visitors (SFX Stacks as Controller)
| Data Group | Examples | Purpose | Legal Basis | Retention |
|---|---|---|---|---|
| Technical Logs | IP address, user-agent, requested URL, timestamp | Security, error diagnostics, abuse prevention | Legitimate interest (f) | 30 days |
| Analytics | Pageviews and aggregated visit data (via Fathom, no cookies) | Understand overall usage and improve the Website | Legitimate interest (f) | 24 months (aggregate) |
| Support / Contact Form | Email address, message content, technical metadata (IP, timestamp) | Respond to questions and provide support | Legitimate interest (f) / Contract (b) when related to a purchase | Typically up to 24 months after last contact, unless longer is needed for legal reasons |
2.2 Purchases via Paddle
Purchases are handled by Paddle as our payment processor and merchant of record.
| Data Group | Examples | Purpose | Legal Basis | Retention |
|---|---|---|---|---|
| Billing Data | Name, email, VAT ID, country, transaction details | Payment processing, invoices, fulfilling your order | Contract (b) / Legal obligation (c) | Kept for statutory accounting periods (currently up to 10 years) |
Paddle provides us with the minimum necessary information to link payments to license keys (for example, email, country, transaction ID).
2.3 Licenses, Trials and Activations (Backend, SFX Stacks as Controller)
We operate a small backend to generate license keys, manage activations and handle trials. This runs on our own infrastructure (see section 3).
| Data Group | Examples | Purpose | Legal Basis | Retention |
|---|---|---|---|---|
| License Records | License key, transaction ID, customer email, max seats, status, timestamps | Manage purchased licenses, entitlement, handle support and refunds | Contract (b) / Legal obligation (c) / Legitimate interest (f) | For the lifetime of the 1.x product line and for statutory accounting periods (up to 10 years) |
| Activations | License key, activation ID, device fingerprint, machine name, app version, first/last seen timestamps | Enforce seat limits, detect abuse, support users with activation issues | Contract (b) / Legitimate interest (f) | As long as the license is active and for up to 3 years after the last activation activity |
| Trials | Device fingerprint, trial start date, expiry date, last seen timestamp | Provide time-limited trial and prevent unlimited re-trials on the same machine | Legitimate interest (f) / Contract (b) | For the duration of the trial and up to 3 years after trial expiry |
The device fingerprint is a technical identifier derived from your system and used to recognise the same machine across installs. We use it only for licensing, trial and abuse-prevention purposes. It is not used to track you across other services or websites.
2.4 Desktop App Usage (Local Only)
| Data Group | Examples | Purpose | Legal Basis | Retention |
|---|---|---|---|---|
| Indexed Audio Files | Filenames, folder paths, audio metadata (e.g. duration, sample rate), internal search index | Provide fast search results and related features in the App | Local processing only, no transfer | Stored locally on your device until you delete them or uninstall the App |
The App never uploads or shares your sound files or library contents with us or with third parties.
All analysis and indexing happen locally on your own machine.
2.5 Error Reports (Optional)
If the App encounters a critical error, you may choose to press “Send error report”.
| Data Group | Examples | Purpose | Legal Basis | Retention |
|---|---|---|---|---|
| Diagnostic Data | App version, operating system, error message, technical logs, timestamp, high-level environment info | Debug issues, improve stability and security | Legitimate interest (f) | Typically up to 24 months, or longer if needed to investigate a specific issue |
Error reports are only sent when you explicitly choose to send them.
3 Third Parties and Sub-processors
We use the following service providers to run the Service:
| Recipient | Purpose | Location | Transfer Basis |
|---|---|---|---|
| Paddle Payments Ltd. | Payment and license billing processing | UK / EU | SCCs and Data Privacy Framework where applicable |
| Amazon Web Services (AWS) | Hosting of licensing backend and related storage (e.g. DynamoDB, Lambda) | EU (currently eu-central-1) | SCCs and AWS data processing terms |
| Fathom Analytics Inc. | Privacy-friendly analytics (cookieless mode) | EU | Intra-EU processing |
| Cloudflare, Inc. | CDN, security, and bot protection (including Turnstile on forms) | Global | SCCs and Data Privacy Framework where applicable |
| Email Service Provider | Handling incoming/outgoing support and license emails | EU / EEA and possibly US | SCCs and provider data processing terms |
Each provider processes personal data only on our documented instructions and under a data processing agreement where required by law.
4 Data Subject Rights
You have the right to:
- access your personal data
- request correction or deletion
- restrict or object to processing
- withdraw consent at any time (where processing is based on consent)
- data portability (for data you have provided to us)
- file a complaint with the Data Protection Ombudsman (tietosuoja.fi)
To exercise your rights, please contact us via the support form on the Website (Support).
We respond as soon as reasonably possible and no later than 30 days.
5 Security Measures
We take appropriate technical and organisational measures to protect personal data, including:
- TLS encryption for all communications with the Website and backend APIs
- Access control and least-privilege principles for administrative access
- EU-based hosting for the Website and licensing backend (currently EU/EEA region)
- Local-only processing for your sound library in the App
- Regular monitoring for abuse and suspicious activity
6 Cookies and Tracking
We try to keep tracking to a minimum.
| Type | Examples | Purpose | Duration | Basis |
|---|---|---|---|---|
| Necessary | Core session / security functionality, Cloudflare Turnstile | Ensure the Website works securely and protect forms from spam and abuse | Session or short-lived | Art. 6(1)(b) / Legitimate interest (f) |
| Analytics | Fathom (cookieless) | Aggregate pageview statistics without using tracking cookies | – | Legitimate interest (f) |
The Website does not use third-party advertising networks or behavioural tracking cookies.
7 Retention and Deletion
We keep personal data only as long as necessary for the purposes described above or as required by law, for example:
- Support messages → typically up to 24 months after last contact, unless legal reasons require longer retention
- Billing and license/payment records → retained for statutory accounting periods (currently up to 10 years)
- Analytics data → up to 24 months in aggregate form
- Trial and activation records → while needed to manage licenses, trials and prevent abuse, typically up to 3 years after last activity
You can request deletion of your personal data where applicable, subject to our legal obligations to retain certain records (for example, accounting).
8 Changes
We may update this notice from time to time.
The latest version is always available on this page.
Significant changes will be announced via the Website or, where appropriate, directly to affected users.
Legal bases: (a) consent, (b) contract, (c) legal obligation, (f) legitimate interest