Privacy Notice
Last updated: July 14, 2026
ASR Tech Oy (hereinafter "SFX Stacks", “we”, or “us”) respects your privacy.
This notice applies to the sfxstacks.com website (the “Website”) and the SFX Stacks desktop application (the “App”). Together they form the “Service.”
1 Contact Details
- Controller: ASR Tech Oy – Business ID 2946518-6
- Address: Minna Canthin katu 66 lh 1, 70100 Kuopio, Finland
- Contact for privacy matters: via the support form on the Website (Support)
- Supervisory Authority: Office of the Data Protection Ombudsman (tietosuoja.fi)
2 What Data We Process and Why
2.1 Website Visitors (SFX Stacks as Controller)
| Data Group | Examples | Purpose | Legal Basis | Retention |
|---|---|---|---|---|
| Technical Logs | IP address, user-agent, requested URL, timestamp | Security, error diagnostics, abuse prevention | Legitimate interest (f) | 30 days |
| Analytics | Pageviews and aggregated interaction events (via Fathom, no cookies) | Understand overall usage and improve the Website | Legitimate interest (f) | 24 months (aggregate) |
| Support / Contact Form | Email address, message content, technical metadata (IP, timestamp) | Respond to questions and provide support | Legitimate interest (f) / Contract (b) when related to a purchase | Typically up to 24 months after last contact, unless longer is needed for legal reasons |
2.2 Purchases via Paddle
Purchases are handled by Paddle as our payment processor and merchant of record.
| Data Group | Examples | Purpose | Legal Basis | Retention |
|---|---|---|---|---|
| Billing Data | Name, email, VAT ID, country, transaction details | Payment processing, invoices, fulfilling your order | Contract (b) / Legal obligation (c) | Kept for statutory accounting periods (currently up to 10 years) |
Paddle provides us with the minimum necessary information to link payments to license keys (for example, email, country, transaction ID).
2.3 Free Access, Licenses, Trials and Activations (SFX Stacks API)
We operate the SFX Stacks API to manage Free, Pro and module access, generate license keys, manage activations and seats, and handle trials. The API runs on infrastructure described in section 3.
| Data Group | Examples | Purpose | Legal Basis | Retention |
|---|---|---|---|---|
| Free Access / Entitlement Checks | Device fingerprint, app version, access status, entitlement result, first/last seen timestamps | Provide the correct Free, Pro or module access level, keep local entitlement status current, prevent abuse | Legitimate interest (f) / Contract (b) | While needed to manage access and prevent abuse, typically up to 3 years after last activity |
| License Records | License key, transaction ID, customer email, max seats, status, timestamps | Manage purchased licenses, entitlement, handle support and refunds | Contract (b) / Legal obligation (c) / Legitimate interest (f) | For the lifetime of the license and for statutory accounting periods (up to 10 years) |
| Activations | License key, activation ID, device fingerprint, machine name, app version, first/last seen timestamps | Enforce seat limits, detect abuse, support users with activation issues | Contract (b) / Legitimate interest (f) | As long as the license is active and for up to 3 years after the last activation activity |
| Trials | Device fingerprint, trial start date, expiry date, last seen timestamp | Provide time-limited trial and prevent unlimited re-trials on the same machine | Legitimate interest (f) / Contract (b) | For the duration of the trial and up to 3 years after trial expiry |
The device fingerprint is a technical identifier derived from your system and used to recognise the same machine across installs. The underlying machine identifier is hashed locally, and the raw identifier is not sent to us. We use the resulting fingerprint only for Free, Pro, module access, licensing, trial and abuse-prevention purposes. It is not used to track you across other services or websites.
Requests to the SFX Stacks API also include standard connection and request data such as your IP address, user-agent, requested endpoint and timestamp. We process this data to deliver API requests, maintain security, diagnose failures and prevent abuse. Where this data is retained in operational logs, it is kept only as long as needed for those purposes.
2.4 Desktop App Library Processing (Local Only)
| Data Group | Examples | Purpose | Legal Basis | Retention |
|---|---|---|---|---|
| Indexed Audio Files and Derived Search Data | Sound files, filenames, folder paths, audio metadata (e.g. duration, sample rate), embeddings, local search index, local metadata context | Provide local search, browsing, similarity matching, preview, export and metadata workflows in the App | Local processing only, no transfer | Stored locally on your device until you delete them, clear app data or uninstall the App |
Except for technical details that may be included in an error report you explicitly choose to send, the App does not upload or share your sound files, filenames, folder paths, audio metadata, embeddings, local search indexes or library data with us or third parties. No library data is uploaded for search, analysis or shared AI training.
The AI models used for search and metadata-writing workflows run locally on your own machine after they have been downloaded. Analysis, indexing, search, similarity matching, preview, export and related audio-library processing are designed for local use.
The App may still connect to the SFX Stacks API for licensing, trials, seat management, optional telemetry when enabled, and reports you choose to submit. It may also connect to the SFX Stacks update service and third-party download servers for application updates, AI models and required local runtime components. These connections are separate from local library processing and do not include your audio library content.
2.5 Optional Telemetry
Optional telemetry is disabled unless you choose to enable it in the App. When enabled, the App sends a random installation identifier generated by the App and records whether the following product events have occurred:
- the App was opened
- a folder was added
- a library scan was started
- search was used
- similarity search was used
- export was used
- metadata writing was opened
| Data Group | Examples | Purpose | Legal Basis | Retention |
|---|---|---|---|---|
| Optional Telemetry | Random installation identifier not derived from your hardware, first-occurrence timestamps for the listed events, App version, operating-system family and major version | Understand feature adoption, improve the product and identify broad compatibility issues | Consent (a) | Kept while needed for product-usage analysis and deleted when no longer necessary |
Optional telemetry does not include session identifiers, hardware fingerprints, license keys, email addresses, license or trial status, sound files, filenames, folder paths, audio metadata, embeddings, raw search queries, search results or metadata being edited. Disabling telemetry prevents new telemetry from being sent and does not affect the core local library workflow.
2.6 Support, Feedback, Bug and Error Reports (Optional)
The App lets you send support requests, feedback, bug reports and startup error reports. Nothing is sent until you choose to submit a report.
| Data Group | Examples | Purpose | Legal Basis | Retention |
|---|---|---|---|---|
| Report Content | Report type, email address and message | Respond to your request, provide support and review feedback | Legitimate interest (f) / Contract (b) when related to a purchase or support request | Typically up to 24 months after last contact, unless longer is needed to investigate an issue or for legal reasons |
| Optional In-App Diagnostics | Device fingerprint / support code, App version, operating-system family and version, CPU architecture, license and trial state, entitlement status, and local backend availability | Diagnose reported issues and provide relevant support | Legitimate interest (f) | Typically up to 24 months, or longer if needed to investigate a specific issue |
| Startup Error Diagnostics | Device fingerprint / support code, App version, operating system, CPU architecture, timestamp, failed startup or update phase, health and exception details, backend diagnostics, and recent App logs | Debug startup and update failures, improve stability and security | Legitimate interest (f) | Typically up to 24 months, or longer if needed to investigate a specific issue |
In-App diagnostics submitted through the Help & Feedback form do not include App logs, audio files, filenames, file paths, folder paths, audio metadata or search queries. Startup error reports may include recent App logs, which can contain filenames or folder paths depending on what was logged when the error occurred. Reports do not include the contents of your audio files.
2.7 Application Updates, Model Downloads and Runtime Downloads
The App connects to updates.sfxstacks.com, a service operated by us, to check for and download application updates. The update service may receive standard connection and request data such as your IP address, the requested URL or file, user-agent and timestamp. We use this data to deliver updates, maintain security, diagnose failures and prevent abuse. Where this data is retained in operational logs, it is typically kept for up to 30 days.
When required files are not already installed, the App may connect directly to:
- Hugging Face to download the CLAP model used for local audio search and the optional local metadata-writing language model
- PyTorch download infrastructure to download required local runtime components
These providers may receive standard connection data such as your IP address, request details, user-agent and timestamp under their own privacy terms. These download requests do not include your audio files, library metadata, embeddings, search data or other local library content. Provider-side connection logs are controlled by the relevant provider.
3 Third Parties and Infrastructure Providers
We use the following third parties to operate the Service or provide optional downloads:
| Recipient | Purpose | Role | Location / Transfers |
|---|---|---|---|
| Paddle Payments Ltd. | Merchant of record, purchases, payment processing, tax handling and refunds | Independent controller for buyer and payment data | UK / international transfers under Paddle's privacy terms |
| Amazon Web Services (AWS) | Website hosting and delivery through Amazon S3 and CloudFront; hosting of the SFX Stacks API and Website form backend; related storage and processing; and email delivery through Amazon SES | Service provider / processor | EU origin infrastructure (currently eu-central-1) with global content delivery where applicable; AWS data processing terms apply |
| Fathom Analytics Inc. | Cookieless Website analytics | Service provider / processor | EU analytics processing |
| Cloudflare, Inc. | Turnstile spam and bot protection on Website forms | Service provider / processor | Global; Cloudflare transfer safeguards apply where required |
| Hugging Face, Inc. | Direct download of local AI model files | Independent provider receiving the download request | United States / international transfers under Hugging Face's privacy terms |
| PyTorch download infrastructure | Direct download of required local runtime components | Independent provider receiving the download request | Provider locations may vary; provider privacy terms apply |
Some providers process personal data on our behalf under data processing agreements where required by law. Other providers, including Paddle as merchant of record and providers contacted directly for model or runtime downloads, process data under their own terms and privacy notices. We do not control their independent processing or retention practices.
4 Data Subject Rights
You have the right to:
- access your personal data
- request correction or deletion
- restrict or object to processing
- withdraw consent at any time (where processing is based on consent)
- data portability (for data you have provided to us)
- file a complaint with the Data Protection Ombudsman (tietosuoja.fi)
To exercise your rights, please contact us via the support form on the Website (Support).
We respond as soon as reasonably possible and no later than 30 days.
5 Security Measures
We take appropriate technical and organisational measures to protect personal data, including:
- TLS encryption for all communications with the Website and backend APIs
- Access control and least-privilege principles for administrative access
- EU-region origin infrastructure for the Website and SFX Stacks API (currently eu-central-1), with global content delivery where services such as CloudFront require it
- Local-only processing for your sound library in the App
- Regular monitoring for abuse and suspicious activity
6 Cookies and Tracking
We try to keep tracking to a minimum.
| Type | Examples | Purpose | Duration | Basis |
|---|---|---|---|---|
| Necessary | Core session / security functionality, Cloudflare Turnstile | Ensure the Website works securely and protect forms from spam and abuse | Session or short-lived | Art. 6(1)(b) / Legitimate interest (f) |
| Analytics | Fathom (cookieless) | Aggregate pageview statistics without using tracking cookies | – | Legitimate interest (f) |
The Website does not use third-party advertising networks or behavioural tracking cookies. Optional App telemetry is separate from Website cookies and can be disabled in the App.
7 Retention and Deletion
We keep personal data only as long as necessary for the purposes described above or as required by law, for example:
- Support messages → typically up to 24 months after last contact, unless legal reasons require longer retention
- Billing and license/payment records → retained for statutory accounting periods (currently up to 10 years)
- Analytics data → up to 24 months in aggregate form
- Optional App telemetry → while needed for product-usage analysis and deleted when no longer necessary
- Website and application-update service logs → typically up to 30 days where operational logs are retained
- Free access, trial and activation records → while needed to manage access, licenses, trials and prevent abuse, typically up to 3 years after last activity
You can request deletion of your personal data where applicable, subject to our legal obligations to retain certain records (for example, accounting).
8 Changes
We may update this notice from time to time.
The latest version is always available on this page.
Significant changes will be announced via the Website or, where appropriate, directly to affected users.
Legal bases: (a) consent, (b) contract, (c) legal obligation, (f) legitimate interest