Privacy Policy

Last updated: December 11, 2025

1. Data Controller Information

2. Legal Basis for Data Processing

We process your personal data in accordance with:

• GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council
• Polish Data Protection Act - Act of May 10, 2018 on the Protection of Personal Data
• Act on Provision of Electronic Services - Act of July 18, 2002
• Telecommunications Law - Act of July 16, 2004

3. What Personal Data We Collect

3.1 Data Collected Automatically

Data Type	Purpose	Legal Basis
IP Address	Security, fraud prevention	Legitimate interest (Art. 6(1)(f) GDPR)
Browser Information	Service optimization	Legitimate interest (Art. 6(1)(f) GDPR)
Session Data	Service functionality	Legitimate interest (Art. 6(1)(f) GDPR)
Usage Statistics	Service improvement	Legitimate interest (Art. 6(1)(f) GDPR)

3.2 Data You Provide

Data Type	Purpose	Legal Basis
Email Address	Account creation, communication	Contract performance (Art. 6(1)(b) GDPR)
Name	Personalization, invoicing	Contract performance (Art. 6(1)(b) GDPR)
Payment Information	Transaction processing	Contract performance (Art. 6(1)(b) GDPR)
Billing Address	Invoice generation, tax compliance	Legal obligation (Art. 6(1)(c) GDPR)
User-Generated Content	Service provision (presets, projects)	Contract performance (Art. 6(1)(b) GDPR)

4. Purpose of Data Collection and Processing

4.1 Primary Purposes

• Account Management: Creating and maintaining your user account
• Service Delivery: Providing access to HAOS.fm synthesizers and features
• Payment Processing: Processing subscription payments and generating invoices
• Communication: Sending service updates, support responses, and transactional emails
• Security: Protecting against fraud, abuse, and security threats
• Legal Compliance: Fulfilling tax, accounting, and legal obligations

4.2 Secondary Purposes

• Service Improvement: Analyzing usage patterns to enhance user experience
• Marketing: Sending promotional emails (only with your consent)
• Research: Conducting surveys and user research (anonymized data)

5. Data Sharing and Third Parties

We share your personal data with the following third parties:

5.1 Payment Processors

5.2 Cloud Service Providers

5.3 Email Service

5.4 Analytics (Optional)

We may use analytics services to understand service usage. You can opt out through your browser settings.

6. Data Protection and Security

6.1 Security Measures

• Encryption: All data transmitted over HTTPS/TLS
• Password Protection: Passwords hashed using bcrypt
• Access Control: Role-based access to administrative systems
• Regular Backups: Automated daily backups with encryption
• Security Monitoring: 24/7 monitoring for suspicious activity
• Updates: Regular security patches and updates

6.2 Data Breach Notification

In the event of a data breach affecting your personal data, we will notify you and the relevant supervisory authority within 72 hours, as required by GDPR Article 33.

7. Data Retention

Data Type	Retention Period	Reason
Account Data	Duration of account + 30 days after deletion	Service provision, recovery period
Payment Records	5 years	Tax law requirements (Polish Accounting Act)
Invoices	5 years	Tax law requirements
Support Communications	3 years	Legal claims period
Usage Logs	90 days	Security and troubleshooting
Marketing Consent	Until consent withdrawn	Legal basis for processing

8. Your Rights Under GDPR

As a data subject, you have the following rights:

8.1 Right of Access (Art. 15 GDPR)

You have the right to obtain confirmation whether your personal data is being processed and access to that data.

8.2 Right to Rectification (Art. 16 GDPR)

You can request correction of inaccurate personal data and completion of incomplete data.

8.3 Right to Erasure / "Right to be Forgotten" (Art. 17 GDPR)

You can request deletion of your personal data when:

• Data is no longer necessary for the purposes it was collected
• You withdraw consent (where consent is the legal basis)
• You object to processing and there are no overriding legitimate grounds
• Data was unlawfully processed

8.4 Right to Restriction of Processing (Art. 18 GDPR)

You can request restriction of processing when:

• You contest the accuracy of personal data
• Processing is unlawful but you oppose erasure
• We no longer need the data but you need it for legal claims
• You object to processing pending verification of legitimate grounds

8.5 Right to Data Portability (Art. 20 GDPR)

You can receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.

8.6 Right to Object (Art. 21 GDPR)

You can object to processing based on legitimate interests or for direct marketing purposes.

8.7 Right to Withdraw Consent (Art. 7(3) GDPR)

Where processing is based on consent, you can withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

8.8 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority:

9. How to Exercise Your Rights

9.1 Access and Manage Your Data

• Account Settings: Log in to your account and navigate to Settings
• Download Your Data: Use the "Export Data" feature in your account settings
• Delete Your Account: Use the "Delete Account" option (subject to legal retention requirements)

9.2 Contact Us

To exercise any of your rights, please contact us:

Please include:

• Your full name
• Your account email address
• Specific right you wish to exercise
• Proof of identity (if necessary to verify your identity)

10. Cookies and Tracking Technologies

10.1 Types of Cookies We Use

Cookie Type	Purpose	Duration
Essential Cookies	Authentication, session management	Session / 30 days
Functional Cookies	Remember preferences, settings	1 year
Analytics Cookies	Usage statistics (anonymized)	2 years
Marketing Cookies	Advertising (only with consent)	1 year

10.2 Managing Cookies

You can control cookies through your browser settings. Note that disabling essential cookies may affect service functionality.

11. International Data Transfers

Your data is primarily stored within the European Union (Azure EU data centers). If we transfer data outside the EU, we ensure adequate protection through:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions by the European Commission
• Other appropriate safeguards under GDPR Chapter V

12. Children's Privacy

13. Automated Decision-Making and Profiling

We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you, as defined in Article 22 of GDPR.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Significant changes will be communicated via email.

15. Contact Information