Privacy Policy

Last updated: May 1, 2026 · Version 1.0

Quick Summary

We are Nocturn Audio LLC, a one-person audio software company based in Iowa, USA. We make plugins and tools that you buy, download, and run on your own computer.

Here is the short version of how we handle your data:

  • What we collect: your name, email, billing country/postal code (full address only when sales tax or VAT requires it), payment method (handled by Stripe and Lemon Squeezy — we never see your card number), the IP address and machine fingerprint your plugin sends when it activates a license, and any support emails or Discord messages you send us.
  • Why we collect it: to sell you software, deliver license keys, prevent piracy and abuse, comply with tax and accounting law, and answer your support requests.
  • Who we share it with: a short list of vetted service providers (Stripe, Lemon Squeezy, Resend, DigitalOcean, Sentry, Discord, Mercury Bank, plus tax-filing services we may add later). Each is listed in section 7 with the specific data they touch.
  • What we don’t do: we do not sell your personal information, we do not run advertising trackers on our website, we do not share your email with third-party marketers, and we do not include analytics inside the plugin without your explicit opt-in.
  • Your rights: you can read, correct, export, or delete your data by emailing privacy@nocturnaudio.com or using your account dashboard at nocturnaudio.com.

The detailed sections below explain each topic with the legal precision that GDPR, the UK Data Protection Act, the CCPA/CPRA, and other privacy laws require.

1. Who we are and how to contact us

The data controller responsible for your personal information is:

Nocturn Audio LLC
A limited liability company organised in the State of Iowa, USA.
Contact: privacy@nocturnaudio.com
General correspondence: hello@nocturnaudio.com

For privacy-specific inquiries, data subject rights requests, or compliance questions, please use privacy@nocturnaudio.com so we can route the request correctly. We do not publish a postal mailing address on this page; if you need one for a formal legal notice, request it by email and we will provide it.

We are a single-person company. Aaron Shier (the founder) personally handles all privacy requests. There is no separate Data Protection Officer because GDPR Article 37 does not require one for an organisation of our size, scope, and processing profile.

EU / UK representative

Customers in the European Economic Area and the United Kingdom may contact our designated representative under GDPR Article 27 / UK GDPR Article 27:

  • EU representative: to be appointed
  • UK representative: to be appointed

Until those representatives are publicly listed, EU and UK residents may direct privacy requests to privacy@nocturnaudio.com and we will respond within the GDPR-required timelines (see section 11).

2. Scope

This policy covers personal information that we collect:

  1. When you visit nocturnaudio.com, admin.nocturnaudio.com, or any subdomain we operate;
  2. When you create an account, purchase a product, redeem a license, or download a release;
  3. When the software you have licensed (e.g. FAT-X3, FAT-X8, Eclipse, APEX) connects to our license server to activate, deactivate, or revalidate;
  4. When you contact us by email, on our Discord server, or through any official Nocturn Audio social channel;
  5. When you sign up for our newsletter, beta program, or community.

Third-party websites linked from our pages have their own privacy policies, and we are not responsible for their practices.

3. What personal information we collect

We organise the data we collect by the moment we collect it.

3.1 When you create an account or buy a product

Category | Specific items | Source
Identifiers | Name, email address, account password (stored as a salted hash, never in plain text) | You provide directly
Billing data | Country, postal code, and (for US sales tax or international VAT) full street address | You provide directly
Payment metadata | Last 4 digits of your card, card brand, expiry month/year, payment country | Stripe or Lemon Squeezy returns this to us; raw card numbers and CVCs never reach our servers
Order data | Products purchased, prices paid, currency, refund status, license keys issued | Generated by our systems and the payment processor
Tax data | Tax-resident country, VAT/GST/ABN identifier (for B2B EU/UK/AU buyers), tax exemption documents you upload | You provide; required by law

3.2 When the plugin activates a license

When you install one of our plugins on a computer and sign in, the plugin sends our license server:

  • The license key you entered
  • A device fingerprint — a non-reversible hash derived from non-sensitive hardware identifiers, used only to count how many machines a license is active on
  • The current public IP address (derived from the network connection)
  • Plugin name and version
  • Operating system family and version

We store this only to enforce license terms (machine count limits, fraud detection, geographic license rules) and to help you when you contact support.

3.3 When you use the plugin

By default, our plugins do not send usage telemetry. If we add optional crash reporting or feature-usage telemetry in a future release, it will be opt-in, off by default, and clearly labelled in the plugin’s preferences. When enabled, the data sent is anonymous and non-identifying — typically a stack trace, plugin version, OS version, and DAW host name.

3.4 When you contact us

If you email support@nocturnaudio.com or any other Nocturn Audio address, we receive your email address, the content of your message, attachments, and metadata your mail client adds (subject, timestamps, IP of the sending mail server). We log these to a database to track support tickets and serve you faster.

If you raise a ticket through the Discord support bot, we receive your Discord username, your Discord user ID, the content of the ticket, and (where you have linked it on Discord) your Discord email address.

3.5 When you visit our website

Our web servers automatically log:

  • IP address (truncated to /24 or anonymised for analytics aggregations)
  • Approximate location derived from IP (country and region only)
  • Browser and operating system reported by the user agent
  • Pages visited, referring page, and timestamps
  • Cookies — see section 9

We do not currently run third-party advertising trackers, behavioural analytics, or session-replay tools. If we ever add a privacy-friendly analytics provider (such as Plausible or PostHog in cookieless mode), this policy will be updated and we will mention the provider in section 7.

3.6 When you join our Discord community

Discord — not Nocturn Audio — is the data controller for your Discord account. We see only what Discord exposes to a normal server admin: your username, avatar, roles, the messages you post in our channels, and (if you link a license to receive a customer role) the email tied to your purchase. See section 7 for the data-sharing relationship.

3.7 When you sign up for our mailing list

We collect your email address, the source of the signup (e.g. footer form, account checkbox), your IP at signup, and a confirmation timestamp. Marketing email is opt-in for EU, UK, Brazilian, and Canadian residents. For US residents we operate under the CAN-SPAM Act with a clear unsubscribe link in every message.

3.8 We do not collect

  • Special categories of personal data under GDPR Article 9 (health data, biometrics, race, religion, sexual orientation, political opinions, etc.)
  • Children’s data (see section 12)
  • Financial account numbers beyond what payment processors return to us
  • Audio you process through the plugins — your audio never leaves your machine

4. How we use your information (purposes)

We process your personal information for the following purposes only:

  1. Provide the product. Issue licenses, deliver downloads, run the activation service, host the customer dashboard.
  2. Process payments. Accept money for our products, refund orders, handle chargebacks.
  3. Comply with tax and accounting law. File US sales tax, EU/UK VAT, AU GST and equivalents; keep records the IRS, state revenue departments, and foreign tax authorities require.
  4. Communicate with you. Send transactional email (license delivery, password reset, security alerts, receipt copies, EULA updates), respond to support requests, notify you about service changes.
  5. Send you marketing (only if you opted in or, for US residents, until you opt out): release announcements, promotions, newsletters.
  6. Prevent fraud and abuse. Detect license-sharing, piracy, payment fraud, account takeovers; enforce our Terms of Service; cooperate with law enforcement when legally required.
  7. Improve the product. Aggregate non-identifying data to find bugs, plan features, and prioritise fixes. Personal identifiers are not used for product improvement unless you specifically opt in to telemetry.
  8. Run our business. Accounting, bookkeeping, audits, internal reporting, defending or pursuing legal claims.
  9. Meet our legal obligations. Respond to subpoenas, court orders, and lawful regulatory requests; comply with mandatory record-keeping.

5. Lawful basis for processing (GDPR / UK GDPR)

For users in the European Economic Area, the United Kingdom, and any jurisdiction that recognises GDPR-equivalent lawful bases, we process personal data on the following legal grounds:

Processing activity | Lawful basis under GDPR Art. 6
Creating your account, taking your order, delivering the license | Performance of a contract (Art. 6(1)(b))
Charging your payment method, refunds, chargeback handling | Performance of a contract (Art. 6(1)(b))
Tax filing, retention of invoice and order records | Compliance with a legal obligation (Art. 6(1)(c))
License activation logging, machine count enforcement | Legitimate interest (Art. 6(1)(f)) — protecting our intellectual property and licensing model
Fraud prevention and abuse detection | Legitimate interest (Art. 6(1)(f))
Responding to your support requests | Performance of a contract (Art. 6(1)(b)) or legitimate interest, as applicable
Sending marketing email | Consent (Art. 6(1)(a)); withdrawable at any time
Optional crash and usage telemetry inside the plugin | Consent (Art. 6(1)(a)); off by default
Defending or bringing legal claims | Legitimate interest (Art. 6(1)(f))
Cooperating with lawful government requests | Compliance with a legal obligation (Art. 6(1)(c))

We do not rely on Article 9 conditions because we do not process special categories of personal data.

You have the right to object to any processing we carry out under legitimate interest. Email privacy@nocturnaudio.com to do so.

6. How long we keep your data (retention)

We keep personal data only as long as we need it for the purposes above, or as long as the law requires. The default periods are:

Data | Retention period | Why
Account data (name, email, password hash) | Until you delete your account, plus 30 days of soft-delete grace | Allows recovery; eliminates orphan license keys
License keys, activation logs | Indefinitely while the license is valid; 7 years after license expiry or refund | Anti-piracy enforcement; tax audit defence; ability to re-issue licenses to verified owners
Order records, invoices, tax data | 7 years from the end of the tax year | US IRS, state revenue, and EU/UK VAT record-keeping rules
Payment metadata returned by Stripe/LS | Linked to order; same 7-year window | Accounting and chargeback defence
Support tickets and email | 3 years from last activity (extended to 7 years if linked to a paid order or legal matter) | Support history, dispute defence
Marketing list membership | Until you unsubscribe; an unsubscribed-flag record kept indefinitely | To honour your opt-out forever
Web server access logs | 30 days hot, 90 days archived | Security and abuse investigation
Error and crash logs (Sentry, if enabled) | 90 days | Bug investigation
Backups of any of the above | 30 days rolling | Disaster recovery

If a longer retention period is required by law (for example, a litigation hold, an active tax audit, or a fraud investigation), we extend the relevant records until the requirement ends.

7. Sub-processors and third parties we share data with

We share personal data only with the service providers listed below, and only to the extent each one needs it to perform its function. Each provider is bound by a Data Processing Agreement (DPA) or equivalent contract that requires them to handle your data securely and only on our instructions.

Sub-processor | Role | Personal data they touch | Data location | DPA / privacy link
Stripe, Inc. (San Francisco, USA) | US payment processing for direct customers | Name, email, billing address, card data, IP, transaction metadata | USA, with EU sub-region hosting available | Privacy · DPA · Sub-processors
Sold through Link, LLC (d/b/a Lemon Squeezy, Salt Lake City, USA — a Stripe subsidiary) | Merchant of Record for international sales (handles VAT/GST collection and remittance) | Full PII required for tax invoicing: name, email, full billing address, tax ID, card data | USA | Privacy · DPA
Mercury (operated by Column N.A., San Francisco, USA) | Banking — holds Nocturn Audio’s own operating funds | Bank account information of Nocturn Audio LLC; may incidentally show counterparty names from refunds or vendor payments | USA | Privacy
Resend, Inc. (San Francisco, USA) | Transactional and marketing email delivery | Email address, message content, delivery metadata | USA, EU-US Data Privacy Framework certified | Privacy · DPA · Sub-processors
DigitalOcean, LLC (New York, USA) — Spaces (CDN/object storage) | Static-asset hosting, product images, plugin installer downloads | IP addresses appear in download logs; no other PII | USA (sfo3 region) | Privacy · DPA · Sub-processors
DigitalOcean, LLC — Droplet (PostgreSQL host) | Application server and customer database | Every category of customer data we hold | USA (sfo3 region) | Same as above
Sentry (Functional Software, Inc., San Francisco, USA) | Error and crash log aggregation | Error context that may include user IDs and IP addresses | USA, with EU region available | Privacy · DPA · Sub-processors
Discord, Inc. (San Francisco, USA) | Community server and customer support tickets | Discord username, user ID, messages posted in our server, linked email if you link a purchase | USA, EU-US DPF certified | Privacy
Cloudflare, Inc. (San Francisco, USA) — if and when used for DNS or edge caching | DNS resolution; protection against denial-of-service attacks | IP addresses and request metadata at the edge | Global edge network | Privacy
Anrok / Numeral / TaxJar (prospective; will be added if engaged for sales tax filing) | Sales tax calculation, filing, and remittance | Customer billing location, transaction amounts, tax ID | USA | (URL will be added on engagement)
GitHub, Inc. | Source code hosting, release artefact distribution | Public release downloads from the GitHub Releases page only; no customer PII | USA | Privacy
Apple Inc., Microsoft Corp. | Code-signing and notarisation of macOS / Windows installers | The notarisation receipt; no customer PII | USA | (developer-program privacy terms apply to us, not to you)

We do not share your personal information with advertising networks, data brokers, or any third party for their own marketing purposes. We have never sold and will never sell your personal information.

If we add a new sub-processor, we will update this table at least 30 days before the change takes effect, and we will email customers who have account-level processing changes (per common DPA practice).

8. International data transfers

Nocturn Audio is based in the United States. The sub-processors listed above are predominantly US-based, with some operating EU regions. When we transfer personal data of EU, UK, or other non-US residents to the United States, we rely on:

  1. Standard Contractual Clauses (SCCs) — the European Commission-approved 2021 module set, incorporated by reference in each sub-processor’s DPA;
  2. UK International Data Transfer Addendum — for transfers from the UK;
  3. EU-US Data Privacy Framework, UK Extension, and Swiss-US Framework — where the receiving sub-processor self-certifies (Stripe, Resend, Discord, DigitalOcean and others maintain active DPF certifications as of this policy’s effective date);
  4. Supplementary technical measures — encryption in transit (TLS 1.2+) and at rest (AES-256) for any data crossing borders.

You may request a copy of the SCCs that apply to a specific transfer by emailing privacy@nocturnaudio.com. We cannot share the full DPA documents we have executed with sub-processors (those are confidential commercial contracts), but we can confirm in writing that a particular SCC module is in force for the transfer that affects you.

9. Cookies and similar technologies

The website nocturnaudio.com uses a small number of cookies. We use a tiered, consent-aware approach:

Strictly necessary (always on; no consent required)

  • Session cookie — keeps you signed in while you browse the dashboard
  • CSRF token cookie — protects forms against cross-site request forgery
  • Cart cookie — remembers what you added to the checkout before you sign in
  • Cookie-preference cookie — remembers your consent choice itself

Functional (set after you opt in via the cookie banner)

  • Theme/UI preference
  • Language preference

Analytics (off by default; only on with explicit opt-in)

  • If we add an analytics provider in the future, it will be a privacy-first product (Plausible, PostHog cookieless, or similar). It will not be loaded until you opt in.

Advertising

We do not use advertising cookies, retargeting pixels, or behavioural tracking.

You can clear cookies in your browser at any time, change your consent through the link in the website footer (“Cookie preferences”), and use Global Privacy Control (GPC) signals — we honour GPC as an opt-out of analytics where applicable.

10. Your privacy rights

Depending on where you live, you have one or more of the following rights with respect to your personal information:

10.1 Rights for everyone (we apply these globally as a baseline)

  • Access — get a copy of the personal data we hold about you.
  • Correction — correct inaccurate or incomplete data.
  • Deletion — ask us to erase your data, subject to legal retention obligations.
  • Portability — receive your data in a structured, machine-readable format (CSV/JSON) where the processing is automated and based on consent or contract.
  • Withdraw consent — for any processing that relies on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing that already occurred.
  • Object — object to processing based on our legitimate interest, including profiling.
  • Restrict — ask us to pause processing while we resolve a complaint or correction.
  • Lodge a complaint — with your local data protection authority (in the EU/UK), the California Privacy Protection Agency (in California), or the equivalent in your jurisdiction.

10.2 California residents (CCPA / CPRA)

Even though Nocturn Audio is below the $26,625,000 revenue threshold in CCPA / CPRA — and therefore not strictly within the scope of the law — we extend the following rights to California residents as a matter of policy:

  • Right to know the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the categories of third parties we share with;
  • Right to delete personal information, subject to listed exceptions;
  • Right to correct inaccurate personal information;
  • Right to opt-out of “sale” or “sharing” of personal information — we do not sell or share your personal information, so there is nothing to opt out of, but if this changes the link will be added to the website footer;
  • Right to limit use of “sensitive” personal information — we do not process sensitive PII as defined by CPRA;
  • Right to non-discrimination for exercising any of these rights.

We honour Global Privacy Control (GPC) signals as opt-out signals. We do not offer financial incentives in exchange for personal information.

To exercise these rights, email privacy@nocturnaudio.com with the subject line “California Privacy Request” and identify yourself with the email address tied to your account. We may need to verify your identity before fulfilling certain requests.

10.3 Other US state residents

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MTCDPA), and any other state with a comparable privacy law have substantially similar rights to California residents. The same email address (privacy@nocturnaudio.com) handles all such requests.

10.4 Canada (PIPEDA)

Canadian customers may exercise the rights granted by the Personal Information Protection and Electronic Documents Act (PIPEDA), including access, correction, and challenging compliance. The Office of the Privacy Commissioner of Canada handles complaints.

10.5 Brazil (LGPD)

Brazilian residents have the rights granted by the Lei Geral de Proteção de Dados (LGPD), exercisable at the same email address. ANPD (Autoridade Nacional de Proteção de Dados) handles complaints.

10.6 Australia (Privacy Act 1988)

Although Nocturn Audio’s annual turnover is currently below the AUD $3M Australian Privacy Principles threshold, we voluntarily extend APP-equivalent rights to Australian customers. The Office of the Australian Information Commissioner (OAIC) handles complaints.

10.7 How to make a request

Email privacy@nocturnaudio.com with:

  1. The right you want to exercise;
  2. The email address tied to your account or order;
  3. Enough information to verify your identity (we may ask for additional verification — for example, by sending a confirmation email to the address on file).

We will respond within 30 days for GDPR/UK GDPR/PIPEDA requests, 45 days for CCPA/CPRA requests, and as soon as practicable for everyone else. If we need an extension we will tell you why and how long it will take.

We do not charge a fee for these requests except where the request is manifestly unfounded or excessive (for example, repeated identical requests), in which case we may charge a reasonable administrative fee or refuse to act.

11. Data breach notification

Despite our security efforts, no system is perfectly secure. If we discover a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority (the lead EU DPA, the UK ICO, the California Privacy Protection Agency, or others as applicable) within 72 hours of becoming aware, where required by law;
  • Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms;
  • Provide information about what happened, what data was affected, what we are doing to mitigate the harm, and what you can do to protect yourself.

We maintain an internal incident response procedure that covers detection, containment, remediation, notification, and post-mortem.

12. Children’s privacy

Nocturn Audio’s products and website are not directed at children under the age of 16, and we do not knowingly collect personal information from anyone under 16. If you are a parent or guardian and believe your child has provided us with personal information, please email privacy@nocturnaudio.com and we will delete it.

We comply with the US Children’s Online Privacy Protection Act (COPPA), the GDPR digital-consent age requirements (which range from 13 to 16 depending on the EU member state), and equivalent provisions of UK GDPR and other regional laws.

13. Security

We protect your personal information with reasonable and industry-standard safeguards:

  • In transit: TLS 1.2+ for all connections to nocturnaudio.com and to the license server.
  • At rest: AES-256 encryption for the customer database; preset blobs and other sensitive customer assets are individually encrypted with per-user content-encryption keys.
  • Access control: the production database is reachable only over a private interface from the application server; SSH access is key-only with fail2ban; multi-factor authentication is required for admin accounts.
  • Passwords: stored as bcrypt salted hashes, never in plain text.
  • Monitoring: anomalous-login alerts, audit logging on admin actions, regular dependency scanning.
  • Backups: encrypted, with a 30-day rolling window, stored in a separate region.

No method of transmission or storage is 100% secure; if you discover a vulnerability, please report it responsibly to security@nocturnaudio.com.

14. Automated decision-making and profiling

We do not engage in automated decision-making with legal or similarly significant effects on you. License-fraud detection includes some automated rules (for example, “this license has been activated on more than the allowed number of machines”), but every account suspension is reviewed by a human (Aaron) before any action that affects your access. You may request human review and explanation of any automated rule that affects you.

15. Changes to this policy

We may update this Privacy Policy. When we do, we will:

  • Update the Last updated date at the top;
  • Bump the Version number;
  • Keep older versions accessible at nocturnaudio.com/privacy/archive for transparency;
  • For material changes (for example, adding a new sub-processor that processes substantial customer data, or changing the lawful basis for a processing activity), we will email all account-holders at the address on file at least 30 days before the change takes effect, and where appropriate ask for your fresh consent.

Continued use of the service after the effective date of a non-material update constitutes acceptance.

16. Contact

For all privacy questions, requests, or concerns:

If you are unhappy with our response to a privacy request you have the right to complain to your local data protection authority. EU residents can find their authority at edpb.europa.eu; UK residents can complain to the ICO; California residents can complain to the CPPA.