This page explains what personal data we collect, why we collect it, who we share it with, and your rights under EU GDPR + Swedish law. Short version: we collect the minimum needed to sell you a plugin and let you use it, we don't sell or rent your data, and you can delete your account at any time.
1. Who's the data controller
Blezz Beats (Swedish enskild firma Firma Jonatan Malm, trading as Blezz Beats, VAT-registered as SE890419193201, correspondence address Blezz Beats, Lillsövägen 19, 616 34 Åby, Sweden) is the data controller for personal data collected via this site. Contact us at hello@blezzbeats.com.
2. What we collect, and why
We collect only what we need for each defined purpose:
Account
- Email address - to sign you in (we send a magic-link email instead of using passwords) and to attach your purchases.
- Name - only if Paddle passes it through at checkout. Used on receipts + addressing emails.
- Country - derived from your IP or your payment, used to display localized currency + apply correct VAT. Stored once per account.
- Display handle - optional; only set if you choose to participate in community features (Peer tips, Owner Q&A, guestbook). Visible to other owners; not visible to anonymous visitors.
Purchases
- Paddle transaction id, currency, amount, tax - stored to keep your purchase history and serve receipts.
- Generated license serial(s) - needed to activate the plugin and look up your seats.
- Card details: NEVER stored by us. Paddle handles them under PCI-DSS Level 1 compliance. We only see the transaction outcome (success, refund, chargeback) and the opaque transaction id.
License activations
- An anonymous machine identifier - a derived value your plugin computes locally and sends to us. Used solely to count how many machines a license is in use on. We don't use it to identify your hardware.
- Plugin version, OS family (e.g. “Windows”, “macOS”) - for update notifications and support diagnostics.
- Activation lifecycle timestamps - so support can free a stuck seat for you on request and detect abuse.
Support & community
- Contact form submissions - your message + any fields you fill in (OS, DAW, plugin version, etc.). Used to reply and to improve the product.
- Reviews, peer tips, guestbook entries - only when you explicitly submit them. Visible per the specific surface (Reviews are public; peer tips are visible to other owners; guestbook entries are public).
Operational logs
- Server access logs (IP, user-agent, requested URL, timestamp) - kept by Vercel for ~24 hours, used for debugging and abuse detection.
- Error logs with stack traces - anonymous, no personal data attached unless an exception body happens to include it.
3. Legal basis (GDPR Art. 6)
- Contract performance (Art. 6(1)(b)) - account, purchases, license activations, downloads. Without this data we can't deliver what you bought.
- Legitimate interests (Art. 6(1)(f)) - operational logs, fraud detection, customer support. Balanced against your interests; minimised; never used for marketing targeting.
- Legal obligation (Art. 6(1)(c)) - tax records (kept for 7 years per Swedish bookkeeping law).
- Consent (Art. 6(1)(a)) - only for things you explicitly opt into (newsletter subscription, community surfaces). Can be withdrawn at any time.
4. Who we share data with (processors)
We use a small set of vetted processors. Each has its own DPA (data processing agreement) in place; none of them resell your data.
- Paddle.com Market Limited (Republic of Ireland) - payment processing, tax, invoicing. They are also a controller for the transaction data they hold; see Paddle's privacy notice.
- Vercel Inc. (USA) - hosting + Edge network. EU Standard Contractual Clauses in place for the transfer.
- Neon Inc. (USA) - managed Postgres database (region: EU, eu-central-1). Data physically stored in the EU; SCCs in place.
- Cloudflare R2 (USA / global) - download file storage (installers, sample packs). Holds files, not personal data; access is via short-lived signed URLs we generate per-request.
- Resend (USA) - transactional email delivery (magic links, receipts, support replies). Holds the email address + message content for the duration of delivery.
We do NOT share data with advertising networks, data brokers, or social platforms.
5. Analytics & cookies
Currently: we use Vercel's built-in analytics, which is anonymous, cookie-free, and GDPR-safe by design (no personal data is processed, no consent required). We do NOT currently use Google Analytics, Meta Pixel, or any other tracking that would require a cookie banner.
Cookies we set:
- Session cookie (essential, no consent required) - keeps you signed in after the magic-link click.
- Locale preference (functional) - remembers your language choice across visits.
- Cart contents (functional, localStorage) - keeps your cart between visits if you're not signed in.
If we ever re-enable analytics (Google Analytics 4, Meta Pixel, or similar), this section will be updated AND a cookie banner will appear so you can decline. Until then, no such trackers run on the site.
6. Retention
- Account + purchases - for as long as you have an account, plus 7 years after deletion for tax-record obligations (Swedish bokföringslag).
- Activation logs - retained while the activation is active + 90 days after deactivation for audit.
- Support tickets - 24 months from last reply.
- Server logs - ~24 hours (Vercel default).
- Email delivery logs - 30 days (Resend default).
7. Your rights
Under GDPR you have the right to:
- access the personal data we hold about you (Art. 15);
- have it corrected if it's wrong (Art. 16);
- have it deleted (Art. 17), except where we're required to keep it (e.g. tax records);
- have processing restricted while a dispute is resolved (Art. 18);
- receive a portable export of your data (Art. 20) - for us that's your account JSON;
- object to processing based on legitimate interests (Art. 21);
- withdraw consent for anything you consented to, at any time.
Email hello@blezzbeats.com from the address on your account; we respond within 30 days. You can also complain to the Swedish Authority for Privacy Protection (IMY) at any time.
8. Security
Data in transit is encrypted with modern TLS. Data at rest is encrypted at the database level. Secrets and API keys are stored in our hosting provider's encrypted secret store; plaintext is never logged.
9. Children
This site is not directed at children under 16. We don't knowingly collect data from anyone in that group. If you believe we have, email us and we'll delete it.
10. Changes
Material changes will be announced via email to active customers and on this page. The effective date at the top is the only authoritative version marker.