
Privacy Policy (Datenschutzerklärung)

Last updated: 2026-06-18

§ 01

Controller

Authoritative version. The German-language version of this Privacy Policy is the legally authoritative one. This English version is provided for convenience only; in the event of any discrepancy, the German text prevails.

The controller responsible for the processing of personal data described in this notice, within the meaning of Art. 4 (7) GDPR, is:

Postal address:
Fabian Bachfischer Software
c/o POSTFLEX PFX-504-917
Emsdettener Straße 10
48268 Greven
Deutschland (Germany)

The person responsible for content (§ 18 (2) MStV) is Fabian Bachfischer. Fabian Bachfischer Software is a sole proprietorship (small business / Kleinunternehmer under § 19 UStG); there is no VAT identification number and no entry in the commercial register.

For any data-protection matter you can reach us at privacy@soundworks-ai.com.

§ 02

Data Protection Officer

No Data Protection Officer has been appointed, and none is legally required under Art. 37 GDPR / § 38 BDSG. The contact point for data-protection matters is the owner, Fabian Bachfischer, reachable at privacy@soundworks-ai.com.

§ 03

Lawful bases for processing

We only process personal data where a lawful basis under Art. 6 (1) GDPR applies. Depending on the activity, we rely on one or more of the following:

  • Performance of a contract (Art. 6 (1)(b) GDPR) - to create and run your account, serve and meter ads, calculate Publisher remuneration, and process payouts and advertiser deposits.
  • Legitimate interests (Art. 6 (1)(f) GDPR) - to prevent fraud and invalid traffic, secure the service, and keep the platform honest. The coarse device fingerprint (see § 04) rests on this basis; our weighing of interests is summarised there.
  • Compliance with a legal obligation (Art. 6 (1)(c) GDPR) - to retain invoices and accounting records for the statutory periods under German commercial and tax law (see § 08).
  • Consent (Art. 6 (1)(a) GDPR) - only where we ask for it explicitly (e.g. optional product email). You can withdraw consent at any time with effect for the future, without affecting the lawfulness of processing carried out beforehand.

We do not run behavioural advertising, retargeting, or tracking pixels, so we do not rely on consent for those - they do not exist on stads.

§ 04

What data we collect

stads is built to need very little. The categories of personal data we process are:

4.1 · Account email address

When you register as a developer or advertiser we store the email address you sign up with. It identifies your account, lets us authenticate you, and is where we send transactional notices (payout receipts, deposit confirmations, security alerts). Lawful basis: contract (Art. 6 (1)(b) GDPR).

4.2 · Authentication / session cookie

To keep you signed in we set a strictly necessary authentication cookie and the equivalent token used by our auth provider (sb-access-token). It is essential to operate the logged-in service - without it you could not stay authenticated - so it is exempt from consent under § 25 (2) TDDDG (formerly TTDSG). It carries no advertising identifier and is not used to profile you. Lawful basis: contract (Art. 6 (1)(b) GDPR) and our legitimate interest in a secure session (Art. 6 (1)(f) GDPR).

4.3 · Coarse device fingerprint

To stop one machine from minting fraudulent impressions, the stads client derives a coarse, non-identifying device fingerprint. It is deliberately low-resolution: a stable but intentionally blunt signal (for example, a hashed combination of broad device characteristics) used only to recognise that impressions plausibly originate from one device or environment. It is not a precise hardware identifier, it is not linked to advertising IDs, and it is not designed to single you out as an individual across services. No source code, file contents, or keystrokes ever leave your machine - only the coarse signal needed to validate an impression.

Lawful basis & weighing - device fingerprint. We process the coarse fingerprint on the basis of our legitimate interest in fraud prevention and integrity of the platform (Art. 6 (1)(f) GDPR; see also Recital 47, which recognises fraud prevention as a legitimate interest). Because the signal is coarse and non-identifying, the impact on your privacy is low, while the interest - protecting honest developers and advertisers from invalid traffic - is substantial; we therefore consider this interest not overridden by your rights. Storing the local salt and reading coarse device characteristics (platform, architecture) on your machine via the stads client is, in addition, strictly necessary under § 25(2) no. 2 TDDDG to provide the publisher service you expressly requested via stads init (anti-Sybil protection and payout binding); no consent is required for it. You can object to this processing on grounds relating to your particular situation (see § 06); note that, because it underpins billing integrity, we may not be able to keep serving ads to a device for which we cannot validate impressions.

4.4 · Billing, payout & ledger data

For advertisers we process deposit and invoice data; for developers we process payout details and earnings. Payment card data and bank details are handled by our payment processor (Stripe, see § 05) - we do not store full card numbers. We do retain the resulting invoices, receipts, and double-entry ledger entries. Lawful basis: contract (Art. 6 (1)(b) GDPR) and legal obligation (Art. 6 (1)(c) GDPR).

4.5 · Server logs & impression metadata

Our servers process technical metadata needed to serve and validate impressions - timestamps, lease validation results, coarse usage signals, and security/diagnostic logs. These are processed to operate and secure the service and to compute the split. Lawful basis: contract and legitimate interest (Art. 6 (1)(b) and (f) GDPR).

§ 05

Processors & sub-processors

We use a small number of carefully chosen service providers who process personal data on our behalf as processors under Art. 28 GDPR, each bound by a data-processing agreement. We select EU regions wherever the provider offers them.

Processor | Purpose | Region
Supabase | Authentication & database (account email, sessions, app data) | EU region
Stripe | Payments, deposits & payouts (billing data, card handling) | EU / global
Vercel | Web & API hosting, edge delivery, request logs | EU region

Each provider may rely on its own onward sub-processors; the current, authoritative list of sub-processors and their locations is maintained at /dpa. Stripe acts as an independent controller for some payment-compliance purposes (e.g. its own fraud and regulatory obligations); for those, Stripe's own privacy notice applies.

§ 06

Your rights as a data subject

Under the GDPR you have the following rights regarding your personal data. To exercise any of them, email privacy@soundworks-ai.com. We respond within one month (Art. 12 (3) GDPR).

  • Access (Art. 15 GDPR) - get a copy of the personal data we hold about you. You can retrieve much of your data yourself directly via the data export in your dashboard. It contains your account, deposits, campaigns, balances, device fingerprints, your individual impressions, earnings lots with their status history, and device-grant metadata. Only the oldest tail of a very large impression history is truncated, and is available on request at privacy@soundworks-ai.com.
  • Rectification (Art. 16 GDPR) - have inaccurate data corrected and incomplete data completed.
  • Erasure (Art. 17 GDPR) - ask us to delete your data, subject to the statutory retention obligations described in § 08. The account-deletion flow anonymizes your personal data; financial records that must be kept by law (§ 147 AO) are retained for the duration of the statutory period. We also retain the coarse device fingerprint and any fraud flags after deletion as a fraud-prevention signal on the basis of our legitimate interest (Art. 6 (1)(f) GDPR); you may object to this under Art. 21 GDPR.
  • Restriction (Art. 18 GDPR) - ask us to restrict processing while a dispute is resolved.
  • Objection (Art. 21 GDPR) - object, on grounds relating to your particular situation, to processing based on our legitimate interests (Art. 6 (1)(f) GDPR), including the device fingerprint.
  • Data portability (Art. 20 GDPR) - receive the data you provided in a structured, commonly used, machine-readable format.
  • Withdraw consent (Art. 7 (3) GDPR) - where processing is based on consent, withdraw it at any time with effect for the future.

Right to lodge a complaint (Art. 77 GDPR). Without prejudice to any other remedy, you may complain to a supervisory authority, in particular in the EU member state of your residence, workplace, or the place of the alleged infringement. For the controller, whose seat is in Greven, North Rhine-Westphalia, this is the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia (LDI NRW).

§ 07

How long we keep data

We keep personal data only as long as necessary for the purpose it was collected, then delete or anonymise it - except where the law requires us to keep it longer.

Account email & profile
For the life of the account; deleted on request, subject to the statutory holds below.
Session / auth cookie
For the duration of the session; expires automatically.
Device fingerprint & impression metadata
Kept for the fraud-prevention window needed to validate and reconcile impressions, then deleted or aggregated.
Invoices, receipts & accounting records
Retained for the statutory period - generally 10 years under § 147 AO and § 257 HGB (German tax/commercial law); 6 years for certain commercial correspondence.

The split between “delete when no longer needed” and “keep for the statutory period” matters: closing your account removes your operational personal data, but we must still retain financial records (invoices, ledger entries) for the legally mandated retention period before they can be erased. During that period their processing is restricted to the storage purpose.

§ 08

International data transfers

We host and process personal data in the EU wherever possible. Some of our processors (notably Stripe, and sub-processors of Supabase and Vercel) may process limited data outside the EU/EEA, for example in the United States.

Where a transfer to a third country occurs, we ensure an adequate level of protection under Chapter V GDPR - by relying on a European Commission adequacy decision where one exists (e.g. the EU-U.S. Data Privacy Framework for certified recipients), or otherwise on the European Commission's Standard Contractual Clauses (Art. 46 (2)(c) GDPR) together with supplementary measures as appropriate. You can request a copy of the relevant safeguards from privacy@soundworks-ai.com.

§ 09

Changes & contact

We may update this notice as the service evolves or the law changes. The current version is always the one published at stads.cc/privacy; material changes will be dated at the top of this page. For any question about this notice or your data, contact the controller via the following addresses:
