monsterDSP

Privacy Policy

Last updated: June 26, 2026

This policy applies to monsterDSP websites, online store, user accounts, and audio plugin licensing services.

1. Introduction

At monsterDSP, we respect your privacy. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and what choices you have when you visit our website, create an account, purchase plugins, download installers, or activate licenses.

By using our services, you acknowledge this policy. Where we rely on consent (for example, analytics or marketing cookies), you can withdraw that consent at any time without affecting purchases or core product functionality.

2. Who We Are (Data Controller)

For the purposes of the EU General Data Protection Regulation (GDPR) and Brazil's Lei Geral de Proteção de Dados (LGPD), the data controller is:

Diogo Guedes Audio Profissional

Trade name: monsterDSP
CNPJ: 23.731.502/0001-98
São Paulo, SP, Brazil

Privacy / data protection: privacy@monsterdsp.com

General inquiries: info@monsterdsp.com

Encarregado de Dados (Data Protection Officer): For LGPD and GDPR requests, contact privacy@monsterdsp.com. As a small audio software business, we handle data protection inquiries directly through this channel.

3. Information We Collect

We collect only what we need to run the store, deliver licenses, prevent fraud, and improve our products. Like other professional audio plugin companies, some technical identifiers are required for license activation and trial management.

We describe data by category and purpose, not by internal database or system names. This is the standard approach under GDPR and LGPD and matches how peer audio software companies publish their policies.

3.1 Account & Profile Data

  • Email address, name, and account credentials (passwords are stored hashed by our authentication provider)
  • Account preferences and login timestamps

3.2 Purchase & Billing Data

When you buy plugins, we collect:

  • Name, email address, phone number, and optional company name
  • Full billing address: street line 1, street line 2 (optional), city, state/province, postal code, and country
  • Order details: products purchased, amounts, currency, coupons, and license keys issued
  • Brazilian tax identifiers: CPF (individuals) or CNPJ (companies) when you checkout with Brazil as your billing country, for tax compliance and electronic invoicing (NFS-e)
  • Payment information processed by Stripe — we do not store full payment card numbers on our servers. Stripe may also store your billing address, phone, company name, and Brazilian tax ID on our behalf as part of payment processing.

3.3 Plugin Licensing & Activation Data

To deliver downloads, enforce license terms, and manage trials (similar to industry-standard plugin authorization), we collect:

  • License keys, activation status, and machine slot limits
  • Machine identifier, machine fingerprint, and machine name associated with activations
  • Trial session data and trial period records
  • Plugin version and download events (including timestamp and country, when available)

This data is used for license compliance, fraud prevention, and support — not to track your audio projects or DAW session content.

3.4 Website, Downloads & Technical Logs

  • IP address, browser type, device information, pages visited, referrer, and timestamps
  • Download activity (plugin requested, time, approximate country, browser type, and account association when logged in)
  • Authentication and security logs (sign-in events, IP address, browser type)
  • Cookie and localStorage preferences (see Section 9)
  • Operational logs for payments and errors (session identifiers, technical metadata, masked email where applicable — we do not intentionally log full tax IDs or payment card data in these logs)

3.5 Communications & Optional Programs

  • Messages you send via our contact form or support channels
  • Email newsletter or waitlist signups, if you opt in
  • Beta tester enrollment and feedback, if you participate in a beta program

4. How We Use Your Information

  • Process orders, deliver license keys, and provide downloads
  • Manage accounts, activations, trials, and machine authorizations
  • Provide customer support and respond to inquiries
  • Send transactional emails (receipts, license delivery, password resets, security notices) — required for the service and not promotional
  • Comply with Brazilian tax and invoicing obligations, including NFS-e when applicable
  • Detect fraud, abuse, and unauthorized license use
  • Measure website performance and advertising effectiveness (only with appropriate consent where required)
  • Send marketing or newsletter emails only when you have opted in; unsubscribe anytime via the link in each message
  • Improve our website, plugins, and user experience

We do not sell your personal information to data brokers. We may share data with service providers and advertising partners as described below, which may constitute "sharing" under some U.S. state privacy laws when used for cross-context behavioral advertising.

5. Legal Bases for Processing

Depending on your location, we rely on the following legal bases:

5.1 Contract

Processing necessary to fulfill purchases, deliver licenses, manage activations, and provide support.

5.2 Legal Obligation

Retaining tax and transaction records, processing CPF/CNPJ for Brazilian invoicing, and responding to lawful requests. Under LGPD, CPF/CNPJ may be treated as sensitive personal data; we process it based on legal/regulatory obligation and, where applicable, your consent at checkout. Confirm Art. 11 requirements with qualified counsel.

5.3 Legitimate Interests

  • License enforcement and fraud prevention
  • Website security and abuse prevention

You may object to processing based on legitimate interests by contacting privacy@monsterdsp.com.

5.4 Consent

  • Google Analytics 4 — loaded only after you accept analytics cookies
  • Meta Pixel (browser) and Meta Conversions API (server-side purchase events) — only when you accept marketing cookies at checkout or in cookie settings
  • Marketing emails and newsletter subscriptions

You may withdraw consent at any time via Cookie Settings in the site footer or by unsubscribing from emails.

5.5 Processing Summary

One legal basis per activity (GDPR Art. 6 / LGPD Art. 7). This summary avoids listing internal systems.

ActivityLegal basis
Account, orders, licenses, activationsContract
CPF/CNPJ, invoices, tax recordsLegal obligation
Fraud prevention, security logs, license enforcementLegitimate interests
Google AnalyticsConsent
Meta Pixel and Conversions APIConsent
Marketing emails, beta opt-in, waitlistsConsent
Transactional email (receipts, licenses, security)Contract

6. Data Retention

We keep personal data only as long as needed for the purposes above:

  • Account data: While your account is active, plus up to 3 years after closure unless you request earlier deletion (subject to legal holds)
  • Orders, invoices, and tax identifiers (CPF/CNPJ): Up to 7 years, as required by Brazilian tax and accounting law
  • License and activation records (including machine fingerprints): For the life of the license plus 3 years
  • Download and security logs: Typically 12–24 months
  • Webhook and error logs: Typically 12 months
  • Google Analytics: Up to 26 months (Google's default)
  • Marketing consent records: Until you withdraw consent
  • Beta program data: For the duration of the program plus 1 year, unless you request deletion sooner

When retention periods end, we delete or anonymize data. Backup copies may persist for up to 90 additional days before being overwritten.

7. Service Providers & International Transfers

We use trusted third parties to operate our business. Our primary database is hosted by Supabase in São Paulo, Brazil (AWS sa-east-1). Even though core account and license data is stored in Brazil, some processing still occurs internationally — for example payment data with Stripe (US), analytics with Google (US), advertising with Meta (US), website delivery via Vercel and Cloudflare, and plugin downloads from Cloudflare R2.

7.1 Subprocessors

ProviderPurposeLocation
SupabaseDatabase, authentication, backendBrazil (sa-east-1)
StripePayment processing, billing, tax ID and address storageUnited States / global
VercelWebsite hosting and deploymentUnited States / global edge
Cloudflare R2Plugin installer file storage and deliveryGlobal
Google Analytics 4Website analytics (with consent)United States
Meta (Pixel + Conversions API)Advertising measurement and optimization (with consent)United States
Supabase Auth / emailTransactional emails (account verification, password reset)Varies by configuration
NFS-e provider (when enabled)Brazilian electronic invoicing (name, email, tax ID, address)Brazil

Privacy policies: Stripe, Supabase, Vercel, Cloudflare, Google, Meta.

7.2 Transfer Safeguards

Where personal data is transferred outside Brazil or the EEA, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) and, where applicable, provider participation in recognized transfer frameworks (for example, the EU-U.S. Data Privacy Framework).

8. When We Disclose Information

We may disclose personal data when:

  • Required by law, court order, or government request
  • Necessary to protect our rights, users, or the public
  • Shared with service providers under contract and only for the purposes described in this policy
  • Shared with an NFS-e or tax invoicing provider to issue Brazilian tax documents
  • Part of a business transfer (merger, acquisition) with notice to affected users

Payment card data is handled solely by Stripe under PCI-DSS standards. We never receive or store your full card number.

9. Cookies, Analytics & Advertising

We use cookies and similar technologies on our website. Plugin software installed in your DAW does not use advertising cookies.

9.1 Cookie Categories

  • Necessary: Required for site security, authentication, and checkout. Cannot be disabled.
  • Analytics (Google Analytics 4): Helps us understand traffic and page performance. Loaded only with your analytics consent. GA4 may collect identifiers such as IP address and device data — it is not fully anonymous.
  • Marketing (Meta Pixel): Measures ad conversions and builds audiences. Loaded only with your marketing consent.

9.2 Meta Conversions API (Server-Side)

When you complete a purchase and have accepted marketing cookies, we may send server-side Purchase events to Meta's Conversions API. This includes:

  • Hashed email address (SHA-256)
  • Order value, currency, and product identifiers
  • Event URL and order/session ID (for deduplication with the browser pixel)

Your marketing consent at checkout is recorded and server-side events are not sent if you rejected marketing cookies. See Meta's Privacy Policy.

9.3 Your Cookie Choices

On your first visit, a cookie banner lets you accept all, reject non-essential, or customize preferences. Your choices are stored in browser localStorage under the key cookie-consent (fields: necessary, analytics, marketing, timestamp).

Use Cookie Settings or Do Not Sell or Share My Personal Information in the site footer to change preferences at any time. You can also email privacy@monsterdsp.com.

10. Your Privacy Rights

Depending on where you live, you may have the following rights:

  • Access — know what data we hold about you
  • Correction — fix inaccurate or incomplete data
  • Deletion — request erasure, subject to legal retention requirements
  • Restriction — limit how we process your data in certain cases
  • Portability — receive data you provided in a machine-readable format (account profile, orders, and licenses)
  • Objection — object to processing based on legitimate interests or direct marketing
  • Withdraw consent — where processing is consent-based
  • Anonymization or blocking (LGPD) — request anonymization or suspension of unnecessary processing

10.1 How to Submit a Request

Email privacy@monsterdsp.com with subject line "Data Protection Rights Request" and include your name, account email, and the right you wish to exercise.

Data portability: On request, we provide a structured export (typically JSON or CSV) of your account profile, order history, and active licenses tied to your email.

10.2 Response Times

  • LGPD: Simple confirmation requests may be answered within 15 days; other requests within 30 days (up to 60 days for complex cases, with notice)
  • GDPR: Within 30 days (up to 60 days for complex requests, with notice)
  • California (CPRA): Within 45 days (one 45-day extension possible with notice)

10.3 Complaints

In Brazil, contact the ANPD. In the EU/EEA, contact your local authority via the EDPB.

11. California & U.S. State Privacy Rights

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the CPRA provides additional rights.

11.1 Categories of Personal Information Collected (Last 12 Months)

  • Identifiers: Name, email, phone, IP address, account ID, device/machine identifiers
  • Commercial information: Purchase history, products licensed, order values
  • Internet/network activity: Browsing history on our site, interactions with ads (with consent)
  • Geolocation data: Approximate location derived from IP address
  • Professional information: Company name (if provided)
  • Inferences: Ad targeting profiles created by Meta/Google from your interactions (with consent)

11.2 Purposes & Third Parties

We use these categories to operate our store, deliver licenses, provide support, comply with tax law, prevent fraud, and — with consent — measure advertising. Categories may be shared with Stripe, Supabase, Vercel, Cloudflare, Google, Meta, and NFS-e providers as described in Section 7.

11.3 Sale & Sharing

We do not sell personal information for money. We may share identifiers and commercial information with Meta and Google for cross-context behavioral advertising and conversion measurement when you consent to marketing/analytics cookies, and via Meta Conversions API on purchase when marketing consent was granted.

11.4 Your California Rights

  • Right to know what personal information we collect, use, and disclose
  • Right to delete personal information, subject to exceptions
  • Right to correct inaccurate personal information
  • Right to opt out of sale/sharing for cross-context behavioral advertising
  • Right to limit use of sensitive personal information (we use tax IDs only for invoicing, not for profiling)
  • Right to non-discrimination for exercising your privacy rights

11.5 How to Opt Out of Sharing

Click Do Not Sell or Share My Personal Information in the site footer, use Cookie Settings to disable marketing cookies, or email privacy@monsterdsp.com. If your browser sends a Global Privacy Control (GPC) signal, we honor it for browser-based tracking where technically feasible.

We respond to verifiable California requests within 45 days (with a possible 45-day extension and notice).

12. Brazil (LGPD) Summary

  • CPF/CNPJ is collected for legal/tax compliance when billing country is Brazil
  • Shared with Stripe and NFS-e providers for payment and invoicing
  • Retained up to 7 years for tax records
  • Core account and license data is hosted in Brazil (São Paulo)
  • File complaints with the ANPD at gov.br/anpd

13. Security & Data Breaches

We use encryption in transit (HTTPS), access controls, and secure payment processing through Stripe. If a breach is likely to result in high risk to your rights, we will notify affected users and relevant authorities as required by law.

14. Children's Privacy

Our services are not directed to children under 13 (or under 16 in the EEA). We do not knowingly collect personal information from children. Contact us to request deletion if you believe a child provided us data.

15. Changes to This Policy

We may update this policy when our practices or legal requirements change. We will post the revised version on this page and update the "Last updated" date above.

16. Contact Us

Diogo Guedes Audio Profissional (monsterDSP)

CNPJ: 23.731.502/0001-98
São Paulo, SP, Brazil

Privacy: privacy@monsterdsp.com
General: info@monsterdsp.com
Contact form

This Privacy Policy is provided for informational purposes. It is not legal advice. Consult a qualified attorney for guidance specific to your situation.

© 2026 monsterDSP. All rights reserved.