Privacy Policy

CueSync ("we," "us," or "our") operates the CueSync desktop application and the website at https://www.cuesync.live (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

CueSync is a music-based stage automation platform that analyzes audio in real time to control lighting, video, and show-control systems during live events.

This policy is provided as a best-effort transparency document. It is not a substitute for professional legal advice. We encourage you to consult with a legal professional if you have specific questions about your rights.

We use the information we collect to:

• Operate and maintain the license activation and validation system
• Process payments through Paddle (our Merchant of Record)
• Send transactional emails (license keys, subscription confirmations)
• Enforce device limits (1 device per subscription)
• Monitor for suspicious activity, brute-force attempts, and abuse
• Improve our website through anonymized, consent-based analytics
• Respond to support requests submitted through our contact form

All payments are processed by Paddle.com as our Merchant of Record. Paddle handles all payment card processing, invoicing, sales tax, and compliance. We never receive, store, or process your credit card or payment method details.

For details on how Paddle handles your payment data, please review Paddle's Privacy Policy.

The CueSync desktop application communicates with our servers only for license validation (approximately once every 30 days for token renewal). The application does not send telemetry, usage statistics, or any data about your show files.

All audio analysis is performed entirely on your local device. No audio data is ever transmitted to our servers. Your cue lists, show configurations, and creative content remain entirely on your machine.

To protect the security of our licensing system, we maintain audit logs that record:

• License activation and deactivation events
• IP address changes for active devices
• Failed activation attempts (for brute-force detection)
• Suspicious activity patterns (e.g., rapid IP switching)

Our system includes rate limiting (maximum 5 activation attempts per hour per IP) and prefix-based lockout (after 20 failed attempts with the same key prefix within 24 hours) to prevent abuse.

Your data is stored using the following infrastructure:

• PostgreSQL (United States) — primary database for user accounts, subscriptions, devices, and audit logs
• Redis (United States) — caching layer for rate limiting, session tokens, and temporary data with automatic expiration
• Hetzner (United States) — dedicated server hosting for website and API

We use a minimal set of cookies and local storage for essential functionality and optional analytics. For full details on the specific cookies we use, how to manage your preferences, and your opt-out options, please see our Cookie Policy.

We use the following third-party services that may process your data:

• Account data: retained while your subscription is active, plus 90 days after cancellation
• Audit logs: retained for 12 months, then automatically purged
• Redis cache data: automatically expires with TTLs ranging from 1 hour (rate limits) to 24 hours (lockouts)
• Contact form submissions: retained for 12 months for support purposes

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation:

• Right of Access: request a copy of the personal data we hold about you
• Right to Rectification: request correction of inaccurate or incomplete data
• Right to Erasure: request deletion of your personal data
• Right to Restriction: request that we limit processing of your data
• Right to Data Portability: request your data in a machine-readable format
• Right to Object: object to processing based on legitimate interests
• Right to Withdraw Consent: withdraw consent at any time where processing is based on consent
• Right to Lodge a Complaint: file a complaint with your local supervisory authority

To exercise any of these rights, contact us at contact@cuesync.live. We will respond within 30 days.

If you are a California resident, you have the following rights under the California Consumer Privacy Act:

• Right to Know: request information about the categories and specific pieces of personal information we have collected
• Right to Delete: request deletion of your personal information
• Right to Opt-Out of Sale: we do not sell your personal information to third parties
• Right to Non-Discrimination: we will not discriminate against you for exercising your privacy rights

Your data is processed and stored in the United States. If you are accessing our Service from outside the United States, your information will be transferred to, stored, and processed in the United States.

We rely on standard contractual clauses and other approved transfer mechanisms to ensure that your data receives an adequate level of protection when transferred internationally.

Our Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected data from a child under 16 without parental consent, we will take steps to delete that information promptly.

We implement the following security measures to protect your data:

• SHA-256 hashing for license keys (plaintext keys are never stored)
• Ed25519 digital signatures for license token verification
• Rate limiting on all API endpoints to prevent abuse
• Brute-force protection with automatic prefix lockout
• HTTPS for all data in transit
• httpOnly secure cookies for web sessions

We honor Do Not Track (DNT) browser signals. When DNT is enabled, PostHog analytics are not loaded and no tracking cookies are set. Our essential functionality (license validation, bot protection) continues to work without analytics.

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by updating the "Last updated" date at the top of this page. For significant changes, we may also send a notification to the email address associated with your account.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

If you have questions or concerns about this Privacy Policy or our data practices, please contact us:

• Email: contact@cuesync.live
• Contact form: https://www.cuesync.live/contact