Welcome to our website www.helgoboss.org and to our software and app products (in particular “Jam Pad,” “Helgobox,” and “ReaBoot”). When you view the content, contact us, install or use our software, create a user account, subscribe, or use other features, personal data is processed.
The General Data Protection Regulation (GDPR) requires us to inform you about the terms and conditions of processing at the time of data collection. This Privacy Policy explains what happens to your personal data when you interact with us.
A. GENERAL INFORMATION
1. Data Controller
The data controller within the meaning of the GDPR is:
Benjamin Klum
Helgoboss Projects
Förstereistr. 40
01099 Dresden
Germany
Phone: +49 351 2728 6449 (no hotline)
Email: info@helgoboss.org
Website: www.helgoboss.org
2. Data Protection Officer
We have not appointed a Data Protection Officer. If you have any questions regarding data protection, you can contact us at any time using the contact details provided above.
3. Your Rights as a Data Subject
You have the right to access (Art. 15 GDPR), rectification (Art. 16 GDPR), erasure (Art. 17 GDPR), restriction of processing (Art. 18 GDPR), and data portability (Art. 20 GDPR), provided that the respective legal requirements are met and no exceptions apply. Please note that you may exercise these rights at any time. However, compliance may be precluded by legal requirements such as retention obligations.
If we process personal data to safeguard our legitimate interests pursuant to Art. 6(1)(f) of the GDPR, you have a general right to object. To the extent that there are specific reasons arising from your particular situation and we have no overriding interest in the processing, we will cease processing in the event of your objection.
If we require consent to process your personal data, we will explicitly request it from you in advance. Consent that has been given may be revoked at any time with future effect. However, this does not affect the data processing that has taken place up to that point.
You may withdraw your consent by contacting us, for example, via email at info@helgoboss.org or in writing by mail to the address listed above.
You also have the right to lodge a complaint with a data protection supervisory authority at any time. The competent supervisory authority for us is:
Saxon Data Protection and Transparency Commissioner
Mailing address: P.O. Box 11 01 32, 01330 Dresden
Phone: +49 351 85471-101
Email: post@sdtb.sachsen.de
Website: www.datenschutz.sachsen.de
4. Recipients of the Data
Your data is accessed and used by the respective authorized personnel within our organization. Since data is stored in IT systems, it cannot be ruled out that IT service providers may also access the data in the context of hosting, maintenance, troubleshooting, and support.
If, in the course of our processing, we disclose data to other individuals and companies (processors or third parties), transfer it to them, or otherwise grant them access to the data, this is done only on the basis of legal authorization (e.g., if a transfer of data to third parties pursuant to Art. 6(1)(b) GDPR is necessary for the performance of a contract), if you have consented, if a legal obligation requires it, or on the basis of our legitimate interests (e.g., when using agents, hosting providers, billing and similar services that enable us to efficiently and effectively fulfill our contractual obligations, administrative tasks, and duties).
There is a possibility that legally relevant documents—and therefore also the personal data contained therein—may be accessed by supervisory authorities, courts, attorneys, or tax advisors. In cases involving tax-related matters, tax advisors and the tax office may also become aware of the information.
5. Data Transfer to a Third Country
We generally process data within the European Union or the European Economic Area. Data transfers to so-called third countries (i.e., countries outside the EU or the EEA) may occur in individual cases, particularly when we use services whose providers are based outside the EU/EEA or when data processing outside the EU/EEA cannot be ruled out.
This may be particularly relevant in the case of internationally active service providers and platforms, such as app stores, GitHub, Google Workspace, YouTube, RevenueCat, Paddle, 2Checkout, Sentry, or comparable services. Internet synchronization via relay servers may also involve a third country if the relay servers are operated outside the EU or the EEA.
Subject to statutory or contractual permissions, we process or have personal data processed in a third country only if the specific requirements of Articles 44 et seq. of the GDPR are met. This means that processing takes place, for example, on the basis of specific safeguards, such as the officially recognized determination of a level of data protection equivalent to that of the EU (e.g., adequacy decision) or through the agreement of officially recognized standard data protection clauses with the recipient of the data.
Please note that data transfers to third countries may involve risks despite such safeguards. In particular, government access in the third country cannot be completely ruled out in every case.
6. Retention Period
The duration of storage is primarily determined by statutory retention obligations as well as by our legitimate interest in further retention. To the extent that specific retention periods are mentioned in this Privacy Policy, these take precedence.
Unless a specific retention period is specified, we generally delete personal data as soon as the respective purpose no longer applies and there are no legal retention obligations, no statute of limitations, and no legitimate interests in further storage. We generally store support and contact inquiries for the duration of processing and thereafter for a reasonable period for documentation and traceability. We store contract- and billing-related data in accordance with statutory commercial and tax retention obligations.
B. INFORMATION ABOUT THE WEBSITE www.helgoboss.org
1. Visiting the Website
When you visit our website and view its content, certain usage data is automatically collected and stored in so-called server log files. In particular, the browser type and version, the operating system used, the referrer URL (the previously visited website), the IP address of your device, and the time of the server request are processed.
The permissibility of this processing is based on Art. 6(1)(f) of the GDPR (legitimate interest). We rely on presenting our services on a website. The internet is an important communication medium. Without our own website, we would not be able to adequately provide information about our projects and products. The data processing described is necessary to access the website.
The IP address is stored to the extent that this is appropriate for data security and for investigating or preventing security or data protection breaches. The storage period for delivery via BunnyCDN is currently three days. According to the provider, IP anonymization is performed in this process. In the event of a criminal complaint or the enforcement of claims against individuals who have committed security or data protection breaches, the data may be stored and used until the matter is fully resolved or claims are enforced.
Hosting
Our website is operated by a hosting provider. The hosting provider may gain access to the aforementioned data as part of its service provision. We have contractually obligated the hosting provider and have previously verified its reliability.
Host: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany
Further information: https://www.hetzner.com/de/legal/privacy-policy/
The website is delivered via BunnyCDN. BunnyCDN is used for the high-performance delivery of website content and user content. As of now, BunnyCDN is used in an EU configuration. BunnyCDN stores log data for three days as specified by the client and anonymizes IP addresses. We have a contract with BunnyCDN for data processing.
CDN provider: BunnyWay d.o.o., Dunajska cesta 165, 1000 Ljubljana, Slovenia
Further information: https://bunny.net/privacy/ https://bunny.net/gdpr/
2. Contacting Us
If you have any questions or a specific inquiry regarding our services and projects, you can contact us via email or by phone. In doing so, we process the data you provide to respond to your inquiry.
The lawfulness of this processing is based on Art. 6(1)(b) of the GDPR (pre-contractual measures), to the extent that your inquiry is aimed at entering into or performing a contract, as well as on Art. 6(1)(f) of the GDPR (legitimate interest), to the extent that we wish to efficiently process general inquiries. Without the provision of your data, we generally cannot respond to your inquiry.
In this respect, the provision of your data is necessary to contact us and receive answers to your questions.
We use Google Workspace for email communication and support. Google Workspace is used for the technical provision and administration of our email inbox. In particular, sender and recipient addresses, subject lines, message content, attachments, timestamps, and technical metadata may be processed. Processing is carried out to receive and respond to incoming inquiries and to document the communication in a traceable manner. The legal basis is Art. 6(1)(b) of the GDPR, insofar as the communication serves the purpose of initiating or performing a contract, and otherwise Art. 6(1)(f) of the GDPR. Our legitimate interest lies in reliable, secure, and efficient email communication.
We do not use a ticket system for direct support. Inquiries are handled via email. We store your inquiry for the duration of its processing and beyond, provided a contract is concluded or provided we have a legitimate interest in documenting the communication. Otherwise, inquiries are deleted as soon as they are no longer necessary and no retention obligations or legal defense interests preclude this.
2.1 Contact Form
When we provide a contact form on our website, the data you enter into the form is processed to receive and respond to your inquiry. Depending on the form, this may include, in particular, your name, email address, subject, and message content. Alternatively, you may also contact us via email.
The lawfulness of this processing is based on Art. 6(1)(b) of the GDPR (pre-contractual measures) and Art. 6(1)(f) of the GDPR (legitimate interest). We want to be able to receive and respond to your inquiries regardless of location or time. Therefore, we provide you with an electronic way to contact us. We use the data you provide to respond to your inquiry. Without the provision of your data, we cannot respond. In this respect, the provision of data is necessary to contact us and receive answers to your questions.
The technical processing of the contact form is handled via a proprietary solution (“Helgoboss API”). The form entries are transmitted to our API and from there sent to our support email address via Mailjet or Sinch Email. As of now, there is no additional storage in a database or CRM system.
Mailjet or Sinch Email is used as the technical mailing service provider. In particular, the email address, message content, technical mailing data, and delivery information may be processed. Processing is carried out to reliably transmit the form request to us. The legal basis is Art. 6(1)(b) GDPR, insofar as it concerns pre-contractual measures or contract performance, and otherwise Art. 6(1)(f) of the GDPR. Our legitimate interest lies in the reliable technical transmission of form requests.
Mailjet / Sinch Email: Sinch Email, part of the Sinch Group, headquartered in Paris, France
Data Processing Agreement (DPA): https://sinch.com/legal/terms-and-conditions/other-sinch-terms-conditions/data-protection-agreement/
We store your inquiry for the duration of processing and beyond, provided a contract is concluded or provided we have a legitimate interest in documenting the communication. Otherwise, the message history is deleted as soon as it is no longer necessary and no retention obligations or legal defense interests preclude this.
3. Cookies and Consent Management
As of now, we do not use any cookies on our website that require consent. A consent management tool is not currently in use because we currently operate without a cookie banner.
Should we use cookies or similar technologies in the future that are not technically necessary, we will obtain consent in advance to the extent required by law. To the extent that processing requires the storage of information on your device or access to information already stored on the device, we also comply with § 25 TDDDG.
4. Web Analytics with Umami
We use a self-hosted version of Umami to statistically analyze the use of our website and improve our content. As of now, Umami is used without cookies. The analysis is conducted anonymously or in aggregated form. No cross-website user profiles are created, and there is no recognition across different websites.
When using Umami, technical usage data may be processed, in particular pages visited, referrers, browser used, operating system, device type, approximate location at the country level, and time of access. We use this information to understand which content is accessed, which technical environments are used, and how we can improve our website.
The permissibility of the processing is based on Art. 6(1)(f) of the GDPR. Our legitimate interest lies in the statistical analysis and improvement of our website. To the extent that Umami is operated without cookies and no information is stored or read from your device, consent pursuant to § 25(1) TDDDG is not required under the current design.
Since Umami is self-hosted, processing takes place within our own technical infrastructure. Under the current design, no personal web analytics data is transferred to an external analytics provider.
5. External Links and Third-Party Websites
Our website may contain links to external websites and platforms, in particular to YouTube, GitHub, app stores, payment providers, documentation sites, or community platforms. When you click on an external link, you leave our website. From that point on, the respective provider processes personal data under its own responsibility.
As of now, YouTube videos are not embedded in the website but are only linked. Consequently, simply visiting our website does not result in any automatic data transfer to YouTube due to embedded videos. Only when you click on a YouTube link do you leave our website, at which point YouTube’s or Google’s privacy policy applies.
6. Early Access, Project Updates, and Newsletters
On our website, you can sign up for early access, project updates, newsletters, or similar notifications. To do so, enter your email address in the corresponding form. An optional message field may also be provided.
A double opt-in is used for registration. You will first receive an email asking you to confirm your registration. This ensures that the actual owner of the email address has registered. In doing so, we also process technical verification data, in particular the time and confirmation status.
The lawfulness of data processing when sending the newsletter or similar notifications is based on Art. 6(1)(a) of the GDPR (consent). Providing your data for this purpose is voluntary.
We use Mailjet or Sinch Email for sending. In particular, email addresses, optional message details, consent and confirmation data, as well as sending and delivery information may be processed.
Mailjet / Sinch Email: Sinch Email, part of the Sinch Group, headquartered in Paris, France
Data Processing Agreement (DPA): https://sinch.com/legal/terms-and-conditions/other-sinch-terms-conditions/data-protection-agreement/
Your data will be stored for the duration of your subscription. It will be removed from the active mailing list if you withdraw your consent or unsubscribe from the newsletter. To the extent that further storage of proof data is required, this will only occur for as long as necessary to document consent or for legal defense.
7. Advertising for Similar Services via Email
If you are already a user of our open-source software or our commercial software, or if you have a corresponding customer relationship with us, we may use your email address to inform you about similar services we offer, such as Jam Pad or related Helgoboss products.
The permissibility of this is based on Art. 6(1)(f) of the GDPR (legitimate interest) and, where applicable, § 7(3) of the UWG. Our legitimate interest lies in informing existing users about similar offerings of our own. You may object to the use of your email address for promotional purposes at any time. If you object, your email address will no longer be used for this form of promotional communication.
8. Online Presences, Community Platforms, and Public Support Channels
Based on our legitimate interests within the meaning of Art. 6(1)(f) of the GDPR, we maintain online presences within social networks, developer platforms, and community platforms to communicate with users active there, provide information, receive feedback, and facilitate public discussions about our projects.
When accessing the respective networks and platforms, the terms of service and data processing policies of the respective operators apply. Unless otherwise specified in this Privacy Policy, we process users’ data when they communicate with us within the platforms, for example, by posting on our online presences, creating public issues, submitting feature requests, or sending us messages.
GitHub is used in particular for public issues, feature requests, forum or wiki functions, and for GitHub Releases. These services are community-based and are not strictly necessary for the core operation of the software. Please note that posts on GitHub may be publicly visible. Therefore, do not submit any confidential information or personal data via public GitHub areas that should not be publicly visible.
Profiles and Platforms:
YouTube: https://www.youtube.com/c/BenjaminKlum Support is not normally provided via YouTube.
GitHub: https://github.com/helgoboss GitHub can be used for publicly visible support, issues, feature requests, forum/wiki features, and releases.
Bluesky: https://bsky.app/profile/helgoboss.bsky.social As of now, no support is offered via Bluesky.
C. INFORMATION ABOUT OUR SOFTWARE AND APP PRODUCTS
This section applies in particular to:
- Jam Pad (app on Android, iOS, macOS, and Windows; later also web and Linux)
- Helgobox (REAPER plugin, consisting of open-source and commercial components)
- ReaBoot (installer as a desktop application and website)
1. General Information on the Use of Software and Apps
Depending on the product and type of use, we may process personal data to provide the software, enable features, fix bugs, prevent misuse, assign payments, or provide support.
To the extent that use is possible entirely offline, we perform no data processing or only very limited processing. As soon as online features are used—in particular user accounts, synchronization via servers, collaboration, or payment processing—personal data is processed.
2. Jam Pad
2.1 What data is processed when using Jam Pad
Jam Pad is designed as an offline-first app. The app allows you to create and manage so-called “Spaces.” Depending on the Space type, data is processed exclusively locally on your device, synchronized between devices, or stored and processed on the server.
a) Single-Device Spaces
Single-Device Spaces are Spaces stored locally on a single device. When you use Single-Device Spaces, the content of the respective Space generally remains on the device where the app is installed. We generally do not receive any content or data derived from the content.
With Single-Device Spaces, the responsibility for local data backup lies primarily with you. We have no access to locally stored content as long as you do not use cloud, internet sync, or other online features.
b) Multi-Device Spaces
Multi-Device Spaces enable synchronization between multiple devices. Synchronization can take place directly between your devices via the local network. Optionally, synchronization via the Internet can take place after opt-in.
If synchronization occurs via the Internet, relay servers may be used to establish connections between devices or to mediate encrypted connections when a direct connection is not possible. Iroh relay technology is expected to be used for this purpose. According to current plans, we will operate our own dedicated relay servers (“dedicated relays”). The relay servers may be hosted via Hetzner. It is possible that individual relay servers may also be operated in third countries, provided this is technically or functionally necessary.
The contents of the synchronization are transmitted with end-to-end encryption. According to the technical design, relay servers do not have access to content data. However, for technical reasons, they may process connection data, in particular the IP addresses of both devices, timestamps, connection status, and device identifiers. According to the current design, the device identifiers are public keys generated by Jam Pad upon first launch.
The lawfulness of the processing is based on Art. 6(1)(b) of the GDPR, insofar as internet synchronization is part of the feature you have activated. If consent is required for the integration or activation of the feature, it will be obtained prior to processing. Internet synchronization can be enabled or disabled in the app, provided the feature is available.
Further information on relay technology: https://docs.iroh.computer/concepts/relays
c) Cloud Spaces
Cloud Spaces require a Jam Pad account and, depending on the feature, an active subscription or a current trial period. When you use Cloud Spaces, content from the respective Cloud Space is automatically uploaded to servers provided by us. The server serves as a central synchronization and storage system. You can log in on multiple devices and synchronize your Cloud Spaces.
For Cloud Spaces, we process the content and metadata contributed by the Space Owner and the invited Space Participants to the extent necessary for cloud storage, synchronization, collaboration, and access control.
In particular, the following categories of data are processed:
- Personal data, in particular name and email address
- Contract master data, in particular subscription status
- Communication data, in particular invitation and system emails as well as internal messages, to the extent this feature is used
- Content data, specifically the data you store in Cloud Spaces such as recordings, markers, tags, documents, playlists, comments, messages, and other Space content
- Role, invitation, access, and permission data
- Quota and usage data, in particular storage space usage, number and assignment of Cloud Spaces, number of participating users including the Space Owner, content storage consumption, and technical usage limits
- Usage and log data, in particular technical log data and timestamps for error analysis, IT security, and abuse prevention
The lawfulness of the processing is based on Art. 6(1)(b) of the GDPR (contract), because the processing is necessary to provide the cloud and collaboration features. To the extent that we process log data for security, stability, or to prevent misuse, we also base the processing on Article 6(1)(f) of the GDPR.
2.2 User Account and Login
You can generally use Jam Pad offline. For Cloud Spaces and collaborative features, you need a Jam Pad account.
When registering and using the user account, we process, in particular, your name, email address, and authentication data. As of now, Keycloak is used for identity and access management. We host Keycloak ourselves on our infrastructure at Hetzner.
Optionally, you can use social login via Apple or Google. In this case, we receive the data necessary for authentication from the respective provider, specifically your email address, name, and provider ID.
Social login providers: Apple, Google
The lawfulness of the processing is based on Art. 6(1)(b) of the GDPR (contract or pre-contractual measure). Without the provision of the required data, the creation and use of a Jam Pad account is not possible.
2.3 Hosting of Cloud Functions and Data Processing
We use hosting service providers to operate the server-side components of Jam Pad. The server-side component consists in particular of identity and access management, a database, object storage, and application logic for synchronization.
Hosting provider: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany
Further information: https://www.hetzner.com/de/legal/privacy-policy/
As of now, the regions of Falkenstein, Helsinki, and, if applicable, Nuremberg are primarily used. In the production environment, data can be replicated across multiple data centers to improve security, availability, and fault tolerance.
We have a contract with Hetzner for data processing in accordance with Article 28 of the GDPR.
The following data types are covered under the data processing agreement: communication data, personal master data, contract master data, and log data. The group of data subjects includes customers and prospective customers.
The lawfulness of the processing is based on Article 6(1)(b) of the GDPR (contract).
2.4 Collaboration, Invitations, and Roles
In Cloud Spaces, Space Owners can invite other Jam Pad users to a Cloud Space as Space Participants and remove them from it. To do so, we process data necessary for invitations and rights management, in particular email addresses, user IDs, and information about the Cloud Space and the assigned roles.
Currently, there are two roles: Space Owner and Space Participant. Space Participants can use the respective Cloud Space within the scope of their role and the technically provided permissions without having to hold a subscription themselves. Content, comments, messages, recordings, markers, documents, and other Space content may be visible and usable to Space Participants in accordance with the role and permission logic.
The exact rights matrix is provided in the product documentation, help documentation, or within the app. From a data protection perspective, it is crucial that the visibility and use of content depend on the respective Cloud Space, the role, and the technically provided permissions.
The lawfulness of the processing is based on Art. 6(1)(b) GDPR (contract) and Art. 6(1)(f) GDPR (legitimate interest), insofar as it concerns the secure and traceable management of access rights.
2.5 Cloud Subscription, Quotas, and Permission Status
The Jam Pad cloud subscription is account-based. Depending on the subscription plan, quotas and technical usage limits may apply, in particular a maximum number of Cloud Spaces, a maximum number of participating users including the account holder, storage limits for content in GB, especially for larger files such as recordings, as well as other technical usage quotas.
The specific limits are communicated via the app, store, checkout, website, or product information. To provide the cloud and collaboration features and enforce usage limits, we may process, in particular, storage usage, the number and assignment of Cloud Spaces, the number of participating users, subscription and authorization status, quota information, and technical usage limits.
The lawfulness of the processing is based on Art. 6(1)(b) of the GDPR, as the processing is necessary for the provision and enforcement of the contractually agreed features and usage limits.
2.6 Payment Processing, Subscriptions, In-App Purchases
Jam Pad may include one-time payments and subscriptions. Most payments are processed through app stores, specifically the Apple App Store and Google Play Store. In this case, the respective store processes the payment and billing data on its own responsibility. We generally receive information necessary for assigning and providing the purchased services, in particular transaction IDs, purchase status, product ID, subscription status, and, where applicable, country or region.
The lawfulness of the processing is based on Art. 6(1)(b) of the GDPR (contract) and Art. 6(1)(c) of the GDPR (legal obligations), insofar as commercial and tax law retention obligations are concerned.
Where app store-independent payments are offered, a Merchant of Record may be used depending on the product and distribution channel, in particular Paddle or 2Checkout. The respective Merchant of Record regularly processes payment and billing data under its own responsibility.
We receive the data necessary for the provision, allocation, billing, and administration of the service, in particular email address, payment status, billing data, and product or service status.
2.7 RevenueCat (Receipt Validation, Entitlements, and Authorization Status)
We use RevenueCat to technically manage subscriptions and one-time purchases, validate receipts, and provide entitlements. RevenueCat is used in particular for receipt validation, managing entitlements, and verifying which features the user has paid for. The Jam Pad app and the Jam Pad server can call the RevenueCat API to check the authorization status and grant or deny access to paid features.
In particular, user or app user IDs, platform information, product identifiers, purchase and subscription status, receipt information, transaction data, technical access data, and app and device information may be processed to the extent necessary for verifying and granting entitlements.
RevenueCat processes data in accordance with its current classification as a data processor. The lawfulness of the processing is based on Article 6(1)(b) of the GDPR (contract), because the processing is necessary to provide purchased features and implement the authorization status.
To the extent that RevenueCat is additionally used for analytics or attribution, this is done separately and only to the extent that the necessary legal requirements are met. Such processing does not serve the purpose of error diagnosis and must be distinguished from Sentry or technical error tracking.
Service Provider: RevenueCat, Inc.
DPA: https://www.revenuecat.com/dpa/
Further Information: https://www.revenuecat.com/gdpr/
2.8 Push Notifications (future or optional, service only)
Jam Pad does not currently use push notifications. Following release, a feature for service push notifications may be introduced. Push notifications are intended solely for service purposes, not for marketing purposes.
Possible purposes include, in particular, notifications that a Space invitation has been accepted, as well as notifications regarding messages received in a Cloud Space.
If push notifications are enabled, we process technical data to deliver service-related notifications to you. In particular, push tokens, device information, and timestamps may be processed for this purpose. Apple Push Notification Service (APNs) and Firebase Cloud Messaging (FCM) may be used as push services.
The lawfulness of the processing is based on Art. 6(1)(b) GDPR, insofar as push notifications are necessary for the provision of a feature you have activated. Furthermore, Article 6(1)(f) of the GDPR may apply insofar as our legitimate interest lies in the reliable provision of service-related notifications. Activation and deactivation are performed via the app or through the device settings.
2.9 Bluetooth Functions (Hike and Mark)
Jam Pad can support connection to certain Bluetooth remote controls. This feature is active. In doing so, technical connection data required for pairing and use is processed. As an operating system permission, access to Bluetooth and the scanning of nearby Bluetooth devices are specifically required.
The lawfulness of the processing is based on Art. 6(1)(b) of the GDPR (contract), insofar as the feature is part of the service you have requested, as well as on Art. 6(1)(f) of the GDPR (legitimate interest) for secure provision and troubleshooting.
2.10 Error Tracking and Stability Analysis via Sentry
Jam Pad may use error tracking and technical diagnostics, in particular via Sentry. Error reports are processed to identify and resolve technical issues, crashes, stability problems, and malfunctions.
Sentry is not used for advertising, marketing, or profiling purposes. Error tracking must be distinguished from web analytics, usage analytics, marketing, tracking, and attribution.
In error tracking, the following data may be processed in particular: app version, operating system, device type, timestamp, technical event data, error messages, stack traces, crash reports, and comparable diagnostic data. Content data such as recordings, documents, messages, or other Space content should not be transmitted to Sentry whenever possible.
We configure Sentry in accordance with the principle of data minimization. As of now, Sentry is set up in the EU region. A DPA or a data processing agreement has been signed. Enhanced Privacy is enabled. JavaScript Source Fetching is disabled. Minidumps are not stored as attachments. Data scrubbing is enabled, including the settings “Require Data Scrubber” and “Require Using Default Scrubbers.” The storage of IP addresses is prevented.
The legal basis is Art. 6(1)(f) of the GDPR. Our legitimate interest lies in ensuring the security and stability of our software, analyzing errors, and improving the user experience. To the extent that, following the specific technical implementation, access to information on your end device occurs or such information is stored and consent is required for this, the processing is additionally aligned with the provisions of Section 25 TDDDG.
Users should be able to disable error tracking via a toggle in the app settings. The exact menu path may vary depending on the app version.
Service Provider: Sentry
Further Information: https://sentry.io/legal/privacy/ https://sentry.io/legal/dpa/ https://sentry.io/trust/privacy/gdpr-best-practices
2.11 Deletion and Retention at Jam Pad
Cloud Spaces selected by the Space Owner can be deleted immediately. In this case, restoration is generally not possible.
Upon expiration, cancellation, or non-renewal of a subscription, as well as in the event of a payment hold or account deletion, a 14-day grace period generally applies to the Cloud Spaces managed by the Account Owner, unless otherwise indicated in individual cases.
During this grace period, the affected Cloud Spaces are generally accessible in read-only mode. The user may use this time to make content available locally on their devices or to download it, provided the app technically allows this. Editing, further synchronization, or collaborative use of the affected Cloud Spaces may be restricted or prohibited during the grace period.
After the 14 days have elapsed, access to the affected Cloud Spaces in the cloud ends. Content stored locally or previously made available offline remains unaffected, provided it is present on the respective device and the app technically allows for its local use.
In the event of account deletion, reactivation may be possible within the grace period. After the grace period expires, there is no entitlement to restoration of the account or the affected Cloud Spaces.
Due to technical constraints, backups may remain stored for up to 90 days and may be overwritten or deleted thereafter. The purpose of backups is to protect against data loss on the server side, not to provide a general restoration or export function. Restoration from backups occurs only in exceptional cases and is not provided as a general restoration function.
To the extent that data is subject to commercial and tax law retention obligations, we store it for the periods prescribed by law. We delete other data provided that no legal claims remain or can be asserted, or provided that we have no legitimate interest in further retention.
3. Helgobox
Helgobox is a plugin for the DAW REAPER. It combines an open-source product (ReaLearn, GPL-3) and a commercial product (Playtime). Helgobox essentially operates offline. Online processing may occur, particularly in connection with error tracking, update or version notices, or the acquisition and verification of license keys.
3.1 Open-Source Components
To the extent that open-source components are used, we do not process personal data solely for the purpose of licensing. We provide details on the open-source components and licenses used within the software or on our website.
3.2 Playtime License Keys and Sales via 2Checkout
When you purchase a license key for Playtime, payment processing is handled by the Merchant of Record we use.
Merchant of Record: 2Checkout
We process the data necessary for assigning, providing, and managing the license, specifically email address, name, billing information, country, payment status, transaction information, license status, and, where applicable, device or installation data, to the extent technically feasible.
Purchase and billing-related data is stored for the retention periods required by commercial and tax laws, typically for 10 years.
Further information: https://www.2checkout.com/legal/gdpr-commitment/
The legal basis is Art. 6(1)(b) GDPR (contract) and Art. 6(1)(c) GDPR (retention obligations).
3.3 Version Check and Update Notifications
If Helgobox uses a feature to check the latest version number or to display update notifications, this is currently done by retrieving a static version file. No further telemetry takes place in this process.
When retrieving the version file, technical information may be processed, in particular the IP address, time, requested file or URL, as well as device and browser information in the server log files of the respective hosting service. As of the current status, delivery is handled via BunnyCDN. The log file retention period is currently three days.
The legal basis is Art. 6(1)(f) of the GDPR (legitimate interest). We have a legitimate interest in making security updates and bug fixes available and in notifying users of relevant changes.
3.4 Error Tracking and Technical Diagnostics via Sentry
Helgobox may in the future or optionally use error tracking and technical diagnostics, in particular via Sentry. Error reports will be processed to identify and resolve technical issues, crashes, stability problems, and malfunctions.
Sentry is not used for advertising, marketing, or profiling purposes. Error tracking must be kept separate from web analytics, usage analytics, marketing, tracking, and attribution.
In error tracking, the following data may be processed in particular: software version, operating system, device type, timestamp, technical event data, error messages, stack traces, crash reports, and comparable diagnostic data. Content data should not be transmitted to Sentry whenever possible.
We configure Sentry in accordance with the principle of data minimization. As of now, Sentry is set up in the EU region. A DPA or a data processing agreement has been signed. Enhanced Privacy is enabled. JavaScript Source Fetching is disabled. Minidumps are not stored as attachments. Data scrubbing is enabled, including the settings “Require Data Scrubber” and “Require Using Default Scrubbers.” The storage of IP addresses is prevented.
The legal basis is Art. 6(1)(f) of the GDPR. Our legitimate interest lies in ensuring the security and stability of our software, analyzing errors, and improving the user experience. To the extent that, depending on the specific technical implementation, access to information on your end device occurs or such information is stored and consent is required for this, the processing is additionally aligned with the provisions of Section 25 TDDDG.
Users should be able to disable error tracking via a toggle in the app or software settings. The exact menu path may vary depending on the version.
4. ReaBoot
ReaBoot consists of a website (reaboot.com) and a desktop application (installer). The installer is primarily used to install and update REAPER and additional software components for the REAPER DAW.
4.1 ReaBoot Website
If you visit the website reaboot.com, the relevant information regarding website usage applies, particularly regarding hosting, CDN, server log files, and web analytics.
As of now, the website is operated in a manner technically identical to the main website.
As of now, ReaBoot.com serves solely for informational purposes and to provide downloads. Contact forms, newsletters, and embedded content are not currently used there. To the extent that the self-hosted, cookie-free web analytics with Umami is also used on reaboot.com, the provisions regarding web analytics apply accordingly.
When accessing reaboot.com and downloading files, server log files may be processed, including, in particular, IP address, time, requested file or URL, user agent or browser and device information, and referrer, if available. This processing serves the operation of the website, IT security, and the provision of downloads. The legal basis is Art. 6(1)(f) of the GDPR.
4.2 ReaBoot Installer
Depending on its function, the installer may access local systems to perform installations. Personal data is generally only transmitted to us if the installer uses online functions, e.g., to access download sources or download files from the Internet.
As of now, ReaBoot contains no telemetry, no crash reports, and no update checks for ReaBoot itself. However, ReaBoot is an online installer. This means that the installer downloads files from the Internet according to the installation recipe provided by the user in order to install the desired software component. Additionally, the installer can detect, download, and install the latest version of the REAPER DAW if it is not already present.
Depending on the installation recipe, third-party sources may be accessed, in particular GitHub releases and provider websites such as the REAPER manufacturer’s website. When accessing such sources, the respective providers may process technical data, in particular IP address, time, requested URL or file, user agent, and comparable access data. The respective providers act in this regard on their own responsibility.
The legal basis for the accesses initiated by us within the scope of the installation function is Art. 6(1)(b) of the GDPR, insofar as the access is necessary to provide the installation function requested by the user. Furthermore, Art. 6(1)(f) of the GDPR may apply, insofar as our legitimate interest lies in the functional provision of the installer.
5. Data Security and Technical and Organizational Measures
We implement technical and organizational measures to protect personal data against loss, destruction, unauthorized access, unauthorized alteration, and unauthorized disclosure. The nature and scope of these measures are based on the state of the art, the implementation costs, the nature, scope, circumstances, and purposes of the processing, as well as the likelihood of occurrence and the severity of the risks to the rights and freedoms of natural persons. It should be noted that absolute security in IT systems cannot be guaranteed and that security risks cannot be completely ruled out despite appropriate measures.
5.1 Access Protection and Authorization Concepts
We restrict access to personal data to those individuals and systems that require it to perform their respective tasks. Access to administrative and operating systems is granted according to the principle of least privilege. For account-based services, we use identity and access management; for Jam Pad online services, this is currently Keycloak. Administrative access is logged to the extent that this is technically feasible and necessary for preventing misuse or analyzing errors.
5.2 Encryption and Protection During Transmission
We regularly use transport encryption for the transmission of personal data within the scope of online services, to the extent that this is technically feasible. With Jam Pad, synchronization between devices can take place locally or, if activated by the user, via the Internet. In the case of Internet synchronization, content is transmitted between devices using end-to-end encryption in accordance with the current product concept. Relay services are used to establish the connection and, according to the intended design, do not have access to content data. Connection and metadata such as IP addresses and timestamps may be generated for technical reasons.
5.3 Protection of Storage, Backup, and Recoverability
To the extent that we provide online services, data is processed and stored on servers. We implement appropriate measures to protect this data against unauthorized access. These include, in particular, access controls, role and authorization concepts, as well as procedures for recovery in the event of disruptions. For Jam Pad Cloud Spaces, a deletion policy is in place that provides for a grace period of 14 days following account deletion, expiration, termination, non-renewal, or suspension of payments, unless otherwise indicated in individual cases. Due to technical constraints, data may remain in backup copies for up to 90 days and is subsequently deleted or overwritten as part of the backup rotation.
5.4 Logging, Monitoring, and Abuse Prevention
We may process log data to detect malfunctions, analyze security incidents, and prevent misuse. Depending on the system context, this includes, in particular, access times, technical events, error messages, and security-related information. Logging is performed to the extent necessary and is time-limited, unless longer retention is required to investigate specific incidents.
5.5 Secure Development, Updates, and Vulnerability Management
We develop and operate our software and online services in a manner that appropriately addresses security requirements. This includes, in particular, regular updates, bug fixes, and security patches. To the extent that updates are necessary to maintain security or contractual compliance, users may be required to install them, provided this is reasonable. For consumers, the legal requirements for digital products apply in this regard.
5.6 Data Minimization and Configuration Principles for Error Analysis
To the extent that we use services for error analysis, in particular Sentry, we intend to minimize the collection of personal data and not to transmit content such as recordings or documents. We configure the collection process so that only data necessary for diagnosing and resolving technical errors is processed. Where an opt-out option for crash reporting is offered, the user may disable the feature in the app, provided this is technically feasible.
5.7 User Responsibilities
For offline functions, data backup is particularly the responsibility of the users, as content is stored on the end device. Users should protect their end devices, use appropriate security measures, keep access data confidential, and perform regular data backups to the best of their ability. For collaborative functions, users should carefully address invitations and grant access rights only to authorized persons.
5.8 Procedure for Data Breaches
Should we become aware of a personal data breach, we will investigate the matter and take appropriate remedial action. To the extent that a report to the competent supervisory authority or notification of affected individuals is required, this will be done in accordance with legal requirements, in particular Articles 33 and 34 of the GDPR.
6. Data Protection by Design and Privacy-Friendly Defaults
We take data protection requirements into account from the very beginning of the design, development, and operation of our software and services. The goal is to process personal data only to the extent necessary for the respective function and to provide users with transparent control options. In doing so, we adhere to the principles of data minimization, purpose limitation, and integrity and confidentiality.
6.1 Separation of Local Use, Internet Sync, and Cloud Processing
Where local use is possible, content can be accessed without server-side processing. In Jam Pad in particular, the core functionality is designed so that content remains on the end device in Single-Device Spaces. Multi-device spaces enable synchronization between devices. This can occur locally or via internet synchronization with relay servers. Cloud spaces must be distinguished from these, as cloud spaces involve server-side storage and processing by us or our service providers.
This enables use without server-side content processing, provided the user so desires and has not activated any cloud, Internet sync, or other online functions.
6.2 Activation of Optional Functions by the User
Certain functions are optional and are only provided if the user consciously uses or activates them. This applies in particular to Internet synchronization, the use of Cloud Spaces and collaboration, as well as future push notifications. To the extent that activating the feature triggers the processing of additional data, this is explained within the app, and activation occurs only upon the user’s explicit decision. Where consent is required, we obtain it prior to processing.
6.3 Data Minimization and Sparse Configuration of Telemetry
When we use telemetry, error analysis, or analytics functions, we intend to configure them sparingly. Content, particularly recordings and documents, should not be transferred to error analysis or analytics systems. We continuously review which data is necessary for diagnosis and improvement and reduce data collection wherever possible.
6.4 Control Options, Opt-Out, and Withdrawal
Where analytics or attribution functions are used, users should be able to disable them in the app’s settings, provided this is technically feasible. The same applies to crash reporting, provided an opt-out option is offered. A revocation or opt-out takes effect for the future. For push notifications, there is also the option to control them via the device’s permission settings.
An app-based opt-out should be provided via an app settings menu. The exact menu path may vary depending on the app version.
6.5 Roles and Access Control in Collaboration
In collaboration, access to content is technically controlled via roles and permissions. Access by uninvolved third parties is not intended. Invitations are sent specifically by users, and access is limited to invited individuals. Specific role permissions are provided in the product documentation, help documentation, or within the app.
6.6 Transparency and Ongoing Updates
We provide information on data processing not only in this Privacy Policy but also, where appropriate, within the app, particularly when sensitive or optional features are activated. If data flows, service providers used, or purposes change, we will update this Privacy Policy and publish the current version.
D. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy if necessary due to factual or legal changes. We will make the current version available on the website.
As of: April 2026