Privacy policy
1. Controller
Controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws is:
[Name and address as in the Imprint]
Email: hello@outboard.audio
You can reach us for data-protection-related enquiries at this email address.
2. Overview of processing
We process personal data for the following purposes:
• Provision and technical operation of this website (server logs, CDN)
• Creation and management of your Outboard account and the licenses you have acquired
• Passwordless magic-link sign-in (Auth.js + Resend)
• Order processing via Lemon Squeezy acting as Merchant of Record
• Sending transactional email (order confirmations, magic links)
• Handling support requests
We do not use any analytics, marketing or tracking third parties. No Google Analytics, advertising pixels or comparable services are loaded.
3. Legal bases
Processing of personal data is carried out on the basis of the GDPR. For each processing activity we state the applicable legal basis in the relevant section. The relevant bases are typically:
• Art. 6 (1) (b) GDPR — performance of a contract or pre-contractual measures (purchase, account, license)
• Art. 6 (1) (c) GDPR — compliance with legal obligations (e.g. commercial and tax record-keeping)
• Art. 6 (1) (f) GDPR — legitimate interest (technical operation, IT security)
4. Hosting and delivery (Vercel)
This website is hosted and delivered through the global CDN of Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA. On every request your browser transmits technically necessary data to Vercel:
• IP address
• User agent (browser and operating system identifier)
• Requested URL
• Referrer
• Time of the request
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in stable, secure operation of the website).
Third-country transfer: Vercel may process data in the United States. We have concluded the EU Standard Contractual Clauses (SCC) under Implementing Decision (EU) 2021/914 with Vercel. Vercel is additionally certified under the EU-US Data Privacy Framework.
Retention: server logs are typically retained for 30 days for abuse and error analysis.
5. Email delivery (Resend)
For transactional email — magic-link sign-in, order confirmations, license delivery, support replies — we use Resend Inc., 2261 Market Street #4193, San Francisco, CA 94114, USA.
Processed: email address, message content, delivery status.
Legal basis: Art. 6 (1) (b) GDPR (performance of contract) or Art. 6 (1) (f) GDPR for support enquiries.
Third-country transfer: a Data Processing Agreement (DPA) and the EU Standard Contractual Clauses are in place with Resend.
Retention: delivery logs are typically kept by Resend for 30 days; on our side the email address is only stored in the account context (see section 7).
6. Payment processing (Lemon Squeezy)
Purchases via outboard.audio are processed entirely by Lemon Squeezy LLC, 488 Madison Avenue, 6th Floor, New York, NY 10022, USA. Lemon Squeezy acts as Merchant of Record: it sells in its own name, issues invoices and remits applicable taxes.
The following data is transmitted directly to Lemon Squeezy at checkout: name, email address, billing address, payment details (credit card, PayPal, etc.) and IP address. We ourselves do not see full payment details or the billing address.
Upon successful purchase, Lemon Squeezy sends us a confirmation containing: email address, order ID, product variant, order timestamp and the generated license key. We process this data to deliver and manage the license (legal basis: Art. 6 (1) (b) GDPR).
Lemon Squeezy's own data processing is governed by their privacy notice: https://www.lemonsqueezy.com/privacy. Third-country transfers occur under the EU Standard Contractual Clauses.
7. Account and license management (Auth.js + Neon Postgres)
On your first purchase we automatically create an account. The identifier is the email address from your order. In our database we store:
• Email address (as account identifier)
• Acquired license keys and associated order IDs
• Activation counts and device instances per license
• Hardware-fingerprint hashes per activated device (see below)
• Timestamps for account creation and license issuance
The database is Postgres, provided by Neon Inc., 209 W. Houston Street, Suite 7, New York, NY 10014, USA. We exclusively use the EU region (Frankfurt) — data is therefore processed within the EU, no third-country transfer.
Hardware binding: to enforce the per-license device limit and prevent license sharing, the plugin computes a salted HMAC-SHA256 hash of stable machine identifiers (e.g. the operating-system machine GUID, CPU model, install ID) when you activate. We only ever receive and store these one-way hashes — never the raw identifiers — so the value is pseudonymous and cannot be reversed to identify your hardware. After activation the plugin holds a license token (valid for 14 days, then renewed) locally in its settings file; it is verified offline on each launch. Legal basis: Art. 6 (1) (b) GDPR (the activation is part of the licence contract). You can release a device at any time via your account dashboard.
Sign-in to the customer area is passwordless via an email magic link (Auth.js). Auth.js sets a strictly necessary HTTP-only cookie for the duration of an authenticated session. No tracking, marketing or third-party cookies are set. Legal basis: Art. 6 (1) (b) GDPR.
Retention: account and license data are stored for the duration of the business relationship. Statutory tax and commercial retention periods (10 years for invoice records under § 147 AO, § 257 HGB) remain unaffected.
8. Web fonts
We use the typefaces Inter Tight and JetBrains Mono. These are self-hosted via the Next.js component `next/font` and delivered alongside the page. No request is made to Google Fonts or other external font servers.
9. Cookies
We use only strictly necessary cookies:
• Auth.js session cookie (HTTP-only, SameSite=Lax) — identifies your authenticated session, only set after sign-in.
• next-intl locale cookie — stores your language selection.
• outboard_consent — stores your cookie consent so the banner does not reappear.
• Lemon Squeezy checkout session — set exclusively by the Lemon Squeezy overlay during an active purchase (USA, EU SCC).
No analytics, marketing or tracking cookies are set. A full, anytime-editable overview of every cookie in use is available on the cookie settings page: https://outboard.audio/en/cookie-settings.
10. Third-country transfers
Where data is transferred to third countries (in particular the United States), this is based on the EU Standard Contractual Clauses under Implementing Decision (EU) 2021/914. Vercel and Lemon Squeezy are additionally certified under the EU-US Data Privacy Framework. A list of processors and their third-country status is provided in sections 4 to 7.
11. Your rights
Under the GDPR you have the following rights with regard to personal data concerning you:
• Access (Art. 15 GDPR)
• Rectification (Art. 16 GDPR)
• Erasure (Art. 17 GDPR)
• Restriction of processing (Art. 18 GDPR)
• Data portability (Art. 20 GDPR)
• Objection to processing (Art. 21 GDPR)
• Withdrawal of consent (Art. 7 (3) GDPR) with effect for the future
Please send requests informally to hello@outboard.audio. We respond without undue delay, at the latest within one month.
12. Right to lodge a complaint
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). The competent authority is generally the data protection authority of the federal state where you reside or the authority responsible for our place of business: [Supervisory authority by state — e.g. Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)].
13. Updates and changes
This privacy policy was last updated on [insert date before launch]. As our website and offerings evolve, or due to changing legal requirements, we may need to amend this privacy policy. The current version is always available on this page.