Privacy Policy
Effective Date: May 2, 2026
1. Introduction & Scope
SoundKit ("we", "us", "our") operates the SoundKit platform at soundkit.dev. This Privacy Policy describes how we collect, use, store, and share your personal information when you use the SoundKit website and service.
This Privacy Policy applies to all users of the website and service. By using SoundKit, you consent to the practices described in this policy. Your use of the Service is also governed by our Terms of Service at /terms.
If you do not agree with the practices described in this Privacy Policy, do not use the Service.
2. Information We Collect
We collect the following categories of information:
- **Account Information**: Email address, password (hashed — we never store plaintext passwords), display name, profile settings, and notification preferences.
- **Plugin Creation Data**: Plugin descriptions, planning conversations, parameter configurations, visual design layouts, and build outputs (plugin source code).
- **Usage Data**: Pages visited, features used, session duration, browser type and version, operating system, IP address, device information, and referring URLs.
- **Payment Data**: Processed by Stripe — we do NOT store full credit card numbers. We store subscription status, plan type, last 4 digits of card, billing history, and transaction dates.
- **Community Data**: Shared plugins, download history, remix relationships, ratings, comments, and public profile information.
- **Communication Data**: Support messages, feedback submissions, and email correspondence.
3. How We Use Your Information
We use the information we collect for the following purposes:
- **Service Delivery**: To create your account, process plugin builds, deliver compiled audio plugins, and manage subscriptions and billing.
- **AI Training & Improvement**: To train and improve our AI systems (see Section 4 for full details).
- **Analytics & Improvement**: To understand usage patterns, identify issues, and improve the Service.
- **Communication**: To send account verification emails, build status notifications, subscription updates, and service announcements. Marketing emails require opt-in and include unsubscribe links.
- **Security & Fraud Prevention**: To detect and prevent abuse, unauthorized access, and violations of our Terms of Service.
- **Legal Compliance**: To comply with applicable laws, regulations, and legal processes.
4. AI Training & Data Usage
We use data generated through your use of the Service — including plugin designs, planning conversations, interactive preview sessions, and build outputs — to train, improve, and develop our AI systems.
Data may be anonymized and aggregated for model training and analysis. This usage is essential for improving plugin quality and service capabilities.
By using SoundKit, you consent to this usage as a condition of the service. See Section 9 of our Terms of Service at /terms for the full data usage terms.
You may request deletion of your data (see Addendum A or B for your jurisdiction), but data already used to train AI models cannot be individually extracted or un-trained.
5. Data Sharing & Third Parties
**We do NOT sell your personal information to third parties.**
We share data with the following service providers who process data on our behalf:
- **Stripe** — Name, email, payment method, billing address — for payment processing and subscription management.
- **Google** — Email, OAuth profile (if used) — for authentication (Google Sign-In) and analytics.
- **Anthropic** — Plugin descriptions, conversations, build parameters — for AI-powered plugin generation.
- **GitHub** — Build artifacts (plugin source code only, no personal data) — for plugin compilation.
- **Vercel** — IP address, browser info (standard web hosting logs) — for frontend hosting.
- **Railway** — API request data (standard web hosting logs) — for backend hosting.
Each provider operates under its own privacy policy and data processing agreements. We may disclose information if required by law, legal process, or government request.
In the event of a merger, acquisition, or asset sale, user data may be transferred. We will notify affected users.
6. User-Generated Content & Community Board
By sharing a plugin to the Community Board, your plugin, username, and associated metadata become publicly visible to other SoundKit users.
ANY INFORMATION YOU SHARE ON THE COMMUNITY BOARD IS BY DESIGN OPEN TO OTHER USERS AND IS NOT PRIVATE.
Public content may be indexed by search engines. You are responsible for any personal information you include in shared plugin names, descriptions, or comments.
You may remove your shared plugins at any time, but copies downloaded by other users cannot be recalled. See Section 8 of our Terms of Service at /terms for Community Board usage terms.
SoundKit may remove or moderate shared content at its discretion.
7. Sensitive Personal Information
SoundKit does not intentionally collect sensitive personal information, including but not limited to:
- Social Security numbers or government-issued identifiers
- Racial or ethnic origin
- Political opinions or religious beliefs
- Health or medical data
- Biometric data
- Genetic information
- Sexual orientation
- Criminal history or union membership
Do not submit sensitive personal information through the Service. If we learn that sensitive personal information has been inadvertently collected, we will delete it promptly.
9. Data Retention
- **Account Data**: Retained while your account is active. After account deletion, personal data is removed within 30 days (the deletion grace period described in our Terms of Service at /terms).
- **Build Artifacts**: Retained as described in your account settings. You may delete individual builds from your library at any time.
- **Deleted Accounts**: Personal data deleted within 30 days. Anonymized and aggregated data (which cannot identify you) may be retained indefinitely for analytics and AI improvement.
- **Payment Records**: Retained as required by tax and financial regulations (typically 7 years).
- **Support Communications**: Retained for 2 years after resolution.
- **Community Board Content**: Plugins you shared remain available to users who downloaded them, even after you delete your account. Metadata and attribution are anonymized.
10. Security Measures
We implement industry-standard security measures to protect your data:
- Encryption in transit (HTTPS/TLS for all connections)
- Encryption at rest for stored data
- Access controls and authentication for internal systems
- Regular security assessments and monitoring
- Rate limiting and abuse detection
WE CANNOT GUARANTEE THE ABSOLUTE SECURITY OF YOUR DATA. NO METHOD OF ELECTRONIC TRANSMISSION OR STORAGE IS 100% SECURE.
If we become aware of a security breach affecting your personal data, we will notify you and relevant authorities as required by applicable law.
11. General Provisions
**Children's Privacy**
SoundKit is not intended for users under 18 years of age (see our Terms of Service at /terms, Section 1). We do not knowingly collect personal information from children under 18. If we learn we have collected data from a child under 18, we will delete it promptly. If you believe a child has provided us personal information, contact us immediately at privacy@soundkit.dev.
**International Data Transfers**
SoundKit is operated from the United Kingdom. Your data may be processed in the United Kingdom and other countries where our service providers operate (including the United States). By using the Service, you consent to the transfer of your data outside the UK where necessary. For transfer mechanisms and region-specific detail, see Addendum B.
**Third-Party Links & Services**
The Service may contain links to third-party websites or services. We have no control over and assume no responsibility for the privacy practices of third-party sites. We encourage you to review the privacy policies of any third-party sites you visit.
**Changes to This Policy**
We may update this Privacy Policy from time to time. We will notify you of material changes by email at your registered email address. Continued use of the Service after changes constitutes acceptance. The "Effective Date" at the top indicates when the policy was last updated.
Jurisdiction-Specific Addenda
A. Notice to California Residents (CCPA/CPRA)
This section applies to California residents and supplements the general Privacy Policy above.
**Data Categories We Collect**
- **Identifiers** (email, display name, IP address) — Sources: user-provided, automatic collection — Purpose: account management, communication — Shared with: Stripe, Google, Vercel
- **Commercial Information** (subscription history, transaction records) — Sources: user-provided, Stripe — Purpose: billing, service delivery — Shared with: Stripe
- **Internet Activity** (pages visited, features used, session data) — Sources: automatic collection — Purpose: analytics, improvement — Shared with: analytics providers
- **Audio/Visual** (plugin designs, visual layouts) — Sources: user-provided — Purpose: plugin creation, AI training — Shared with: Anthropic, GitHub
- **Inferences** (plugin category preferences, usage patterns) — Sources: derived from activity — Purpose: personalization, AI improvement — Shared with: internal use
**Your California Rights**
- **Right to Know**: Request disclosure of what personal information we collect, use, and share.
- **Right to Delete**: Request deletion of your personal information, subject to legal exceptions (e.g., fraud prevention, legal obligations, completing transactions).
- **Right to Correct**: Request correction of inaccurate personal information.
- **Right to Opt-Out of Sharing**: We do not sell personal information. We do not "share" personal information for cross-context behavioral advertising.
- **Right to Non-Discrimination**: We will not discriminate against you for exercising your CCPA rights.
**How to Exercise Your Rights**
Email: privacy@soundkit.dev. We will verify your identity before processing requests. We will respond within 45 days (may extend to 90 days with notice). You may designate an authorized agent to submit requests on your behalf.
**"Do Not Sell or Share"**
SoundKit does not sell personal information as defined under the CCPA. SoundKit does not share personal information for cross-context behavioral advertising. We acknowledge and honor Global Privacy Control (GPC) browser signals.
B. Notice to European Users (GDPR / UK GDPR)
This section applies to individuals in the European Economic Area (EEA), United Kingdom, and Switzerland, and supplements the general Privacy Policy above.
**Controller**
SoundKit is the data controller for your personal information. Data Protection Officer contact: privacy@soundkit.dev.
**Legal Bases for Processing**
- **Performance of Contract** (Article 6(1)(b)): Account creation, plugin builds, subscription management.
- **Legitimate Interests** (Article 6(1)(f)): AI training, analytics, fraud prevention, service improvement — we balance our interests against your rights.
- **Consent** (Article 6(1)(a)): Marketing emails, optional analytics — withdrawable at any time.
- **Legal Obligation** (Article 6(1)(c)): Tax records, legal requests, breach notification.
**Your GDPR Rights**
- **Right of Access** (Art. 15): Request a copy of your personal data.
- **Right to Rectification** (Art. 16): Correct inaccurate personal data.
- **Right to Erasure** (Art. 17): Request deletion of your personal data ("right to be forgotten") — note: data already used to train AI models cannot be individually extracted.
- **Right to Restrict Processing** (Art. 18): Request restriction of processing in certain circumstances.
- **Right to Data Portability** (Art. 20): Receive your data in a structured, machine-readable format (JSON).
- **Right to Object** (Art. 21): Object to processing based on legitimate interests, including AI training.
- **Right to Withdraw Consent** (Art. 7): Withdraw consent at any time — does not affect lawfulness of prior processing.
- **Right to Lodge Complaint**: You may file a complaint with your local Data Protection Authority / Supervisory Authority.
**International Transfers**
Your data may be transferred to and processed in the United States by our service providers (Anthropic, GitHub, Vercel, Railway, Stripe, Google). Where data is transferred outside the UK or EEA, we rely on UK International Data Transfer Agreements (IDTAs), EU Standard Contractual Clauses (SCCs), or adequacy decisions as appropriate transfer mechanisms. We commit to updating transfer mechanisms as required by applicable law.
**How to Exercise Your Rights**
Email: privacy@soundkit.dev or gdpr@soundkit.dev. We will respond within 30 days (may extend by 60 days for complex requests, with notice). We may need to verify your identity before processing requests.
C. Contact Information
- **General privacy inquiries**: privacy@soundkit.dev
- **Support**: support@soundkit.dev
- **GDPR / EU-UK data protection**: gdpr@soundkit.dev
- **Mailing address**: [Physical address — TBD before launch]
We will respond to all privacy requests within the timeframes required by applicable law.