Privacy Policy

This policy explains what data Xodus Labs processes when you use our audio plugin software (e.g. REEL-COMP, DAC-CLIP — the "Plugins") and the associated license-activation service. Purchases and account interactions on our website are also covered where noted.

When you activate or validate a license, the Plugin contacts our activation server at https://xoduslabs.xyz/api. It transmits:

• A random device identifier — a randomly generated UUID created on first launch and stored locally. It is not derived from, and does not reveal, your hardware, serial numbers, or operating-system IDs.
• A device public key — the public half of a key pair generated on your device. The private key never leaves your device.
• An optional device name — a human-readable label (e.g. your DAW or computer name) to help you recognize the activation in your account. Provided only if available/entered.
• Product and request metadata — the product identifier (e.g. reel-comp), software version, operating system, and plugin format, sent in the request's User-Agent, plus request timestamps and a one-time cryptographic nonce.
• Session/access tokens — issued by the server to keep your activation valid; rotated on each successful check-in.
• Your IP address — the activation API uses your IP address to rate-limit requests (e.g. device pairing is limited per IP) and to detect and prevent abuse. IP addresses appear in short-lived rate-limit counters (automatically pruned) and in our hosting provider's standard server logs. We do not use your IP address to track or profile you.

The Plugin does not collect, transmit, scan, or access:

• your audio, recordings, projects, or any files on your device;
• your hardware fingerprint or device serial numbers;
• your name, email, or payment details (these are handled on the website at purchase — see §3);
• your license key, which you enter on our website during activation, not in the Plugin.

Stored locally on your device (in the operating-system secure store/keyring where available, otherwise a local file): your key pair, the random device identifier, the current session token, and a cached license summary. You can clear these by deactivating the device from the in-plugin license panel.

When you create an account, purchase a license, or pair a device on xoduslabs.xyz, we process: your email address (via our authentication provider), payment and order details (handled by our payment processor, Stripe — we do not receive or store full payment-card numbers), your license key(s), and your device-pairing and activation records. The store is operated by Xodus Labs on its own website.

• Activate and validate licenses and enforce the per-license Activation Limit.
• Show you license status (plan, seats used, masked key) in the Plugin.
• Detect and prevent fraud, abuse, and license sharing.
• Provide customer support.
• Send transactional emails — license delivery, receipts, and activation notices — via our email provider (Resend). We do not send marketing email unless you opt in.

• Performance of a contract — activation/validation is necessary to provide the licensed Software.
• Legitimate interests — preventing abuse and securing the service.
• Consent — for any optional marketing or non-essential cookies.

We share data only with providers that help us operate the service, under contract:

• Vercel — application hosting and server logs;
• Supabase — database, authentication, and file storage;
• Stripe — payment processing;
• Resend — transactional email delivery.

We do not sell your personal data.

We keep activation records and the random device identifier for as long as your license is active, plus 24 months thereafter for fraud-prevention and legal/accounting purposes, after which they are deleted or anonymized.

License requests are cryptographically signed (Ed25519 proof-of-possession) and sent over HTTPS. Secrets are stored in your operating system's secure credential store where available. No method of transmission or storage is 100% secure, but we apply measures appropriate to the limited, non-sensitive data involved.

Our service and sub-processors are based in the United States, and your data is processed there. If you access the service from outside the United States, you consent to that transfer; where required, we rely on appropriate safeguards (e.g. Standard Contractual Clauses).

Depending on where you live (e.g. EU/UK GDPR, California CCPA/CPRA), you may have the right to access, correct, delete, or port your data, to object to or restrict processing, and to withdraw consent. To exercise these, contact contact@xoduslabs.xyz. You may also deactivate a device yourself from the in-plugin license panel, which frees the activation slot.

The Software and service are not directed to children under 16, and we do not knowingly collect their data.

We may update this policy; material changes will be posted at this URL with a new effective date.

Xodus Labs — contact@xoduslabs.xyz.