GreenEars

Legal documents

Privacy Policy

Version
1.1.0
Effective
2026-06-06
Last revised
2026-06-06

This document constitutes a legally binding agreement between you ("User", "You") and GreenEars Audio LLC ("GreenEars", "we", "us", "our"), a Utah limited liability company. It explains what personal information we collect, why, with whom we share it, and the rights you have.

We aim to write this in plain language alongside the legal terms required by laws like the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), the Utah Consumer Privacy Act (UCPA), and similar laws in Virginia, Colorado, Connecticut, and Texas.

1. WHO WE ARE

1.1 GreenEars Audio LLC is a Utah limited liability company. Business address: 298 24th St 103 Ogden, UT 84401 General privacy contact: privacy@greenearsaudio.com

1.2 GreenEars is the controller of personal data we collect through greenearsaudio.com and through our plugins.

1.3 MOONBASE AS INDEPENDENT CONTROLLER.

When you purchase a license, the Moonbase storefront (greenears.moonbase.sh) is the merchant of record and an independent data controller for the transaction (payment, tax, invoicing, account on Moonbase, fraud prevention). Stripe is Moonbase's underlying payment processor. GreenEars receives a webhook copy of customer and order data from Moonbase and acts as controller of that data for our own purposes (license issuance, support, telemetry correlation, marketing where you opted in). Moonbase's privacy practices are governed by its own policies; contact privacy@moonbase.sh for Moonbase-specific requests.

2. SCOPE

2.1 This Policy applies to:

  • the GreenEars website at greenearsaudio.com;
  • GreenEars audio plugins (VST3, AU, AAX, CLAP, AUv3 formats);
  • email communications we send;
  • support interactions.

3. WHAT WE COLLECT, BY SOURCE

3.1 INFORMATION YOU GIVE US DIRECTLY

3.1.1 Account sign-up on greenearsaudio.com:

name, email address, password (stored as a salted hash), your acceptance of this Policy and our Terms and Conditions, and your optional opt-in to communications.

3.1.2 Account management:

forgot/reset password actions, email confirmation, profile updates, voucher redemptions, offline-activation requests.

3.1.3 Customer phone number.

3.1.4 Support:

information you send to support@greenearsaudio.com (account, billing, refunds, and your Moonbase account), to techsupport@greenearsaudio.com (installation, download, bugs, and plugin usage), or through in-plugin feedback (the Help > Send Feedback button).

3.2 INFORMATION COLLECTED AUTOMATICALLY BY THE WEBSITE

3.2.1 Browser scripts/SDKs in use:

ONLY the Moonbase Vue SDK (@moonbase.sh/vue). We do NOT load Google Analytics, Google Tag Manager, Google Fonts, Hotjar, Intercom, Facebook Pixel, reCAPTCHA, browser-side Sentry, or Datadog.

3.2.2 Cookies and local storage on the website:

  • greenears_error_session_id: a UUID stored in your browser's localStorage to correlate error reports across a session. Set by GreenEars. Persistent. Functional/security.
  • moonbase_session: authentication cookie set by Moonbase. Strictly necessary.
  • moonbase_storefront: cart and UTM-attribution state, set by Moonbase. Strictly necessary.
  • __vdpl: a cookie that may be set by Vercel (our hosting platform).

See COOKIE_POLICY.txt for full details.

3.2.3 Server-side error reports:

when a script error occurs in your browser, the website may POST a sanitized error payload to /api/client-errors, which is stored in Supabase and forwarded to PostHog. Long tokens and email addresses are redacted from the payload.

3.2.4 We do NOT use PostHog's browser SDK on the website. We use PostHog only server-side, with the project API key kept on the server.

3.3 INFORMATION COLLECTED AUTOMATICALLY BY THE PLUGIN

3.3.1 Activation/validation data sent to Moonbase (greenears.moonbase.sh):

  • a hashed device fingerprint derived from your OS hardware UUID via juce::SystemStats::getUniqueDeviceID;
  • device hostname (typically your computer's name);
  • JUCE version;
  • operating system name and bitness;
  • CPU model, vendor, core/thread counts;
  • system memory in MB;
  • DAW name and plugin format;
  • plugin version and product name;
  • the source IP address and HTTP headers as observed by the server.

3.3.2 Telemetry events sent to PostHog:

  • app_started; plugin_instance_started/stopped;
  • editor_opened/closed;
  • license_state; license_activation_started/succeeded; license_deactivation;
  • parameter_adjusted with BUCKETED values (parameter values are quantized before transmission: gain to ~3 dB buckets, percentage controls to ~10% buckets, etc., so the raw mix is not reconstructible);
  • dsp_mode_changed; quality_mode_changed; bypass_toggled;
  • preset_loaded;
  • ab_state_changed/copied;
  • quickstart_opened/card_advanced/dismissed;
  • about_opened; easter_egg_opened;
  • feedback_submitted;
  • host_context_sample, sent approximately every 60 seconds while the plugin editor is open, including:
  • sample_rate;
  • host_is_playing;
  • host_bpm;
  • input_rms_db (loudness of the incoming audio, NOT the audio itself);
  • track_name (the DAW track name where the host exposes it);
  • track_name_available.

3.3.3 SPECIAL DISCLOSURES.

(a) DAW TRACK NAMES. When your DAW exposes a track name to the plugin, we send that string in host_context_sample. Track names sometimes contain personal data (artist names, project codenames, client names). If you do not want a particular track name sent, rename or anonymize the track in your DAW before opening the GreenEars plugin on it, or opt out of telemetry. We store the distinct track names you encounter in session_host_context_agg.track_names in our database.

(b) EMAIL AND NAME ATTACHED TO POSTHOG IDENTITY ON ACTIVATION. Before activation, we identify your plugin instance with an anonymous SHA-256 hash of your device ID (32 hexadecimal characters) as the PostHog distinct_id. When you activate a license, we $alias that anonymous id to your Moonbase customer_id and $identify the person with these properties: email, name, moonbase_customer_id, moonbase_license_id, activation_id, trial flag, activation_method, and expires_at. This means events after activation are linked to your name and email in PostHog.

(c) FEEDBACK BUTTON ALWAYS SENDS. The Send Feedback button in the plugin transmits its event (feedback_submitted) and message text even when you have opted out of analytics. This is because the feedback message IS the user's deliberate communication to us; if you do not wish to send a message, do not press Send. The feedback_submitted event is excluded from the analytics opt-out because of this rationale, and this exception is disclosed here.

3.3.4 We do NOT capture audio. We do NOT capture file system paths of your projects. We do NOT use session recording. We do NOT use PostHog's autocapture.

3.4 INFORMATION FROM MOONBASE

3.4.1 We receive webhook events from Moonbase covering account creation, customer profile changes, orders, license issuance, activations, deactivations, revocations, and refunds. We store the full webhook payload (HMAC-verified) in our moonbase_webhook_events table and mirror the relevant customer identity fields (name, email, phone, country, newsletter opt-in, moonbase_customer_id) into our database.

4. HOW WE USE PERSONAL DATA AND OUR LAWFUL BASES (GDPR / UK GDPR)

We use personal data for these purposes; the GDPR lawful basis for each is identified.

4.1 To provide the Software, including license activation and validation. Lawful basis: contract (Art. 6(1)(b)).

4.2 To operate the website and your account. Lawful basis:

contract (Art. 6(1)(b)).

4.3 For product analytics, troubleshooting, and improving the Software via telemetry and aggregated metrics. Lawful basis: legitimate interests (Art. 6(1)(f)) in operating, securing, and improving our product, balanced with your right to opt out of analytics via the in-plugin Analytics Settings.

4.5 For account support (support@greenearsaudio.com) and technical support (techsupport@greenearsaudio.com). Lawful basis: contract (Art. 6(1)(b)) and legitimate interests.

4.6 To send transactional emails (license issuance, password reset, receipts). Lawful basis: contract.

4.9 We do not sell personal data for money. See Section 9.4 below on California "sale" and "sharing".

5. WHO WE SHARE DATA WITH (SUBPROCESSORS)

We share personal data with the following service providers ("subprocessors") only as needed to operate our service:

5.1 Vercel - website hosting (Nuxt 3 app). Region:

United States.

5.2 Supabase - application database and storage. Region:

us-east-2 (Ohio), United States. Project utebdygcxyhdqawwciyf. RLS enabled with no policies on customer tables; only our service role can read/write.

5.3 PostHog - product analytics. Region:

U.S. cloud (us.i.posthog.com), Project 424839, 30-day event retention.

5.4 Moonbase Technologies - storefront, license service, merchant of record. Storage region: AWS Ireland (EU), encrypted at rest.

5.5 Stripe - payment processor used by Moonbase. GreenEars does not receive your full payment card data.

5.6 Brevo (formerly Sendinblue) - transactional and marketing email and CRM.

5.7 Apple, Microsoft, and PACE (iLok) - signing/notarization and copy-protection services used at BUILD TIME only; these vendors do not receive runtime user data from GreenEars.

We will publish updates to this list when subprocessors change.

6. INTERNATIONAL DATA TRANSFERS

6.1 GreenEars is in the United States. Some of our subprocessors are in the United States (Vercel, Supabase, PostHog, Brevo) and some are in the European Union (Moonbase, AWS Ireland).

6.2 When we transfer personal data of EEA, UK, or Swiss users to the United States, we rely on appropriate safeguards including the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and, for UK transfers, the UK International Data Transfer Addendum or the UK IDTA, plus supplementary technical and organizational measures (encryption in transit and at rest, access controls). For transfers from the UK and Switzerland to the U.S., we use the analogous mechanisms.

6.3 You may request a copy of the relevant transfer safeguards by emailing privacy@greenearsaudio.com.

7. RETENTION

7.1 ACCOUNT DATA:

retained for the lifetime of your active account (consistent with Moonbase's retention model). Inactive Moonbase dialogues are retained by Moonbase for up to 24 months from last activity.

7.2 PLUGIN SESSIONS AND EVENTS:

retained in Supabase indefinitely for now, pending publication of a defined purge schedule. PostHog event retention is 30 days at the analytics layer. We will update this Policy when a defined Supabase purge schedule is set.

7.3 CLIENT ERROR EVENTS:

retained indefinitely for debugging and security purposes, with token and email redaction at intake.

7.4 MOONBASE WEBHOOK EVENTS:

retained indefinitely as a system of record.

7.5 LOCAL FILES on your machine (analytics.json, feedback_outbox.json, settings.json, Presets/, license.mb): under your control. Deleting them or uninstalling the plugin removes them locally. The license.mb JWT contains your email, name, customer_id, license_id, activation_id, and expiration; protect it like any credential.

7.6 SUPPORT CORRESPONDENCE:

emails to support@greenearsaudio.com and techsupport@greenearsaudio.com are retained while your account is active and for a reasonable period afterwards for warranty, refund, troubleshooting, and audit purposes.

8. SECURITY

8.1 We use industry-standard measures including HTTPS in transit, encryption at rest where supported by our providers, HMAC verification of Moonbase webhooks, signed JWTs for license artifacts, server-side use of secret API keys (no PostHog project API key in the browser), Supabase row-level security with service-role-only access on identity tables, and token/email redaction in client-error pipelines.

8.2 No system is completely secure. We follow the breach notification requirements of applicable law, including the Utah breach notification statute (Utah Code ss. 13-44-101 et seq.) and state breach laws elsewhere in the U.S., and we will notify affected individuals and regulators as required.

9. YOUR RIGHTS

9.1 EEA, UK, AND SWITZERLAND (GDPR / UK GDPR).

You have the right to:

  • access your personal data and receive a copy;
  • request correction of inaccurate or incomplete data;
  • request erasure;
  • request restriction of processing;
  • data portability for data processed on the basis of consent or contract and by automated means;
  • object to processing based on our legitimate interests;
  • withdraw consent at any time for processing based on consent (without affecting prior processing);
  • lodge a complaint with your supervisory authority (in the UK, the Information Commissioner's Office; in the EU, your local Data Protection Authority).

9.2 CALIFORNIA (CCPA/CPRA).

You have the right to:

  • know what personal information we collect, use, disclose, and (where applicable) sell or share;
  • delete your personal information, subject to exceptions;
  • correct inaccurate personal information;
  • opt out of "sale" or "sharing" of personal information for cross-context behavioral advertising;
  • limit the use of sensitive personal information;
  • non-discrimination for exercising these rights.

9.3 UTAH, VIRGINIA, COLORADO, CONNECTICUT, TEXAS.

Under the Utah Consumer Privacy Act (UCPA, effective Dec 31, 2023), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), and the Texas Data Privacy and Security Act (TDPSA), you have rights similar to those above (access, deletion, correction, portability, and opt-out of sale or targeted advertising). Some of these laws require an appeal process for denied requests; we will honor such appeals.

9.4 "SALE" AND "SHARING" UNDER CALIFORNIA LAW.

We do not sell personal information for money. We have determined that our current data practices do not include "sharing" of personal information for cross-context behavioral advertising as defined under CPRA, because we do not run advertising trackers on our website or in our plugin. If this changes, we will update this Policy and provide a "Do Not Sell or Share My Personal Information" link as required. PLACEHOLDER LINK: https://greenearsaudio.com/privacy/do-not-sell-or-share.

9.5 SENSITIVE PERSONAL INFORMATION (SPI).

We do not knowingly collect SPI as defined under CPRA. If you believe you have provided SPI to us (for example in a free-text feedback message), contact privacy@greenearsaudio.com to request limitation or deletion.

9.6 CALIFORNIA SHINE THE LIGHT (Civ. Code ss. 1798.83). California residents may request, once per calendar year, information about our disclosures, if any, of personal information to third parties for those parties' own direct marketing purposes during the preceding calendar year. Send requests to privacy@greenearsaudio.com with "Shine the Light" in the subject line. We do not currently share personal information with third parties for their own direct marketing.

10. HOW TO EXERCISE YOUR RIGHTS

10.1 Email privacy@greenearsaudio.com from the email address associated with your account. We will respond within the time required by applicable law (typically 30-45 days; extensions available where law permits).

10.2 In-plugin:

use Help > Analytics Settings to opt out of telemetry. The setting is stored at: [userAppData]/GreenEars/[PluginName]/analytics.json.

10.3 Moonbase account deletion:

log in to greenears.moonbase.sh and use Moonbase's account controls, or contact privacy@moonbase.sh.

10.4 VERIFICATION.

To protect your data, we will verify requests by matching the requesting email to your account and, for sensitive requests, by asking additional questions.

10.5 AUTHORIZED AGENTS.

You may use an authorized agent to submit requests where law permits, with proof of authorization.

11. COOKIES AND SIMILAR TECHNOLOGIES

12. CHILDREN

12.1 The Software and the website are not directed to children under 13 years old. We do not knowingly collect personal information from children under 13 in violation of the U.S. Children's Online Privacy Protection Act (COPPA). If you believe we have collected information from a child under 13, contact privacy@greenearsaudio.com and we will delete it.

13. ANTI-AI-TRAINING PRACTICES

13.1 We do not use personal data we collect from you to train foundation models or general-purpose AI systems. We may use de-identified, aggregated analytics to improve our Software, including testing internal models bounded to a single product.

13.2 We do not license your personal data to third parties for AI/ML training.

14. AUTOMATED DECISIONS

15. CHANGES TO THIS POLICY

15.1 We may update this Policy from time to time. Material changes will be communicated by posting an updated version in our public Business_Docs repository and on greenearsaudio.com/privacy, and where required by law, by direct notice. The "Last Revised" date at the top reflects the most recent update. Prior versions are archived in /archive.

16. CONTACT

GreenEars Audio LLC298 24th St 103 Ogden, UT 84401Privacy: privacy@greenearsaudio.comLegal: legal@greenearsaudio.comAccount support: support@greenearsaudio.comTechnical support: techsupport@greenearsaudio.com

EFFECTIVE DATE: 2026-06-06