Legal

Privacy Policy

Last updated May 11, 2026 · Version 3.0

§0

Draft, not final

This policy is a working draft.

It describes Dunamis Studios’ current data-handling practices for the marketing site, customer accounts, the Atelier desktop app, and our HubSpot marketplace apps. It will be finalized once the underlying Dunamis Studios LLC entity formation completes and counsel reviews the final draft. Where this draft differs from a future final version, the final version controls from its effective date forward.

§1

Effective date

This Privacy Policy is effective May 11, 2026 and supersedes the April 23, 2026 version (2.0).

Material changes are subject to the notification process in §14 Changes to this policy.

§2

Who we are

References to “Dunamis Studios,” “Dunamis,” “we,” “us,” or “our” mean Joshua Robert Bradford, an individual resident of the State of Florida, United States, doing business under the name Dunamis Studios. Upon completion of formation, the LLC named Dunamis Studios LLC, a Florida limited liability company, will assume this Privacy Policy and all associated commitments by operation of law and internal transfer.

Postal address and contact channels are listed in §13 Contact.

§3

What we collect, by surface

Different products and surfaces collect different data. This section enumerates every collection point.

Marketing site (dunamisstudios.com)

  • Vercel-default access logs (request IP truncated per §6, User-Agent, request path, status code, timing). 30-day retention.
  • No web analytics tools. No advertising or tracking pixels.
  • No cookies set by Dunamis Studios. Vercel may set a session cookie strictly to route requests to the correct edge region.

Atelier desktop app (local-only)

  • Nothing is transmitted from Atelier except the license-related calls below. Wedding data, vendor data, client PII, and business data never leave the customer’s machine.

Atelier license activation

  • License ID, device fingerprint hash, Atelier version, optional device label.
  • Request IP (truncated per §6) and User-Agent.

Atelier license heartbeat (once per day)

  • License ID, device fingerprint hash, Atelier version. Request IP truncated.
  • Payload is approximately 1 KB. No business data, no usage data.

Atelier crash reports

  • None. Atelier ships with no crash reporter, no telemetry, no analytics. If this ever changes, it will require an explicit opt-in surface in Settings.

Atelier auto-update check (opt-out)

  • Standard HTTP GET to github.com/Dunamis-Studios/atelier/releases/latest/download/latest.json. No payload beyond what every HTTP request carries (request IP, User-Agent). GitHub, not Dunamis Studios, sees and logs this request. Can be disabled in Atelier under Settings → Software Updates.

Dunamis Sync (opt-in only)

  • Off by default. When the customer activates Sync, Atelier exchanges client-encrypted opaque blobs with dunamisstudios.net/api/sync/* and sync.dunamisstudios.net. The encryption key lives in Windows Credential Manager and never crosses the network.
  • Detailed practices, including blob metadata, retention, and rotation, are documented separately when Dunamis Sync launches as a separately-sold product. Until then, Sync is not available to customers.

Stripe Checkout (license purchase, custom-build invoicing)

  • Stripe is the controller for payment data (card details, billing address). Dunamis Studios receives a Stripe customer ID, a payment intent reference, and the customer email used at checkout. Card numbers do not transit Dunamis-controlled infrastructure. See Stripe’s Privacy Policy.

Customer accounts on dunamisstudios.com

  • Email address, hashed password (bcrypt), name, optional company name.
  • Account creation IP (truncated per §6), account creation timestamp, last-login timestamp.
  • License history: every license ID associated with the account plus its issuance date, current status (active / refunded / revoked), and per-device activation records.
  • EULA acceptance history: a record of every EULA version accepted on this account.

HubSpot marketplace apps (Debrief, Property Pulse)

  • For Customer CRM data accessed by these apps, the customer organization is the controller and Dunamis Studios is a processor. See the Data Processing Addendum (linked from /legal/dpa) for the full processor terms.

§4

Why we collect each piece (GDPR lawful basis)

  • License validation and enforcement: Article 6(1)(b), performance of a contract. The license is the contract; validation is the performance.
  • Anti-abuse logging on activation and heartbeat endpoints: Article 6(1)(f), legitimate interests. Detecting and blocking license-key sharing, automated activation tooling, and endpoint scanning protects the perpetual-license commercial model and the operational availability of the licensing service. A Legitimate Interests Assessment is on file internally and is summarized in our public statements; data subjects may object via dsr@dunamisstudios.net.
  • Account creation and management: Article 6(1)(b), contract performance (customer-account contract enabling license management, EULA acceptance, refund handling, license-deactivation self-service).
  • EULA acceptance recording: Article 6(1)(c), legal obligation, plus 6(1)(b) contract performance. Acceptance records are the legal artifact establishing the contract.
  • Marketing emails (if any in the future): Article 6(1)(a), consent. No marketing email program is operating today; if one is introduced, opt-in is required and opt-out is one click.
  • Stripe-administered payment processing: Article 6(1)(b), performance of the sales contract. Stripe is a joint controller for payment data.

§5

What we explicitly DO NOT collect

  • Wedding data, vendor data, client PII, or any business data from inside Atelier.
  • Telemetry, analytics, or behavioral tracking inside Atelier. The binary has no such code paths.
  • Cross-site tracking cookies on the marketing site. No third-party trackers.
  • Advertising or marketing pixels of any kind.
  • Health data, financial account numbers, or government-issued identification.
  • Biometric identifiers.
  • Precise geolocation. (Coarse country-level inference from IP only, used for tax-routing during Stripe Checkout.)
  • Data about minors. Our products are not directed to children under 16.

§6

Device fingerprint composition

Your device is identified by a fingerprint generated from your computer’s hardware identifiers. We hash these locally on your machine before transmitting; the hash cannot be reversed to identify your computer’s components or to track you across other software. The hash is purpose-bound to license-slot enforcement and is not combined with any other dataset.

IP truncation. Request IPs received at any Dunamis-Studios-operated endpoint are truncated before persistence. IPv4 addresses are truncated to a /24 (the last octet replaced with zero); IPv6 addresses are truncated to a /48. Truncation occurs at ingest, prior to any log write.

§7

Data retention

  • License activation and heartbeat records: lifetime of the license plus seven (7) years for tax and audit. Contains license ID, hashed device fingerprints of activated devices, first-activation and last-heartbeat timestamps, and Atelier versions observed.
  • Truncated IPs in access and abuse-detection logs: 30 days, then automatically deleted by Redis TTL.
  • Customer account record: until deletion request, or 3 years after last login activity, whichever comes first.
  • EULA acceptance records: retained permanently. These are the legal artifact establishing the contract; deletion would void the contractual evidence record. Includes the verbatim rendered EULA text the customer accepted.
  • Stripe payment records: retained by Stripe per Stripe’s own policy and applicable payment-card-industry regulations.
  • Support correspondence: 3 years from the last message in the thread.

§7

Your rights under GDPR

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights:

  • Right to access: request a copy of the personal data we hold about you. Email dsr@dunamisstudios.net. 30-day response SLA.
  • Right to portability: receive your data in a machine-readable JSON format. Use the in-app Export feature inside Atelier for local business data; for account-level data including license history, EULA acceptances, and activation records, use the “Download my data” button on /account/atelier-licenses.
  • Right to rectification: correct inaccurate personal data. Email dsr@dunamisstudios.net.
  • Right to erasure: request deletion of your personal data. Email dsr@dunamisstudios.net. Some records (EULA acceptance, Stripe payment history) are retained under legal or contractual obligation and cannot be deleted on request; we will tell you which records are retained and why.
  • Right to object to processing: object to processing based on legitimate interests (most notably the anti-abuse logging described above). Email dsr@dunamisstudios.net.
  • Right to lodge a complaint with your local supervisory authority (e.g., your national Data Protection Authority).

§9

Your rights under CCPA / CPRA

Dunamis Studios currently operates below CCPA/CPRA’s revenue ($26,625,000), consumer (100,000 California residents), and data-sale (50% of revenue) thresholds, so the statute does not strictly apply. We voluntarily extend the substantive rights below to California residents.

  • Right to know what personal information we have collected, used, shared, or sold.
  • Right to delete personal information we have collected.
  • Right to opt out of sale or share for cross-context behavioral advertising. See Do Not Sell or Share My Personal Information. Dunamis Studios does not sell or share personal information for behavioral advertising and has no plans to.
  • Right to non-discrimination for exercising any CCPA right.

Exercise any of the above by emailing dsr@dunamisstudios.net. 45-day response under CCPA (we aim for 30).

§10

International transfers

Personal data we hold is stored on infrastructure operated by Vercel (United States) and Upstash Redis (United States region). For personal data originating in the European Economic Area, United Kingdom, or Switzerland, transfers to the United States are made under Standard Contractual Clauses (Module 2: Controller to Processor) executed with our processors. SCCs are available on request to privacy@dunamisstudios.net.

We do not transfer personal data to jurisdictions that have not received a European Commission adequacy decision, except under SCCs or another lawful transfer mechanism.

§11

Breach notification

  • GDPR: notification to the relevant supervisory authority within 72 hours of becoming aware of a personal-data breach. Affected data subjects notified without undue delay when the breach is likely to result in high risk to their rights and freedoms.
  • Florida §501.171: notification to affected Florida residents within 30 days of determining that a breach has occurred.
  • Customer contractual notification: 48 hours for enterprise customers under SOWs that include a notification clause; check your SOW.

§12

Cookies and similar technologies

The marketing site sets the following cookies and only these:

  • Vercel session cookie: set by the hosting platform to route requests to the correct edge region. Session lifetime. No tracking.
  • Stripe Checkout cookies (only when a customer enters a Stripe Checkout flow): set by Stripe’s payment form to prevent fraud and complete the transaction. Governed by Stripe’s privacy policy.

No analytics cookies (Dunamis Studios uses no web analytics). No marketing or advertising cookies. No third-party cookies set directly by Dunamis Studios.

§13

Contact

§14

Changes to this policy

We will provide thirty (30) days’ advance notice of any material change to this Privacy Policy. Notice is delivered via:

  • Email to all account holders at the address on file.
  • On-site banner on dunamisstudios.com for the duration of the notice period.

Non-material changes (typos, clarifications that do not change practices) are tracked in the version history but do not trigger the notification process.