Privacy Policy
Last updated: March 18, 2026
This Privacy Policy describes how Carrier-Nation LLC, a Texas limited liability company ("we," "us," or "our"), collects, uses, stores, and protects your personal information when you use the Sappar Studio software and the sapparstudio.com website (collectively, the "Service"). It also describes the rights you have with respect to your personal information and how to exercise them.
By creating an account or using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, do not use the Service.
1. Who We Are
Carrier-Nation LLC is the data controller responsible for your personal information collected through the Service. This means we determine the purposes and means of processing your data.
For privacy-related questions, requests, or legal notices, contact us at:
legal@sapparstudio.com — privacy requests, data rights, legal notices
support@sapparstudio.com — general account and support questions
2. Information We Collect
We collect only the minimum information necessary to provide the Service.
Account Information
When you create an account, we collect your email address and a securely hashed password. Passwords are never stored in plain text and are hashed using industry-standard cryptographic methods before storage. We may also collect a display name if you provide one.
License and Activation Data
When you activate a beta or paid license, we store a hashed device identifier to bind the license to your device. This is a one-way hash and cannot be used to identify your hardware specifications, manufacturer, or other device details. We do not collect your IP address for license binding purposes.
Payment Information
All payments are processed by Stripe, Inc. We do not collect, store, or transmit your credit card number, CVV, bank account details, or other full payment credentials. Stripe receives your payment information directly and handles it under their own privacy policy available at stripe.com/privacy. We retain only the transaction confirmation, amount, date, and a tokenized reference provided by Stripe for billing records.
Usage and Analytics Data
We may collect anonymized, aggregated data about how the software is used, such as which features are accessed and how frequently. This data is processed in a manner that cannot be linked back to you individually. We may also collect crash reports to diagnose and fix software bugs. Crash reports do not contain the contents of your documents.
Log Data
When you interact with the sapparstudio.com website, our servers may automatically record standard log data including your IP address, browser type, browser version, the pages you visit, the time and date of your visit, and the time spent on each page. This data is used for security monitoring, abuse prevention, and aggregate traffic analysis. Log data is retained for a maximum of 90 days and is not linked to your account unless required for security investigation.
Communications
If you contact us by email or through a feedback form, we retain the content of that communication and your contact details in order to respond to you and improve the Service.
Beta Program Data
If you are a beta participant, we may collect additional information relevant to the beta program, including your responses to surveys, feedback submissions, and feature usage patterns specific to features under active testing. This data is used solely to improve the software.
3. Information We Do Not Collect
We want to be explicit about what we do not collect:
- The contents of your documents, manuscripts, or exported files
- Your browsing history outside of sapparstudio.com
- Your hardware specifications beyond the hashed device identifier used for license binding
- Advertising identifiers or cross-site tracking data
- Your precise location
Sappar Studio is a local-first application. Your .sapr project files are stored on your device. We do not upload, access, sync, or analyze the content of any file you create or export using the software.
4. How We Use Your Information
We use the information we collect for the following purposes:
- To create and manage your account and provide access to the Service
- To validate and enforce license activations and device limits
- To process purchases and deliver license keys
- To send transactional emails including account confirmations, password resets, billing receipts, and license delivery
- To send product update and marketing communications, where you have consented or where permitted by applicable law, with the ability to opt out at any time
- To respond to your support requests and communications
- To diagnose software bugs and improve the Service based on anonymized usage data
- To detect, investigate, and prevent fraudulent or unauthorized activity
- To comply with applicable legal obligations
We do not sell, rent, trade, or share your personal information with third parties for their own marketing purposes.
5. Legal Basis for Processing (EU/EEA Users)
If you are located in the European Union or European Economic Area, we process your personal information on the following legal bases under the General Data Protection Regulation (GDPR):
- Contract performance: Processing your account information, license data, and payment records is necessary to provide the Service you have requested
- Legitimate interests: Processing anonymized usage data, log data, and crash reports to improve and secure the Service, where these interests are not overridden by your rights
- Legal obligation: Retaining certain records as required by applicable law
- Consent: Sending marketing and promotional communications, where we rely on your consent which you may withdraw at any time
6. Third-Party Service Providers
We use a limited number of trusted third-party service providers to operate the Service. These providers receive only the minimum personal data necessary to perform their function and are contractually obligated to protect your data and use it only for the purposes we specify.
Stripe — payment processing. Stripe receives your payment details directly and handles them under their own privacy policy. We do not transmit your full payment credentials to Stripe — they are entered directly into Stripe's secure infrastructure. See stripe.com/privacy.
Supabase — database infrastructure, user authentication, and file storage. Supabase stores your account information, license records, and any files you upload through the Service (such as screenshots submitted for the Earn Your Upgrade promotion). Supabase operates under its own privacy policy at supabase.com/privacy.
Transactional email provider — we use a third-party email delivery service to send transactional and marketing emails. This provider receives your email address solely for the purpose of delivering emails on our behalf.
We do not use advertising networks, data brokers, or social media tracking pixels on our website or in our software.
7. Your Documents and Local Data
Sappar Studio is designed as a local-first application. All documents you create are stored in the .sapr file format on your local device. We do not upload, sync, back up, or transmit the contents of your documents to our servers or any third party.
Files you explicitly submit through the Service — such as screenshots uploaded as part of the Earn Your Upgrade promotion — are stored on our infrastructure solely for the stated purpose and are accessible only to authorized Sappar staff for review.
8. Cookies and Tracking
We use cookies and similar technologies only to the extent necessary to operate the Service.
Essential cookies: We use session cookies to maintain your authenticated state on sapparstudio.com. These are necessary for the website to function and cannot be disabled without preventing login.
Analytics: We do not use Google Analytics, Meta Pixel, or any third-party behavioral analytics or advertising tracking on our website or in our software.
Do Not Track: We respect Do Not Track ("DNT") signals. When we detect a DNT signal from your browser, we do not use cookies or tracking technologies beyond what is strictly necessary for authentication.
We do not use advertising cookies, retargeting pixels, cross-site tracking scripts, or any cookies for purposes beyond authentication and essential site functionality.
9. Data Storage and Security
Your personal data is stored on secure cloud infrastructure provided by Supabase, with encryption at rest and in transit using industry-standard protocols (AES-256 at rest, TLS 1.2+ in transit).
We enforce strict access controls ensuring that users can only access their own data. Access to production data by Sappar staff is logged, restricted to authorized personnel, and limited to what is necessary for support and operations.
Sensitive credentials including passwords and license signatures are stored using one-way cryptographic hashing and are never accessible in plain text by any party.
While we implement commercially reasonable security measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security and encourage you to use a strong, unique password for your account.
10. Data Breach Notification
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users without undue delay and in accordance with applicable law. Where required by law, we will also notify the relevant supervisory authority. Notifications will be sent to the email address associated with your account.
11. International Data Transfers
Carrier-Nation LLC is based in the United States. If you are located outside the United States, your personal information will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction.
For users in the European Union or European Economic Area, we rely on Standard Contractual Clauses approved by the European Commission as the lawful mechanism for transferring your personal data to the United States. For questions about international data transfers, contact us at legal@sapparstudio.com.
12. Data Retention
We retain your personal information for as long as your account remains active or as necessary to provide the Service.
Specifically:
- Account data (email, hashed password, license records): retained for the duration of your account. Deleted within 30 days of account closure
- Payment records: retained for 7 years as required for financial and tax compliance, even after account closure
- Log data: retained for a maximum of 90 days
- Anonymized usage data: may be retained indefinitely as it cannot be linked to you
- Support communications: retained for 3 years from the date of last contact
- Backup copies: account data deleted from active systems will be purged from backup copies within 90 days of the deletion completing in our active database
After your account is deleted, we may retain data where we have a legal obligation to do so, where it is necessary for the establishment, exercise, or defense of legal claims, or where it has been fully anonymized.
13. Your Privacy Rights
Depending on your location, you may have the following rights with respect to your personal information:
Right to Access: You may request a copy of the personal data we hold about you.
Right to Rectification: You may request that we correct any inaccurate or incomplete personal data.
Right to Erasure: You may request that we delete your personal data. We will honor this request subject to any legal obligations requiring us to retain certain data.
Right to Data Portability: You may request that we provide your personal data in a structured, machine-readable format.
Right to Restrict Processing: You may request that we restrict the processing of your personal data in certain circumstances.
Right to Object: You may object to our processing of your personal data where we rely on legitimate interests as the legal basis, including objecting to receiving marketing communications.
Right to Withdraw Consent: Where we rely on your consent to process your personal data, you may withdraw that consent at any time without affecting the lawfulness of processing prior to withdrawal.
Right to Lodge a Complaint: If you are located in the EU/EEA, you have the right to lodge a complaint with your local data protection supervisory authority.
To exercise any of these rights, contact us at legal@sapparstudio.com. We will respond to your request within 30 days. We may need to verify your identity before processing your request.
14. California Privacy Rights (CCPA)
If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
Right to Know: You have the right to request that we disclose what personal information we collect, use, disclose, and sell about you.
Right to Delete: You have the right to request that we delete personal information we have collected from you, subject to certain exceptions.
Right to Correct: You have the right to request that we correct inaccurate personal information we maintain about you.
Right to Opt Out of Sale or Sharing: We do not sell or share your personal information with third parties for cross-context behavioral advertising. You do not need to opt out as we do not engage in this activity.
Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
To exercise your California privacy rights, contact us at legal@sapparstudio.com. You may also designate an authorized agent to make a request on your behalf, provided we can verify the agent's authority.
15. Children's Privacy
The Service is not directed to children under the age of 13, or under the age of 16 for users in the European Union or European Economic Area. We do not knowingly collect personal information from children below these age thresholds.
If you are a parent or guardian and believe that your child has provided us with personal information without your consent, contact us immediately at legal@sapparstudio.com and we will take steps to delete the information and close the account promptly.
16. Marketing Communications
We may send you promotional emails about new features, special offers, and other news related to the Service where you have consented or where permitted by applicable law.
You may opt out of marketing communications at any time by:
- Clicking the "unsubscribe" link in any marketing email we send
- Contacting us at support@sapparstudio.com
Opting out of marketing communications will not affect your receipt of transactional emails that are necessary for the operation of your account, such as license key delivery, billing receipts, and password resets.
17. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify registered users via email at least 14 days before the changes take effect, where reasonably practicable. The "Last updated" date at the top of this page reflects the most recent revision.
Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree to the updated policy, you must stop using the Service and may request deletion of your account.
18. Contact
For privacy-related questions, data rights requests, or legal notices:
Carrier-Nation LLC
legal@sapparstudio.com — privacy requests, data rights, legal notices
support@sapparstudio.com — general account and support questions
sapparstudio.com