Legal
Privacy Policy
1. Most of your data never reaches us
The Gustalabs apps are local-first. Your songs, samples, recordings, 3D models, and preferences live in your own browser's storage on your own device unless you explicitly save a project to the cloud. We run no ads, no analytics, and no trackers, and the sites set no cookies. What follows is only about the data we actually store when you use a Gusta account.
2. What we store, why, and for how long
- Account: your email address, a salted hash of your password (never the password itself), and whether the address is verified. We send one transactional email at signup with the verification link, nothing else. Basis: contract. Kept until you delete the account.
- Purchases and token ledger: what you bought and what the AI consumed. Card details go directly to Stripe; we never see them. Basis: contract and bookkeeping law. Accounting records are kept as Swedish law requires (7 years), pseudonymized after account deletion.
- Cloud saves: projects you choose to save to the cloud. Basis: contract. Kept until you delete them or the account.
- AI requests: the prompts sent to the assistant are logged for 30 days for abuse detection and support, then swept automatically. Basis: legitimate interest.
- Support and feedback: messages you send through the in-app feedback circle. Basis: contract. Kept until account deletion.
3. Who processes it
Three processors, no one else: Amazon Web Services hosts everything in Stockholm; Stripe processes payments; Anthropic runs the AI models that answer assistant requests, which can involve processing outside the EEA under the EU standard safeguards. We never sell or share data for advertising.
4. Your rights, self-service
Both rights that matter most are buttons in the account menu of every app, no support ticket needed:
- Download my data: a JSON export of everything we hold about you: account record, ledger, cloud saves, and feedback threads.
- Delete my account: permanently removes your account, sessions, cloud saves, and feedback, and severs stored AI logs from your identity. Bookkeeping records are kept in pseudonymized form as the law requires.
You also have the rights to rectification, restriction, and objection under the GDPR, and you can complain to the Swedish Authority for Privacy Protection (IMY, imy.se) or your local supervisory authority. For anything else, use the in-app support channel or email support@gustalabs.com; both land in the same support queue, kept until account deletion.
5. Security
Everything is served over TLS. Passwords are stored hashed, access tokens are opaque and revocable, the apps enforce a strict content security policy, and production access is limited to the operator. If a breach ever affects your data, we will tell you and the authority as the GDPR requires.
6. Changes
If this policy changes materially, we will show a notice in the apps before the change takes effect. The version and date at the top always tell you what you are reading.