Privacy Policy

Last updated: March 2026

1. Introduction

This Privacy Policy explains how Javier Belzunce, operating as dBaton ("dBaton", "we", "us", "our"), collects, uses, stores, and protects your personal data when you use the dBaton Cue plugin and related services (the "Service").

dBaton is the data controller for the purposes of the EU General Data Protection Regulation (GDPR) and the Spanish Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD).

Contact: Javier Belzunce — support@dbaton.com

2. What data we collect

2.1 License activation data. When you activate a license, we store:

• Your license serial number;
• A machine identifier (a unique ID generated locally by the plugin — it is not your computer's serial number or MAC address);
• A machine name (the name of your computer as reported by the operating system);
• The date and time of activation.

This data is stored in Cloudflare KV (a key-value store hosted by Cloudflare, Inc.) and is used solely for enforcing the two-machine activation limit described in our Terms of Service.

2.2 Session signaling data. When you start a streaming session, the Service temporarily stores:

• A session identifier (a randomly generated UUID);
• WebRTC connection metadata (SDP offers/answers, ICE candidates) — this is technical data required to establish the audio connection;
• The IP address of the session creator (used for rate limiting).

This data is ephemeral. It exists only for the duration of the session and is automatically deleted by Cloudflare KV's expiration mechanism. Session data is not used for any purpose other than establishing the audio connection.

2.3 Audio content. We do not collect, access, store, record, monitor, or process any audio content. Audio is transmitted directly between the plugin on your computer and the listener's web browser using encrypted WebRTC peer-to-peer connections. Audio data does not pass through dBaton's servers at any point. When a direct connection cannot be established and a TURN relay is used, the audio passes through the relay server in encrypted form — the relay cannot decrypt or access the audio content.

2.4 Payment data. We do not collect or store any payment information. All payment processing is handled by Paddle.com Market Ltd ("Paddle"), our merchant of record. When you make a purchase, Paddle collects and processes your payment details, billing address, and email address in accordance with Paddle's Privacy Policy. Paddle shares with us only your email address, the transaction identifier, and the product purchased — we do not receive or store credit card numbers, bank account details, or other financial information.

2.5 Browser listener data. When someone opens a listener link in their browser, we collect no personal data from the listener. The listener does not need to create an account, provide an email, or identify themselves in any way. The only data stored is a randomly generated listener UUID that exists for the duration of the session.

2.6 Website analytics. We may use privacy-respecting analytics on our website to understand aggregate traffic patterns (pages visited, referral sources, country). We do not use Google Analytics. If analytics are enabled, they operate without cookies and do not collect personally identifiable information.

2.7 Support communications. If you contact us at support@dbaton.com, we store the content of your communication and your email address for the purpose of providing support. This data is retained for as long as reasonably necessary to resolve your issue and for our records.

3. Legal basis for processing

Under the GDPR, we process your personal data on the following legal bases:

• Contract performance (Article 6(1)(b)): License activation data and session signaling data are necessary to provide the Service you purchased.
• Legitimate interest (Article 6(1)(f)): IP addresses for rate limiting and abuse prevention; aggregate analytics for improving the Service.
• Legal obligation (Article 6(1)(c)): Retaining transaction records as required by Spanish tax law.

4. How we use your data

We use the data we collect exclusively for the following purposes:

• To enforce license terms (activation limits, license validity);
• To establish and maintain WebRTC audio connections;
• To prevent abuse of our infrastructure (rate limiting);
• To provide customer support;
• To comply with legal obligations.

We do not use your data for advertising, profiling, automated decision-making, or any purpose other than those listed above. We do not sell, rent, or share your personal data with third parties for their own purposes.

5. Data sharing

We share data only with the following third-party service providers, each of which processes data on our behalf or as an independent controller:

• Cloudflare, Inc. (USA) — Hosts our signaling infrastructure (Cloudflare Workers) and stores license activation data (Cloudflare KV). Cloudflare processes data under its Privacy Policy and is certified under the EU-US Data Privacy Framework.
• Paddle.com Market Ltd (UK) — Processes payments as merchant of record. Paddle acts as an independent data controller for payment data. See Paddle's Privacy Policy.
• TURN relay provider — When relay connections are necessary, a third-party TURN server routes encrypted audio. The relay provider does not have access to the content of the audio stream and processes only connection metadata (IP addresses) for the duration of the session.

We do not share your data with any other third parties.

6. International data transfers

Some of our service providers (Cloudflare) are based in the United States. Data transfers to the US are protected by the EU-US Data Privacy Framework, Standard Contractual Clauses, or other appropriate safeguards as required by the GDPR.

7. Data retention

• License activation data: Retained for as long as your license is active. Upon deactivation or license termination, activation data is deleted within 30 days.
• Session signaling data: Automatically expires from Cloudflare KV within 30 days. Active session data is typically deleted within minutes of a session ending.
• IP addresses (rate limiting): Stored for no longer than 60 seconds.
• Support communications: Retained for up to 3 years for our records, or longer if required by law.
• Transaction records: Retained for the period required by Spanish tax law (currently 4 years from the end of the fiscal year).

8. Your rights

Under the GDPR and LOPDGDD, you have the following rights:

• Right of access: You may request a copy of all personal data we hold about you.
• Right to rectification: You may request correction of inaccurate personal data.
• Right to erasure: You may request deletion of your personal data, subject to our legal obligations to retain certain records.
• Right to restriction: You may request that we restrict the processing of your data in certain circumstances.
• Right to data portability: You may request your data in a structured, commonly used, machine-readable format.
• Right to object: You may object to processing based on legitimate interests.

To exercise any of these rights, contact us at support@dbaton.com. We will respond within 30 days as required by law. If you are not satisfied with our response, you may lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos, www.aepd.es) or the supervisory authority in your country of residence.

9. Cookies

The dBaton Cue website and browser listener interface do not use tracking cookies. We do not use cookies for advertising, analytics, or profiling.

If we introduce cookies in the future (for example, for session management), we will update this policy and provide appropriate notice and consent mechanisms as required by applicable law.

10. Children's privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16 without appropriate parental consent, we will take steps to delete that data.

11. Security

We take appropriate technical and organisational measures to protect your personal data, including:

• All data in transit is encrypted using TLS/HTTPS;
• Audio streams are encrypted end-to-end using DTLS (Datagram Transport Layer Security);
• Access to infrastructure is protected by authentication;
• License data is stored in Cloudflare's globally distributed, encrypted infrastructure.

No system is perfectly secure. While we take reasonable precautions, we cannot guarantee absolute security.

12. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated via our website and, where possible, via email. The "Last updated" date at the top indicates when the policy was last revised.

13. Contact

For any questions about this Privacy Policy or your personal data, contact:

dBaton — Javier Belzunce
Email: support@dbaton.com
Website: https://dbaton.com