This policy was last modified on 29th May 2018.
At Spitfire Audio, we are committed to maintaining the trust and confidence of visitors to our website, and users of our products and services. In particular, we want you to know that Spitfire Audio is not in the business of buying, selling, renting or trading email lists with other companies and businesses for marketing purposes.
You can contact us with data information requests by emailing James Bellamy on firstname.lastname@example.org, or alternatively get in touch via our support page, who can pass on your request to the right person.
We are a data controller as defined by the GDPR ("A controller determines the purposes and means of processing personal data"). We are registered with the UK Information Commissioner's Office (https://ico.org.uk/) with registration number ZA170164.
We have our own customer database which is stored on servers inside the EU (Ireland), and is never transferred, duplicated or backed up outside of the EU. Stringent measures are in place to prevent unauthorised access to this database, including IP locking and strong "need to know basis" access policies.
Our customer experience and finance teams, via the administration section of our website, have access to all customer details including name, postal address, email address, order history, transactions and stored wish list items. Only the head of department can access the raw underlying data.
Our web development teams, both our internal team and the one employed by our third party provider, work with an anonymised copy of the live database (the same underlying data, but with all references to identifiable personal information scrambled, including names, email addresses, postal addresses and phone numbers).
Access keys for our various third party services are stored securely external to the code to which developers have access.
Our home page contains a form you can use to sign up to our mailing list (sometimes known as our newsletter). In using it you'll be opting in to receiving all 3 categories of emails we send (explained below), however you can update your preferences at any time using this link (which will also be included in every email we send you). You can unsubscribe altogether in the same place.
After you've given us your email using this form, we'll send you a confirmation email, and you'll need to click the confirm button to affirm that you opt in and that the email address you used is valid.
At this point we'll ask you for your name, but giving it to us is optional. The single piece of mandatory information we need from you in order to subscribe you is a valid email address.
You can also opt to join our mailing list during the process of creating an account. You will be opted into all 3 categories above if you opt in, but you can update your preferences at any time (using this form).
Apart from your email address and (optionally) your name, Mailchimp also tracks your interactions with our campaigns (opens, clicks) as well as detecting if the email is marked as spam or doesn't get delivered (bounces). They also track whether or not you have unsubscribed.
Every message we send from this platform has an unsubscribe button, and the option to update your mailing preferences.
Additionally, we send some promotional email campaigns via our own website, usually where the message relies on us knowing more information about you. Examples of this include our wish list campaign emails (for which we need to know which products are in your wish list) or "affiliation" messages (e.g. to let Spitfire Symphonic Strings owners know that we have released an Expansion Pack).
We keep your preferences in our own database and your preferences on Mailchimp in sync (whichever of the two you choose to edit).
One caveat you should note is that if you change your email address directly using Mailchimp's supplied form, and don't make the same adjustment on your Spitfire account, we will be unable to maintain sync between both sets of preferences, and you may receive emails you don't expect.
We'll keep you on our mailing list until you unsubscribe so long as you occasionally open our messages.
Once a year we'll remove people from our list who have not opened any of our emails in the previous 12 months.
Where we have not obtained explicit consent from our customers for sending of marketing messages, we may still use the legitimate interests legal basis to send direct messages. We've conducted a comprehensive legitimate interests assessment to justify this which you can read here.
Certain activities you might perform on our website require you to have a Spitfire Audio account. These include:
When you create an account, we ask for your first and last names, your email address and a password, and also ask whether you'd like to opt in to our mailing list (MORE ABOVE).
Your password is stored as a hash produced by an industry standard password hashing mechanism, which isn't reversible, so nobody, including us, can find out what your password is in plain text. We encourage our customers to use difficult-to-guess passwords or passphrases, and to use a password manager to discourage password sharing between websites (we use LastPass at Spitfire).
Known under the GDPR as a "Subject Data Access Request," you can request that we supply you with all the data we hold on you at any time. To make this easy for you, we have created a page in your account area here: http://www.spitfireaudio.com/my-account/my-information/. A print optimised version is available on the same page.
We will retain your Spitfire Audio account indefinitely unless you ask us to delete it (which you can do by submitting a support ticket).
If you have ever bought anything from us we are required by law to retain financial records for at least 6 years, so we will not be able to completely remove you if you have made any orders more recently than this (see OUR SHOP section below).
If you buy something from us, we will ask for some additional information from you in order to process your payment, deliver you your purchases and continue to support them in future. This is to enable us to fulfill our contractual obligation to you which begins at the point of sale.
We ask for your name, email address, company name (if applicable), your registered card billing address, your delivery address (only if you ordered a hard drive), your phone number (which we use as part of our fraud checking process), your credit card number (unless you use Paypal), expiry date and CVS code ("the last 3 digits on the back of the card").
Our Payment Service Provider is Sage Pay (formerly Protx) – the largest independent payment service provider (PSP) in the UK and Ireland.
Sage Pay provides a secure payment gateway (Level 1 PCI DSS), processing payments for thousands of online businesses, including ours. It is Sage Pay’s utmost priority to ensure that transaction data is handled in a safe and secure way.
Sage Pay uses a range of secure methods such as fraud screening, IP address blocking and 3D secure. Once on the Sage Pay systems, all sensitive data is secured using the same internationally recognised 256-bit encryption standards.
Sage Pay is PCI DSS (Payment Card Industry Data Security Standard) compliant to the highest level and maintains regular security audits. They are also regularly audited by the banks and banking authorities to ensure that their systems are impenetrable.
Sage Pay is an active member of the PCI Security Standards Council (PCI SSC) that defines card industry global regulation.
All data transfer between our server and Sage Pay is over HTTPS, which means it is encrypted in transit and can only be decrypted by the intended recipient.
Sage Pay retain your card information in order that we can refund all or part of your transaction in future, but we only have access to the last 4 digits, card name and CVS code.
We don't make use of any kind of token which would enable us to take another payment in future on the same card (even if you asked us to).
After a payment is successful, Sage Pay provide us with an automated fraud score which, combined with other measures of our own, we use to make an automated decision to either process the order immediately or hold it for investigation by one of our customer experience team.
After a successful transaction, we have access to the billing address, name and email address of the Paypal account which was used to make the transaction, which we recognise may not be the same as the Spitfire Audio account holder. We don't make use of this information for anything. We use the transaction references for accounting purposes.
Access to our Sage Pay and Paypal data is restricted to our customer experience and finance teams (both of whom legitimately need it to be able to carry out their jobs). The heads of our web and operations teams (including at our external partners Switchplane) also have access in order to be able to manage the integration with our site, and act as tier 3 level support in case of unusually problematic transactions. The Customer Experience team has access to Paypal principally so that they can request and confirm manual payments.
| When | What? | Legal basis |
| --- | --- | --- |
| Order confirmation | Confirms that we have received your order and the amount you spent. Includes a link to your invoice. | Contractual obligation - we need to confirm your order has been successful |
| Purchase is ready | After fraud checking has finished and your order has been fully processed, we'll send this message to let you know it is ready to be downloaded. This email also contains your serial number(s), if applicable. | Contractual obligation - this is part of us delivering the product to you |
| Hard drive in progress | If you've ordered a hard drive, we'll send you a quick email to let you know we've started to build it. | Legitimate interests - we think it polite and reasonable to let you know your order is in progress |
| Hard drive dispatched | When your hard drive is shipped we'll let you know, and give you a shipping tracking reference. | Legitimate interests - we think it is reasonable for us to let you know that your order is on its way |
| Product updates | We typically offer free updates to products during their lifetime. This message is to let you know when one is available for something you own. | Legitimate interests - we think you'll want to know that there have been improvements to a product you own. This is part of our ongoing commitment to our customers. |
Our Spitfire Application software requires you to have an account on our website. Logging into your account via the app allows it to know which products you own. All communication with our server is transferred over HTTPS.
During the install process we log information about the progress of your download and install, including your operating system and IP address. We do this so that our customer experience team can diagnose problems more effectively if something goes wrong, as well as for the purpose of recognising and preventing unusual download activity (for example, a single purchase being downloaded simultaneously in several different countries may indicate piracy). This data may also be used statistically to help us improve the quality, reliability and speed of our download service.
We typically offer free updates to our products during their lifetime, either to fix bugs or to add new features. In order for us to be able to send these to you, we must retain your account email address and your order history. If you'd like to opt out of future updates, you can (by contacting support), though since installing an update is entirely optional and older versions of our products may conceivably stop working, we'd recommend that you don't.
Our Kontakt and Kontakt Player libraries are watermarked to help protect us against software piracy. Watermarks are encoded on our server in advance, and allocated to individuals by our automated order processor when they buy. They contain no personally identifiable data in themselves, though we can work out who a watermarked file belongs to if we need to by referring to our allocation records.
Our standalone plugins (e.g. BT Phobos, Hans Zimmer Strings) are encrypted for use only on your individual computer(s). To achieve this our Spitfire Application software reads certain bits of system information from your machine then uses it to generate a key which is unique to your machine. Only this key is sent back to our server where it is used to encrypt some of the files we send you. No personally identifiable information is used at any time during this process.
None of our products besides our Spitfire Application (installer software, details above) communicates with our servers in any way, either for statistical purposes, or to pass usage or personal data of any kind.
At Spitfire we want happy customers. To help us to help you, we will often need to know a little bit about you.
We use US-based company Zendesk (https://www.zendesk.co.uk/) as our customer support ticketing system and to provide live chat customer service. You can find full details of their comprehensive compliance with data protection regulations here:
Your data may be stored on servers outside of the EU, but Zendesk are a certified member of the EU-US Privacy Shield Scheme (see item 13 in their data protection policy) as well as the US-Swiss Safe Harbor scheme which demonstrates that they process data to a GDPR-compliant standard.
If you choose to get in touch with our support team via our live chat service we'll ask you for your name and email address; however, if you choose not to tell us, you can still talk to us, and the chat will only be retained in Zendesk against an anonymous visitor number. Note that the nature of some enquiries may mean we have to insist on you telling us your account or other sensitive personal details during the chat in order to be able to fulfill your requirements.
If you do give us an email address and subsequently create an account at spitfireaudio.com using the same email address, the chat you initiated before you had an account will be attached to the account you subsequently create.
When you start a chat your browser will report to Zendesk your IP address, which browser (and version) you're using, which operating system you're using, your approximate location (City & Country) and the URL of the page you're looking at at the point the chat begins.
If you call us, we will collect your caller ID (i.e. phone number) if available, and store a recording of the call against this phone number. During the call we will ask for your name and account details (if applicable), and will add all this information into your account. If you call us from the same number at a later date, we can retrieve this account information the next time you call.
If you block the sending of your caller ID, and don't tell us who you are during the call, only the recording will be saved against an anonymous ID number.
In order to be able to create a support ticket in our system, we ask you to log in to your Spitfire Audio account. We can then log you into Zendesk using a process called Single Sign On. With this, we confirm to Zendesk that you have a valid account with us via a secure exchange of tokenised data. There's no need for you to have a separate password to access Zendesk. They don't have any record of your Spitfire Audio password, even in encrypted form.
You can see all your own activity on Zendesk at the following URL (you will be redirected to the spitfireaudio.com website to log in first if necessary):
In the process of servicing your request, we may ask for additional personal or financial information or details of your order history or your hardware and software, and all such information will be retained with the ticket for future reference.
All knowledgebase articles we publish allow customers to comment. You must be logged into your account to do this. There is also a community section where you can chat to other Spitfire customers and Spitfire Customer Experience Advocates.
Your comments will be visible to anyone on the internet, and we will publish your account name alongside your comment. You can delete your own comments at any time.
You can see all your own comments by clicking here:
We retain all customer service tickets indefinitely. This is to ensure that we have a full case history of any problems you may have experienced in the past, and can refer back to these when necessary. We are happy to delete your full Zendesk history upon request. Please create a support ticket and ask.
We offer educational discounts to students & teachers in schools, colleges and universities. To qualify for this, we ask you to create an account, and submit documented proof that you are a student or teacher. This may be in the form of a college ID card, a payslip, a bank statement or a letter from the institution, and will often contain personally identifiable information, and / or a photograph of you.
We further recognise that by the nature of the scheme, it is possible that we will be collecting information about people who are under the age of 18. Consequently, we are careful to restrict access to these documents to just the customer experience team who process them.
We retain the documents for 30 days from the date we process the request, after which they are automatically deleted. This is sufficient to help us deal with any enquiries which may arise during purchase in most cases. In rare cases, we may ask you to re-submit your documents if your enquiry falls outside of the 30 day period.
| When | What? | Legal basis |
| --- | --- | --- |
| Educational discount application was successful | If you apply for an educational discount, we'll send you a message confirming that you have been approved and offering you the appropriate discount codes. | Consent - by applying for this discount scheme, you agree that we'll have to communicate the outcome to you. |
| Educational discount application was not successful | If you are not approved for an educational discount for any reason, we'll let you know in an email. | Consent - by applying for this discount scheme, you agree that we'll have to communicate the outcome to you. |
| Educational discount application follow up message | If you are not approved for an educational discount, we may follow up with you in a personal email to ask for further details. You can choose not to engage with this message if you wish. | Legitimate interests - by applying for the scheme we take that to mean that you'd like us to do all we can to help you secure your discount. |
We use a few different technologies to track behaviour on our site.
When someone visits spitfireaudio.com we use a third party service, Google Analytics, to collect standard internet log information (e.g. geographical location, OS and browser information, and details of visitor behaviour patterns). We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website.
Besides members of our own internal marketing team, the other third parties who have access to Google Analytics information are:
When someone visits spitfireaudio.com we use a third party service, Facebook Pixel, to collect standard internet log information and details of visitor behaviour (e.g. which pages they visit, whether they add something to their cart or their wish list). We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make any attempt to find out the identities of those visiting our website.
We consider a data breach to be one or more of the following:
If we discover or are notified of any of the above:
After investigating the breach, we will determine whether it is necessary to report it to the Information Commissioner's Office (ICO), and if so, will do so within a maximum of 72 hours of becoming aware of the breach, if possible.
Every incident will be assessed on a case by case basis. The following will be considered:
Individuals whose personal data has been affected by the incident will be informed without undue delay where the breach is considered likely to result in a high risk of adversely affecting their rights and freedoms. Notification will include a description of how and when the breach occurred and the data involved. Specific and clear advice will be given on what they can do to protect themselves, and will include what action has already been taken to mitigate the risks. Individuals will also be provided with a way in which they can contact us for further information or to ask questions on what has occurred.
We will consider notifying third parties such as the police, insurers, banks or credit card companies. This would be appropriate where illegal activity is known or is believed to have occurred, or where there is a risk that illegal activity might occur in the future.
We will consider whether our marketing team should be informed regarding a press release and to be ready to handle any incoming press enquiries.
An internal record will be kept of any personal data breach, regardless of whether notification was required.
Once the initial incident is contained, we will carry out a full review of the causes of the breach, the effectiveness of the response(s) and whether any changes to systems, policies and procedures should be undertaken.
Existing controls will be reviewed to determine their adequacy, and whether any corrective action should be taken to minimise the risk of similar incidents occurring.
The review will consider:
If deemed necessary, a report recommending any changes to systems, policies and procedures will be considered by the Spitfire Audio board.