This policy was last modified on 16th Feb 2022
At Spitfire Audio, we are committed to maintaining the trust and confidence of visitors to our website, and users of our products and services. In particular, we want you to know that Spitfire Audio is not in the business of buying, selling, renting or trading email lists with other companies and businesses for marketing purposes.
You can contact us with data information requests by emailing James Bellamy on email@example.com, or alternatively get in touch via our support page, who can pass on your request to the right person.
What are cookies?
Cookies are essential for the effective operation of our websites and to help you shop with us online. They are also used to tailor the products and services offered and advertised to you, both on our websites and elsewhere.
How are cookies managed?
The cookies stored on your computer or other device when you access our websites are designed by:
- Spitfire Audio, or on behalf of Spitfire Audio, and are necessary to enable you to make purchases on our website.
- Third parties who collect analytical data (namely Google Analytics, Facebook Pixel and Zendesk).
What are cookies used for?
The main purposes for which cookies are used are:
- For technical purposes essential to effective operation of our website, particularly in relation to online transactions and site navigation.
- To enable Spitfire Audio to collect information about your browsing and shopping patterns, including to monitor the success of campaigns, competitions etc.
How do I disable cookies?
If you want to disable cookies you need to change your website browser settings to reject cookies. How you can do this will depend on the browser you use. Further details on how to disable cookies for the most popular browsers are set out below:
- For Microsoft Internet Explorer
- For Google Chrome
- For Safari
- For Mozilla Firefox
- For Opera
- For Safari on iPhone
- For Chrome on iPhone
- For Android Browser
What happens if I disable cookies?
This depends on which cookies you disable, but in general the website will not operate properly if cookies are switched off. If you only disable third party cookies, you will not be prevented from making purchases on our sites. If you disable all cookies, you will be unable to complete a purchase on our site, some buttons will become inactive, and some navigation functionality will be lost.
Our customer database
We are a data controller as defined by the GDPR ("A controller determines the purposes and means of processing personal data"). We are registered with the UK Information Commissioner's Office (https://ico.org.uk/) with registration number ZA170164.
We have our own customer database which is stored on servers inside the EU (Ireland), and is never transferred, duplicated or backed up outside of the EU. Stringent measures are in place to prevent unauthorised access to this database, including IP locking and strong "need to know basis" access policies.
Who has access?
Our customer experience and finance teams, via the administration section of our website, have access to all customer details including name, postal address, email address, order history, transactions and stored wish list items. Only the head of department can access the raw underlying data.
Our web development teams, both internal and those employed by our third party provider, work with an anonymised copy of the live database (the same underlying data, but with all references to identifiable personal information scrambled, including names, email addresses, postal addresses and phone numbers).
Access keys for our various third party services are stored securely external to the code to which developers have access.
Signing up for our mailing list
Our home page contains a form you can use to sign up to our mailing list (sometimes known as our newsletter). In using it you'll be opting in to receiving all 3 categories of emails we send (explained below), however you can update your preferences at any time using this link (which will also be included in every email we send you). You can unsubscribe altogether in the same place.
After you've given us your email using this form, we'll send you a confirmation email, and you'll need to click the confirm button to affirm that you opt in and that the email address you used is valid.
At this point we'll ask you for your name, but giving it to us is optional. The single piece of mandatory information we need from you in order to subscribe you is a valid email address.
- If you opt in to this category we’ll tell you about new and upcoming products and significant updates or changes to existing products. We’ll also use this category to send messages about upcoming promotional pricing events in our shop (such as the promotions we run for Black Friday or our Wish List campaigns).
- This selection will ensure you'll be among the first to access our free libraries; along with new music, videos, and interviews which relate to the infinite LABS programme. Let's all become something.
- With this, we'll keep you abreast of our editorial and educational Journal content including Quick Tips, Creative Cribs, Ones to Watch, and much more. We'll also announce all the exclusive events and competitions we're planning, and share social media activity we think might interest you.
Your data may also have been provided to us by a third party, where you have expressly given consent for that third party to share your data with us. We only process such data in accordance with the instructions given to us by the third party. You can always update your preferences on how we use your data; please refer to the section on how you can keep your data up to date.
You can also opt to join our mailing list during the process of creating an account. You will be opted into all 3 categories above if you opt in, but you can update your preferences at any time (using this form).
Where we keep our mailing list
Apart from your email address and (optionally) your name, Drip also tracks your interactions with our campaigns (opens, clicks) as well as detecting if the email is marked as spam or doesn't get delivered (bounces). They also track whether or not you have unsubscribed.
Every message we send from this platform has an unsubscribe button, and the option to update your mailing preferences.
Additionally, we send some promotional email campaigns via our own website, usually where the message relies on us knowing more information about you. Examples of this include our wish list campaign emails (for which we need to know which products are in your wish list) or "affiliation" messages (e.g. to let Spitfire Symphonic Strings owners know that we have released an Expansion Pack).
We maintain synchronicity between your preferences in our own database, and your preferences on Drip (whichever way round you choose to edit them).
One caveat you should note is that if you change your email address directly using Drip's supplied form, and don't make the same adjustment on your Spitfire account, we will be unable to maintain sync between both sets of preferences, and you may receive emails you don't expect.
How long we'll keep you on our mailing list
We'll keep you on our mailing list until you unsubscribe, so long as you occasionally open our messages.
Once a year we'll remove people from our list who have not opened any of our emails in the previous 12 months.
The legal basis we use for marketing messages we send
Where we have not obtained explicit consent from our customers for sending marketing messages, we may still use the legitimate interests legal basis to send direct messages. We've conducted a comprehensive legitimate interests assessment to justify this, which you can read here.
Creating a Spitfire Audio account
Certain activities you might perform on our website require you to have a Spitfire Audio account. These include:
- Buying products
- Downloading and installing products
- Storing a personal "wish list" of products you are interested in
- Submitting a customer service request (* see Zendesk section below)
- Applying for a student discount
When you create an account, we ask for your first and last names, your email address and a password, and also ask whether you'd like to opt in to our mailing list (more above).
Your password is stored as a hash produced by an industry standard password hashing mechanism, which isn't reversible, so nobody, including us, can find out what your password is in plain text. We encourage our customers to use difficult-to-guess passwords or passphrases, and to use a password manager to discourage password sharing between websites (we use LastPass at Spitfire).
How you can keep your data up to date
How you can find out what data we hold
Known under the GDPR as a "Data Subject Access Request", you can request that we supply you with all the data we hold on you at any time. To make this easy for you, we have created a page in your account area here: http://www.spitfireaudio.com/my-account/my-information/. A print optimised version is available on the same page.
How long do we keep your data
We will retain your Spitfire Audio account indefinitely unless you ask us to delete it (which you can do by submitting a support ticket).
If you have ever bought anything from us we are required by law to retain financial records for at least 6 years, so we will not be able to completely remove you if you have made any orders more recently than this (see our shop section below).
If you buy something from us, we will ask for some additional information from you in order to process your payment, deliver you your purchases and continue to support them in future. This is to enable us to fulfill our contractual obligation to you which begins at the point of sale.
What data do we collect
We ask for your name, email address, company name (if applicable), your registered card billing address, your delivery address (only if you ordered a hard drive), your phone number (which we use as part of our fraud checking process), your credit card number (unless you use Paypal), expiry date and CVV code ("the last 3 digits on the back of the card").
Who deals with our payments
Our principal Payment Service Provider is Opayo (formerly Sage Pay) – the largest independent payment service provider (PSP) in the UK and Ireland.
Opayo provides a secure payment gateway (Level 1 PCI DSS), processing payments for thousands of online businesses, including ours. It is Opayo's utmost priority to ensure that transaction data is handled in a safe and secure way.
Opayo uses a range of secure methods such as fraud screening, IP address blocking and 3-D Secure. Once on the Opayo systems, all sensitive data is secured using the same internationally recognised 256-bit encryption standards.
Opayo is PCI DSS (Payment Card Industry Data Security Standard) compliant to the highest level and maintains regular security audits. They are also regularly audited by the banks and banking authorities to ensure that their systems are impenetrable.
Opayo is an active member of the PCI Security Standards Council (PCI SSC) that defines card industry global regulation.
All data transfer between Spitfire's servers and Opayo is over HTTPS, which means it is encrypted in transit and can only be decrypted by the intended recipient.
Opayo retain your card information in order that we can refund all or part of your transaction in future, but we only have access to the last 4 digits, card name and CVV code.
During checkout we offer the option to securely store your credit card details so as to allow "one click" payment at a later date. If you accept this option, your card details are stored securely on Opayo's level 1 PCI compliant systems, and are never stored, even temporarily, on any Spitfire Audio server. We save a token representing the stored card which is only usable by Spitfire Audio. Nobody at Spitfire or at Opayo has unencrypted access to the full credit card details at any time.
After a payment is successful, Opayo provide us with an automated fraud score which, combined with other measures of our own, we use to make an automated decision to either process the order immediately or hold it for investigation by one of our customer experience team.
After a successful transaction, we have access to the billing address, name and email address of the Paypal account which was used to make the transaction, which we recognise may not be the same as the Spitfire Audio account holder. We don't make use of this information for anything. We use the transaction references for accounting purposes.
If you choose Apple Pay during checkout, we will take your payment using the payment gateway Stripe. They are also fully PCI DSS Level 1 compliant. More details of their security policies are available here. With Apple Pay, no credit card details are entered in full at any time during the transaction with us. You will have entered your credit card details when you set up your device to support Apple Pay.
Who has access to financial data?
Access to our Sage Pay and Paypal data is restricted to our customer experience and finance teams (both of whom legitimately need it to be able to carry out their jobs). The heads of our web and operations teams (including at our external partners Switchplane) also have access in order to be able to manage the integration with our site, and act as tier 3 level support in case of unusually problematic transactions. The Customer Experience team has access to Paypal principally so that they can request and confirm manual payments.
- Confirms that we have received your order and the amount you spent
- Includes link to your invoice
- Legal basis: Contractual obligation - we need to confirm your order has been successful
Purchase is ready
- After fraud checking has finished and your order has been fully processed, we'll send this message to let you know it is ready to be downloaded. This email also contains your serial number(s), if applicable.
- Legal basis: Contractual obligation - this is part of us delivering the product to you.
Hard drive in progress
- If you've ordered a hard drive, we'll send you a quick email to let you know we've started to build it.
- Legal basis: Legitimate interests - we think it polite and reasonable to let you know your order is in progress
Hard drive dispatched
- When your hard drive is shipped we'll let you know, and give you a shipping tracking reference.
- Legal basis: Legitimate interests - we think it is reasonable for us to let you know that your order is on its way
- We typically offer free updates to products during their lifetime. This message is to let you know when one is available for something you own.
- Legal basis: Legitimate interests - we think you'll want to know that there have been improvements to a product you own. This is part of our ongoing commitment to our customers.
Our Spitfire Application software requires you to have an account on our website. Logging into your account via the app allows it to know which products you own. All communication with our server is transferred over HTTPS.
During the install process we log information about the progress of your download and install, including your operating system and IP address. We do this so that our customer experience team can diagnose problems more effectively if something goes wrong, as well as for the purpose of recognising and preventing unusual download activity (for example, a single purchase being downloaded simultaneously in several different countries may indicate piracy). This data may also be used statistically to help us improve the quality, reliability and speed of our download service.
We typically offer free updates to our products during their lifetime, either to fix bugs or to add new features. In order for us to be able to send these to you, we must retain your account email address and your order history. If you'd like to opt out of future updates, you can (by contacting support), though since installing an update is entirely optional and older versions of our products may conceivably stop working, we'd recommend that you don't.
Watermarking and encryption
Our Kontakt and Kontakt Player libraries are watermarked to help protect us against software piracy. Watermarks are encoded on our server in advance, and allocated to individuals by our automated order processor when they buy. They contain no personally identifiable data in themselves, though we can work out who a watermarked file belongs to if we need to by referring to our allocation records.
Our standalone plugins (e.g. BT Phobos, Hans Zimmer Strings) are encrypted for use only on your individual computer(s). To achieve this our Spitfire Application software reads certain bits of system information from your machine then uses it to generate a key which is unique to your machine. Only this key is sent back to our server where it is used to encrypt some of the files we send you. No personally identifiable information is used at any time during this process.
We ask for consent to receive diagnostic information from you when you first open the Spitfire Audio app. This will help improve the quality and performance of both the app and our plugins as well as dramatically improve our ability to help fix an issue for you if you contact our support team.
All data is sent only with your consent and is anonymised such that even Spitfire staff cannot access your specific data unless you provide us with your identifier in the event of a technical support intervention.
If you agree to send diagnostics information to Spitfire Audio, it may contain the following:
- Details about app or plugin crashes, freezes or errors.
- Usage information, for example, data about how you use the app and our plugins.
Analytics data contains your computer’s hardware and software specifications, including information about devices connected to your computer and the versions of the operating system and DAWs you’re using. Personal data is either not logged at all in the reports generated, is subject to privacy preserving techniques such as differential privacy or is removed from any reports before they’re sent to Spitfire Audio.
Information is sent to Spitfire Audio using your internet connection. If your computer is not connected to the internet, the data is saved and sent the next time you connect to the internet.
Opt out of sharing diagnostics
You can opt out of sharing your information with Spitfire Audio at any time by logging in to the Spitfire Audio app and clicking on Settings > Analytics > "Send diagnostics to Spitfire Audio".
We use a third party service, Sentry, to collect analytics. The data that Sentry hold is anonymised; Sentry will not have access to the identifier that connects the data to the individual.
At Spitfire we want happy customers. To help us to help you, we will often need to know a little bit about you.
We use US-based company Zendesk (https://www.zendesk.co.uk/) as our customer support ticketing system and to provide live chat customer service. You can find full details of their comprehensive compliance with data protection regulations here:
Your data may be stored on servers outside of the EU, but Zendesk are a certified member of the EU-US Privacy Shield Scheme (see item 13 in their data protection policy) as well as the US-Swiss Safe Harbor scheme, which demonstrates that they process data to a GDPR-compliant standard.
If you choose to get in touch with our support team via our live chat service we'll ask you for your name and email address; however, if you choose not to tell us, you can still talk to us, and the chat will only be retained in Zendesk against an anonymous visitor number. Note that the nature of some enquiries may mean we have to insist on you telling us your account or other sensitive personal details during the chat in order to be able to fulfil your requirements.
If you do give us an email address and subsequently create an account at spitfireaudio.com using the same email address, the chat you initiated before you had an account will be attached to the account you subsequently create.
When you start a chat your browser will report to Zendesk your IP address, which browser (and version) you're using, which operating system you're using, your approximate location (City & Country) and the URL of the page you're looking at at the point the chat begins.
If you call us, we will collect your caller ID (i.e. phone number) if available, and store a recording of the call against this phone number. During the call we will ask for your name and account details (if applicable), and will add all this information into your account. If you call us from the same number at a later date, we can retrieve this account information the next time you call.
If you block the sending of your caller ID, and don't tell us who you are during the call, only the recording will be saved against an anonymous ID number.
Creating a support ticket
In order to be able to create a support ticket in our system, we ask you to log in to your Spitfire Audio account. We can then log you into Zendesk using a process called Single Sign On. With this, we confirm to Zendesk that you have a valid account with us via a secure exchange of tokenised data. There's no need for you to have a separate password to access Zendesk. They don't have any record of your Spitfire Audio password, even in encrypted form.
You can see all your own activity on Zendesk at the following URL (you will be redirected to the spitfireaudio.com website to log in first if necessary): https://spitfireaudio.zendesk.com/hc/en-us/requests
In the process of servicing your request, we may ask for additional personal or financial information or details of your order history or your hardware and software, and all such information will be retained with the ticket for future reference.
Knowledgebase & community
All knowledgebase articles we publish allow customers to comment. You must be logged into your account to do this. There is also a community section where you can chat to other Spitfire customers and Spitfire Customer Experience Advocates.
Your comments will be visible to anyone on the internet, and we will publish your account name alongside your comment. You can delete your own comments at any time.
You can see all your own comments by clicking here: https://spitfireaudio.zendesk.com/hc/contributions/posts
How long we keep your data for
We retain all customer service tickets indefinitely. This is to ensure that we have a full case history of any problems you may have experienced in the past, and can refer back to these when necessary. We are happy to delete your full Zendesk history upon request. Please create a support ticket and ask.
We offer educational discounts to students and teachers in schools, colleges and universities. To qualify for this, we ask you to create an account and submit documented proof that you are a student or teacher. This may be in the form of a college ID card, a payslip, a bank statement or a letter from the institution, and will often contain personally identifiable information and/or a photograph of you.
We further recognise that by the nature of the scheme, it is possible that we will be collecting information about people who are under the age of 18. Consequently, we are careful to restrict access to these documents to just the customer experience team who process them.
We retain the documents for 30 days from the date we process the request, after which they are automatically deleted. This is sufficient to help us deal with any enquiries which may arise during purchase in most cases. In rare cases, we may ask you to re-submit your documents if your enquiry falls outside of the 30 day period.
Educational discount application emails
Educational discount application was successful
- If you apply for an educational discount, we'll send you a message confirming that you have been approved and offering you the appropriate discount codes
- Legal basis: Consent - by applying for this discount scheme, you agree that we'll have to communicate the outcome to you
Educational discount application was not successful
- If you are not approved for an educational discount for any reason, we'll let you know in an email
- Legal basis: Consent - by applying for this discount scheme, you agree that we'll have to communicate the outcome to you
Educational discount application follow up message
- If you are not approved for an educational discount, we may follow up with you in a personal email to ask for further details. You can choose not to engage with this message if you wish
- Legal basis: Legitimate interests - by applying for the scheme we take that to mean that you'd like us to do all we can to help you secure your discount
We use a third party company - Trustpilot - to collect, analyse and display reviews relating to our customers’ experience with our service and our products themselves. After purchase, we share the order number, email address and the name of the product that you have bought with Trustpilot in order to send a request to you by email for a review of our service and the product that you have bought.
If you choose to leave a review:
- Service ratings and reviews are displayed on Trustpilot's own site in order that potential customers can look Spitfire Audio up and see our average rating and read any reviews that have been left.
- Product ratings and reviews are displayed on our product pages along with the average rating.
In both cases, moderation of reviews is only possible under Trustpilot's own terms; Spitfire Audio does not have the ability to edit or delete reviews left using Trustpilot.
If you wish to unsubscribe from Trustpilot's mailing list, please follow the instructions here.
We use a third party company - Vanilla - to provide a forum at https://community.spitfireaudio.com/.
Visiting our forum logs you in using your spitfireaudio.com credentials via SSO (single sign-on) and through this mechanism provides your name and email address to Vanilla.
Any interactions you engage in on the forum may be visible to other users and to Spitfire staff as well as Vanilla.
Analytics and statistics
We use a few different technologies to track behaviour on our site:
When someone visits spitfireaudio.com we use a third party service, Google Analytics, to collect standard internet log information (e.g. geographical location, OS and browser information, and details of visitor behaviour patterns). We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website.
Besides members of our own internal marketing team, the third parties who have access to Google Analytics information are:
- Switchplane, who administer the analytics service integration on our behalf.
When someone visits spitfireaudio.com we use a third party service, Facebook Pixel, to collect standard internet log information and details of visitor behaviour (e.g. which pages they visit, whether they add something to their cart or their wish list). We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make any attempt to find out the identities of those visiting our website.
Our data breach policy
What is a data breach?
We consider a data breach to be one or more of the following:
- Loss or theft of confidential or sensitive data or equipment on which such data is stored (e.g. loss of laptop, USB stick, iPad / tablet device, or paper record)
- Equipment theft or failure
- System failure
- Unauthorised use of, access to or modification of data or information systems
- Attempts (failed or successful) to gain unauthorised access to information or IT system(s)
- Unauthorised disclosure of sensitive / confidential data
- Website defacement
- Hacking attack
- Human error
- ‘Blagging’ offences where information is obtained by deceiving the organisation who holds it.
Investigation and containment
If we discover or are notified of any of the above, we will firstly determine whether the breach is ongoing, and if so, take immediate measures to stop it and minimise its impact. Secondly, we will investigate the extent and severity of the breach and assess the risks associated with it, for example, the potential adverse consequences for individuals, how serious or substantial those are and how likely they are to occur.
This investigation will consider the following:
- The type of data involved
- Its sensitivity
- The protections which are in place (e.g. encryption)
- What has happened to the data (e.g. has it been lost or stolen)
- Whether the data could be put to any illegal or inappropriate use
- Data subject(s) affected by the breach, number of individuals involved and the potential effects on those data subject(s)
- Whether there are wider consequences to the breach
After investigating the breach, we will determine whether it is necessary to report it to the Information Commissioner's Office (ICO), and if so, will do so within a maximum of 72 hours of becoming aware of the breach, if possible.
Every incident will be assessed on a case by case basis. The following will be considered:
- Whether the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms under Data Protection legislation
- Whether notification would assist the individual(s) affected (e.g. could they act on the information to mitigate risks?)
- Whether notification would help prevent the unauthorised or unlawful use of personal data
- Whether there are any legal / contractual notification requirements
- The dangers of over-notifying. Not every incident warrants notification, and over-notification may cause disproportionate enquiries and work.
Individuals whose personal data has been affected by the incident will be informed without undue delay where the breach has been considered likely to result in a high risk of adversely affecting that individual's rights and freedoms. Notification will include a description of how and when the breach occurred and the data involved. Specific and clear advice will be given on what they can do to protect themselves, including what action has already been taken to mitigate the risks. Individuals will also be provided with a way in which they can contact us for further information or to ask questions about what has occurred.
We will consider notifying third parties such as the police, insurers, banks or credit card companies. This would be appropriate where illegal activity is known or is believed to have occurred, or where there is a risk that illegal activity might occur in the future.
We will consider whether our marketing team should be informed regarding a press release and to be ready to handle any incoming press enquiries.
An internal record will be kept of any personal data breach, regardless of whether notification was required.
Evaluation and response
Once the initial incident is contained, we will carry out a full review of the causes of the breach, the effectiveness of the response(s) and whether any changes to systems, policies and procedures should be undertaken.
Existing controls will be reviewed to determine their adequacy, and whether any corrective action should be taken to minimise the risk of similar incidents occurring.
The review will consider:
- Where and how personal data is held and where and how it is stored
- Where the biggest risks lie including identifying potential weak points within existing security measures
- Whether methods of transmission are secure, and whether only the minimum amount of data necessary is shared
- Staff awareness
If deemed necessary, a report recommending any changes to systems, policies and procedures will be considered by the Spitfire Audio board.