DRAFT — REQUIRES LEGAL REVIEW BEFORE PUBLICATION.
This Privacy Policy describes how Techtonic Systems Research and Media LLC ("we", "us", "our") processes personal data in connection with the Storage Studio desktop application (the "Software").
We are committed to the principle that the Software runs on your Mac, and your data stays on your Mac. Storage Studio is a local utility. It does not transmit your files, file paths, file contents, folder structures, or usage patterns to any server we operate.
1. Quick-read summary
- Your files (Documents, Downloads, app data, etc.) — stay on your Mac. Never transmitted by Storage Studio.
- File paths, folder names, sizes — recorded in local manifests on your Mac. Not transmitted.
- Cloud account credentials — held by the bundled `rclone` tool on your Mac. We never see them.
- License key — stored as a file with owner-only permissions, mirrored to your chosen NVMe drive. The transaction identifier you typed at activation is sent to our server once during activation and on each periodic heartbeat.
- Update / manifest check — periodic HTTPS call to our server. Sends only your IP and a User-Agent identifying the app version + macOS major.
- Camera / microphone — not captured. We only detect whether they are in use by another app, to pause heavy operations during meetings.
- Anonymous usage telemetry — none collected in this version.
- Crash reports — none collected in this version.
2. Who this Policy applies to
This Policy applies to all individuals who install or use the Software, anywhere in the world. Region-specific provisions for the European Union and United Kingdom (GDPR / UK GDPR), California (CCPA / CPRA), India (DPDPA 2023), Canada (PIPEDA / Quebec Law 25), and other jurisdictions appear in §11.
3. Personal data we process
3.1 Data processed entirely on your Mac (never transmitted to us)
The Software reads, writes, and stores the following on your Mac. We do not have access to it. It does not leave your Mac through Storage Studio.
- File and folder metadata — paths, sizes, modification times, code signatures, file modes — for files you instruct the Software to move, relocate, hash, or back up.
- Move manifests — JSON files at `~/.storagestudio/state/folder-moves/` and `app-moves/` recording in-flight transactions for crash recovery. Auto-deleted on successful completion.
- Transfer history — `~/.storagestudio/sync/jobs.json` recording cloud transfer jobs you've configured. Includes endpoints, schedules, and status.
- Daemon configuration — `~/.storagestudio/storage-studio.conf` holding your rules, schedules, and preferences.
- Daily storage snapshots — `~/.storagestudio/state/history.ndjson` for the Storage Charts window. 365-day rolling window.
- License key — stored as JSON at `~/.storagestudio/state/license.json` with POSIX 0600 perms (owner-only read/write), mirrored to your NVMe drive at `<NVMe>/Mac/StorageStudio-State/license.json`. If your internal disk is encrypted (FileVault), the file is encrypted at rest.
- Cloud account credentials — held by the bundled `rclone` tool at `~/.config/rclone/rclone.conf`, encrypted with rclone's own config-encryption mechanism. We never see, read, or transmit these.
- Camera and microphone activity flag — a single Boolean reflecting whether ANY app is currently using your camera or mic, used by smart-mode to pause auto-actions during meetings. No video or audio is ever captured.
Retention. This data is retained on your Mac for as long as you keep the Software installed, plus the retention windows the Software itself enforces (e.g. 365-day history cap, 7-day self-backup rolling retention). Uninstalling the Software does not delete these files by default — see §10 for how to fully erase.
3.2 Data that crosses the network
The Software opens HTTPS connections to one endpoint only: storagestudio.techtonic.systems (operated by us on Cloudflare Workers).
(a) Manifest / update check
Frequency: on app launch + once every 24 hours while running.
Data sent: standard HTTPS request headers including your IP address (necessary for any HTTP transaction); a User-Agent identifying the Software version and macOS major version. No identifying cookies, account IDs, or installation IDs.
Data received: current manifest JSON listing the latest available version, license behaviour, trial duration, and any in-app messages we wish to display.
(b) License activation and heartbeat
Frequency: once during activation, then a periodic heartbeat (every 1 day for Monthly/Annual, every 7 days for Lifetime).
Data sent: your purchaser email address, your Stripe transaction identifier (pi_… or sub_…), and a one-way hashed machine fingerprint derived from your Mac's IOPlatformUUID and macOS install date. The fingerprint is irreversible — it cannot be used to identify your Mac in isolation.
Data received: a signed JWT confirming your license status, valid until the next heartbeat.
(c) Webhook-driven status (no client call)
When Stripe notifies us of a subscription change (cancelled, payment failed, refunded, etc.), the server updates its mirror of your license. Your Mac picks this up at the next heartbeat. No additional data is collected from you.
3.3 Data Stripe processes on our behalf
Stripe processes your billing details, payment card information, billing address, and tax data directly. We don't see card numbers; we see receipts. Stripe's privacy notice: stripe.com/privacy.
4. Purposes and lawful bases
| Purpose | Data | Lawful basis (GDPR/UK GDPR) |
|---|---|---|
| Validate license | email + transaction ID + fingerprint | Contract (§6(1)(b)) |
| Process payments | (Stripe handles) | Contract |
| Detect software updates | IP + version + macOS major | Legitimate interest (§6(1)(f)) |
| Detect license sharing | hashed fingerprint | Legitimate interest |
| Support / abuse handling | email and your message contents | Legitimate interest |
5. Sharing
We do not sell or rent personal data. We share personal data only with:
- Stripe (payment processing, billing). Privacy notice.
- Cloudflare (infrastructure provider for the backend and Workers KV/D1/R2). Privacy notice.
- Brevo (transactional email — internal staff communications only; not used for marketing). Privacy notice.
- Law enforcement, when required by valid legal process.
6. International transfers
Backend hosted on Cloudflare's globally distributed network. Logs and license records reside in Cloudflare D1 (currently within EU/US infrastructure depending on edge proximity). For EU/UK data subjects, transfers outside the EEA/UK rely on the European Commission's Standard Contractual Clauses (Stripe, Cloudflare, Brevo are signatories).
7. Retention
- License records (email, transaction ID, fingerprint): retained for the lifetime of the license + 7 years for tax/audit, then deleted.
- Trial fingerprints: retained for 90 days after trial expiration.
- Manifest / update logs: 30 days then aggregated and anonymised.
- Support emails: retained for as long as needed to resolve the case, then archived for 2 years.
8. Your rights
Depending on your jurisdiction you have rights to access, correct, delete, restrict processing, object to processing, portability, and to lodge a complaint with your supervisory authority. Email hi@rajneeshmaurya.com with "Privacy request" in the subject. We respond within thirty (30) days.
9. Security
Server side: TLS in transit, encrypted at rest by Cloudflare. JWTs are HS256 signed with a 32-byte secret. Internal staff access to license records is restricted and audit-logged.
Client side: license file is POSIX 0600 owner-only. Mirror on NVMe inherits the same perms.
Report a vulnerability: see the Security Policy.
10. Deleting your data
- Local files: delete `~/.storagestudio/` and `<NVMe>/Mac/StorageStudio-State/`.
- Server records: email `hi@rajneeshmaurya.com` from your purchaser address with "Delete my data". We require identity verification before deletion. Tax and audit records (§7) are retained as required by law.
11. Region-specific provisions
European Union / United Kingdom (GDPR). The controller is Techtonic Systems Research and Media LLC. We process the data described in §3 on the bases listed in §4. You may lodge a complaint with your supervisory authority.
California (CCPA/CPRA). We do not sell or share (as defined by CCPA/CPRA) your personal information. We do not process your sensitive personal information for inferences. You have the rights to know, delete, correct, and limit; exercise them via the contact above.
India (DPDPA 2023). We are a data fiduciary under the DPDPA. Your purpose-specific consent is recorded at the activation step; you may withdraw it via the contact above.
Canada (PIPEDA / Quebec Law 25). The privacy officer is the contact below.
12. Children
The Software is not directed at children under 16. We do not knowingly collect data from children under 16. If you believe we have, please contact us so we can delete it.
13. Changes
We may update this Policy from time to time. Material changes will be notified inside the Software at next launch and on this page. The effective date at the top of this Policy will be updated whenever a change is published.
14. Contact
Privacy questions, requests, or complaints: hi@rajneeshmaurya.com.