Legal

Privacy Policy

Effective 2026-05-16. Short version: the plugin doesn't phone home during normal use. The activation handshake is the only network interaction we control.

Summary at a glance

  • The QREL Nodes plugin does not transmit audio, project content, or DAW metadata over the network.
  • The plugin does perform a one-time HTTPS activation handshake when you click Activate, and may perform periodic refresh checks against the activation server.
  • Payments and license-key issuance run through Paddle, a third-party storefront. Their privacy policy applies to checkout.
  • This website uses no cookies and no third-party analytics. Self-hosted server access logs only retain request metadata (IP, timestamp, URL) for the time strictly needed to debug abuse.

1. What the plugin sends, and when

The plugin makes outbound network requests in exactly three situations:

  1. Activation — when you click Activate, the plugin POSTs the following fields over HTTPS to the QREL activation service:
  • The email address you typed.
  • The license key you typed.
  • The plugin code (a fixed string identifying the QREL product).
  • The plugin version.
  • A machine fingerprint: a SHA-256 hash derived from your machine's stable hardware identifiers (Windows MachineGuid; macOS hardware UUID) combined with CPU vendor and model. The plugin does not transmit raw hardware identifiers; only the resulting hash.
  • A human-readable machine name (e.g. DESKTOP-F9EQ5UO).
  • The operating system name and version string.
  1. Refresh — if you click Refresh in the license panel, or if the local certificate is older than 30 days, the plugin re-runs the same handshake. Same fields, same destination.
  2. Deactivate — when you click Deactivate, the plugin POSTs the license identifier and machine fingerprint so the server can free the seat.

The plugin never transmits audio data, DAW session content, plugin parameter automation, or telemetry between Track and Master instances over the public internet. Track ↔ Master communication happens entirely over the local loopback interface on your own computer; nothing leaves the machine.

2. What the activation server stores

The activation service is a small self-hosted server (Python + SQLite). For each license key, it stores:

  • A SHA-256 hash of the license key (never the raw key).
  • The buyer email returned by Paddle.
  • An "active" / "disabled" flag mirrored from Paddle.
  • The count of Paddle-reported uses.

For each activation (machine seat), it stores:

  • The license-key hash.
  • The machine fingerprint hash you sent at activation.
  • A randomly-generated activation ID (24 hex characters).
  • The machine name string you sent.
  • The OS name string you sent.
  • The plugin version string.
  • First-activated timestamp and last-activated timestamp.

That is the complete record per activation. No audio, no DAW state, no project content, no usage telemetry.

3. What Paddle processes

Checkout and license-key issuance run through Paddle. Paddle handles the payment, the receipt, the buyer email, and the original license-key generation. Their privacy policy applies to that part of the flow. QREL receives only the hashed license key, the buyer email, and the active/disabled flag back from Paddle's verification API.

4. Why we hash the machine fingerprint

The machine fingerprint is a SHA-256 hash, not the raw hardware identifiers. We can verify that two activation attempts come from the same machine, but we cannot reconstruct the underlying serial numbers, MAC addresses, or volume IDs from the hash. This is a one-way function. If our activation database were stolen, an attacker would learn that some machine was activated, not which machine.

5. Where the license file lives on your disk

After successful activation, the plugin writes a signed JSON certificate to a per-user folder you fully control:

  • Windows: %APPDATA%\QREL\licenses\qrel_license.qrellic

You can delete this file at any time to remove the cached license. The plugin will fall back to Analyze-Only mode and prompt for re-activation on next launch.

v1 ships Windows VST3 only. When the macOS build ships in v1.1, the equivalent path will be ~/Library/Application Support/QREL/licenses/qrel_license.qrellic.

6. This website

This website is a static site served from a CDN. It does not set cookies. It does not use third-party analytics scripts (no Google Analytics, no Meta pixel, no marketing tags). Standard CDN access logs (IP, timestamp, request URL, user-agent) are retained for up to 14 days for security and abuse purposes, then rotated out.

Web fonts are loaded from Google Fonts. Google's privacy policy applies to that font fetch. If you would prefer the site self-host its fonts to avoid that fetch entirely, write to [email protected].

7. Your rights

If you are located in the European Union, the United Kingdom, or another jurisdiction with comparable data-protection law, you have the right to:

  • Request a copy of every activation record we hold tied to your license key.
  • Request deletion of those records (note: this will deactivate every machine seat associated with that license).
  • Request correction of the buyer email or machine name fields.
  • Withdraw consent and request portability where applicable.

Send the request to [email protected] with your license key (or the email used at purchase). We respond within 30 days.

8. Children

The Software is professional audio software not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe a minor has activated the Software, contact us and we will purge the corresponding records.

9. Changes to this policy

If we materially change this policy, we update the "Effective" date at the top and announce it on the website. If you have an active license, we'll email you at the address on file before the change takes effect.

10. Contact

Privacy questions: [email protected]. General support: [email protected].