Privacy Policy
Effective Date: April 1, 2026
Soul Studios Pty Ltd ("Soul Studios," "we," "us," or "our") operates the Luna platform ("Service"). This Privacy Policy explains how we collect, use, store, and protect your information when you use the Service.
1. Information We Collect
1.1 Account Information
When you create an account, we collect information provided through our authentication provider, Kinde, including your name, email address, and profile picture. If you sign in via single sign-on (SSO), we receive the identity attributes shared by your identity provider.
1.2 Organization Data
When you create or join an organization, we store organization details (name, slug, settings) and your membership information (role, permissions). All content created within an organization — including projects, issues, assets, and team profiles — is stored as organization data.
1.3 Usage Data
We automatically collect information about your interactions with the Service, including pages visited, features used, timestamps, and referring URLs. This data is used to improve the Service and provide audit logging for organization administrators.
1.4 Device and Browser Information
We collect standard technical information transmitted by your device, including browser type and version, operating system, device type, and IP address. This information is used for security, fraud prevention, and service optimization.
1.5 Files and Content
If you use the Digital Asset Manager or file upload features, we store the files you upload along with associated metadata (file name, size, type, upload date). Files are stored in Cloudflare R2 object storage.
2. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Service.
- Authenticate your identity and manage access to your organization.
- Process payments and manage subscriptions through our Merchant of Record, Paddle.
- Send transactional emails (account verification, billing receipts, security alerts).
- Provide audit logging and activity tracking for organization administrators.
- Detect, prevent, and respond to security incidents and abuse.
- Comply with legal obligations and respond to lawful requests from public authorities.
3. Data Storage and Security
3.1 Database
Application data is stored in a PostgreSQL database hosted by Neon, a serverless PostgreSQL provider. Data is encrypted at rest using AES-256 encryption and in transit using TLS 1.2 or higher. Multi-tenant data isolation is enforced at the database level through row-level security (RLS) policies.
3.2 File Storage
Uploaded files are stored in Cloudflare R2 object storage. Files are encrypted at rest and served over HTTPS. Access to files is controlled through signed URLs that expire after a limited time.
3.3 Security Measures
We implement industry-standard security measures including, but not limited to: encrypted data transmission (TLS), encrypted data at rest, role-based access controls, session management with secure tokens, CSRF protection for state-changing requests, and regular security assessments.
4. Payment Processing
All payment processing is handled by our Merchant of Record, Paddle.com Market Limited ("Paddle"). We do not directly collect, store, or process credit card numbers or payment credentials. Paddle collects payment information directly and provides us with subscription status and transaction records. For more information, please review Paddle's Privacy Policy.
5. Third-Party Services
We use the following third-party services to operate the Luna platform:
- Kinde — Authentication, organization management, and single sign-on. Kinde processes your email, name, and authentication credentials.
- Paddle — Payment processing and subscription management. Paddle processes payment details and billing information.
- Neon — Database hosting. Neon stores application data in encrypted PostgreSQL databases.
- Cloudflare R2 — File and asset storage. Cloudflare stores uploaded files with encryption at rest.
- Vercel — Application hosting and deployment. Vercel processes request data including IP addresses and request headers.
- Resend — Transactional email delivery. Resend processes email addresses and message content for delivery.
Each third-party service processes data in accordance with its own privacy policy. We select providers that meet industry-standard security and privacy requirements.
6. Cookies and Tracking
We use the following types of cookies:
- Essential cookies — Required for authentication, session management, and CSRF protection. These cannot be disabled.
- Preference cookies — Store your display preferences (e.g., theme selection). These are optional and stored locally.
We do not use third-party advertising or analytics cookies. We do not sell or share your data with advertisers.
7. Data Sharing
We do not sell your personal information. We share data only in the following circumstances:
- Within your organization — Data you create within an organization is visible to other members according to their roles and permissions.
- Service providers — With the third-party services listed above, strictly for the purpose of providing the Service.
- Legal compliance — When required by law, regulation, legal process, or governmental request.
- Business transfers — In connection with a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity.
8. Data Retention
We retain your account information for as long as your account is active. Organization data is retained for as long as the organization exists. If you delete your account or organization, we will delete or anonymize your data within 30 days, except where retention is required by law or for legitimate business purposes (such as fraud prevention and audit logging).
9. Your Data Rights
Depending on your jurisdiction, you may have the following rights:
- Access — Request a copy of the personal information we hold about you.
- Correction — Request correction of inaccurate personal information.
- Deletion — Request deletion of your personal information, subject to legal retention requirements.
- Portability — Request an export of your data in a machine-readable format.
- Objection — Object to the processing of your personal information for certain purposes.
- Restriction — Request restriction of processing of your personal information.
To exercise any of these rights, please contact us at the address below. We will respond to your request within 30 days.
10. International Data Transfers
Your data may be transferred to and processed in countries other than your own, including the United States and Australia, where our service providers operate. We ensure that appropriate safeguards are in place for international data transfers in compliance with applicable data protection laws.
11. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 18, we will take steps to delete that information.
12. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice on the Service prior to the change becoming effective. Your continued use of the Service after such changes constitutes your acceptance of the revised policy.
13. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us at:
- Email: privacy@soulstudios.com.au
- Company: Soul Studios Pty Ltd
- Location: Sydney, New South Wales, Australia