Privacy Policy

MixOps ("we," "us," or "our") operates the website mixops.io and the MixOps software-as-a-service platform (collectively, the "Service"). The Service provides browser-based tools for managing configuration files used by Avid S6, S4, S1, and S3 control surfaces, EuCon-based workflows, and Pro Tools sessions. This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you use our Service.

By accessing or using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, please do not use the Service.

1. Information We Collect

1.1 Information You Provide

We collect information you voluntarily provide when you use the Service, including:

• Your email address, used for authentication via one-time PIN login;
• Console configuration files (XML layout files, softkey configurations, knob maps, preferences, and other mix console data) you upload or create within the Service;
• Cloud-stored files — if you use cloud sync, your console configuration files and associated metadata (file name, tags, notes, room profile) are stored in Cloudflare R2 object storage, with metadata indexed in Cloudflare D1; and
• Any feedback messages or issue reports you submit through the Service.

1.2 Information Collected Automatically

When you access the Service, we automatically collect:

• Session cookie: A single authentication cookie (MO_Session) that is HttpOnly, Secure, and SameSite=Strict, with a default expiry of 7 days;
• Audit events: Actions performed within the Service (e.g., pages visited, files opened, edits made), along with timestamps, your browser's user agent string, IP address, and country (derived from request headers). These are stored in a server-side database for operational and security purposes;
• Device and browser information: Browser type, version, operating system, and screen dimensions; and
• Session activity: Session duration, active time, and page navigation within the Service.

1.3 Information Stored Locally

The Service uses your browser's IndexedDB to store console configuration files locally on your device for editing purposes. This data serves as your primary working copy and offline cache. If you enable cloud sync, files are also stored on our servers (see Section 1.1). Local data is not transmitted to our servers unless you explicitly sync, upload, export, or share it.

1.4 Information from Third Parties

We do not purchase or obtain personal information from third-party data brokers.

2. How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain the Service;
• Authenticate your identity and manage your account;
• Synchronize your files across devices via cloud storage;
• Enable file sharing with other users you explicitly authorize;
• Improve, personalize, and expand the Service;
• Communicate with you, including for customer support and product updates;
• Monitor and analyze usage trends to improve user experience;
• Detect, prevent, and address technical issues and security threats; and
• Comply with legal obligations.

3. Legal Bases for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data on the following legal bases:

• Performance of a Contract — to provide the Service you requested;
• Legitimate Interests — to improve and secure the Service, provided these interests are not overridden by your rights; and
• Consent — where you have given explicit consent, which you may withdraw at any time.

4. Data Sharing and Disclosure

We do not sell your personal information. We do not use third-party analytics services or advertising trackers.

We may share your information in the following limited circumstances:

• Cloudflare, Inc. — provides hosting, content delivery, edge compute (Workers), key-value storage, database services (D1), and object storage (R2) that power the Service. Cloud-synced files are stored in Cloudflare R2 with server-side encryption at rest;
• Resend, Inc. — delivers transactional emails on our behalf (authentication PINs, account notifications). Only your email address is shared with Resend for this purpose;
• If required by law, regulation, legal process, or governmental request;
• To protect our rights, privacy, safety, or property, or that of our users or the public; and
• In connection with a merger, acquisition, or sale of assets, in which case you will be notified.

5. Data Retention

We retain your personal information as follows:

• Session tokens: 7 days (up to 1 year for long-lived administrative sessions);
• Authentication PINs: 10 minutes after generation;
• Audit events: Retained for operational and security purposes;
• Uploaded configuration files: Retained until you delete them or request account deletion;
• Cloud-stored files: Retained until you delete them, request account deletion, or your account is terminated. Upon account termination, cloud-stored files are retained for 30 days before permanent deletion; and
• Account information: Retained as long as your account is active or as needed to provide the Service.

We may also retain certain information as required by law or for legitimate business purposes (e.g., resolving disputes, enforcing agreements).

6. Data Security

We implement commercially reasonable administrative, technical, and physical safeguards to protect your information, including:

• HttpOnly, Secure, SameSite=Strict session cookies;
• Cryptographically secure session tokens;
• Rate limiting and brute-force protection on authentication;
• Parameterized database queries to prevent injection attacks; and
• Security headers including X-Content-Type-Options, X-Frame-Options, and strict Referrer-Policy.

However, no method of transmission over the Internet or electronic storage is completely secure, and we cannot guarantee absolute security.

7. Your Rights

7.1 All Users

You may:

• Access, update, or delete your account information by contacting us;
• Request a copy of the personal data we hold about you; and
• Opt out of non-essential communications.

7.2 California Residents (CCPA/CPRA)

If you are a California resident, you have the right to:

• Know what personal information we collect, use, and disclose;
• Request deletion of your personal information;
• Opt out of the sale or sharing of personal information (we do not sell your data); and
• Not be discriminated against for exercising your rights.

To exercise these rights, contact us at the address below.

7.3 EEA/UK Residents (GDPR)

If you are in the EEA or UK, you have additional rights including:

• The right to rectification of inaccurate data;
• The right to restrict processing;
• The right to data portability; and
• The right to lodge a complaint with your local data protection authority.

8. Cookies and Local Storage

The Service uses a single essential cookie (MO_Session) for authentication. This cookie is:

• HttpOnly — not accessible to client-side JavaScript;
• Secure — only transmitted over HTTPS; and
• SameSite=Strict — not sent with cross-site requests.

The Service also uses IndexedDB (a browser-based storage mechanism) to store your configuration files locally. This data remains on your device.

We do not use advertising cookies, third-party tracking cookies, or analytics cookies.

9. Cloud Storage and File Sharing

The Service offers optional cloud storage powered by Cloudflare R2. When you enable cloud sync:

• Your console configuration files are stored with server-side encryption at rest provided by Cloudflare;
• Files are namespaced per user — no other user can access your files unless you explicitly share them;
• File sharing is opt-in, per-file, and revocable at any time. When you share a file, the recipient receives read-only access to that specific file for the duration of the share;
• You may connect with other users via a friends feature. Friend connections require mutual consent (request and acceptance). Only accepted friends can be selected as share recipients; and
• You may delete your cloud-stored files at any time. Deleted files are soft-deleted and permanently removed after 30 days.

10. Third-Party Links and Services

The Service may contain links to third-party websites or integrate with third-party tools. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies.

11. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 16, we will take steps to delete it promptly.

12. International Data Transfers

Your information may be transferred to and processed in the United States or other countries where our service providers (including Cloudflare) operate. We take steps to ensure that data transfers comply with applicable law, including the use of standard contractual clauses where required.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Service and updating the "Last Updated" date. Your continued use of the Service after changes constitutes acceptance of the revised policy.

14. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, contact us at:

MixOps
Email: privacy@mixops.io