Privacy Policy

This policy applies to the Sequence Tool® website, macOS application, and related services. It describes how Rock Stars Unlimited Ltd ("we", "us", "our") processes personal data in line with UK data protection law.

1. Who we are

Sequence Tool® is operated by Rock Stars Unlimited Ltd (Company No. 13875186), registered in the United Kingdom. For privacy-related requests, contact us at Click to reveal email .

2. Legal bases

We rely on the following legal bases under the UK GDPR. Contract: to provide your account, licensing, purchases, and essential transactional email (for example receipts and magic-link sign-in). Legitimate interests: to keep our services secure, investigate abuse, process pseudonymised authentication telemetry as described in section 3, and run privacy-focused website analytics and website session replay in cookieless mode with masking safeguards (we balance this against your rights). Consent: for optional in-app product analytics (PostHog) and error monitoring (Sentry), which we only enable after you agree at first launch and which you can turn off in the app’s Settings. Withdrawing consent does not affect the lawfulness of processing before withdrawal.

3. Data we collect

Account and identity: email address when you create an account or sign in (for example via magic link).

Payment and licensing: information needed to process purchases (via Stripe), licence activation, and device association.

Product analytics and error monitoring: with your consent in the Sequence Tool app, we use PostHog for product analytics and Sentry for error monitoring and diagnostics. On the website, PostHog runs in a cookieless configuration (no analytics cookies or local storage for that purpose).

Session replay (website): on selected marketing and product pages we record session replays at approximately 50% sampling, retained for up to 90 days in production, under our legitimate interests basis. We configure masking and related safeguards to reduce capture of sensitive information.

Security and authentication telemetry: to protect accounts and detect abuse, we process pseudonymised authentication logs, including hashed IP address and user-agent, coarse geolocation, a device fingerprint hash, and sign-in outcomes. These data can still identify you indirectly and are personal data. Default retention is 90 days. This processing is based on legitimate interests.

Technical data: we process IP addresses transiently at our network edge (for example Cloudflare) for security, abuse prevention, and service delivery. We do not durably store raw IP addresses in our product analytics or authentication telemetry systems; we retain pseudonymised, hashed identifiers derived from them as described above. We may also process browser and device type where needed to operate the service.

Email and newsletter: we send email through Postmark. Transactional messages (for example receipts, magic-link sign-in, account or security notices, and product onboarding email) do not use link tracking—links go directly to our sites and services. If you subscribe to our newsletter, we use double opt-in (you must confirm by email before your subscription is activated) and we store consent timestamps. Marketing newsletters may use link tracking so we can measure engagement in aggregate; we do not use email open tracking. Where a link is tracked, clicking it may cause Postmark to process the time of the click, IP address, approximate location, and browser or device information (for example via click.pstmrk.it).

We do not sell your personal data. We use it to provide the service, process payments, communicate with you, and improve and secure our product, as described in this policy.

4. How we use your data

We use the data we collect to: operate your account and licensing; process payments; send transactional email and (where you have confirmed) newsletters; run product analytics and error monitoring where you have consented in the app, and run website analytics and session replay as described above; detect and investigate abuse using authentication telemetry; respond to support and security reports; improve and secure our app and website; and comply with legal obligations.

5. Third-party processors

We use processors who handle data on our behalf, including: Cloudflare (hosting, CDN, and edge security); Stripe (payments); Postmark (email delivery; link tracking on marketing newsletters only); PostHog (product analytics — cookieless on the website; in the app, only with consent); and Sentry (error monitoring in the app, only with consent). They are bound by contracts (including data processing terms) that limit use of your data to providing services to us. We may also disclose data when required by law or to protect our rights and safety.

6. Cookies and similar technologies

We use cookies and similar technologies where needed for essential functions (for example keeping you signed in and security). Our website analytics (PostHog) runs without analytics cookies or local storage for that purpose. Because we do not use non-essential analytics cookies, we do not show a cookie consent banner. For full detail, see our Cookie Policy.

7. Your rights

Depending on where you live, you may have the right to access, correct, delete, or port your data, or to object to or restrict certain processing. You may withdraw consent for optional in-app analytics and error reporting at any time in the app’s Settings. To exercise these rights or submit a data subject access request, see our Your rights page or contact us using the details below. You may also have the right to lodge a complaint with a supervisory authority.

8. Retention and security

Retention depends on the data: for example, authentication risk telemetry defaults to about 90 days; session replay recordings may be retained for up to about 90 days in production; account and billing records are kept while your account is active and for a period afterwards where required for tax, legal claims, or compliance. Other data is retained only as long as needed for the purposes in this policy. We use appropriate technical and organisational measures to protect your data; no system is completely secure, and we cannot guarantee absolute security.

9. International transfers

Your data may be processed in countries outside the UK, including the United States, where providers such as Postmark, PostHog, Sentry, and Stripe operate. We ensure appropriate safeguards where required by applicable law, including the UK International Data Transfer Addendum or Agreement (IDTA) and EU Standard Contractual Clauses (SCCs), together with adequacy regulations where they apply.

10. Changes

We may update this policy from time to time. We will post the updated version on this page. We will notify you of material changes in an appropriate way (for example by email or an in-product notice). Where a change requires your consent under data protection law, we will seek that consent before the change takes effect.

11. Contact

For privacy questions or to exercise your rights: Click to reveal email .