Formula v0.8.3

Privacy Policy

Last updated: March 2026

1. Introduction

AfterLight ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use Formula and its related online services.

2. Data Controller

The data controller responsible for your personal data is AfterLight di Andrea Pastorelli, based in Italy. For any privacy-related inquiries, you can contact us at [email protected].

3. Data We Collect

We collect the following types of information:

  • Account information: email address and display name provided during registration.
  • Authentication data: tokens and session data managed through our authentication provider (Logto).
  • Usage data: aggregated statistics about feature usage.
  • Technical data: IP address, browser type, operating system, device type, and preferred language collected automatically at each login for security, analytics, and service improvement purposes.
  • Licensing records: we generate and assign software licenses (code, type, status, activation and expiry dates) and link them to your account. These are business records we maintain, not data you provide.
  • Payment records: transaction references, subscription identifiers, and billing status are generated by our payment provider and linked to your account. We do not store credit card numbers or bank details.
  • Session data: device fingerprint, session tokens, and heartbeat timestamps used to enforce single-session-per-license and detect unauthorized access.
  • Security events: hashed IP addresses, event types, and timestamps logged for security monitoring, including failed authentication attempts, webhook verification failures, and suspicious traffic patterns. IP addresses are hashed for GDPR compliance.
  • Feedback and issue tracker data: issues, comments, votes, and emoji profile avatars you submit through the built-in feedback system.
  • Notification preferences: your email preference settings for product updates and security alerts.

4. Data We Do NOT Collect

Your data files (.fml) are stored locally on your device. We do not access, collect, upload, or store the contents of your data files. Formula is designed as a local-first application, and your data remains on your machine.

5. How We Use Your Data

  • To provide and maintain the service, including authentication and account management.
  • To track usage for billing and plan management purposes.
  • To communicate with you about your account, service updates, and important notices.
  • To manage software licenses, including activation, renewal, expiry, and session enforcement.
  • To link your account with purchases and subscriptions processed by our payment provider (Merchant of Record).
  • To monitor security events, detect abuse, and protect against unauthorized access.
  • To send you email communications about product updates and security alerts, based on your notification preferences. You can opt out at any time from your dashboard.

6. Methods of Processing

Your personal data is processed using electronic and automated means, through IT systems and software managed by us or by our third-party service providers. Access to personal data is restricted to authorized personnel only, on a need-to-know basis, and solely for the purposes described in this policy. We do not carry out manual processing beyond what is strictly necessary for account support and legal compliance. Appropriate technical and organizational security measures are applied to prevent unauthorized access, loss, or misuse of data.

7. Legal Basis for Processing

We process your personal data under the following legal bases (GDPR Article 6):

  • Contract performance (Art. 6(1)(b)): account creation, authentication, license management, payment processing, and service delivery — these are necessary to fulfill our agreement with you.
  • Legitimate interest (Art. 6(1)(f)): security monitoring, abuse detection, session enforcement, aggregated analytics, and service improvement — these are necessary to protect the service and its users.
  • Consent (Art. 6(1)(a)): marketing email communications (product updates) — you can withdraw consent at any time from your dashboard notification preferences.
  • Legal obligation (Art. 6(1)(c)): retention of payment and license records for accounting and tax compliance.

8. Where Your Data Is Located

Your account data, license records, session data, and security logs are stored on servers located in Germany (European Union). Authentication data is stored by Logto in the European Union. Email communications are processed by Brevo on servers in the European Union (France, Belgium, Germany). Payment data is processed by Lemon Squeezy in the United States, acting as Merchant of Record. Website analytics are processed by Umami — no personal data is collected or stored.

9. Data Storage and Security

Your account data is stored in secure databases. We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These include encrypted license signatures, one-way hashing of IP addresses in security logs, and cryptographic verification of all external communications. Authentication is handled through Logto, an industry-standard identity provider.

10. Third-Party Services

We use the following third-party services, which act as data processors on our behalf:

  • Logto: for user authentication and identity management.
  • Lemon Squeezy: for payment processing and subscription management. When you make a purchase, your email and transaction data are shared with Lemon Squeezy. We do not store credit card numbers or bank details. See Lemon Squeezy’s Privacy Policy.
  • Brevo: for email communications including product updates and security alerts. Your email address and name are shared with Brevo when you register or subscribe. You can opt out of marketing emails at any time from your dashboard. See Brevo’s Privacy Policy.
  • Umami: for privacy-friendly website analytics. Umami does not use cookies, does not collect personal data, and does not track users across websites. All data is aggregated and anonymous. Umami is GDPR-compliant by design. See Umami’s Privacy Policy.

11. International Data Transfers

We only use third-party service providers that offer adequate data protection guarantees. Some of these providers (listed in Section 10) may process data outside the European Economic Area (EEA). We have verified that each provider either operates under a Data Processing Agreement (DPA) with appropriate safeguards, is based in a country with an EU adequacy decision, or acts as an independent controller for specific data (e.g., payment processing). For details about a specific provider’s data handling, please contact us at [email protected].

12. Cookies and Local Storage

We use browser localStorage to store your authentication token, user profile cache, theme preference, and language preference. We do not use tracking cookies or third-party advertising cookies. Our analytics provider (Umami) is fully cookie-free. Session tokens for license enforcement are stored server-side and transmitted via HTTP headers — they are not stored in cookies.

13. Your Rights

Under applicable data protection laws (including GDPR), you have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate personal data.
  • Request deletion of your personal data and account.
  • Object to or restrict the processing of your data.
  • Request a copy of your data in a portable format.
  • Withdraw consent for processing based on consent (e.g., marketing emails) at any time, without affecting the lawfulness of processing performed before withdrawal.
  • Lodge a complaint with your local data protection supervisory authority. If you are in Italy, this is the Garante per la Protezione dei Dati Personali (https://www.garanteprivacy.it).

To exercise any of these rights, please contact us at [email protected].

14. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal or similarly significant effects on you. License assignment, session enforcement, and rate limiting are rule-based systems, not AI-driven profiling.

15. Data Retention

We retain your account data for as long as your account is active. Usage data is retained for billing and analytics purposes. License and payment records are business records retained as required for legal and accounting obligations, even after account deletion. Security event logs are retained for up to 12 months. When you delete your account, your personal data will be removed within 30 days, except where retention is required by law.

16. Children’s Privacy

The service is not intended for users under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.

17. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of significant changes via the website or application. The date at the top of this page indicates when the policy was last updated.

18. Contact

If you have any questions about this Privacy Policy or our data practices, please contact us at [email protected].
