Translation Notice: This is a Claude-assisted translation of the lawyer-reviewed German privacy notice (dated 2026-05-20). The German text is the authoritative version of this data protection notice; the current authoritative version is published at https://aaf-prep.com/de/datenschutz/software. This English translation is provided for understanding purposes only. Any divergence between the German and English versions shall be resolved in favor of the German version. For data protection inquiries, please contact kraaz@aa-schmiede.com (privacy matters) or beta@aaf-prep.com (tester support).
Privacy Notice — aaf-Prep Closed Beta
(Registration and Software Use)
Section 1 Controller
(Article 13(1)(a) GDPR / DSGVO)
The party responsible for the processing of personal data through the software aaf-Prep within the meaning of Article 4(7) GDPR / DSGVO is:
aa-Schmiede Owner:
Tobias Kraaz
Luxemburger Straße 281
50939 Cologne
Germany
E-mail: kraaz@aa-schmiede.com
Section 2 Data Protection Officer
There is no obligation to appoint a data protection officer under Section 38 of the BDSG (German Federal Data Protection Act), because aa-Schmiede as a sole proprietorship does not reach the threshold of 20 persons permanently engaged in the automated processing of personal data (Section 38(1) sentence 1 BDSG), does not carry out any processing activities subject to a data protection impact assessment under Article 35 GDPR / DSGVO (Section 38(1) sentence 2 alt. 1 BDSG), and does not carry out any commercial processing for the purpose of transmission, anonymised transmission, or for purposes of market or opinion research (Section 38(1) sentence 2 alt. 2 BDSG). For data protection inquiries, please contact kraaz@aa-schmiede.com directly.
Section 3 Processed Data, Purposes, and Legal Bases
(1) During Beta registration, the Controller processes the following data:
- Name
- Postal address
- E-mail address
(2) The purposes of processing are the identification of the contractual partner and the enabling of correspondence with such partner. The legal bases are Article 6(1)(a) and (b) GDPR / DSGVO.
(3) Within the scope of software use, personal data are processed; the individual data categories, their technical processing, and the respective legal bases are described in Sections 4 and 6.
| No. | Processing | Data | Recipient | Legal Basis |
|---|---|---|---|---|
| 1 | License validation at program start and during license actions | Pseudonymous device fingerprint, license key, License-ID, Machine-ID, IP address | Keygen LLC (USA) — see Section 5 | Article 6(1)(b) GDPR / DSGVO |
| 2 | Local storage of license status | License key, pseudonymous fingerprint, validation timestamp, license status | local file system only — see Section 6 | Article 6(1)(b) GDPR / DSGVO |
| 3 | Local logging (logs) | masked file paths, masked UUIDs, program events | local file system only — see Section 6 | Article 6(1)(f) GDPR / DSGVO |
| 4 | Processing of AAF audio files | technical AAF contents | purely local, no recipients | Article 6(1)(b) GDPR / DSGVO |
(4) The following expressly do not take place: telemetry, crash reporting, analytics, periodic phoning home to the Controller, auto-update mechanism, automatic transmission of AAF contents.
(5) The collected data are not used for advertising outside Closed Beta communication or for market/opinion research. Disclosure to third parties for their own purposes also does not take place.
Section 4 Description of the Individual Data
4.1 Pseudonymous device fingerprint
On program start and during license actions, the software generates a pseudonymous device fingerprint within the meaning of Article 4(5) GDPR / DSGVO:
- Source: a platform-specific hardware identifier (macOS: IOPlatformUUID from ioreg; Windows: MachineGuid from the registry, combined with the BIOS UUID; Linux: /etc/machine-id)
- Processing: cryptographic SHA-256 hash of the identifier
- Purpose: technical binding of the license to a specific device (1-device activation limit)
The hash is a 64-character hexadecimal string without salt. The raw hardware identifiers do not leave the device at any time — the recipient receives only the hash. Re-identification of the device is only possible either through physical access to the hardware or through linking the hash with the license database of the Controller or of Keygen.
4.2 License key
The license key assigned by the Controller is transmitted to Keygen LLC in plaintext on program start and during license actions (required for API authentication). The key is associated with a specific Tester at the Controller; at Keygen the key is additionally linked with the plaintext name of the Tester (see Section 6.3).
4.3 IP address
With every connection to api.keygen.sh (HTTPS/TLS), the IP address of the device is technically transmitted and processed by the recipient in server logs. Under the case law of the Court of Justice of the European Union (CJEU), the IP address is, in principle, considered personal data.
4.4 Locally stored license data
The software stores the license status in a local file ~/.aaf-prep/license.json on the Tester's device:
- Fields: license key (plaintext, required for API calls), License-ID, pseudonymous device fingerprint, timestamp of last validation, license status, where applicable Machine-ID, activation limit, device count, validity
- File permissions: owner read/write via Unix mode 0o600 on POSIX systems; on Windows the standard user profile ACL applies.
- Write operation is atomic (no risk of incomplete saves)
4.5 Local logs
The software writes diagnostic logs to ~/Library/Logs/aaf-Prep/aaf-prep.log (macOS) or the corresponding standard path on other operating systems. Two masking mechanisms apply prior to writing to the log file:
- Path and UUID masking through the SanitizingFormatter: file paths under /Volumes/, /Users/, Windows drive letters, as well as 32-character UUIDs are masked in log messages and tracebacks.
- License key masking through a dedicated helper function: license keys are not written in plaintext in the log messages of the license validation calls.
Logs are automatically rotated (maximum 5 × 1 MB backup files). No transmission to the Controller or to third parties takes place.
4.6 AAF files and other media
AAF files and other media locally integrated within the scope of software use (in particular audio and video files associated with the AAF project) are processed exclusively locally on the Tester's device. No transmission of file contents, metadata, or extracts to the Controller, to Keygen, or to third parties takes place.
Section 5 Recipients and Storage Locations of Registration Data
(Article 13(1)(e) + (f) GDPR / DSGVO)
5.1 Local tester list held by the Controller
The collected data are stored in a local file (table format, Microsoft Excel) on the Controller's device (macOS). On this device, the automatic synchronisation of the standard system directories „Desktop“ and „Documents“ with iCloud Drive is disabled; the tester list is also not held in a directory synchronised by default with the cloud (no Dropbox, OneDrive, Google Drive). The tester list therefore does not leave the local file system via automated cloud backups.
5.2 Email service provider — All-Inkl.com (Processor)
For the sending of emails to testers and for the receipt of tester emails to beta@aaf-prep.com, the Controller uses the German email and hosting provider:
ALL-INKL.COM — Neue Medien Münnich
Owner: René Münnich
Hauptstraße 68
02742 Friedersdorf
Germany
VAT-ID: DE 212657916
Phone: +49 35872 353-10
Website: https://all-inkl.com
- Data center location: „Data center in Germany“ (source: All-Inkl Privacy Notice points 7.1 + 10.5).
- Third-country transfer in the email transmission path: No — email processing takes place in the German data center (All-Inkl Privacy Notice point 7.1). For the separate intermediation of the domain registration aaf-prep.com (.com TLD), under point 7.3 of its own Privacy Notice, All-Inkl may transfer personal data to US registries; such transfer is carried out by All-Inkl on the basis of Standard Contractual Clauses (SCCs). It lies outside the aaf-Prep Closed Beta processing setup of this Privacy Notice and is subject to the All-Inkl Privacy Notice itself.
- Data Processing Agreement: All-Inkl.com acts as Processor within the meaning of Article 28 GDPR / DSGVO. The contractual binding is effected through an electronic Data Processing Agreement (DPA) framework with Standard Contractual Clauses (All-Inkl Privacy Notice point 22.6.2; Article 28(9) GDPR / DSGVO expressly provides for electronic format).
5.3 Mail archive of the Controller
Incoming registration emails to beta@aaf-prep.com and subsequent correspondence with the testers are archived in the Controller's mail account. The mail archive serves:
as evidence of consent granted (Article 7(1) GDPR / DSGVO — obligation to demonstrate consent)
as a documentation basis for the handling of bug reports and support inquiries
Section 6 Third-Party Providers and Recipients in the Context of Software Use (Article 13(1)(e) + (f) GDPR / DSGVO)
6.1 Keygen LLC
For license validation, the Controller uses the service Keygen LLC:
- Registered office: Virginia, USA (server location Amazon AWS US-East)
- Data protection contact: privacy@keygen.sh
- Privacy notice: https://keygen.sh/privacy/
- Security information: https://keygen.sh/security/ (SOC 2 Type II certification)
Data transmitted:
- pseudonymous device fingerprint (SHA-256 hash)
- license key (plaintext, required for API authentication)
- License-ID, Machine-ID
- IP address (implicit with HTTPS connection)
Triggers of the transmission, following initial setup, are exclusively Tester-initiated actions (registration, activation, refresh, deactivation) as well as a one-time validation check on program start. No periodic phoning home or persistent heartbeat takes place.
Legal basis: Article 6(1)(b) GDPR / DSGVO — the transmission is necessary for the performance of the license agreement (EULA) between the Controller and the Tester.
Data Processing relationship: Keygen LLC is Processor within the meaning of Article 28 GDPR / DSGVO. The Data Processing Agreement (DPA) is integrated into the Keygen Standard Terms of Service (Section 12); this is permissible under Article 28(9) GDPR / DSGVO in electronic format.
6.2 Third-country transfer to the USA
(Article 13(1)(f), Article 46 GDPR / DSGVO)
The transmission to Keygen LLC entails a third-country transfer to the USA. As a safeguard within the meaning of Article 46(2)(c) GDPR / DSGVO, the Keygen Terms (Section 12.1.9) incorporate Standard Contractual Clauses (SCCs) of the European Commission.
6.3 Plaintext name entry in the Keygen dashboard
Beyond the transmissions from the app, the Controller manually creates a user object in the Keygen dashboard for each Tester, which contains the plaintext name of the Tester. This entry is not made by the software, but administratively by the Controller outside the app data flow. The plaintext name is linked at Keygen with the license key.
6.4 Sub-Processors of Keygen LLC
Separate data processing agreements exist between Keygen LLC and the following companies: Cloudflare (DNS / WAF / DDoS protection), Stripe (payment processing), Fathom (privacy-friendly analytics), BetterStack (alerting / logs), SendGrid (transactional emails), Heroku (hosting infrastructure), Amazon Web Services (hosting infrastructure), WorkOS (SAML/SSO).
Section 7 Storage Period
(Article 13(2)(a) GDPR / DSGVO)
7.1 Registration data
(1) The registration data stored in the local tester list (Section 5.1) and in the mail archive (Section 5.3) are stored for the duration of the Closed Beta phase. Upon its end, they are deleted without undue delay, unless statutory retention obligations (in particular tax-law and commercial-law retention obligations under Sections 147 of the AO (German Fiscal Code) and 257 of the HGB (German Commercial Code)) preclude this.
(2) Deletion shall take place independently thereof upon Tester request (see Section 8), unless statutory retention obligations preclude this.
7.2 Data at Keygen LLC
- Server logs (Keygen-side): up to 30 days (source: https://keygen.sh/privacy/)
- Account analytics / webhook data: up to 90 days
- License data and user objects (license key + plaintext name): for the duration of the Closed Beta phase. After the termination of the Closed Beta phase, the Tester user objects are deleted by the Controller from the Keygen dashboard.
7.3 Local software files on the Tester's device
The local data referred to under Section 4.4 (license.json) and Section 4.5 (logs) are stored on the Tester's device. Logs are kept in automatic rotation (maximum 5 × 1 MB backup files). Upon termination of the Beta license or uninstallation of the software, the Tester may manually remove the local data through the supplied uninstaller; an automatic deletion by the software does not take place.
Section 8 Withdrawal of Consent
(Article 13(2)(c), Article 7(3) GDPR / DSGVO)
(1) Insofar as processing is based on a consent of the Tester (cf. Section 3(2), Article 6(1)(a) GDPR / DSGVO), such consent may be withdrawn at any time without giving reasons, with effect for the future. The lawfulness of the processing carried out up to the withdrawal remains unaffected.
(2) An informal email to beta@aaf-prep.com is sufficient for withdrawal. Upon receipt of the withdrawal:
- the entry in the tester list is removed
- the assigned license key is deactivated (the installed software no longer validates successfully on next launch)
- the Tester user object in the Keygen dashboard is deleted (plaintext name)
- the mail archive is deleted upon separate request of the Tester, insofar as no statutory retention obligations preclude this
Section 9 Data Subject Rights
(Article 13(2)(b) GDPR / DSGVO)
You have the following rights vis-à-vis the Controller:
- Access (Article 15 GDPR / DSGVO) — which data are processed about you
- Rectification (Article 16 GDPR / DSGVO) — having inaccurate data corrected
- Erasure (Article 17 GDPR / DSGVO, „right to be forgotten“) — insofar as statutory retention obligations do not preclude this
- Restriction of processing (Article 18 GDPR / DSGVO)
- Data portability (Article 20 GDPR / DSGVO)
- Objection to processing on the basis of Article 6(1)(e) or (f) GDPR / DSGVO (Article 21 GDPR / DSGVO), insofar as such processing takes place.
- Right to lodge a complaint with a supervisory authority (Article 77 GDPR / DSGVO)
To exercise these rights, please contact beta@aaf-prep.com.
9.1 Competent supervisory authority
Due to the Controller's registered office in Cologne (North Rhine-Westphalia), the competent data protection supervisory authority is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia
Postal address: Postfach 20 04 44, 40102 Düsseldorf
Visitor address: Kavalleriestraße 2-4, 40213 Düsseldorf
Phone: +49 (0)211 / 38424-0
Fax: +49 (0)211 / 38424-999
E-mail: poststelle@ldi.nrw.de
Web: https://www.ldi.nrw.de
Section 10 Necessity of Data Provision
(Article 13(2)(e) GDPR / DSGVO)
Without the processing of the data, identification of the contractual partner and performance of the contract are not possible.
Section 11 No Automated Decision-Making
(Article 13(2)(f) GDPR / DSGVO)
Automated decision-making, including profiling within the meaning of Article 22 GDPR / DSGVO, does not take place.
Section 12 Data Security
(Article 32 GDPR / DSGVO)
12.1 Security measures on the registration data path
Email transmission generally takes place via the standard encryption mechanisms of the mail servers involved (transport encryption via TLS, insofar as the sender's mail server supports this).
The local tester list is stored on a device with standard user profile protection; the automatic cloud synchronisation of the relevant directories is disabled (see Section 5.1).
All-Inkl.com applies standard security measures of a German email and hosting provider (see https://all-inkl.com/datenschutz/).
12.2 Security measures on the software data path
The Controller and his Processor Keygen LLC take technical and organisational measures to ensure a level of protection appropriate to the risk:
- Pseudonymisation (Article 32(1)(a) GDPR / DSGVO): hardware identifiers are processed as SHA-256 hash prior to transmission; plaintext identifiers do not leave the device.
- Encryption in transit: all transmissions to api.keygen.sh take place exclusively via HTTPS/TLS.
- Confidentiality, integrity, availability (Article 32(1)(b) GDPR / DSGVO): local license data are protected with file system permissions (owner read/write via Unix mode 0o600 on POSIX systems; on Windows the standard user profile ACL applies); logs are automatically sanitised prior to writing (masking of sensitive paths and UUIDs).
- At the Processor Keygen LLC: SOC 2 Type II certification (see https://keygen.sh/security/); general security obligation in Keygen Terms 12.1.5.
Section 13 Changes to this Privacy Notice
With ongoing further development of the software or changes in the legal situation, an update of this Privacy Notice may become necessary. The version applicable in each case is published at https://aaf-prep.com/en/privacy/software and, in case of material changes, communicated to the testers by email.
← back to homepage