Privacy Policy
Last updated: April 1, 2026
This Privacy Policy explains how Castle 11 Labs, LLC ("Castle 11 Labs," "we," "us," or "our") collects, uses, and shares personal information when you visit castle11labs.com (the "Site"), purchase or use our products, join our waitlist, or contact us.
For the purposes of the EU and UK General Data Protection Regulation ("GDPR"), Castle 11 Labs, LLC is the data controller. Our contact details are at the end of this Policy.
The short version: we collect only what we need to run an online software store — your email, your purchases, and your license activations. We use cookieless analytics, we don't run advertising pixels or ad networks, we don't do cross-site tracking, and we never sell your personal information.
1. Information We Collect
Account information. If you create an account, we collect your email address and, optionally, your first and last name. You can register with an email and password or by signing in with Google or Apple; if you use Google or Apple sign-in, we receive your email address (and name, if you share it) from that provider. Passwords are handled by our authentication provider and stored only in hashed form.
Purchase and payment information. Payments are processed by Stripe. We never receive or store your card number. We store the Stripe checkout session and payment identifiers, the product purchased, the amount paid, and refund status. If you purchase without an account (guest checkout), we associate the purchase with the email address you provide, so you can claim it into an account later using that same email.
Licensing information. We generate and store your license keys and track machine activations against your activation limit. When you activate a product on a machine, we may process a machine identifier such as a hostname or device fingerprint solely to count activations and enforce the activation limit.
Email and communications. We use your email address to send transactional messages (receipts, license delivery, account and security notices). We send marketing email only if you opt in via an unticked checkbox; every marketing email includes a one-click unsubscribe link, which we honor.
Waitlist. If you join a pre-launch waitlist, we collect your email address and the product you are interested in.
Support. If you contact support, we collect your name, email address, and the content of your messages.
Analytics. We use Vercel Web Analytics, which is cookieless and privacy-focused: it does not use cookies or persistent identifiers, does not track you across sites, and gives us only aggregated page-view and visitor statistics.
Cookies. We use only strictly necessary cookies: session and authentication cookies that keep you signed in and keep the Site working. We do not use advertising, tracking, or third-party analytics cookies, which is why the Site does not show a cookie consent banner.
We do not knowingly collect any special categories of personal data.
2. How We Use Information, and Legal Bases
| Purpose | Data used | Legal basis (GDPR) |
|---|---|---|
| Providing your account and signing you in | Account information, auth cookies | Performance of a contract |
| Processing purchases, delivering products and license keys, handling refunds | Purchase, payment, and licensing information | Performance of a contract |
| Enforcing license activation limits and preventing license fraud | Licensing information, machine identifiers | Performance of a contract; legitimate interest in protecting our products |
| Sending transactional email (receipts, license delivery, security notices) | Email address | Performance of a contract; legitimate interest |
| Sending marketing email | Email address | Consent (opt-in; withdraw anytime via unsubscribe) |
| Operating the waitlist | Email address, product interest | Consent / steps prior to a contract |
| Responding to support requests | Support information | Performance of a contract; legitimate interest |
| Understanding aggregate Site usage | Cookieless analytics | Legitimate interest in improving the Site |
| Complying with legal obligations (tax, accounting, lawful requests) | Purchase records | Legal obligation |
| Establishing or defending legal claims | Relevant records | Legitimate interest |
We do not use your personal information for automated decision-making that produces legal or similarly significant effects, and we do not use it for cross-site behavioral advertising.
3. How We Share Information
We share personal information only with:
Service providers (processors). Companies that process data on our behalf, under contracts limiting their use of it to providing services to us. We use providers in the following categories; the named provider is current as of the "Last updated" date, and we may replace a provider with another performing the same function under equivalent safeguards:
| Function | Current provider |
|---|---|
| Hosting, content delivery, and web analytics | Vercel |
| Database and authentication | Supabase |
| Payment processing | Stripe |
| Transactional and marketing email | Resend |
| File storage and download delivery | Cloudflare (R2) |
| License key validation | Keygen |
Sign-in providers. If you choose Google or Apple sign-in, those providers process your sign-in under their own privacy policies.
Legal and safety. We may disclose information if required by law or legal process, or as reasonably necessary to protect the rights, safety, or property of Castle 11 Labs, our users, or the public.
Business transfers. If Castle 11 Labs is involved in a merger, acquisition, or sale of assets, personal information may be transferred as part of that transaction, subject to this Policy's commitments.
We do not sell personal information, and we do not share it for cross-context behavioral advertising.
4. International Transfers
We are based in the United States, and our service providers process data primarily in the United States. If you are in the EU, UK, or another jurisdiction with data transfer restrictions, your personal information will be transferred to the United States. We rely on appropriate safeguards for these transfers: we have data processing agreements in place with our service providers that incorporate the European Commission's Standard Contractual Clauses (and the UK addendum) or rely on the provider's certification under the EU–U.S. Data Privacy Framework. You can request more information about these safeguards, or a copy of the relevant clauses, using the contact details below.
5. Retention
We keep personal information only as long as needed for the purposes above:
- Account data — for as long as your account exists, then deleted or anonymized within a reasonable period after account deletion.
- Purchase and license records — for as long as your license is active, and as required for tax, accounting, and legal purposes (typically 7 years for transaction records). Because licenses are perpetual, license records are kept for the life of the license.
- Marketing consent and waitlist data — until you unsubscribe or withdraw consent; we keep a minimal suppression record afterward so we don't email you again.
- Support tickets — for up to 3 years after resolution.
- Analytics — aggregated and not tied to you.
6. Your Rights
Everyone. You can unsubscribe from marketing email at any time using the one-click link in any marketing message, and you can contact us to access, correct, or delete your information.
EU and UK. If you are in the EU or UK, you have the right to access, rectify, and erase your personal data; to restrict or object to its processing (including an absolute right to object to direct marketing); to data portability; and to withdraw consent at any time without affecting prior processing. You also have the right to lodge a complaint with your data protection supervisory authority (in the UK, the Information Commissioner's Office).
US states. Depending on your state (for example, California), you may have rights to know, access, correct, and delete personal information, and the right not to be discriminated against for exercising them. We do not sell personal information or share it for targeted advertising, so there is nothing to opt out of on that front.
To exercise any right, email legal@castle11labs.com. We will verify your request (normally by confirming control of the email address associated with your data) and respond within the time required by applicable law. Note that we may need to retain certain records (for example, purchase records) where the law requires or permits it, and deleting your licensing data may make your license impossible to support or restore.
7. Security
We take reasonable technical and organizational measures to protect personal information, including encryption in transit, access controls, and reliance on established infrastructure providers. Card data is handled entirely by Stripe and never touches our systems. No system is perfectly secure; if a breach occurs that affects your personal data, we will notify you and regulators as required by law.
8. Children
The Site is not directed to children under 13, and we do not knowingly collect personal information from children under 13 (or under the higher age at which a child can consent to data processing in your country, where that applies). If you believe a child has provided us personal information, contact us and we will delete it.
9. Changes to This Policy
We may update this Policy from time to time. We will post the updated version on the Site with a new "Last updated" date and, for material changes affecting existing customers, notify you by email. The current version always applies.
10. Contact
Castle 11 Labs, LLC 169 Madison Ave, STE 58067 New York, NY 10016 legal@castle11labs.com