Cool idea, but what happens with the data?

[drsyncenstein]

What the title says. What happens with the data that is collected from my machine?
I'm thinking mostly privacy. But the program might find pirated plugins too.

[NateKVR]

What the title says. What happens with the data that is collected from my machine?
I'm thinking mostly privacy. But the program might find pirated plugins too.

The only data collected is common meta data from VST plugins (developer; category; format etc.) and basic system info (OS, Memory, CPU etc.). This is matched with the database and the MyKVR section of your account (Which has been around for ages already) and is only used to update the database, your lists and identify areas that need work (ie. many users scanmning a plugin that we don't list will pompt us to prioritize getting it listed.)

As for the piracy issue... we'd prefer it if folks didn't pirate software, but if you do thats your decision to make. We are not here to police it despite our opinions on it, outside of it being discussed in the forums of course. As for KSM detecing pirated software, our scanner is no different to any plugin scanner that runs in any DAW. If you're fine loading pirated plugins in a DAW on your system, using KSM would make literally no difference.

[drsyncenstein]

Thanks for replying.
I'm fine as long as data is not shared or sold to other interested parties, nor used for targeted advertising.

[audiojunkie]

Why no Linux version?

[BackInCheck]

Well, it seems that more than just plugin-related metadata is being collected! Are you sure you are compliant with privacy regulations? I don't think that you should collect the Machine ID of users without their consent!

[Teksonik]

"Trust us. We'll respect your data".....No, not in 2024. I don't trust anyone, not even KVR.

The fact that KVR's "Advertising Manager" is involved is enough of a clue for me.

[audiojunkie]

"Trust us. We'll respect your data".....No, not in 2024. I don't trust anyone, not even KVR.

The fact that KVR's "Advertising Manager" is involved is enough of a clue for me.

Oooh! Good point!

[NateKVR]

"Trust us. We'll respect your data".....No, not in 2024. I don't trust anyone, not even KVR.

The fact that KVR's "Advertising Manager" is involved is enough of a clue for me.

Full disclosure, I started off with KVR due my career at the time being upended due to covid, assisting them with, yes, ad sales. I've stuck around though for the last 3 years. We’re a small team and I am now also involved in pretty much everything from the running of the marketplace, news feeds, graphic design work and product managing the KVR Studio manager.

My background isn’t in advertising. I’ve been a musician and performing artist for over 20 years under the name Protoculture, a sound designer for a number of plugin developers, and create content part time for Sonic Academy. I’m just stating that for my sake since you’re making assumptions based purely on an outdated title.

I do totally understand your position.. It’s warranted in this day and age, sure. If there is a trust issue, you really are under no obligation to use the app.

As for the machine ID… one of the features is being able to create groups for multiple systems within your MyKVR. The groups are created from the computer name to differentiate between scans. This also allows you to compare systems, create snapshots and view the history for both of them. Personally I don’t really see how this is different from say, licensing a DAW to your Computer via a Machine ID.

If you have further concerns, here is the section on data & privacy from the EULA you accept when installing the software.

8. Personal Data and Privacy Protection In order to use the Software you must create an account at www.kvraudio.com. KVR may collect your contact information and other information that you choose to provide, including but not limited to salutation, name, company, address, e-mail address, phone number, website, forum name, and information about registered products. When you use the Software, KVR may collect data about your computer’s hardware and operating system, and your provided email address. KVR collects, stores and processes your personal data for providing a service to you. In this context KVR may transmit certain information to commissioned third parties. These partners will also maintain a similar privacy statement. KVR will only contact you based on the stored data if you have given your consent to do so (e.g., by subscribing to a newsletter). KVR may aggregate or anonymize your plugin data to create statistical or demographic information that cannot be linked back to you. We may use and disclose such aggregated or anonymized data for any purpose. Your user data will be stored as long as you are a registered KVR member. Registered members may request the deletion of their data at any time.

[NateKVR]

Furthermore, anyone who isn’t comfortable with the Machine ID being stored, it is only used to create the group for KSM in your MyKVR page. You can follow the steps below to delete it.

Check the burger icon top left of the website.
Go to MyKVR in the menu.
You should see your computer name in the lists on the left.
Click the group, and you should see a little blue 'manage' tab with a gear icon.
Click that and choose the option to delete the group.

[ghettosynth]

Furthermore, anyone who isn’t comfortable with the Machine ID being stored, it is only used to create the group for KSM in your MyKVR page. You can follow the steps below to delete it.

Deleting it isn't the point. Once sent, you have it. Are we to believe that there's no record of the machine ID?

If it's only used to tag a group, why not just ask the user for a named tag that they're comfortable with sharing? MainStudioPC conveys far less information than machine ID. The latter is useful to advertisers, the former less so.

If there's only one computer, the you can give the group a default name.

[drsyncenstein]

"Trust us. We'll respect your data".....No, not in 2024. I don't trust anyone, not even KVR.

The fact that KVR's "Advertising Manager" is involved is enough of a clue for me.

Full disclosure, I started off with KVR due my career at the time being upended due to covid, assisting them with, yes, ad sales. I've stuck around though for the last 3 years. We’re a small team and I am now also involved in pretty much everything from the running of the marketplace, news feeds, graphic design work and product managing the KVR Studio manager.

My background isn’t in advertising. I’ve been a musician and performing artist for over 20 years under the name Protoculture, a sound designer for a number of plugin developers, and create content part time for Sonic Academy. I’m just stating that for my sake since you’re making assumptions based purely on an outdated title.

I do totally understand your position.. It’s warranted in this day and age, sure. If there is a trust issue, you really are under no obligation to use the app.

As for the machine ID… one of the features is being able to create groups for multiple systems within your MyKVR. The groups are created from the computer name to differentiate between scans. This also allows you to compare systems, create snapshots and view the history for both of them. Personally I don’t really see how this is different from say, licensing a DAW to your Computer via a Machine ID.

If you have further concerns, here is the section on data & privacy from the EULA you accept when installing the software.

8. Personal Data and Privacy Protection In order to use the Software you must create an account at www.kvraudio.com. KVR may collect your contact information and other information that you choose to provide, including but not limited to salutation, name, company, address, e-mail address, phone number, website, forum name, and information about registered products. When you use the Software, KVR may collect data about your computer’s hardware and operating system, and your provided email address. KVR collects, stores and processes your personal data for providing a service to you. In this context KVR may transmit certain information to commissioned third parties. These partners will also maintain a similar privacy statement. KVR will only contact you based on the stored data if you have given your consent to do so (e.g., by subscribing to a newsletter). KVR may aggregate or anonymize your plugin data to create statistical or demographic information that cannot be linked back to you. We may use and disclose such aggregated or anonymized data for any purpose. Your user data will be stored as long as you are a registered KVR member. Registered members may request the deletion of their data at any time.

Thanks for your openness.
However this transfers personal data of your EU users to the US.
This might be enough for US citizens, but i doubt it fully complies with GDPR.
KVR collects, stores and processes your personal data for providing a service to you. In this context KVR may transmit certain information to commissioned third parties.
Certain information to third parties is too general. You can only do that as part of the service when it is necessary for providing the service. There are strict rules for that. Making money is not a valid reason. A EULA is probably not the explicit consent a EU users would have to give, assuming the legal basis is consent.
These partners will also maintain a similar privacy statement. By sharing personal data with partners, the responsability is not transferred to the partners.
A machine ID is personal data, so is an IP address.
We may use and disclose such aggregated or anonymized data for any purpose But not if the aggregated information is not pseudomized.

[NateKVR]

Furthermore, anyone who isn’t comfortable with the Machine ID being stored, it is only used to create the group for KSM in your MyKVR page. You can follow the steps below to delete it.

Deleting it isn't the point. Once sent, you have it. Are we to believe that there's no record of the machine ID?

If it's only used to tag a group, why not just ask the user for a named tag that they're comfortable with sharing? MainStudioPC conveys far less information than machine ID. The latter is useful to advertisers, the former less so.

If there's only one computer, the you can give the group a default name.

I'm not entirely sure what you think can be done with a Machine ID. It is an identifier, nothing more and really pretty safe to share. Plenty of info out there in this regard.

As for ad targeting, again, not sure what you think can be done with a machine ID. We serve mostly internal ads at KVR Audio, static, with zero targeting. We have 4 banners that run Google ads on the site. If you don’t like those, you can use an ad blocker.

I’m really trying to be as forthcoming as I can here. We put a lot of hard work into this and I would rather focus my attention on ironing out the bugs and making this app a useful tool to our members. We'd hate to see you go and I honestly don't mean to sound confrontational, but if it is a huge issue for you, send a mail to contactus(at)kvraudio.com and ask to have your KVR account deleted as is your right.

[NateKVR]

Thanks for your openness.
However this transfers personal data of your EU users to the US.
This might be enough for US citizens, but i doubt it fully complies with GDPR.
KVR collects, stores and processes your personal data for providing a service to you. In this context KVR may transmit certain information to commissioned third parties.
Certain information to third parties is too general. You can only do that as part of the service when it is necessary for providing the service. There are strict rules for that. Making money is not a valid reason. A EULA is probably not the explicit consent a EU users would have to give, assuming the legal basis is consent.
These partners will also maintain a similar privacy statement. By sharing personal data with partners, the responsability is not transferred to the partners.
A machine ID is personal data, so is an IP address.
We may use and disclose such aggregated or anonymized data for any purpose But not if the aggregated information is not pseudomized.

Appreciate your candour and insight, thanks. Let me check in with the rest of the team this week and take a look at how we can possibly improve on this or clarify things better.

[ghettosynth]

I'm not entirely sure what you think can be done with a Machine ID. It is an identifier, nothing more and really pretty safe to share. Google it. Plenty of info out there.

As has been explained to you:

A machine ID is personal data, so is an IP address.

You come across as out of touch on privacy issues. I'm not really interested in your opinion on what is "safe to share." What is a good approach is to share only what's necessary and, based on what you've said so far, gathering machineID isn't necessary. So, it's good privacy practice to question your practice of gathering unnecessary information.

[drsyncenstein]

The tone could be a little more friendly

You could for example ask instead;
have you designed this based on the principle of "privacy by design"?
is the software designed on the principle of "Data minimisation"

(Data minimisation is a fundamental principle under the GDPR. It means that you only should collect and process personal data that is absolutely necessary to fulfil your purpose. You need to implement internal procedures and routines to review this on a regular basis.)