Privacy Policy
Last updated: April 30, 2026. Effective date: April 30, 2026
1. Introduction
Humming Studios, LLC (“we”, “us”, “our”, or “Humming Studios”) respects your privacy and is committed to protecting your personal data. This Privacy Policy explains what personal information we collect, how we use it, who we share it with, the legal bases on which we rely, the rights available to you, and how to contact us.
This Privacy Policy applies to information we collect:
- On our website at www.hummingstudios.com and any subdomains (the “Website”).
- Through email, SMS/text messaging, telephone calls, video conferencing, and other electronic communications between you and us.
- In the course of providing our web development, design, consulting, and related professional services (the “Services”).
- Through web/written intake forms, discovery calls, contracts, invoices, and project communications.
This Privacy Policy is designed to comply with applicable data protection laws including the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG), the German Telecommunications-Telemedia Data Protection Act (TTDSG), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Utah Consumer Privacy Act (UCPA), the Children’s Online Privacy Protection Act (COPPA), the Telephone Consumer Protection Act (TCPA), the CAN-SPAM Act, and applicable 10DLC SMS regulations.
By accessing or using our Website or Services, you acknowledge that you have read and understood this Privacy Policy.
2. Data Controller and Contact Information
The “data controller” responsible for your personal data under the GDPR and BDSG, and the “business” responsible under U.S. state privacy laws, is:
Humming Studios, LLC
Email: [email protected]
Phone: +1 843 240 0015
Website: www.hummingstudios.com
For privacy-related inquiries, including requests to exercise your rights, please contact:
Privacy Contact Email: [email protected] (or [email protected] if a dedicated address is not yet active)
EU/EEA and UK Representatives
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland and have questions about this Privacy Policy or our data practices, you may contact us using the details above. We will respond to your inquiry in accordance with applicable law.
3. Information We Collect
We collect the following categories of personal data:
a) Information you provide directly to us:
- Identity and contact information: name, email address, telephone/mobile number, postal address, company name, job title.
- Account and project information: login credentials (where applicable), project briefs, design preferences, file uploads, content for your website.
- Communication content: messages, emails, SMS/text messages, call recordings (where lawful and disclosed), meeting notes, and feedback.
- Billing and payment information: billing address, tax identification number where required, and payment method information processed through third-party payment processors (we do not store full payment card numbers).
- Marketing preferences: your consent or opt-out choices regarding marketing emails, SMS, newsletters, and similar communications.
b) Information collected automatically:
- Log and device data: IP address, browser type and version, operating system, referring URLs, pages visited, time and date of visits, time spent on pages, language preferences.
- Cookies, pixels, and similar tracking technologies (see Section 7).
- Approximate geolocation derived from IP address.
c) Information from third parties:
- Information from analytics providers, hosting providers, advertising platforms, and CRM/marketing tools used by us.
- Publicly available information from professional networks (e.g., LinkedIn) when you contact us about a potential engagement.
- Referral information when an existing client or partner refers you to us.
We do not knowingly collect or process special categories of personal data (such as health data, racial or ethnic origin, religious beliefs, biometric data, or sexual orientation) under Article 9 GDPR. Please do not submit such information to us.
4. How We Use Your Information and Legal Bases (GDPR Art. 6)
We process your personal data for the following purposes and rely on the following legal bases under the GDPR:
| Purpose | Legal Basis |
|---|---|
| Responding to inquiries, providing quotes, and pre-contractual communications | Art. 6(1)(b) – steps prior to entering a contract |
| Delivering our web development and design Services | Art. 6(1)(b) – performance of a contract |
| Sending invoices, processing payments, accounting and tax compliance | Art. 6(1)(c) – legal obligation; Art. 6(1)(b) – contract |
| Sending SMS/text messages with project updates, reminders, and account notifications | Art. 6(1)(a) – consent; and TCPA/10DLC requirements |
| Sending marketing emails and newsletters | Art. 6(1)(a) – consent (or Art. 6(1)(f) for existing customers under § 7(3) UWG / soft opt-in where applicable) |
| Operating, securing, and improving the Website | Art. 6(1)(f) – legitimate interest in a functioning, secure website |
| Analytics and performance measurement | Art. 6(1)(a) – consent (where required by TTDSG/ePrivacy) |
| Detecting and preventing fraud, abuse, or security incidents | Art. 6(1)(f) – legitimate interest |
| Defending or pursuing legal claims | Art. 6(1)(f) – legitimate interest; Art. 6(1)(c) – legal obligation |
For users in the United States, we process personal data as necessary to provide our Services, fulfill our contractual obligations, comply with applicable laws, and pursue our legitimate business interests.
You have the right to withdraw any consent you provide at any time, without affecting the lawfulness of processing carried out before withdrawal.
5. SMS/Text Messaging Disclosures (TCPA & 10DLC)
No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. Information related to text messaging originator opt-in data and consent will not be shared with any third party for any purpose.
We send SMS/text messages only to recipients who have provided express consent through one or more of the following methods: verbal consent during calls or meetings, inbound SMS to our number, opt-in via web form on the Website, written agreement, or email confirmation.
When we collect a phone number through a web form for the purpose of SMS communication, the form will display a clear disclosure stating: the program name (Humming Studios, LLC); the type of messages sent; that message frequency may vary; that message and data rates may apply; that recipients can reply HELP for help and STOP to opt out; and a link to this Privacy Policy.
Message frequency typically ranges from 2 to 6 messages per month. Standard message and data rates may apply.
To opt out of SMS at any time, reply STOP to any message you receive from us. To request help, reply HELP. You may also contact us at the addresses in Section 2 to manage your SMS preferences.
We retain SMS opt-in consent records for compliance and audit purposes for the duration of our relationship and for a reasonable period thereafter (see Section 10).
6. Email and Marketing Communications (CAN-SPAM, GDPR, UWG)
We send marketing emails only to recipients who have either: (a) provided affirmative opt-in consent, or (b) qualify under a legally permitted exception (e.g., the soft opt-in for existing customers under § 7(3) of the German Act Against Unfair Competition (UWG), where conditions are met).
Every marketing email contains an unsubscribe link and our postal contact information, in compliance with the CAN-SPAM Act. To unsubscribe, click the link in any email or contact us at [email protected].
For recipients in Germany and the EU, we honor opt-out requests promptly and without charge.
7. Cookies, Tracking Technologies, and TTDSG/ePrivacy
We use cookies and similar technologies (pixels, local storage, SDKs) to operate the Website, remember your preferences, measure performance, and (where consented) deliver marketing.
In compliance with § 25 TTDSG and the ePrivacy Directive, we obtain prior consent through our cookie banner before storing or accessing any non-essential information on your device. Strictly necessary cookies (e.g., session, security, load-balancing, consent state) are deployed without consent because they are required to provide the service you have requested.
You can manage your preferences at any time via the cookie banner / cookie settings link on the Website, or by configuring your browser to refuse cookies. Refusing non-essential cookies will not affect access to the Website but may limit certain features.
The categories of cookies we use include:
- Strictly necessary (always active).
- Functional / preferences (consent-based).
- Analytics / performance (consent-based).
- Marketing / advertising (consent-based, where used).
A full, current list of cookies and providers is available in our cookie banner / cookie preferences panel.
8. How We Share Your Information
We do not sell your personal information. We do not share mobile phone numbers, SMS opt-in data, or SMS consent records with third parties or affiliates for marketing or lead-generation purposes.
We share personal data only with:
- Service providers / processors (Art. 28 GDPR) acting on our documented instructions – for example, web hosting, email delivery, analytics, payment processing, CRM, project management, and accounting providers. These providers are contractually bound to protect your data and process it only for the purposes we specify.
- Professional advisors such as lawyers, accountants, auditors, and insurers, where reasonably necessary.
- Authorities and regulators when required by law, court order, lawful government request, or to protect our rights, safety, or property, or those of others.
- Business transfers in connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, in which case we will require recipients to honor this Privacy Policy or notify you of any material change.
A list of our key sub-processors is available on request by emailing [email protected].
9. International Data Transfers
We are based in the United States. If you access our Website or Services from outside the United States, your personal data will be transferred to, stored, and processed in the United States and possibly other countries.
When we transfer personal data of EU/EEA, UK, or Swiss data subjects outside of these regions to a country not deemed adequate by the European Commission, we rely on appropriate safeguards, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914), supplemented where necessary with additional technical and organizational measures following the EDPB’s recommendations on supplementary measures.
- The EU-U.S. Data Privacy Framework and its UK Extension and Swiss-U.S. extension, where the recipient is certified.
- Other lawful transfer mechanisms under Chapter V GDPR.
You may request a copy of the safeguards in place by contacting us at [email protected].
10. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, tax, or reporting requirements.
Typical retention periods:
- Inquiry and prospect data: up to 24 months from last contact, unless a contract is concluded.
- Client and project records: for the duration of the engagement and up to 10 years thereafter to comply with German commercial and tax retention obligations (§ 257 HGB, § 147 AO) or applicable U.S. equivalents.
- Accounting and invoicing data: 10 years from the end of the relevant fiscal year (Germany) / 7 years (typical U.S. standard).
- Marketing consent and opt-out records: for the duration of consent plus a reasonable period after opt-out to demonstrate compliance.
- SMS opt-in/opt-out records: retained throughout the relationship and for a reasonable period thereafter to comply with TCPA and 10DLC requirements.
- Website logs and analytics data: typically up to 14 months.
When personal data is no longer needed, we delete or irreversibly anonymize it.
11. Your Rights Under the GDPR / BDSG (EU, EEA, UK, Switzerland)
If you are located in the EEA, UK, or Switzerland, you have the following rights:
- Right of access (Art. 15) – obtain confirmation of whether we process your data and a copy of it.
- Right to rectification (Art. 16) – have inaccurate or incomplete data corrected.
- Right to erasure / “right to be forgotten” (Art. 17).
- Right to restriction of processing (Art. 18).
- Right to data portability (Art. 20).
- Right to object (Art. 21), including objection to direct marketing at any time.
- Right to withdraw consent at any time (Art. 7(3)) without affecting prior lawful processing.
- Right not to be subject to solely automated decisions that produce legal or similarly significant effects (Art. 22). We do not engage in such decision-making.
To exercise these rights, contact [email protected]. We will respond within one month, extendable by two further months for complex or numerous requests, in accordance with Art. 12 GDPR.
You also have the right to lodge a complaint with a supervisory authority. In Germany, the competent supervisory authority depends on your state of residence; a list is available at https://www.bfdi.bund.de. The lead authority for our hypothetical EU establishment, where applicable, will be communicated upon request.
12. Your Rights Under U.S. State Privacy Laws
a) California Residents (CCPA / CPRA)
If you are a California resident, you have the following rights:
- Right to know what categories and specific pieces of personal information we collect, use, disclose, and (if applicable) sell or share.
- Right to delete personal information we collected from you, subject to certain exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing of personal information. We do not sell your personal information and do not share it for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA.
- Right to limit use of sensitive personal information. We do not use sensitive personal information for purposes that would trigger this right.
- Right to non-discrimination for exercising your rights.
We do not knowingly sell or share the personal information of consumers under 16 years of age.
To submit a request, email [email protected] or call +1 843 240 0015. We will verify your identity using information already in our records (e.g., matching email, phone number, or project reference) before fulfilling your request. You may use an authorized agent to submit a request on your behalf with written, signed permission.
b) Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and Other State Residents
Depending on your state of residence, you may have rights to access, correct, delete, port, and opt out of targeted advertising, sale, or certain profiling. We honor verifiable consumer requests submitted via the channels listed above. If we deny a request, you may have the right to appeal; instructions for appeal will be provided in the denial response.
c) “Shine the Light” – California Civil Code § 1798.83
California residents may request information about disclosures of personal information to third parties for those third parties’ direct marketing purposes. We do not make such disclosures.
13. Children’s Privacy (COPPA & GDPR Art. 8)
Our Website and Services are not directed to children under the age of 16, and we do not knowingly collect personal information from children under 16 (under 13 for purposes of COPPA, and under 16 in line with GDPR Art. 8 and § 25 BDSG).
If you are a parent or legal guardian and believe your child has provided us personal information, contact us at [email protected] and we will promptly delete the information.
14. Security
We implement appropriate technical and organizational measures (TOMs) under Art. 32 GDPR to protect your personal data, including: encryption in transit (TLS), access controls, authentication, regular software updates, secure backups, vendor due diligence, and staff training. Despite these measures, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
In the event of a personal data breach affecting your data, we will notify the competent supervisory authority within 72 hours where required by Art. 33 GDPR, and notify affected data subjects without undue delay where required by Art. 34 GDPR or applicable U.S. state breach-notification laws.
15. Automated Decision-Making and Profiling
We do not use your personal data for automated decision-making that produces legal or similarly significant effects within the meaning of Art. 22 GDPR.
16. Links to Third-Party Sites
Our Website may contain links to websites or services not operated by us. We are not responsible for the content, privacy policies, or practices of any third-party site. We encourage you to review the privacy policy of every site you visit before providing any personal information.
17. Do Not Track and Global Privacy Control
Our Website does not respond to “Do Not Track” (DNT) browser signals because no industry standard has been finalized. Where required by law (e.g., CCPA/CPRA), we honor recognized opt-out preference signals such as the Global Privacy Control (GPC) as a request to opt out of sale or sharing of personal information.
18. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will post the updated Privacy Policy on this page and update the “Last updated” date. Where the changes are material, we will provide additional notice (such as by email or a prominent notice on the Website).
19. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data:
Humming Studios, LLC
Email: [email protected] (or [email protected])
Phone: +1 843 240 0015
Website: www.hummingstudios.com