Privacy Policy
Last updated: April 27, 2026
D2 Software LLC ("we", "us", "our") operates GPUCtrl (the "Service"), a desktop launcher for GPU-accelerated workflows, and the website at gpuctrl.com. This Privacy Policy explains what information we collect, how we use it, and the rights you have over it.
If anything here is unclear, email us at gpuctrl@gmail.com.
1. Who we are
D2 Software LLC is a North Carolina, USA limited liability company. We are the data controller for the personal information described in this policy.
2. Information we collect
Account information
- Your email address — used as your login identifier and for transactional email.
- A password, stored only as a salted bcrypt hash by our authentication provider. We never see, store, or transmit your password in plain text.
License and trial information
- Trial start and end dates.
- License status (trial, active, expired).
- Date and order ID of any purchase.
Device information
When you sign in to GPUCtrl on a device, the desktop application registers that device with our backend so we can enforce the per-license device limit. We collect:
- A device name (chosen by you or read from your operating system).
- Operating system and version.
- A hashed hardware identifier. The hash is one-way and cannot be reversed to identify your specific hardware.
- Timestamps for device registration, last activity, and sign-out.
Payment information
We do not collect or store payment card details. All payments are processed by Lemon Squeezy (lemonsqueezy.com), our payment processor and merchant of record. From them we receive only your purchase confirmation, billing email, and an order ID.
Technical and access data
- IP address (transient — used by our auth provider for rate limiting and abuse detection).
- Approximate timestamp of authentication events.
- Standard server logs from our website host.
We do not run third-party analytics, advertising trackers, or session-recording tools on this site.
Sensitive personal information
We do not collect "sensitive personal information" as defined under the California Consumer Privacy Act — including Social Security number, precise geolocation, biometric or genetic data, health information, racial or ethnic origin, religious beliefs, account credentials for other services, or the contents of private communications. We have no need for any of it to operate the Service.
3. How we use your information
- To create and authenticate your account.
- To enforce the device limit included with your license.
- To provide customer support.
- To send transactional emails (account verification, password reset, license confirmation, refund confirmation).
- To detect and prevent abuse, fraud, and unauthorized access.
- To comply with legal obligations such as tax recordkeeping and lawful requests.
We do not use your data to train machine learning models, profile you for advertising, or sell it to anyone.
Marketing. We do not send marketing or promotional email by default. If we ever launch an opt-in newsletter or product-update list, you'll opt in explicitly and every message will include a one-click unsubscribe link.
Automated decisions. We do not make decisions about you using only automated processing where those decisions have legal or similarly significant effects. Our abuse-detection systems may flag accounts for human review, but the final decision is always made by a person.
Aggregated data. We may use de-identified or aggregated statistics — for example, "X% of users run NVIDIA GPUs" — that cannot reasonably be linked back to you, including for research and to improve the Service.
4. Legal bases (EEA, UK, and Swiss users)
Where the GDPR or UK GDPR applies, we rely on the following legal bases:
- Performance of a contract — to provide the Service you signed up for.
- Legitimate interests — to secure the Service against abuse and improve it.
- Legal obligation — to retain payment records and respond to lawful requests.
- Consent — for any optional communications. You can withdraw consent at any time.
5. Sub-processors
We share data only with the following service providers, each contractually obligated to protect it:
| Sub-processor | Purpose | Region |
|---|---|---|
| Supabase Inc. | Authentication, database, edge functions | USA |
| Netlify Inc. | Website hosting | Global CDN |
| Lemon Squeezy | Payment processing, sales-tax handling, invoicing | USA |
We may also disclose information when legally required (court order, subpoena) or where necessary to protect our rights, property, or the safety of others.
Business transfers. If D2 Software LLC is acquired, merged, sold, or files for bankruptcy, your personal information may be transferred to the acquiring or successor entity as part of that transaction. We will notify you by email beforehand; the acquirer's handling of your data will continue to be governed by a privacy policy at least as protective as this one, or you may delete your account before the transfer takes effect.
Third-party links. This site and the GPUCtrl application link to third-party services (for example, Lemon Squeezy checkout and the GitHub releases page). When you follow those links you become subject to their own privacy practices. We are not responsible for the privacy practices of any third party.
6. International data transfers
Our infrastructure is located in the United States. If you are using GPUCtrl from outside the US (including the EEA, UK, or Switzerland), your data will be transferred to and processed in the US. We rely on Standard Contractual Clauses or equivalent mechanisms with our sub-processors where required.
7. How long we keep your data
- Account data — for as long as your account is active, plus 30 days after deletion to allow recovery.
- License and payment records — up to 7 years to comply with US tax and accounting law.
- Server and authentication logs — 90 days.
- Email correspondence — 2 years after last contact.
8. Your rights
Depending on where you live, you may have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate data.
- Erasure — request deletion ("right to be forgotten").
- Portability — receive your data in a structured, machine-readable format.
- Restriction or objection — limit how we use your data.
- Withdraw consent — for any processing based on consent.
California residents (CCPA/CPRA) additionally have the right to:
- Know what categories of personal information we collect and the purposes.
- Request deletion of personal information.
- Opt out of "sale" or "sharing" of personal information. We do not sell or share your personal information.
- Non-discrimination for exercising your rights.
To exercise any of these rights, email gpuctrl@gmail.com with the subject line "Privacy request" from the email address on your account. We will respond within 30 days.
Verifying your identity. To protect your account, we may ask you to confirm specific information about it before we honor a request — typically by emailing from the address on file or completing a sign-in challenge. If we cannot verify you, we may decline the request.
Authorized agents. Residents of California, Virginia, Colorado, Connecticut, and other states whose privacy laws permit it may designate an authorized agent to make a request on their behalf. The agent must provide signed written authorization, and we may still verify the request directly with you.
Appeals. If we deny your request, we will tell you why. If you live in a state whose privacy law gives you the right to appeal a denial (Virginia, Colorado, Connecticut, and others), you may appeal by replying to our denial email; we will respond to the appeal within 60 days.
9. Security
We protect your data with:
- TLS encryption in transit (HTTPS everywhere on this site).
- Database row-level security policies that prevent any user — including us, through normal application flows — from accessing another user's data.
- Industry-standard password hashing (bcrypt).
- A strict Content Security Policy on this website.
- Limited administrative access — only authorized D2 Software LLC personnel can access the production database, and never your password.
No system is perfectly secure. If a data breach affects you, we will notify you and the relevant authorities as required by law (typically within 72 hours of discovery for GDPR-covered data).
10. Children
GPUCtrl is not directed at children under 16. We do not knowingly collect personal information from anyone under that age. If you believe a child has provided us with personal data, email gpuctrl@gmail.com and we will delete it. Note that account eligibility under our Terms of Service requires you to be at least 18.
11. Cookies and local storage
This website uses localStorage in your browser to keep you signed in. We do not use cookies for advertising, analytics, or tracking. Your authentication session is stored in your own browser and never sent to third parties beyond our authentication provider.
Do Not Track and Global Privacy Control. Some browsers send a "Do Not Track" or "Global Privacy Control" signal. Because we do not sell or share personal information for cross-context behavioral advertising, there is currently nothing for us to enable or disable when we receive either signal. If a future feature ever changes this, we will treat a Global Privacy Control signal as a valid opt-out request as required by California law.
12. Changes to this policy
We may update this Privacy Policy as the Service evolves. When we do, we will:
- Update the "Last updated" date at the top of this page.
- Notify you by email if the changes materially affect your rights.
Your continued use of GPUCtrl after the effective date of an update constitutes acceptance of the updated policy.
13. Contact
For privacy questions, requests, or complaints:
D2 Software LLC
North Carolina, USA
Email: gpuctrl@gmail.com
You also have the right to lodge a complaint with your local data protection authority. EEA users can find their authority at edpb.europa.eu/about-edpb/about-edpb/members_en.
See also: Terms of Service