The open-source free tool, with 100 million users worldwide, is popular with podcast and music editors.
Its updated policy says data can be shared with its Russia-based infrastructure company, WSM, as well as regional law enforcement.
Audacity says the only data it exchanges with its users is software updates and error reports.
But since the updated policy was published last week, there have been angry calls from concerned users to uninstall the product or revert to an older version.
And technology website Fosspost described the most recent version as “possible spyware”.
“One would not expect an offline desktop application to be collecting such data, phoning home and then handing that data to governments around the world whenever they see fit,” it wrote.
Audacity was bought by the Cyprus-based firm Muse Group in April 2021.
Muse head of strategy Daniel Ray told BBC News: “We don’t know anything about our users.
“We don’t want users’ personal information – that doesn’t help us.”
The company, which bought Audacity in April, intended to release more frequent updates and wanted to alert users, Mr Ray said.
And the policy, “written by lawyers, to be understood by lawyers rather than the average person”, was a requirement for any software that sent any form of information back to its creators.
It also stated under-13s could no longer use the Audacity app, to comply with data laws, Mr Ray said
But anyone of any age could still use the product in its offline mode.
The policy says Audacity collects “very limited data” about users – no “direct identifiers” such as names or contact details – and an account profile is not required.
But it may share the personal data it does gather with:
- staff members
- law enforcement, government agencies and regulators
- auditors, advisers and legal representatives of the company
- potential buyers of the business
And while European user data is stored in Europe, it may “occasionally” share data with its headquarters in Russia.
This was to monitor signs of potential distributed-denial-of-service (DDOS), when a platform is deliberately flooded with data requests intended to knock it offline, Mr Ray said.
And individual Internet Protocol (IP) addresses were scrambled, using an encryption technique called hashing.
The company was not seeking to monetise the 21-year-old product, Mr Ray said, but it was seeking to “modernise” it.
“Previously, updates were every few years,” he said, “we want to do them every few weeks.
“If you don’t have ways of informing users about updates they might miss, then you put the burden on the user to keep up with the pace of change”.