Data Processing Addendum (DPA)
Last updated May 12, 2026. Operated by Note & Key, based in Vancouver, British Columbia, Canada.
For teachers and music schools in jurisdictions that require a written data-processing contract (GDPR Article 28, UK GDPR, similar regimes). For everyone else, this is informational.
When this applies
When you (the teacher or music school) use Note & Key to handle data about students who live in the EU / UK / EEA, you are the Controller and Note & Key is the Processor within the meaning of GDPR / UK GDPR.
This DPA sets out the terms on which we process that data. It is incorporated into the Terms of Service for any customer who needs to rely on it. If your organization requires a counter-signed copy on its letterhead, email support@noteandkey.app and we'll countersign — at no charge.
1. Scope + roles
You determine the purpose and means of processing your students' personal data on Note & Key. We process that data only on your documented instructions, which are: (a) the actions you take in the app (creating students, uploading recordings, sending invoices, etc.), and (b) what's necessary to deliver the service described on noteandkey.app.
2. Categories of data + data subjects
We process the following categories of personal data:
- Student data: name, date of birth, instrument, skill level, lesson schedule, teacher notes, exam history.
- Parent/guardian data: name, email, phone.
- Practice content: audio recordings, video uploads, sheet-music PDFs, photos. Often involves minors.
- Communication: in-app messages, feedback comments, invoice memos.
- Billing metadata: invoice amount, payment method, payment status. Never card numbers.
Categories of data subjects: studio admins, teachers, students (including minors), parents/guardians of students.
3. Duration
We process the data for as long as your studio's account is active. When you delete an account (or we close it for cause), we delete personal data within 30 days. Backups are purged within an additional 90 days.
Anonymized aggregate data (e.g., "total uploads per month across all studios") may be retained indefinitely.
4. Confidentiality + access
We restrict access to your data to personnel who need it to deliver the service. All personnel are under a written confidentiality obligation. Access is logged.
We do not access your data for any other purpose. We do not train machine-learning models on your data. We do not sell, rent, or analyze it for any third party.
5. Sub-processors
We use the following sub-processors to deliver the service. You authorize this list by accepting this DPA. We notify you of changes at least 14 days in advance via email + on this page; you may terminate the agreement if you reasonably object.
- Supabase Inc. (database, auth, storage). Data stored in US-East or EU-West depending on region. SCC-backed for non-EU transfers.
- Fly.io Inc. (compute / web hosting). Servers in San Jose, CA. SCC-backed.
- Stripe Inc. (when you connect a Stripe account for invoice payments). Stripe is an independent controller for card-payment processing under its own terms, not our sub-processor for that step.
- Resend, Inc. (transactional email delivery for invoices we email). US-based, SCC-backed.
- Apple Inc. and Google LLC (push notifications + app distribution).
6. Security
We implement technical and organizational measures appropriate to the risk, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Row-level security (RLS) policies in Postgres — every query is scoped to the calling user's studio.
- Service-role keys stored in Fly secrets, never in code.
- Per-user access tokens with short expiry + refresh rotation.
- Logging of access to administrative functions.
- No persistent admin sessions on production databases.
7. Data subject rights
You are responsible for handling requests from your students / parents to exercise rights under GDPR (access, rectification, erasure, restriction, portability, objection). We will assist you, including by:
- Providing a self-service data export per studio in JSON (Settings → Account → Export).
- Permanently deleting a household's account within 30 days of a request (Settings → Account → Delete).
- Answering case-specific questions at support@noteandkey.app.
8. Breach notification
If we discover a personal-data breach affecting your studio, we will notify you in writing without undue delay and in any case within 72 hours of becoming aware. The notice will include the nature of the breach, the categories and approximate number of subjects affected, likely consequences, and measures taken or proposed.
You are responsible for notifying your supervisory authority and affected individuals under GDPR Articles 33–34.
9. International transfers
Our infrastructure is primarily US-based. Where data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, we rely on Standard Contractual Clauses (Commission Decision 2021/914) or the UK International Data Transfer Agreement (IDTA), as applicable.
10. Deletion at termination
On termination of the Terms of Service, we delete all personal data within 30 days (production) and 90 days (backups). Anonymized aggregate data may be retained indefinitely.
11. Audit
On reasonable written request and no more than once per year, we will provide a written summary of our security controls and an opportunity to discuss any specific concerns. We don't grant on-site audits as a default for solo-teacher customers; larger institutional customers can request a separate audit clause.
12. Effect of conflict
In the event of conflict between this DPA and the Terms of Service, this DPA prevails on data-processing matters.
13. Acceptance
By creating a studio on Note & Key and storing personal data on it, you accept this DPA. For a counter-signed version on letterhead, email support@noteandkey.app with your organization name and the address of the data protection officer (if any).