Note & Key

Privacy Policy

Last updated May 12, 2026. Operated by Note & Key, based in Vancouver, British Columbia, Canada.

In short

We collect the bare minimum needed to run a music studio: teacher and family contact details, lesson schedules, practice recordings, sheet-music attachments, and payment metadata for invoices. We never sell your data, never use it for advertising, and never collect data from people who haven't signed up.

What we collect

  • Account data: email, name, password hash (handled by Supabase Auth, never stored in plaintext), profile photo if you upload one.
  • Studio data: studio name, optional logo, optional Interac e-Transfer email, optional security question/answer used to receive payments.
  • Student data: full name, preferred name, optional date of birth, instrument, skill level, lesson rate, parent contact info that the teacher enters. Students under the age of majority do not create their own accounts — see Children's data below.
  • Lesson + assignment data: scheduled times, attendance, lesson notes, assignments, recital piece assignments, exam-readiness tracking.
  • Uploaded files: audio recordings of practice, video recordings, sheet music PDFs, photos. Stored encrypted at rest in Supabase Storage; access is restricted per student via row-level security policies.
  • Payment metadata: invoice amounts, payment method (Interac, cash, etc.), confirmation notes. We do not store credit card numbers. When Stripe is integrated, card data flows directly to Stripe and never touches our servers.
  • Communication data: messages exchanged inside the app between teacher and family (when the messaging feature ships).
  • Calendar data (if you connect Google Calendar): we read and write events on the specific calendar you authorize. We do not read events outside the lesson scheduling window and never share your calendar with anyone else.
  • Technical data: server-side request logs (IP address, user agent, timestamps) retained for security and debugging.

What we do NOT collect

  • No advertising identifiers, no IDFA, no tracking pixels. We do not target ads. We do not embed third-party ad SDKs.
  • No location data.
  • No contacts, browsing history, or other apps' data.
  • No biometric data. Face ID / Touch ID, if you enable it, is handled by the iOS Keychain and never leaves the device.

How we use your data

To provide the service:

  • Authenticate you and keep your session active.
  • Show teachers their students' data and vice versa, scoped per studio via row-level security.
  • Deliver practice recordings to the teacher who is assigned to that student.
  • Generate invoices and record payments.
  • Send transactional messages (lesson reminders, invoice notices, recital announcements) — only ever to people enrolled in your studio.
  • Diagnose service issues using server logs.

Children's data (COPPA / PIPA-BC)

Music students are often under 13. We handle children's data carefully:

  • We do not let children create accounts directly. Only adults (teachers or parents/guardians) sign up.
  • A student record is created by a teacher or parent on behalf of the child. The login that accesses the student side of the app is the parent's or guardian's account.
  • Parents/guardians can review, export, or delete their child's data at any time from Settings → Account.
  • We do not knowingly use a child's data for any purpose beyond providing the requested teaching service.

Third parties we use

  • Supabase (Postgres database, authentication, file storage). Data centers in the United States and the EU. We choose the region closest to our user base; you can ask which region your studio's data lives in by emailing support@noteandkey.app.
  • Google Calendar API (optional, only if you connect it). We use the minimum scope necessary (calendar.events). You can disconnect at any time from Settings → Google Calendar; we then revoke our access and delete the stored refresh token.
  • Fly.io (or our chosen hosting provider) for the web application. Serves the app's HTML and runs server-side code. Has access to server logs only.
  • Apple App Store handles iOS app distribution and (when we ship in-app purchases) payment processing.
  • Stripe processes card payments when a teacher connects a Stripe account (via Stripe Connect Express). Funds flow directly between the family and the teacher; we never touch the money or see card numbers. Stripe's own privacy policy applies to data that goes through their checkout flow.
  • Resend delivers transactional invoice emails from the app to families. We send only the email address, subject line, and email body. We never share unrelated data.

A consolidated list of all sub-processors lives on the Data Processing Addendum. Cookie disclosure is on the Cookie + Tracking Notice.

We never sell, rent, or trade your personal information to any third party. We do not share student data with anyone outside the studio that the student belongs to.

Data retention

We retain your data for as long as your account is active. If you delete your account (Settings → Account → Delete account), we:

  • Immediately make your data inaccessible to other studio members.
  • Delete your auth user, profile, lesson notes, practice uploads, sheet music attachments, recital pieces, exams, invoices, and messages within 30 days.
  • Retain anonymized aggregate billing records for tax and audit purposes for up to 7 years, as required by Canadian law.

Your rights

You have the right to:

  • Access your data — export from Settings → Account.
  • Correct inaccurate data — edit profile, students, invoices.
  • Delete your data — Settings → Account → Delete account.
  • Withdraw consent for any optional data use.
  • Object to or restrict processing.
  • Data portability — request a machine-readable export.
  • File a complaint with a privacy regulator. In British Columbia, that's the Office of the Information and Privacy Commissioner for BC. EU residents can complain to their national supervisory authority. California residents have additional rights under the CCPA / CPRA, including the right to opt out of "sale" of personal information (we don't sell).

Security

We use modern security practices: TLS 1.2+ for all traffic, password hashing via bcrypt (handled by Supabase Auth), row-level security policies that scope every database read to the requesting user, signed URLs for storage object access, and minimum-necessary OAuth scopes for any third-party integration. No system is 100% secure; if a breach affects your data we will notify you within 72 hours as required by applicable law.

International transfers

Your data may be processed in countries outside your residence, including the United States. When we transfer data outside Canada or the EU, we rely on Standard Contractual Clauses (SCC) or other legally recognized transfer mechanisms.

Changes to this policy

We may update this policy from time to time. When we do, we'll change the "Last updated" date at the top and, for material changes, notify you in-app. Continued use of the service after an update constitutes acceptance.

Contact

Questions, requests, or complaints? Email support@noteandkey.app. We aim to respond within 7 business days.
