Privacy Policy
PianistDesk helps music schools and conservatoires coordinate collaborative pianists. Doing that means handling information about students, staff, and the performances a school is preparing. This policy explains what we collect, why, who we share it with, and the choices and rights that apply — with particular care for student records.
1. Scope & who this covers
This policy applies to the PianistDesk websites (including pianistdesk.com) and to the PianistDesk application provided to schools under a subscription (together, the “Service”). It covers three groups of people:
- Coordinators and other school staff who administer a program in the Service;
- Students who submit rehearsal and performance requests, upload scores, and book rehearsal times through the student portal;
- Visitors to our public marketing pages.
Pianists are represented in the Service as records managed by the school; they do not have their own logins in the current version of the Service.
2. Our role: controller vs. service provider
PianistDesk is a business-to-business product. Each school is the institution that decides what student and program information is entered into the Service and how it is used.
- For student and program data inside a school’s account, the school is the data controller and PianistDesk acts as its service provider / data processor. We process that data only to provide and support the Service, on the school’s documented instructions, and as permitted by our agreement with the school and applicable law. We do not sell it and we do not use it to build advertising profiles or to train AI models.
- For information about visitors to our marketing site, and for account-level information we need to run our business (billing contacts, support correspondence), PianistDesk is the controller.
Where a school is subject to GDPR or similar laws, the data-processing terms in our services agreement (a Data Processing Addendum, available on request) govern and prevail over this policy for student and program data.
3. Information we collect
Account & profile information
- Coordinators: name, school email address, and a password (stored only as a salted hash by our authentication provider).
- Students: name and school email address. Students sign in with a one-time code sent to that email rather than a password.
Program & request information
This is the core of the Service and is entered by students and coordinators. It includes, depending on what a school records:
- instrument or voice type, teacher, request type (recital, jury, audition, exam, and similar), repertoire title and composer, performance dates, preferred rehearsal times, and free-text notes;
- pairings between a student and a pianist for a semester, the recurring weekly rehearsal slot, room, and pairing status;
- the workflow status of each request and, where a school uses it, a payment-status label (we do not process payments or store card details).
Uploaded scores
Students and coordinators may upload sheet-music files (typically PDFs). These are stored in a private, access-controlled store and are made available only to the student who owns the request and the coordinators of that school, through short-lived signed links.
Activity and communication logs
- an audit log recording actions taken in the Service — for example a request submitted, a score uploaded, a pairing approved, or a slot booked — with who performed the action and when;
- a record of transactional emailswe send on the school’s behalf (such as request confirmations, pairing notices, booking links, and score reminders), including recipient, template, and delivery status;
- support messages and other correspondence you send us.
Technical information
When you use the Service we and our infrastructure providers automatically process limited technical data needed to operate it securely — for example IP address, browser and device type, and server logs. We use strictly necessary cookies to keep you signed in (see Cookies). We do not use third-party advertising or cross-site tracking cookies.
4. How we use information
We use the information above to:
- provide, maintain, and secure the Service and its core workflows;
- route requests, suggest and record pianist pairings, schedule weekly rehearsal slots, and generate calendar invitations;
- send transactional and operational emails related to a school’s requests and schedule;
- provide customer support, investigate issues, and maintain the audit trail a school relies on;
- prevent, detect, and respond to fraud, abuse, security incidents, and technical problems;
- comply with our legal obligations and enforce our agreements.
We do not sell personal information, we do not share it for cross-context behavioral advertising, and we do not use student or program data to train machine-learning or AI models.
5. Legal bases for processing
Where data-protection law (such as the EU/UK GDPR) requires a legal basis, we rely on the following, depending on context:
- Performance of a contract — to provide the Service to a school and its authorized users;
- Legitimate interests — to secure, support, and improve the Service, where not overridden by your rights;
- Legal obligation — to comply with applicable laws; and
- Consent — where we specifically ask for it.
For student and program data, the school directs our processing and is responsible for the legal basis on which that data was collected from students.
6. Student records & FERPA
For schools in the United States subject to the Family Educational Rights and Privacy Act (FERPA), information a school enters into the Service that constitutes “education records” is handled under the school official exception (34 C.F.R. § 99.31(a)(1)). In that role, PianistDesk:
- performs an institutional service or function for which the school would otherwise use its own employees;
- is under the direct control of the school with respect to the use and maintenance of education records;
- uses education records onlyfor the authorized purpose of providing the Service and does not disclose or re-disclose them to other parties without the school’s authorization, except as required by law; and
- does not use education records for any unauthorized purpose, including advertising or model training.
Schools remain responsible for managing parent and student rights of access and correction under FERPA; we support those obligations by giving coordinators the ability to access, export, correct, and delete records, and by assisting on request. A data protection / student data privacy addendum is available to schools that require one.
7. Children’s privacy
The Service is provided to schools and is not directed to the general public or to children for independent sign-up. Where a school enrolls students who are minors, the school is responsible for obtaining any consent required by law (for example under FERPA or, for children under 13, COPPA) and for authorizing those students’ use of the Service. We act on the school’s instructions with respect to such students’ information and do not knowingly collect information from children except as directed by their school.
8. How we share information
We share information only as needed to run the Service:
- Within a school:a student’s requests, scores, and schedule are visible to that school’s coordinators; a student can see only their own records. Data is strictly separated between schools.
- With pianists:where a school records a pianist’s email, we may email that pianist the limited details needed to coordinate a pairing and rehearsal.
- With subprocessors: infrastructure and email vendors that operate the Service on our behalf, under contract and confidentiality obligations (see below).
- For legal reasons: when required by law, regulation, legal process, or governmental request, or to protect the rights, safety, and security of users, the public, or PianistDesk.
- In a business transfer: if PianistDesk is involved in a merger, acquisition, or sale of assets, information may transfer as part of that transaction, subject to this policy and our agreements.
9. Subprocessors
We use a small set of trusted vendors to deliver the Service. Each is bound by contract to protect the data they process and to use it only to provide their service to us:
- Supabase — managed database, authentication, and file storage for application and uploaded score data;
- Vercel — application hosting and content delivery;
- Resend — delivery of transactional and operational email.
The hosting region for a school’s data, and the current subprocessor list, are available on request and may be specified in a school’s services agreement. We will give notice of material changes to our subprocessors as provided in that agreement.
10. Data retention
We retain school and student data for as long as the school’s account is active and as needed to provide the Service. When a school’s subscription ends, we make its data available for export for a limited period and then delete or anonymize it in accordance with the school’s services agreement, unless a longer period is required by law. Audit and email logs are kept for a reasonable period to support security, dispute resolution, and the integrity of the record. A school may request deletion of specific records at any time, subject to its own legal obligations.
11. Security
We take technical and organizational measures appropriate to the sensitivity of the data, including:
- encryption of data in transit (TLS) and at rest with our infrastructure providers;
- access controls that scope every record to a single school and limit student access to that student’s own data;
- private, access-controlled storage for uploaded scores, served only via short-lived signed links;
- a complete audit log of actions taken in the Service; and
- least-privilege access for our personnel and reputable, security-reviewed vendors.
No method of transmission or storage is perfectly secure. If we become aware of a personal-data breach affecting a school’s data, we will notify the affected school without undue delay and cooperate with it as required by law and our agreement.
12. Your rights & choices
Depending on where you live, you may have rights to access, correct, delete, port, or restrict the processing of your personal information, or to object to it. Because most personal data in the Service belongs to a school’s account, the best route is usually through your school:
- Students: contact your program coordinator to access or correct your records, or to ask that they be deleted.
- Schools (controllers): coordinators can access, export, and delete records directly in the Service, and may contact us for assistance with any data-subject request they receive.
- You may also contact us at hello@pianistdesk.com; where the request concerns a school’s account, we will refer it to that school or act on its instructions.
We will not discriminate against you for exercising these rights. Where required, you also have the right to lodge a complaint with your local data-protection authority.
13. International transfers
We and our subprocessors may process data in countries other than the one in which you are located. Where we transfer personal data internationally, we rely on appropriate safeguards — such as the European Commission’s Standard Contractual Clauses or equivalent mechanisms — and on the data-processing terms in our agreement with the school. Specific hosting locations can be confirmed on request.
14. Cookies
The application uses strictly necessary cookies to keep you authenticated and to keep the Service secure. These are required for the Service to function and cannot be switched off without breaking sign-in. We do not use advertising, analytics-profiling, or cross-site tracking cookies on the application. Our marketing pages likewise avoid third-party advertising trackers.
15. Changes to this policy
We may update this policy from time to time. When we do, we will revise the “Last updated” date above and, for material changes affecting schools, give notice as provided in the applicable services agreement. Your continued use of the Service after an update takes effect means you accept the revised policy.
16. How to contact us
Questions about this policy, or about how we handle student and school data, are welcome:
PianistDeskhello@pianistdesk.com