Legal
Privacy Policy
Last updated: June 14, 2026
This Privacy Policy explains how ClefSync ("we", "us", or "our") collects, uses, and protects information when you visit clefsync.com or join our product waitlist. It is written to comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), and other applicable privacy laws.
1. Who we are
ClefSync is instrument-management software for K–12 music programs. For the purposes of GDPR, the data controller responsible for your personal data collected through this website is:
- ClefSync
- Email: jorge@clefsync.com
ClefSync is a pre-launch product. A registered business address will be published on this page once it is established; in the meantime, the email address above is the primary contact for all privacy-related requests.
We do not currently have a designated Data Protection Officer (DPO) or EU representative under GDPR Article 27. If you have any privacy questions, please email the address above.
2. What information we collect
We only collect information from this website that you give us directly or that is necessary to run the site securely:
Waitlist form
- Email address (required)
- Name (optional)
- School or district (optional)
- Role (optional; e.g., administrator, teacher, director)
Automatically collected for security
- Your IP address and a timestamp, used solely for short-window rate limiting (to prevent form spam) and stored only for the minimum period needed for that check.
- Standard server logs maintained by our hosting provider (see "Who we share it with" below).
Analytics (only with your consent)
- If you click Accept on our cookie banner, Google Analytics 4 collects a pseudonymous identifier, pages viewed, referrer, device/browser information, and approximate geolocation derived from IP.
- If you click Decline, or ignore the banner, we set no analytics cookies and do not load Google Analytics.
We do not collect special categories of data (health, religion, biometric, etc.) through this website, and we do not knowingly collect information from children under 16 (see Section 10).
3. How we use your information
- Waitlist communications. We use the email address you provide (plus any optional details) to contact you when ClefSync becomes available to your district, and to send occasional product updates directly related to the waitlist.
- Security and abuse prevention. We use your IP address and timestamps to rate-limit submissions and prevent automated abuse of the form.
- Analytics (consented only). We use Google Analytics to understand which pages are useful, how visitors navigate the site, and where to improve.
We do not sell your personal information, and we do not share it with advertisers or data brokers.
4. Legal basis for processing (GDPR)
Under Article 6 of the GDPR, we rely on the following legal bases:
- Consent (Art. 6(1)(a)). You provide your email to join the waitlist, giving specific, informed, unambiguous consent to receive waitlist communications. You may withdraw this consent at any time (see Section 8).
- Consent (Art. 6(1)(a) + ePrivacy Directive). Analytics cookies load only if you click Accept on the cookie banner.
- Legitimate interests (Art. 6(1)(f)). Short-window IP rate limiting is necessary for the legitimate interest of keeping our signup form safe from spam and abuse. This processing is limited and does not outweigh your rights.
5. Who we share your information with
We share personal data only with service providers ("processors") that help us run the site and the waitlist. They process data on our behalf under written contracts:
| Provider | Purpose | Location |
|---|---|---|
| Google (Firebase Hosting, Cloud Functions, Firestore, Forms, Sheets) | Website hosting; pre-launch waitlist collection (Google Forms → Google Sheets); planned waitlist backend (Cloud Functions → Firestore) at launch | United States |
| Google Analytics | Site usage analytics (consent-gated) | United States |
| Google Fonts & Material Icons | Typography and icons | United States / global CDN |
| Cloudflare (Tailwind CDN) | Static asset delivery (no personal data) | Global CDN |
We may also disclose information if legally required (e.g., in response to a valid subpoena or court order), or to protect the rights, property, or safety of ClefSync, our users, or others.
6. How long we keep your information
- Waitlist entries are kept until you ask us to delete them, or for up to 24 months after our product launches, whichever is sooner. After that, we delete them unless you have become a customer (which would be governed by a separate customer privacy notice).
- Rate-limit records (IP + timestamp) are kept only for the brief window needed for rate limiting and are then automatically purged.
- Google Analytics data follows our GA4 retention setting (currently 14 months).
7. International data transfers
Our infrastructure runs on Google Cloud in the United States (region
us-east1). If you are
in the European Economic Area, United Kingdom, or Switzerland, your data will be
transferred to and processed in the United States. These transfers rely on the
European Commission's Standard Contractual Clauses (SCCs) and Google's
certification under the EU–U.S. Data Privacy Framework, which provide an
adequate level of protection under GDPR.
8. Your rights under GDPR / UK GDPR
If you are in the EEA or UK, you have the following rights regarding your personal data:
- Access — request a copy of the data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure ("right to be forgotten") — ask us to delete your data.
- Restriction — ask us to limit processing while a dispute is resolved.
- Portability — receive your data in a structured, machine- readable format.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — at any time, without affecting pre-withdrawal processing.
- Lodge a complaint with your local supervisory authority (e.g., your national Data Protection Authority in the EU, or the ICO in the UK).
To exercise any of these rights, email jorge@clefsync.com. We will respond within 30 days. We may need to verify your identity before acting on a request.
9. Your rights under CCPA / CPRA (California)
California residents have the following rights:
- Right to know what personal information we have collected, the sources, purposes, and categories of third parties we share it with.
- Right to delete personal information we have collected.
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing. We do not sell or share your personal information for cross-context behavioral advertising.
- Right to non-discrimination for exercising any of these rights.
To exercise these rights, email jorge@clefsync.com. An authorized agent may submit a request on your behalf with written proof of authorization.
10. Your rights under other US state privacy laws
If you are a resident of a US state with a comprehensive consumer privacy law — including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa (ICDPA), Delaware (DPDPA), New Hampshire (NHPA), New Jersey (NJDPA), Tennessee (TIPA), Minnesota (MCDPA), Maryland (MODPA), Rhode Island (RIDTPPA), or another state with similar protections — you may have the following rights, subject to the specific law that applies to you:
- Right to access or know what personal data we process about you, the categories of data, and the purposes of processing.
- Right to correct inaccurate personal data.
- Right to delete your personal data.
- Right to data portability — obtain a copy of your data in a portable, machine-readable format.
- Right to opt out of the sale of personal data, targeted advertising, and certain profiling with legal or similarly significant effects. We do not sell personal data, use it for targeted advertising, or perform automated decision-making.
- Right to appeal a denial of a privacy request, where your state's law provides one.
- Right to non-discrimination for exercising any of these rights.
The exact scope, applicability thresholds, and definitions differ by state, and some of these laws exempt small businesses or processing below specified volumes. Regardless of whether a specific state law technically applies to ClefSync, we will honor reasonable access, correction, and deletion requests from any US resident. To exercise any right, email jorge@clefsync.com and include the state you reside in along with the right you wish to exercise. We will respond within the timeframe required by your state's law (typically 45 days, with one extension permitted where allowed).
11. Children's privacy
This website and the waitlist are intended for school staff, administrators, and parents — not for children. We do not knowingly collect personal data from anyone under 16. If you believe a child has submitted information through this site, please email jorge@clefsync.com and we will delete it promptly. Our treatment of student data inside the ClefSync product (including FERPA and COPPA compliance) is governed by a separate product privacy notice and our district data-processing agreement, which are not covered by this page.
12. Cookies and similar technologies
This site sets cookies only after you give consent via the cookie banner. The only cookies used are those set by Google Analytics:
| Cookie | Purpose | Duration |
|---|---|---|
_ga |
Distinguishes unique users for Google Analytics | 2 years |
_ga_XNDZQVKL18 |
GA4 session state | 2 years |
You can change your cookie choice at any time using the
link (also available in the site footer). We use
localStorage to
remember your choice; this is strictly necessary for the site to honor your
preference and does not require consent.
13. Security
We use industry-standard measures to protect your information: HTTPS on all pages,
Google-managed encryption at rest for waitlist data stored in our Google Workspace
(Google Sheets during our pre-launch period; Google Firestore when our branded form
returns), access controls on that data, and modern security headers
(X-Content-Type-Options, X-Frame-Options,
Referrer-Policy). When the branded waitlist form returns, its API will
additionally use CORS restrictions and server-side rate limiting. No method of
internet transmission or electronic storage is 100% secure, but we work to protect
your information and will notify you of any breach as required by applicable law.
14. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. For material changes, we will also contact waitlist subscribers by email.
15. Contact us
Questions, requests, or concerns about this Privacy Policy or your personal data? Email us at jorge@clefsync.com.