Privacy Policy

1. Introduction

MusicLib is operated by Thomas McCarthy ("we," "us," or "our"). We are committed to protecting your privacy and handling your personal data responsibly. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our music library management platform at musiclib.net and the MusicLib iPad application (collectively, the "Service").

By using MusicLib, you agree to the collection and use of information in accordance with this policy. If you do not agree with this policy, please do not use the Service.

2. Information We Collect

2.1 Information You Provide Directly

We collect information you voluntarily provide when using the Service:

• Account Information: Email address, display name, and password (stored as a secure cryptographic hash, never in plain text).
• Profile Information: Optional profile picture you may upload.
• Content You Create: Music scores (PDF files), metadata (titles, composers, arrangers, etc.), collections, setlists, performance logs, notes, and tags.
• Institution Data: If you create or join an institution, we collect organization name, description, member relationships, role assignments, and role configuration.
• Communications: Information you provide when contacting us for support.

2.2 Information Collected Automatically

When you use the Service, we automatically collect certain technical information:

• Log Data: IP address, browser type, operating system, referring URLs, pages visited, and access timestamps.
• Device Information: Device type, screen resolution, and unique device identifiers.
• Usage Data: Features used, actions taken, and interaction patterns within the Service.

2.3 Information from Third Parties

• Google Sign-In: If you choose to sign in with Google, we receive your email address, name, and profile picture from Google. We do not receive or store your Google password.
• Apple Sign-In: If you choose to sign in with Apple (available on iPad), we receive your email address (or a private relay email) and name from Apple. We do not receive or store your Apple password.
• Stripe: If you subscribe to a paid plan, Stripe processes your payment information directly. We receive your Stripe customer ID, subscription status, billing interval, and the last four digits of your payment method. We do not receive or store your full credit card number.

2.4 Cookies and Similar Technologies

We use essential cookies required for the Service to function:

• Authentication Cookies: Secure, httpOnly cookies that keep you logged in.
• Security Cookies: CSRF tokens to protect against cross-site request forgery.
• Preference Cookies: Local storage for your theme preference (dark/light mode) and UI settings.

We do not use third-party advertising cookies, tracking pixels, or analytics services that track you across other websites.

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Providing the Service

• Create and manage your account
• Store and organize your music library content
• Enable features like search, collections, setlists, checkouts, reservations, and exports
• Facilitate institution features including member management, custom roles, and shared libraries
• Process subscription payments and manage billing
• Provide background processing such as thumbnail generation and OCR text extraction
• Deliver real-time notifications about library activity

3.2 Communication

• Send essential service communications (account verification, password resets, security alerts, payment confirmations)
• Respond to your support requests and inquiries
• Send product updates and announcements (only with your consent, and you may opt out at any time)

3.3 Improvement and Safety

• Monitor and analyze usage patterns to improve the Service
• Detect, prevent, and address technical issues
• Protect against fraud, abuse, and security threats
• Enforce our Terms of Service

3.4 Legal Compliance

• Comply with applicable laws and regulations
• Respond to lawful requests from public authorities

4. Legal Basis for Processing (For EEA/UK Users)

If you are in the European Economic Area (EEA) or United Kingdom, we process your personal data based on the following legal grounds:

• Contract Performance: Processing necessary to provide the Service you requested (Article 6(1)(b) GDPR).
• Legitimate Interests: Processing for our legitimate business interests, such as improving the Service and ensuring security, where these interests are not overridden by your rights (Article 6(1)(f) GDPR).
• Consent: Processing based on your explicit consent, such as for marketing communications (Article 6(1)(a) GDPR). You may withdraw consent at any time.
• Legal Obligation: Processing necessary to comply with legal requirements (Article 6(1)(c) GDPR).

5. Data Storage and Security

5.1 Where We Store Your Data

Your data is stored on servers operated by Hetzner Online GmbH, located in Germany (European Union). This means your data benefits from GDPR protections regardless of your location.

5.2 Security Measures

We implement appropriate technical and organizational security measures:

• All data transmitted over encrypted connections (TLS/HTTPS)
• Passwords hashed using industry-standard bcrypt algorithm
• Authentication tokens stored in secure, httpOnly cookies
• Payment information processed by Stripe (PCI DSS Level 1 certified) and never stored on our servers
• Database access restricted and protected by firewall
• Account lockout protection against brute-force login attempts
• CSRF protection on all state-changing requests
• Regular security updates and monitoring
• Access to personal data limited to authorized personnel only

5.3 Data Breach Notification

In the event of a data breach that affects your personal data, we will notify you and relevant supervisory authorities as required by applicable law, typically within 72 hours of becoming aware of the breach.

6. Data Sharing and Disclosure

We do not sell your personal information. We only share your information in the following limited circumstances:

6.1 Within Institutions

If you are a member of an institution on MusicLib, other members of that institution may see:

• Your display name and role within the institution
• Your activity related to the institution's library (checkouts, reservations, contributions)
• Content you contribute to the institution's library

The visibility of your activity depends on the institution's role and permission configuration, which is managed by institution administrators.

6.2 Service Providers

We share data with trusted third-party service providers who assist in operating the Service:

• Hetzner Online GmbH (Germany): Server hosting and infrastructure
• Stripe, Inc. (United States): Payment processing for subscriptions. Stripe receives your payment card details directly and is PCI DSS Level 1 certified. See Stripe's Privacy Policy.
• Resend (United States): Transactional email delivery (password resets, account verification, payment notifications)
• Google (United States): OAuth authentication (only if you choose to sign in with Google)
• Apple (United States): Sign in with Apple authentication (only if you choose to sign in with Apple on iPad)

These providers are contractually obligated to protect your data and may only use it to provide services to us.

6.3 Legal Requirements

We may disclose your information if required to do so by law or in response to valid legal requests, such as:

• Court orders or subpoenas
• Government or law enforcement requests
• To protect our rights, property, or safety, or that of our users or the public

6.4 Business Transfers

If MusicLib is involved in a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you of any such change and any choices you may have.

7. International Data Transfers

Your data is primarily stored in Germany (EU). However, some data may be transferred to the United States through our service providers (Stripe for payments, Resend for email, Google and Apple for authentication).

For transfers from the EEA/UK to the US, we rely on:

• Standard Contractual Clauses approved by the European Commission
• The EU-US Data Privacy Framework (where applicable)

By using the Service, you acknowledge and consent to the transfer of your data to these jurisdictions.

8. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Specifically:

• Account Data: Retained until you delete your account
• Content (Scores, Collections, Setlists): Retained until you delete them or your account
• Subscription & Billing Data: Retained for the duration of your subscription and as required for tax and accounting purposes
• Log Data: Retained for up to 90 days for security and debugging purposes
• Backup Copies: May be retained for up to 90 days after deletion for disaster recovery

When you delete your account:

• Your personal data is deleted within 30 days
• Your uploaded content (PDFs, images) is permanently removed from our servers
• Stripe retains transaction records as required by law; we delete our copy of your Stripe customer association
• Anonymized, aggregated usage statistics may be retained indefinitely

9. Your Rights

9.1 Rights for All Users

All users have the following rights:

• Access: View and download your data through the Backup & Restore feature
• Correction: Update your account information through Settings
• Deletion: Delete your account and all associated data
• Portability: Export your entire library in the .musiclib format
• Opt-out: Unsubscribe from marketing communications at any time

9.2 Additional Rights for EEA/UK Users (GDPR)

If you are in the EEA or UK, you also have the right to:

• Object: Object to processing based on legitimate interests
• Restrict Processing: Request limitation of processing in certain circumstances
• Withdraw Consent: Withdraw consent at any time where processing is based on consent
• Lodge a Complaint: File a complaint with your local data protection authority

9.3 Rights for California Residents (CCPA)

If you are a California resident, you have the right to:

• Know: Request disclosure of the categories and specific pieces of personal information we have collected
• Delete: Request deletion of your personal information
• Non-Discrimination: Not receive discriminatory treatment for exercising your privacy rights
• Opt-Out of Sale: We do not sell personal information, but you have the right to opt-out if we ever did

To exercise your CCPA rights, contact us at the email address below.

9.4 How to Exercise Your Rights

To exercise any of these rights, please contact us at thomasmccarthy137@gmail.com. We will respond to your request within 30 days (or sooner if required by law).

10. Children's Privacy

MusicLib is not intended for children under 13 years of age (or under 16 in the EEA). We do not knowingly collect personal information from children under these ages.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately. If we discover that a child has provided us with personal information without parental consent, we will delete it promptly.

11. Do Not Track Signals

We do not track users across third-party websites, so we do not respond to Do Not Track (DNT) signals. However, we respect your privacy choices and do not engage in cross-site tracking.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

• Posting a notice in the Service
• Sending an email to your registered email address
• Updating the "Last updated" date at the top of this page

Your continued use of the Service after changes are posted constitutes acceptance of the updated policy. We encourage you to review this policy periodically.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Thomas McCarthy
Email: thomasmccarthy137@gmail.com

For GDPR-related inquiries, you may also contact your local data protection authority.