Compositorum

Privacy Policy

Effective 7 June 2026 · Version 2026-06-07

This Privacy Policy explains how Compositorum (“Compositorum”, “we”, “us”, “our”) collects, uses, discloses and protects personal information when you use the Compositorum platform at compositorum.com and related services (the “Service”). We handle personal information in accordance with the Australian Privacy Principles (APPs) in the Privacy Act 1988 (Cth) and, where it applies to you, the EU/UK General Data Protection Regulation (GDPR).

1. Who is responsible for your information

Compositorum provides software that lets arts organisations (orchestras, ensembles, schools and similar groups) run their operations. There are two roles to keep in mind:

  • For your own account and for the way we operate the platform, Compositorum is the data controller.
  • For information an organisation uploads about its members (rosters, attendance, contracts, files and the like), the organisation is the controller and Compositorum acts as a processor on its behalf. If you are a member of an organisation, please also refer to that organisation’s own privacy practices.

2. Information we collect

We collect the following categories of information:

  • Account information — your name, email address and password (stored only as a salted hash), and any profile details you add.
  • Sign-in provider information — if you sign in with Google or Microsoft, we receive your name, email address and a provider account identifier. We never receive your Google or Microsoft password.
  • Organisation and member data — events, schedules, rosters, seating, attendance, announcements, contracts, payroll references, files, recordings and other content you or your organisation create in the Service.
  • Communications — messages you send through in-app chat, RSVPs, support requests, and emails you exchange with us.
  • Usage and technical information — log data such as IP address, browser/device type, pages viewed, and performance and error diagnostics, used to keep the Service secure and reliable.
  • Connected-service data — if you connect a third party such as Google Calendar or OneDrive, we access only the data needed for that feature (e.g. a dedicated calendar or a designated folder) and only while the connection is enabled.

We collect information directly from you, from your organisation’s administrators, automatically as you use the Service, and from sign-in or integration providers you choose to connect.

3. How and why we use information

  • To create and administer your account and your organisation.
  • To provide, maintain and improve the features of the Service.
  • To send service communications — confirmations, invitations, notifications, RSVPs and security messages. Marketing emails, if any, are sent only with consent, and you can unsubscribe at any time.
  • To keep the Service secure, prevent fraud and abuse, and diagnose problems.
  • To process payments and manage subscriptions (when billing is enabled).
  • To comply with our legal obligations and enforce our Terms.

Where the GDPR applies, we rely on the following legal bases: performance of a contract (operating your account), legitimate interests (securing and improving the Service), consent (optional integrations and marketing), and legal obligation.

4. We do not sell your data

We do not sell personal information, and we do not share it with advertisers, data brokers or for advertising purposes. Member data lives within your organisation’s isolated records and is not disclosed to other organisations.

5. Service providers and disclosure

We share information only with service providers who help us run the Service, each bound to protect it and use it only on our instructions:

  • Supabase — database, authentication and file storage (hosted in Sydney, Australia).
  • Vercel — application hosting and delivery.
  • Cloudflare — DNS and network security.
  • Resend — transactional and notification email delivery.
  • Google and Microsoft — only where you choose to sign in with, or connect, those services (e.g. Google Calendar, OneDrive).
  • Stripe — payment processing, once billing is enabled. Card details are handled by Stripe and not stored by us.

We may also disclose information if required by law, to protect the rights and safety of users or the public, or in connection with a business transfer, in which case this Policy will continue to apply to your information.

6. Where your information is stored

Primary data is stored on Supabase infrastructure in Sydney, Australia (ap-southeast-2) and is encrypted in transit and at rest. Row-level security isolates each organisation’s data from every other organisation. Some providers above may process limited data (such as email delivery metadata or network traffic) outside Australia; where that happens, we take reasonable steps to ensure comparable protection consistent with APP 8 and applicable transfer safeguards.

7. How long we keep it

We keep personal information while your account or organisation is active and as needed to provide the Service. When an account or organisation is closed, we delete or de-identify personal information within a reasonable period (generally within 30 days), except where we must retain certain records to meet legal, accounting or security obligations. Backups are purged on a rolling cycle.

8. Your rights and choices

You can access and update most of your information directly in the Service — members at /app/settings and administrators at /admin/settings. Subject to applicable law, you may also request to access, correct, export, or delete your personal information, object to or restrict certain processing, and withdraw consent for optional features.

If your data was provided by an organisation you belong to, we may direct your request to that organisation as the controller. To make a request, contact us at banerjeeneal13@gmail.com. We will respond within the time required by law.

9. Cookies

We use strictly necessary cookies to keep you signed in and to keep the Service secure. We do not use advertising or cross-site tracking cookies. Limited, privacy-respecting analytics may be used to understand performance and improve the product.

10. Children and minors

The Service is designed for organisations and their administrators, not for direct use by children. Where an organisation runs youth or school programs, the organisation is responsible for obtaining any required parental or guardian consent before creating accounts for, or recording information about, minors. We do not knowingly collect personal information directly from children without that consent.

11. Changes to this Policy

We may update this Policy from time to time. If a change is material, we will give notice in the Service and/or by email at least 14 days before it takes effect, and we will update the version and effective date above. Continued use after a change takes effect means you accept the updated Policy.

12. Contact and complaints

Questions, requests or privacy complaints can be sent to banerjeeneal13@gmail.com. We take complaints seriously and will work with you to resolve them. If you are in Australia and are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au. If you are in the EU/UK, you may contact your local data protection authority.

Privacy enquiries: banerjeeneal13@gmail.com