Legal
Privacy Policy
Last updated: May 19, 2026. Plain language about what we collect, why, and how to get it deleted.
What we collect
We collect the following categories of data:
- Account data: email address, optional display name, date of birth (required for COPPA age verification)
- Practice profile: instrument, skill level, audition targets, excerpts practiced
- Judge submissions: audio recordings submitted for analysis, resulting score breakdowns, and written feedback reports
- Usage data: pages visited, features used, event timestamps, session duration
- Technical metadata: IP address, user agent, device type, browser version
- Payment data: billing email and last-4 card digits via Stripe. We do not store full card numbers.
Audio recordings
Your Judge Mode audio is processed in memory and discarded by default once your feedback report is returned. We do not store raw audio files unless you explicitly opt in to practice journal storage. Opting out later deletes any previously stored audio within 30 days.
What your audio touches during processing:
- Audio is sent to Deepgram for transcription and acoustic feature extraction (pitch, timing, dynamics).
- Extracted feature data (not raw audio) is passed to Anthropic (Claude) to generate written feedback.
- The raw audio file is not retained by Deepgram or Anthropic beyond the duration of the request.
If you are a California resident or located in the EU/EEA, audio processing constitutes a data transfer under CCPA and GDPR respectively. By submitting audio you consent to this processing as described. You may withdraw consent at any time by deleting your account.
How we use your data
We use your data to:
- Operate the service and generate feedback reports
- Send transactional emails: magic-link logins, receipts, billing notices, subscription renewal reminders
- Send product emails if you opted in (you can opt out at any time via the unsubscribe link or account settings)
- Debug errors and monitor service health (Sentry crash reports, PostHog usage analytics)
- Detect and prevent fraud, abuse, and acceptable-use violations
- Comply with legal obligations (tax records, COPPA compliance, law-enforcement requests with valid legal process)
We do not sell your data. We do not train third-party AI models on your recordings. We do not use your data for advertising targeting on other platforms.
Sub-processors
The following third parties process data on our behalf. Each is contractually bound to handle your data only as needed to deliver their specific service:
- Supabase: Database, authentication, and file storage. Hosted on AWS us-east-1.
- Stripe: Payment processing and subscription billing. Handles all card data directly.
- Anthropic: Claude language model for generating written audition feedback from extracted audio features.
- Deepgram: Audio transcription and acoustic feature extraction (pitch, timing, dynamics). Raw audio is not retained.
- ElevenLabs: Voice synthesis for audio playback features where applicable.
- Resend: Transactional email delivery (login links, receipts, billing notices, lifecycle emails).
- PostHog: Product analytics and session event tracking. Used to understand feature usage and conversion flows.
- Sentry: Error monitoring and crash reporting. Captures stack traces and request context when the app errors.
- Vercel: Hosting and edge network. All traffic routes through Vercel before reaching our application.
COPPA: children under 13
Orchestra Kingdom does not knowingly collect personal information from children under 13. Age is collected at account creation. If a user identifies as under 13, they are blocked from creating an account, and no data beyond the age-gate interaction is stored.
For users between 13 and 17, a parent or guardian must complete age verification before paid features and Judge submissions are available. Until verification is received, we limit data collection to what is strictly necessary to support the account (email, instrument preference). We do not send marketing emails to unverified minor accounts, and we do not pass minor accounts to third-party analytics.
Parents or guardians may request review, correction, or deletion of a minor's account data by emailing privacy@orchestrakingdom.com with subject "Minor account request." We respond within 7 days.
Your rights
You have the right to access, correct, export, or delete your account data. To exercise any right, email privacy@orchestrakingdom.com. We respond within 30 days.
California residents (CCPA): You have the right to know what personal information we collect, to delete it, to opt out of its sale (we do not sell personal data), and to non-discrimination for exercising these rights. To submit a CCPA request, email the address above with subject "CCPA request."
EU/EEA residents (GDPR): You have the right to access, rectify, erase, restrict, and port your personal data. You may object to processing and withdraw consent where processing is consent-based (for example, audio analysis). Our legal basis for processing audio is your explicit consent given at submission. You have the right to lodge a complaint with your local supervisory authority (for EU users, this is the data protection authority in your member state).
Data export: Email privacy@orchestrakingdom.com with subject "Data export request." We will deliver a machine-readable file (JSON) of your account, practice history, and feedback reports within 30 days.
Data retention
Retention periods by data category:
- Audio files (default, no storage opt-in): deleted within minutes of analysis completion
- Audio files (storage opt-in): retained until you opt out or delete your account, then deleted within 30 days
- Feedback reports and practice logs: retained while your account is active, deleted within 30 days of account closure
- Account profile data: retained while active, deleted within 30 days of closure
- Billing records: retained for 7 years for tax and accounting compliance, then deleted
- Server logs: retained for 90 days for security monitoring, then deleted
Security
Data in transit is encrypted via TLS 1.2 or higher. Data at rest is encrypted by Supabase using AES-256. Production system access is role-restricted and logged. If we discover a material data breach affecting your personal information, we will notify affected users within 72 hours by email and describe the scope, what was exposed, and what we are doing about it. To report a security vulnerability, email security@orchestrakingdom.com.
Changes to this policy
If we materially change how we handle your data, we will email you at least 14 days before the change takes effect. Continued use of the service after the effective date constitutes acceptance. If you disagree, you may close your account before the change takes effect.
Contact
Privacy questions: privacy@orchestrakingdom.com. For general legal matters: legal@orchestrakingdom.com. Orchestra Kingdom LLC, 1209 N Orange St, Wilmington, DE 19801.