Privacy Policy

Last updated: May 24, 2026

This Privacy Policy explains how Taras Babyuk, doing business as MusicDesk, a sole proprietorship based in Toronto, Ontario, Canada ("MusicDesk," "we," "us," or "our") collects, uses, discloses, and safeguards personal information when you use the MusicDesk website at musicdesk.io, the MusicDesk application at app.musicdesk.io, and the related software services (collectively, the "Service").

By accessing or using the Service, you agree to the terms of this Privacy Policy. If you do not agree, please do not use the Service.

If you are reading this policy as a parent or student of a music school that uses MusicDesk, please see section 1 — the music school you deal with is the primary point of contact for your personal information.

1. Scope and Our Role

This Privacy Policy applies to personal information we handle in two distinct roles.

When We Act as a Controller

We act as the data controller for personal information that we collect directly from account holders and the users they invite (for example, the name, email, and password of a school owner who signs up for MusicDesk).

When We Act as a Processor for Music Schools

We act as a data processor on behalf of music schools that use the Service when those schools enter information about their families, students, employees, or other third parties into the Service. In that case, the music school is the controller of that information and is responsible for the lawfulness, accuracy, and retention of that processing.

If you are a family member or student whose information has been entered into MusicDesk by a music school, please direct privacy requests (access, correction, deletion, etc.) to the music school. We will support the school in responding to your request.

2. Information We Collect

Personal Information You Provide

When you create an account, book a demo, or contact us, we may collect:

  • Name (first and last)
  • Email address
  • Phone number (if provided)
  • Studio or business name
  • Country or region
  • Timezone
  • Role (e.g., teacher, studio owner, administrator)
  • Account password (stored hashed, never in plain text)
  • Any additional information you voluntarily provide in forms or correspondence

Payment Information

When you subscribe to a paid plan, payment processing is handled by Stripe. We do not store your credit card number or full payment details on our servers. We receive a customer reference, subscription status, and the last four digits of your card from Stripe.

Stripe Connect Onboarding

When a music school connects a Stripe account to collect family payments, additional information (such as legal business name, business address, tax identifiers, and bank account details) is collected and held by Stripe under Stripe's own privacy policy. MusicDesk receives only limited metadata (such as account status, default currency, and country) for operational purposes.

Information Entered by Music Schools

Music schools may enter information into the Service about their teachers, families, and students, including names, contact details, lesson schedules, attendance records, billing amounts, and notes. We process this information on behalf of the school, as described in section 1.

Information Collected Automatically

When you visit our website or use our application, we may automatically collect:

  • IP address (used at signup to detect your country and gate eligibility)
  • Browser type and version
  • Device type and operating system
  • Pages visited and time spent
  • Referring website or source
  • General geographic location (city/region level)
  • Error logs generated when you use the Service

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, secure, and improve the Service
  • Create and manage your account
  • Authenticate users and prevent unauthorized access
  • Process subscription payments to MusicDesk and family payments via Stripe
  • Send transactional emails (e.g., receipts, account notifications, password resets)
  • Respond to your inquiries and provide customer support
  • Send marketing communications (with your consent; you can opt out at any time)
  • Analyze usage patterns to improve the Service
  • Detect, investigate, and prevent fraud, abuse, or violations of our Terms
  • Comply with legal obligations

We do not sell personal information.

4. Lawful Bases for Processing (EEA, UK, and Similar Jurisdictions)

Where the EU/UK General Data Protection Regulation (GDPR) or a similar law applies, our lawful bases for processing are:

  • Contract. Processing necessary to provide the Service to you under our Terms.
  • Legal obligation. Processing required to comply with applicable law (for example, tax retention).
  • Legitimate interests. Processing necessary for our legitimate interests in operating, securing, and improving the Service, where those interests are not overridden by your rights.
  • Consent. Where we ask for and obtain your consent (for example, for marketing communications and certain cookies, as described in section 5).

5. Cookies and Tracking Technologies

We use cookies and similar technologies that differ between our marketing site and our application.

Essential Cookies

Required for the Service to function properly across both the marketing site (musicdesk.io) and the application (app.musicdesk.io). These include authentication cookies to keep you logged in, session-management cookies to protect your session, and preference cookies to remember settings such as your selected organization or timezone.

Analytics Cookies (Marketing Site Only)

On our marketing site (musicdesk.io), we use Google Analytics to understand how visitors interact with the site. Google Analytics collects information such as pages visited, session duration, and general location. This data is aggregated and anonymized.

Product Analytics (Application)

Inside the application (app.musicdesk.io), we use PostHog to understand how account holders and staff use MusicDesk so we can improve it. PostHog records product-usage information such as pages viewed, features used, clicks, your account and organization identifiers, your email address, and general device and location information. We use this only for our own product analytics — we do not sell it or use it for advertising.

PostHog also provides session replay, which reconstructs anonymized recordings of in-app activity to help us diagnose problems and improve usability. These recordings are privacy-masked: text you type into form fields is never captured, and sensitive areas are masked. We do not capture full payment card details (these are handled entirely by Stripe).

Advertising Cookies (Marketing Site Only)

On our marketing site, we use the Meta Pixel (Facebook/Instagram) to measure the effectiveness of our advertising campaigns and to deliver relevant ads. The Meta Pixel may collect data about your browsing activity on our site, which Meta uses in accordance with their privacy policy.

You can manage your cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of the Service.

6. How We Share Your Information

We do not sell, rent, or trade personal information. We share information only as described below.

Service Providers (Sub-Processors)

The following third-party providers process personal information on our behalf, under contractual confidentiality and data-protection obligations:

ProviderPurposeLocation
Supabase, Inc.Database, authentication, and file storageUnited States
Stripe, Inc.Payment processing, including Stripe Connect for family paymentsUnited States
Resend, Inc.Transactional email deliveryUnited States
Vercel, Inc.Application and marketing site hostingUnited States and global edge network
Calendly LLCDemo and meeting schedulingUnited States
Google LLCMarketing site analytics (Google Analytics)United States
PostHog, Inc.In-app product analytics and session replayUnited States
Meta Platforms, Inc.Marketing site advertising measurement (Meta Pixel)United States

Other Disclosures

  • Legal compliance. We may disclose information when required by law, subpoena, or other legal process, or to protect the rights, property, or safety of MusicDesk, our users, or the public.
  • Business transfers. If the MusicDesk business is sold or transferred to a successor (for example, through an asset sale, or a transfer of the business into a future corporate entity that continues to operate MusicDesk), personal information may be transferred as part of that transaction. We will notify affected users of any such change.

7. International Data Transfers

MusicDesk is based in Canada. Many of our service providers are based in the United States, and the Service is delivered through a global edge network. As a result, your personal information may be transferred to and processed in countries outside your country of residence, including countries that may not provide the same level of legal protection as your home country.

Where we transfer personal information out of the EEA, UK, or other regulated regions, we rely on appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms made available by our service providers.

8. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you the Service and for legitimate business and legal purposes. In general:

  • Active accounts. Personal information associated with an active account is retained for the life of the account.
  • Closed accounts. After an account is closed, we retain your data for a reasonable transition period to allow recovery if requested, and then delete or anonymize it, except where longer retention is required for legal, tax, accounting, security, or audit purposes.
  • Backups. Backup copies may persist for a limited period after deletion from primary systems, after which they are overwritten in the normal course of operations.

9. Data Security

We take reasonable technical and organizational measures designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. These include:

  • Encrypted connections (HTTPS/TLS) for all traffic to and from the Service
  • Encryption at rest for stored data, where supported by our service providers
  • Hashed passwords (we never store passwords in plain text)
  • Role-based access controls within the Service (account holders, administrators, teachers)
  • Restricted access by MusicDesk personnel, on a need-to-know basis

No system is perfectly secure. If we become aware of a security incident affecting your personal information, we will notify you and the relevant authorities as required by applicable law.

10. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

  • Access. Request a copy of the personal information we hold about you.
  • Correction. Ask us to correct inaccurate or incomplete information.
  • Deletion. Ask us to delete your personal information, subject to legal exceptions.
  • Portability. Receive your information in a structured, machine-readable format.
  • Restriction or objection. Restrict or object to certain processing.
  • Withdraw consent. Where processing is based on consent, withdraw that consent at any time.
  • Opt out of marketing. Opt out of marketing communications at any time.
  • Lodge a complaint. Lodge a complaint with your local data protection authority. In Canada, the relevant authority is the Office of the Privacy Commissioner of Canada. In the EU, the authority is your country's supervisory authority; in the UK, the Information Commissioner's Office.

To exercise any of these rights, contact us at support@musicdesk.io. We may ask you to verify your identity before responding. We will respond within the time required by applicable law (generally 30 days under GDPR, 45 days under CCPA, plus any extensions allowed by law).

If your request relates to family or student data that a music school has entered into the Service, please direct it to the music school. As a processor of that data, we will support the school in fulfilling your request but cannot act on it directly.

11. California Residents (CCPA / CPRA)

If you are a California resident, you have the rights described in section 10 above. The categories of personal information we collect are described in section 2. The purposes for which we use that information are described in section 3. We do not sell personal information. We may share data with the advertising provider listed in section 6 (Meta Platforms) for measuring our marketing-site advertising; under the California Consumer Privacy Act and California Privacy Rights Act, you have the right to opt out of this sharing by contacting us at support@musicdesk.io.

12. Children's Privacy

The Service is intended for use by adults operating music schools (and the staff they invite). We do not knowingly collect personal information directly from children under the age of 16. Music schools that enter information about minor students into the Service are responsible for obtaining any consents required from parents or guardians under applicable law (including, in the United States, COPPA and FERPA where applicable).

If you believe a child has provided us with personal information directly, please contact us at support@musicdesk.io and we will take appropriate steps to delete that information.

13. Third-Party Links

Our Service may contain links to third-party websites or services (e.g., Stripe, Calendly). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. For material changes, we will provide additional notice (for example, by email or by a notice in the Service) before the change takes effect. Your continued use of the Service after any modifications constitutes your acceptance of the updated Privacy Policy.

15. Contact Us

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at:

MusicDesk
Mailing address: [Pending — replace with virtual mailing address before publishing]
Email: support@musicdesk.io
Website: musicdesk.io