Privacy Policy
Last Updated: February 23, 2026
Sonora ("we," "us," "our") operates the Sonora platform, including the website at sonora.is, organization subdomains (e.g., yourorg.sonora.is), and the Sonora mobile application for iOS (collectively, the "Service"). This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you use our Service.
By accessing or using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.
Sonora is subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) and Alberta's Personal Information Protection Act (PIPA). We are committed to protecting your privacy and handling your personal information responsibly, transparently, and in compliance with applicable Canadian and international privacy laws.
1. Information We Collect
1.1 Information You Provide Directly
- Account Information: When you create an account, we collect your name, email address, password, and optional profile photo.
- Organization Information: Organization administrators provide organization names, descriptions, logos, branding preferences, and configuration settings.
- Member Profile Information: Your role, section assignment, voice part, instrument, or other organization-specific designations as configured by your organization's administrator.
- Communications: Messages, files, images, audio recordings, and other content you send through channels, direct messages, and group conversations within the Service.
- Files and Media: Sheet music (PDFs), rehearsal tracks (audio files), images, videos, and other documents you upload to the Service.
- Payment Information: If you are an organization administrator purchasing a subscription, we collect billing information including name, billing address, and payment card details. Payment processing is handled by Stripe, Inc., and we do not store your full credit card number on our servers.
- Feedback and Support: Information you provide when contacting us for support, submitting feedback, or responding to surveys.
1.2 Information Collected Automatically
- Usage Data: We collect information about how you interact with the Service, including pages visited, features used, actions taken, timestamps, and session duration.
- Device Information: Device type, operating system and version, app version, unique device identifiers, and mobile network information.
- Log Data: IP address, browser type, referring/exit pages, and crash reports.
- Push Notification Tokens: If you enable push notifications on the iOS app, we collect your device push token to deliver notifications.
- Audio Playback Data: Playback history, progress, and preferences for rehearsal tracks and other audio content within your organization.
1.3 Information from Third Parties
- Organization Administrators: Your organization's administrator may provide your name and email address when inviting you to join the Service.
- Authentication Providers: If you sign in using a third-party service (e.g., Apple Sign-In), we receive basic profile information as permitted by that provider.
2. How We Use Your Information
We use the information we collect for the following purposes:
- Providing the Service: To create and manage accounts, facilitate communication between organization members, deliver content (rehearsal tracks, sheet music, schedules), and enable collaboration features.
- Organization Administration: To support multi-tenant functionality, allowing organizations to manage members, roles, sections, permissions, and content within their dedicated workspace.
- Communication: To send you transactional notifications (e.g., invitations, password resets, message notifications), push notifications (if enabled), and in-app alerts. We comply with Canada's Anti-Spam Legislation (CASL) and will only send commercial electronic messages with your express or implied consent, and all such messages will include an unsubscribe mechanism.
- Payment Processing: To process subscription payments and manage billing for organization accounts.
- Improvement and Analytics: To understand usage patterns, improve features, fix bugs, and develop new functionality.
- Security: To detect and prevent fraud, abuse, unauthorized access, and other harmful activity.
- Legal Compliance: To comply with applicable laws, regulations, and legal processes.
3. How We Share Your Information
We do not sell your personal information to third parties. We share information only in the following circumstances:
3.1 Within Your Organization
Your profile information, messages, shared files, and activity within an organization workspace are visible to other members of that organization in accordance with the permissions and access controls set by your organization's administrator. Organization administrators have access to member lists, activity data, and content within their organization.
3.2 Service Providers
We engage trusted third-party service providers to perform functions on our behalf, including:
- Supabase, Inc. — Database hosting, authentication, and real-time infrastructure
- Cloudflare, Inc. — Content delivery, file storage (Cloudflare R2), image optimization (Cloudflare Images), and video delivery (Cloudflare Stream)
- Stripe, Inc. — Payment processing and subscription management
- Resend — Transactional email delivery
- Vercel, Inc. — Web application hosting
- Apple Inc. — Push notification delivery (Apple Push Notification service)
These providers are contractually obligated to use your information only as necessary to perform services on our behalf and in accordance with this Privacy Policy.
3.3 Legal Requirements
We may disclose your information if required to do so by law or in good faith belief that such action is necessary to: (a) comply with a legal obligation; (b) protect and defend our rights or property; (c) prevent or investigate possible wrongdoing in connection with the Service; (d) protect the personal safety of users or the public; or (e) protect against legal liability.
3.4 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal information.
4. Data Storage and Security
4.1 Data Storage and Cross-Border Transfers
Your data is stored on servers operated by our service providers, which may be located in the United States or other countries outside of Canada. By using the Service, you consent to the transfer of your personal information to jurisdictions outside of Canada, including the United States, where our service providers operate. We ensure that appropriate contractual and security safeguards are in place to protect your information in accordance with applicable Canadian privacy legislation, including PIPEDA and Alberta's PIPA. Organization data, including messages, files, and member information, is logically separated using row-level security policies to ensure that each organization's data is accessible only to authorized members of that organization.
Files and media (audio tracks, sheet music, images, videos) are stored using Cloudflare R2 object storage with appropriate access controls.
4.2 Security Measures
We implement industry-standard security measures to protect your information, including:
- Encryption of data in transit using TLS/SSL
- Encryption of data at rest
- Row-level security policies enforcing multi-tenant data isolation
- Role-based access controls within organizations
- Secure authentication with hashed passwords and optional third-party authentication
- Regular security reviews and monitoring
While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
5. Data Retention
We retain your personal information for as long as your account is active or as needed to provide the Service. Specifically:
- Account Data: Retained until you or your organization administrator deletes the account.
- Messages and Content: Retained as part of the organization's workspace until deleted by the author, an organization administrator, or upon account/organization deletion.
- Files and Media: Retained until deleted by the uploader, an organization administrator, or upon account/organization deletion.
- Payment Records: Retained as required by applicable financial regulations and tax laws.
- Log and Usage Data: Retained for up to 12 months for analytics and security purposes.
When an organization's subscription is terminated, we retain organization data for a grace period of 30 days to allow for reactivation, after which it is scheduled for deletion.
6. Your Rights and Choices
6.1 Account Information
You may update or correct your profile information at any time through the Service settings. Organization administrators may update organization-level settings and member information.
6.2 Communication Preferences
You may manage push notification preferences through the iOS app settings and your device settings. You may manage email notification preferences through the Service settings.
6.3 Data Access and Portability
You may request a copy of your personal data by contacting us at privacy@sonora.is. Organization administrators may request an export of their organization's data.
6.4 Data Deletion
You may request deletion of your account and personal data by contacting us at privacy@sonora.is. Note that some information may be retained as required by law or for legitimate business purposes (e.g., billing records). Deleting your account will remove your profile and personal data, but messages and content you contributed to an organization may be retained as part of the organization's records at the organization administrator's discretion.
6.5 Canadian Residents (PIPEDA and Alberta PIPA)
Sonora complies with the Personal Information Protection and Electronic Documents Act (PIPEDA) and Alberta's Personal Information Protection Act (PIPA). As a Canadian resident, you have the right to: (a) know what personal information we collect, how it is used, and to whom it has been disclosed; (b) access your personal information held by us; (c) request correction of inaccurate or incomplete personal information; (d) withdraw consent to the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions; and (e) file a complaint with us or with the Office of the Information and Privacy Commissioner of Alberta or the Office of the Privacy Commissioner of Canada. We collect, use, and disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances, and we obtain meaningful consent where required.
6.6 California Residents (CCPA)
If you are a California resident, you have the right to: (a) know what personal information we collect and how it is used; (b) request deletion of your personal information; (c) opt out of the sale of personal information (we do not sell personal information); and (d) not be discriminated against for exercising your rights.
6.7 European Economic Area Residents (GDPR)
If you are located in the EEA, you have additional rights under the General Data Protection Regulation, including the right to access, rectify, or erase your personal information, to restrict processing, to data portability, and to object to processing. Our legal basis for processing includes performance of a contract, legitimate interests, and consent where applicable. To exercise these rights, contact us at privacy@sonora.is.
7. Children's Privacy
The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we will take steps to delete such information. If you believe a child under 13 has provided us with personal information, please contact us at privacy@sonora.is.
Organizations using the Service for youth programs (e.g., school music programs, youth choirs) are responsible for obtaining appropriate parental or guardian consent in compliance with applicable laws, including Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Alberta's Personal Information Protection Act (PIPA), and the U.S. Children's Online Privacy Protection Act (COPPA) where applicable.
8. Third-Party Links and Services
The Service may contain links to third-party websites or services that are not operated by us. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party websites or services. We encourage you to review the privacy policies of any third-party services you access.
9. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated Privacy Policy on the Service and updating the "Last Updated" date. For material changes, we may also notify you via email or in-app notification. Your continued use of the Service after such changes constitutes acceptance of the updated Privacy Policy.
10. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact our Privacy Officer at:
Sonora Privacy Officer
Email: privacy@sonora.is
Website: sonora.is
You also have the right to file a complaint with the Office of the Information and Privacy Commissioner of Alberta (OIPC) or the Office of the Privacy Commissioner of Canada (OPC) if you believe your privacy rights have been violated.