1. Scope and Acceptance
1.1 This Privacy Policy describes how Cantare, LLC ("Cantaré," "we," "us," or "our") collects, uses, shares, retains, and protects information in connection with the Cantaré software-as-a-service product, including the Cantaré — Worship edition, the Cantaré — Ensemble edition, the cantare.app marketing and signup websites, the app.cantare.app application runtime, any associated mobile interfaces, any APIs we expose, and all related services (collectively, the "Service").
1.2 By creating an account, signing in, or otherwise using the Service, you agree to this Privacy Policy. If you do not agree, you must not use the Service. Your use of the Service is also governed by our End-User License Agreement (the "EULA"), which is incorporated by reference into this Privacy Policy.
1.3 If you accept this Privacy Policy on behalf of an organization — a church, parish, school, college, music studio, community choir, orchestra, handbell ensemble, or similar organization (each, the "Subscriber Organization") — you represent that you have authority to bind that organization, and "you" refers to both you individually and the Subscriber Organization.
1.4 Capitalized terms not defined in this Privacy Policy have the meanings given in the EULA.
2. Information We Collect
We collect information about Subscribers, Authorized Users, and individuals about whom Subscribers store roster data ("Roster Subjects").
2.1 Account information you provide
When you create an account or invite an Authorized User, we collect:
- Name (first and last)
- Email address (the account identifier)
- Password (hashed; we never store the plain-text password)
- Subscriber Organization name
- Role within the Subscriber Organization (admin, editor, volunteer, etc.)
- Optional profile information: photo, phone number, mailing address, preferred name, pronouns, time zone
2.2 Subscriber Content you create or upload
The Service stores everything you create or upload as part of your use, including:
- Service / Performance plans — dates, types, programs, lectionary references, scripture references, hymn or repertoire selections, attribution, accompaniment notes, performer assignments, minister roles, attendance, performance notes
- Library inventory — music titles, composers, arrangers, voicings, difficulty ratings, accompaniment types, instrumentation, catalog numbers, publisher information, copies on hand, locations, themes, scripture references, attached PDF scores or audio files
- Roster and personnel records — names, contact information, voice parts, vocal ranges, instruments played, ensemble memberships, attendance history, scheduling preferences, accommodations and health considerations Subscriber elects to record, family relationships, audition scores and rubric results, photographs
- Communications and notifications — invitations sent, reminders delivered, assignment confirmations
- Files uploaded to Supabase storage — score PDFs, art assets, bulletin exports, profile photos
- Custom settings and configurations — preferred Bible translation, hymnal selections, template choices, role permissions, custom section labels, custom canonical mappings, billing preferences
2.3 Information about Roster Subjects
Subscriber Organizations frequently use the Service to store information about choir members, congregants, volunteers, students, and other natural persons who are not themselves Authorized Users. Subscribers are responsible for obtaining any required consents, providing any required notice, and complying with all applicable children's privacy and personal-data laws when storing such information. See Section 10 (Children's Data) and Section 11 (Roster Data About Minors).
2.4 Usage and device data we automatically collect
We collect technical and usage information automatically when you use the Service:
- Log data: IP address, user-agent string, browser type, operating system, timestamps of requests
- Page-view and feature-usage data: which pages you visit, which features you invoke, which buttons you click, how long sessions last
- Performance and error data: load times, error messages, stack traces (collected via Sentry; see Section 6)
- API usage data per Tenant: number of AI-feature invocations, tokens consumed (tracked in the tenant_ai_usage table for billing and abuse-prevention purposes), files uploaded, storage consumed
2.5 Payment information
When you subscribe to a paid plan, our payment processor (Stripe, Inc.) collects payment-card or bank-account information from you directly. Cantaré does not store payment-card numbers. We receive from Stripe only the information necessary to manage your subscription, including a card-token reference, the last four digits of your payment instrument, the card brand, the expiration date, and the billing address.
2.6 OAuth-connected third-party data
If you connect Google Workspace (Google Drive, Sheets, Slides) or Microsoft 365 (OneDrive) via OAuth, we store a refresh token in tenant_settings.google_refresh_token (or its OneDrive equivalent) that lets us access your account for the purposes you authorize. We do not copy your Drive or OneDrive files into our database except as part of explicit user-initiated sync or export operations.
2.7 Communications with us
When you contact us via email, in-app support, feedback forms, or other channels, we collect the content of those communications and any information you provide.
2.8 Cookies and similar technologies
We use a small set of first-party cookies and similar technologies. See Section 15 (Cookies).
3. How We Use Information
We use the information we collect to:
3.1 Provide and operate the Service, including authenticating you, storing your data, processing your requests, delivering AI-feature outputs, sending transactional emails, processing payments, and providing technical support.
3.2 Improve and develop the Service, including diagnosing errors, monitoring performance, analyzing aggregate usage patterns, prioritizing roadmap decisions, and testing new features. Where this involves Subscriber Content, we use it only in the aggregate and only as described in Section 4 (Cross-Tenant Data) or with appropriate de-identification.
3.3 Communicate with you, including sending account confirmations, password-reset emails, billing notices, security alerts, product updates, and (with appropriate consent or as permitted by law) occasional product-news emails. You can opt out of non-transactional emails at any time via the unsubscribe link.
3.4 Enforce our EULA and policies, including investigating suspected violations, suspending or terminating accounts that violate our terms, and preserving our legal rights.
3.5 Comply with legal obligations and respond to lawful requests from authorities.
3.6 Protect the security and integrity of the Service and detect, prevent, and respond to fraud, abuse, and security incidents.
4. Music Library Data, AI Enrichment, and the Cross-Tenant Learning Loop
This section describes a specific class of Cantaré data flows that may be different from what you have seen in other SaaS products. Please read carefully.
4.1 The shared music library
Cantaré operates a shared global music library index — a multi-tenant catalog of factual music metadata used across all Subscriber Organizations. Currently this includes approximately 49,000 hymn records from approximately 800 hymnals (the hymn_index table), along with shared metadata for choral, handbell, orchestra, and other repertoire (in sheet_music_index).
The library contains factual metadata — titles, composers, authors, tune names, meters, scripture references, voicings, difficulty ratings, hymnal appearances, instrumentation, and similar attributes. Factual metadata is not copyrightable under United States law (Feist Publications, Inc. v. Rural Telephone Service Co., 499 U.S. 340 (1991)), and the shared library does not contain any personally identifying information about any Subscriber Organization or Authorized User.
4.2 AI enrichment of music library data
We use Google's Gemini API to enrich the shared music library with additional factual metadata about each piece — for example, expanding scripture references, adding theme tags, classifying difficulty, identifying alternate voicings available for purchase from third-party publishers, listing instrumentation requirements, and similar. AI-enrichment outputs that meet our quality threshold are stored in the global library index and become available to all Subscribers, including you.
You acknowledge and agree that:
- AI-enrichment outputs are factual in nature and contain no personally identifying information;
- The use of AI-enrichment outputs to enrich the global library benefits all Subscribers, including you, by reducing per-tenant enrichment costs and improving search quality;
- AI-enrichment may be inaccurate and should be independently verified before relying on it for any decision with material consequences.
4.3 Hymnary.org data
The shared music library is built in part from data obtained from Hymnary.org, operated by the Christian Classics Ethereal Library (CCEL) at Calvin University. We obtain Hymnary data via two parallel access methods: (a) bulk CSV downloads published by Hymnary.org at https://hymnary.org/widgets and via search-result CSV export, which Hymnary.org has expressly made available for use; and (b) HTML scraping of public Hymnary.org pages as a fallback when bulk CSV returns insufficient data.
The data obtained is cached in our database and surfaced to all Subscribers. We attribute Hymnary.org as the source on every hymn detail page and acknowledge CCEL on cantare.app/credits.
4.4 The slot_aliases cross-tenant learning loop
The Service includes a cross-tenant learning feature that aggregates anonymized label-to-canonical-concept mappings across Subscriber Organizations. The mechanism works as follows:
- During a service-history import, when an Authorized User manually maps a previously unrecognized label (for example, "Cherubs" → "Children's Choir Anthem"), the lowercase label string and its canonical mapping are stored in the slot_aliases table at the Tenant level.
- When two (2) or more distinct Subscriber Organizations independently map the same label to the same canonical concept, an administrator may promote that mapping to a global-source entry that becomes visible to all Subscriber Organizations.
The stored mappings contain (i) the lowercase label string, (ii) the canonical concept it maps to, and (iii) the optional denomination hint when one was provided. They do not contain Subscriber Organization identity, Authorized User identity, IP addresses, timestamps tied to any individual, or any other personally identifying information.
4.5 Your opt-out rights
You may opt your Tenant out of contributing future mappings to the cross-tenant learning loop at any time from Settings → Privacy & Data.
Note that existing mappings already contributed by your Tenant before the opt-out will remain in the global library because (a) they contain no Subscriber identity, (b) they are factual and uncopyrightable, and (c) the cross-tenant value of the loop derives from the aggregate of multiple Subscribers' contributions and would be undermined by retroactive removal.
You may also opt out of AI enrichment running against your Subscriber Content by disabling the relevant AI features in Settings → Features, in which case (i) we will not invoke AI features on your Subscriber Content unless you explicitly request it, and (ii) any AI-enrichment outputs previously generated for your Subscriber Content will remain in your Tenant for your reference.
5. Legal Bases for Processing (EU/UK Subscribers)
If you are in the European Union, the United Kingdom, or another jurisdiction with similar data-protection law, we rely on the following legal bases:
- Contract performance — to provide the Service you signed up for
- Legitimate interest — to improve the Service, ensure security, prevent abuse, and engage in non-marketing communications with our customers
- Consent — for any marketing communications and for any feature you explicitly enable that involves a new category of data processing
- Legal obligation — to comply with applicable law
6. Sharing with Third Parties
We share information with the following categories of third parties.
6.1 Subprocessors and service providers
Our subprocessor list as of the effective date is maintained at cantare.app/subprocessors. Current subprocessors include:
| Subprocessor | Purpose | Data shared |
|---|---|---|
| Supabase, Inc. | Database, authentication, object storage (US region) | All Subscriber Content, account info, files |
| Google Cloud / Gemini API | AI features (text and image generation, enrichment, fuzzy match) | Inputs to AI features at the time of invocation; per Google's API terms, Google does not use API inputs to train general-purpose AI models |
| Google Workspace (optional, Subscriber-connected) | Google Drive / Sheets / Slides integration | Files Subscriber elects to sync or export |
| Microsoft 365 (optional, Subscriber-connected) | OneDrive integration | Files Subscriber elects to sync or export |
| Stripe, Inc. | Payment processing, sales-tax calculation and remittance | Payment-card or bank info, billing address, sales-tax classification |
| Resend, Inc. | Transactional email | Recipient email addresses, email subject and body |
| Sentry, Inc. | Error monitoring | Stack traces, user-agent, IP, partial Subscriber identifiers; we scrub email-like and obvious-PII patterns from error payloads where feasible |
| api.bible (American Bible Society) | Scripture text lookup, cached up to 90 days | Scripture references requested |
| Hymnary.org / CCEL | Hymn metadata source | None — we read public data from Hymnary; we do not transmit Subscriber information to them |
| Vercel, Inc. or Railway Corp. | Application hosting | Logs, request metadata |
We have data-processing agreements (DPAs) or equivalent contractual terms with each subprocessor that processes personal data on our behalf.
6.2 Aggregated and de-identified data
We may use and share aggregated or de-identified data that does not identify any individual or Subscriber Organization for product improvement, research, benchmarking, or marketing — for example, "73% of Cantaré customers planned an Easter Vigil service in 2026."
6.3 Legal disclosures
We may disclose information when we believe in good faith that disclosure is necessary to (a) comply with applicable law, court order, subpoena, or other legal process; (b) protect the rights, property, or safety of Cantaré, our Subscribers, or others; (c) investigate fraud, abuse, or violations of the EULA; or (d) enforce our agreements.
6.4 Business transfers
If Cantaré (or its parent entity, when one exists in the future) is involved in a merger, acquisition, financing, reorganization, bankruptcy, sale of assets, or similar transaction, information may be transferred as part of that transaction. We will notify Subscribers of any such transfer that materially affects how their information is processed.
6.5 No sale of personal data
We do not sell personal data, and we have not sold personal data in the preceding 12 months. "Sale" includes the disclosures defined as "sales" by the California Consumer Privacy Act (CCPA) and similar state laws. We also do not "share" personal data for cross-context behavioral advertising as defined by the CCPA.
6.6 No targeted advertising
We do not use Subscriber Content, Authorized User information, or Roster Subject information for cross-context behavioral advertising, retargeting, or targeted advertising of any kind.
7. International Data Transfers
Our primary infrastructure is hosted in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States. Where we transfer personal data from the European Economic Area, the United Kingdom, or Switzerland to the United States, we rely on Standard Contractual Clauses or other lawful transfer mechanisms.
8. Data Retention
8.1 Active retention. We retain Subscriber Content for the duration of your Subscription Term and for thirty (30) days after the end of the Term to permit recovery from accidental deletion.
8.2 Backups. Backups may be retained for up to an additional sixty (60) days for disaster-recovery purposes and are not accessed except for that purpose.
8.3 Account information. Account information (name, email, organization name) is retained for the duration of your Subscription and for ninety (90) days after termination to handle any final billing or support matters, then deleted.
8.4 Cross-tenant aggregate data. As described in Section 4.5, mappings contributed to the slot_aliases global library and AI-enrichment outputs incorporated into the shared hymn_index and sheet_music_index are retained indefinitely because they do not contain Subscriber identity and the cross-tenant value derives from the aggregate.
8.5 Log data and analytics. Server logs and usage analytics are retained for ninety (90) days for security and operational purposes, then aggregated or deleted.
8.6 Legal hold. We may retain information longer if required by law, court order, or to enforce our agreements.
9. Security
9.1 We implement administrative, technical, and physical safeguards designed to protect the information we collect. These include encryption in transit (TLS) and at rest, role-based access controls, multi-tenant data isolation enforced at the database row-level security ("RLS") layer, periodic security audits, multi-factor authentication for administrative access, and incident response procedures.
9.2 No system is perfectly secure. Despite our safeguards, we cannot guarantee absolute security. You agree to notify us promptly at security@cantare.app of any unauthorized access to your account.
9.3 Breach notification. If we become aware of a security incident affecting personal data, we will notify affected Subscribers without undue delay and in accordance with applicable law.
10. Children's Data
10.1 The Service is not directed to children under 13, and we do not knowingly collect personal data directly from anyone under 13 as a Cantaré account holder or Authorized User.
10.2 If you believe we have inadvertently collected personal data from a child under 13 as an account holder, please contact us at privacy@cantare.app and we will delete the data.
10.3 Roster data about children is a separate matter — see Section 11.
11. Roster Data About Minors
11.1 Subscriber Organizations frequently use the Service to store information about choir members, students, congregants, performers, and others — some of whom may be minors (including children under 13). Examples include children's choir rosters, school choral program rosters, and youth-orchestra rosters.
11.2 Subscriber is the data controller for Roster Subject information. Cantaré processes Roster Subject information solely on behalf of Subscriber under Subscriber's instructions. Subscriber represents and warrants that:
(a) Subscriber has the legal right to upload, enter, and process Roster Subject information under all applicable laws including the Children's Online Privacy Protection Act ("COPPA"), the Family Educational Rights and Privacy Act ("FERPA") where applicable, GDPR Article 8 where applicable, and analogous state and international laws;
(b) Subscriber has obtained any required parental, guardian, or individual consents for the collection and storage of Roster Subject information through the Service;
(c) Subscriber has provided Roster Subjects (and where appropriate their parents or guardians) with all required notices about the collection and use of their information, including a Subscriber-specific privacy policy if Subscriber's privacy practices require one;
(d) Subscriber will respond to and honor any request from a Roster Subject (or their parent or guardian) to access, correct, or delete their information, using the tools provided in the Service and supplemented by direct outreach to Cantaré if needed.
11.3 Subscriber is solely responsible for the legal and ethical use of Roster Subject information. Subscriber agrees to indemnify Cantaré per the EULA against any claim arising from Subscriber's failure to comply with this Section 11.
12. Your Privacy Rights
Depending on where you live, you may have additional rights regarding your personal data. We honor these rights to the maximum extent applicable.
12.1 Universal rights
All Subscribers and Authorized Users can:
- Access their account data at any time via the Service
- Correct inaccurate account data via Settings → Profile
- Export Subscriber Content via Settings → Profile and Account → Export
- Delete their account and Tenant via Settings → Profile and Account → Delete Account
- Opt out of non-transactional emails via the unsubscribe link in any such email
- Opt out of the cross-tenant slot_aliases contribution via Settings → Privacy & Data
- Disable AI features processing their Subscriber Content via Settings → Features
12.2 California residents (CCPA / CPRA)
If you are a California resident, you have the right to:
- Know what categories of personal information we collect, the sources of that information, the purposes for collecting it, and the categories of third parties with whom we share it
- Access the specific pieces of personal information we hold about you
- Delete personal information we have collected, subject to specified exceptions
- Correct inaccurate personal information
- Opt out of "sale" or "sharing" of personal information (we do not sell or share, per Section 6.5–6.6, so this opt-out is moot but available)
- Limit our use of sensitive personal information (we do not use sensitive personal information beyond what is necessary to provide the Service)
- Non-discrimination for exercising your rights
To exercise these rights, contact privacy@cantare.app. We will verify your identity through your account credentials or, for non-account-holders, through reasonable verification questions. We respond within 45 days as required by law, with a possible 45-day extension if needed.
12.3 EU / UK / Swiss residents (GDPR / UK GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the right to:
- Access your personal data
- Rectify inaccurate personal data
- Erase your personal data ("right to be forgotten"), subject to legal exceptions
- Restrict our processing of your personal data
- Object to processing based on legitimate interest
- Data portability (export in a structured, commonly used, machine-readable format)
- Withdraw consent (where processing is based on consent)
- Lodge a complaint with your supervisory authority
To exercise these rights, contact privacy@cantare.app. We will respond within 30 days as required by law.
12.4 Virginia, Colorado, Connecticut, Utah, and other state-law residents
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and other states with privacy laws have rights similar to those described above. Contact privacy@cantare.app to exercise them; we will respond within the timeframe required by the applicable state law.
12.5 Authorized agent
You may designate an authorized agent to make a request on your behalf. We require evidence of the agent's authority before responding.
13. AI-Specific Privacy Disclosures
13.1 AI features in the Service ("AI Features") are powered by Google's Gemini API. When you invoke an AI Feature, the relevant input data is transmitted from Cantaré to Google for processing and the AI Output is returned to Cantaré for display to you and storage (if applicable) in your Tenant.
13.2 Per Google's published API terms for the Gemini API as of the effective date, Google does not use API inputs to train Google's general-purpose AI models. API inputs may be retained briefly for abuse prevention, content-policy enforcement, and operational purposes, then deleted. Detailed information about Google's API data-handling practices is published at https://ai.google.dev/gemini-api/terms.
13.3 AI-generated outputs displayed to you may include errors, hallucinations, copyrighted material, or content that is otherwise problematic. You are responsible for reviewing and verifying any AI Output before relying on it. See the EULA for further detail.
13.4 We track per-Tenant AI usage (token counts, image generations, request counts) in the tenant_ai_usage table to enforce per-tier quotas and to detect abuse. This usage data is not shared with third parties except as needed to process payment if usage-based billing is enabled.
13.5 Image generation through Google's Nano Banana model is subject to Google's content policy. Inappropriate prompts may be rejected by Google, and Google retains discretion to enforce its content policy.
14. Communications and Email
14.1 Transactional emails — account confirmation, password reset, security alerts, billing notices, invitations sent on your behalf — are part of the Service and cannot be opted out without canceling the Service.
14.2 Product news — we may send occasional emails about new features, important changes, or related announcements. You can unsubscribe at any time using the link in the email.
14.3 Marketing — we do not currently send standalone marketing emails. If we ever do, they will be sent only with consent or where permitted by law, and you can unsubscribe at any time.
15. Cookies and Similar Technologies
15.1 We use a small set of first-party cookies, including:
- Authentication cookies — to keep you signed in (essential; cannot be disabled if you want to use the Service)
- Preference cookies — to remember UI preferences such as theme, language, or sidebar state
- Analytics cookies — first-party only; we measure aggregate page views and feature usage; we do not use third-party advertising cookies
15.2 You can control cookies through your browser settings. Disabling essential cookies will prevent you from signing in to the Service.
15.3 Do Not Track. Some browsers offer a "Do Not Track" signal. We do not currently respond to Do Not Track signals because there is no industry consensus on how to do so; however, we do not engage in cross-context behavioral advertising regardless of the signal you send.
16. Third-Party Links
The Service may contain links to third-party websites or services (for example, Hymnary.org canonical pages, publisher pages where alternate voicings can be purchased, or external sheet-music vendors). We are not responsible for the privacy practices or content of any third-party site. Review their privacy policies before providing information.
17. Changes to This Privacy Policy
17.1 We may update this Privacy Policy from time to time. When we do, we will update the date at the top, increment the version in src/lib/eula.js, and prompt you to re-accept at next sign-in.
17.2 We will provide reasonable advance notice of material changes through one or more of: email to your account address, in-app notice, posting on cantare.app, or required re-acceptance.
17.3 Continued use of the Service after the effective date of an updated Privacy Policy constitutes acceptance.
18. Children Under 16 (Specific to EU)
For EU Subscribers and Authorized Users, where Article 8 of the GDPR applies and the age threshold in your member state is higher than 13, we treat all minors at or below the local threshold the same way as Section 10 — we do not knowingly collect personal data from them as account holders.
19. Contact Us
For privacy questions, requests, or complaints:
- Privacy email: privacy@cantare.app
- General support: hello@cantare.app
- Mail: Cantare, LLC, [Huntsville registered-agent address — to be inserted at registration]
For Subscribers in the EU/UK who require a designated representative under GDPR Article 27 or the UK GDPR equivalent: (Reserve until attorney review — if Subscriber base in EU/UK reaches the threshold requiring a representative, one must be designated and named here.)
For data-protection supervisory authority complaints in the EU, see your country's data protection authority website. In the UK, see the Information Commissioner's Office (ICO) at https://ico.org.uk.
End of Privacy Policy paralegal draft. Awaiting attorney markup. Open items for counsel: (i) registered-agent address insertion at §19; (ii) confirmation that the Section 4 cross-tenant data disclosure is comprehensive and defensible; (iii) confirmation that the §11 indemnification of Cantaré for Roster Subject mishandling is enforceable; (iv) state-law-specific addenda (Texas TDPSA, Oregon OCPA, and other 2025/2026 state laws may need separate sections); (v) GDPR Article 27 representative designation if EU Subscriber base develops; (vi) annual or biennial review cycle for subprocessor list and breach-notification timelines as state laws evolve.