Privacy Policy

Effective Date: April 18, 2026 · Last Updated: April 18, 2026

This Privacy Policy describes how The Piano Project ("we," "us," or "our"), operated from the State of Utah, USA, collects, uses, shares, and safeguards information when you visit or register on pianoproject.app (the "Platform") and participate in our Social Media Challenge (the "Service"). By using the Platform, you agree to the practices described in this Policy.

    The short version: We only collect what we need to run the Challenge —
    your contact details, your own posts and progress, and payment info via Stripe. We don't sell
    your data. We use trusted services to send emails and SMS on our behalf. You can opt out,
    export, or delete your data anytime by emailing us.
  

1. Information We Collect

1.1 Information You Provide Directly

When you register and participate, we collect:

Account basics: Full name, email address, phone number, password (stored as a one-way bcrypt hash — we never see or store it in plain text).
Profile / onboarding: Business name, Facebook profile URL, website URL (optional), industry/niche, personal challenge goal.
Daily log entries: Post links, whether you posted, went live, tagged other participants, engaged with others' content, notes, and any additional text you submit.
Referrals & feedback: Information you provide when referring friends or submitting testimonial/written feedback.
Direct messages: Content of DMs sent between participants within the Platform.

1.2 Information Collected Automatically

Session cookie: A single server-side session cookie to keep you signed in. We do not use third-party tracking cookies, advertising cookies, or analytics cookies.
IP address & request metadata: Collected by our rate-limiter and hosting provider (Railway) for security and abuse prevention.
Usage data: Login timestamps, login streaks, last-seen time, and aggregate performance stats (points, ranks) are stored to power the Platform's features.
Email open tracking: Emails we send include a 1×1 pixel used solely to record whether the email was opened. No browser-side tracking beyond this.
SMS delivery status: Twilio reports delivery/read status callbacks to us for messages we send you.

1.3 Payment Information

If a challenge entry fee is enabled, payments are processed by Stripe, Inc. We never see or store full credit-card numbers, CVCs, or banking details. We store only: Stripe payment intent ID, amount, currency, and payment status for receipting and reconciliation. Stripe's privacy practices are described at stripe.com/privacy.

2. How We Use Your Information

To create and maintain your account and authenticate logins.
To operate the Challenge — scoring, streaks, leaderboards, planner, directory.
To send transactional messages: approval notifications, daily reminders, weekly reports, password resets, and challenge-related updates (email and SMS).
To send marketing or re-engagement messages (you may opt out at any time).
To respond to your inquiries, support requests, and feedback.
To prevent fraud, abuse, or violations of our Terms.
To comply with legal obligations.

3. Third-Party Service Providers

We share only what's necessary with these trusted sub-processors:

Provider	Purpose	Data shared
Stripe	Payment processing	Name, email, payment details (processed by Stripe directly)
Twilio	SMS sending & receiving	Phone number, message content, delivery status
Resend / SMTP	Email delivery	Email address, name, email content
Railway	Application hosting & database storage	All stored data (encrypted in transit via HTTPS)
Facebook	Link storage only — no integration	None sent by us. Your Facebook URL is stored as text.
Printify	Merchandise fulfillment (if applicable)	Name, shipping address, order details

We do not sell, rent, or trade your personal information to any third party for advertising or marketing purposes.

4. Cookies

We use a single session cookie to keep you authenticated. It is set with httpOnly and sameSite flags and is cleared when you log out or when the session expires. We do not use analytics, advertising, or third-party tracking cookies.

5. Communications & Opt-Out

SMS: Reply STOP to any text message at any time to unsubscribe from all SMS, including reminders and marketing. Reply HELP for support. Standard message and data rates may apply.
Email: You may unsubscribe from marketing emails using the link at the bottom of any such email, or by emailing us directly. Transactional emails (password resets, account alerts) cannot be unsubscribed while your account is active.
Admins may also manually remove you from drip sequences at your request.

6. Data Security

All data is transmitted over HTTPS (TLS).
Passwords are hashed with bcrypt (one-way, salted) — never stored in plain text.
Sessions are stored server-side in our encrypted database.
Rate limiting protects authentication endpoints from brute force.
Cross-Site Request Forgery (CSRF) protection is enforced on state-changing requests.
Daily encrypted database backups are emailed to the administrator for disaster recovery.

No internet service is 100% secure. You acknowledge that transmitting information carries inherent risk. We promptly notify affected users of any breach that materially impacts their data.

7. Data Retention

We retain your data for as long as your account is active and as needed to provide the Service. Typical retention:

Account + profile data: Until you request deletion or we terminate your account.
Daily log entries & points: Preserved for the duration of the challenge and historical leaderboards.
Message logs (email/SMS sent or received): Up to 12 months.
Payment records: Retained for 7 years for tax and accounting purposes.

Upon deletion request, we delete or anonymize your personal information within 30 days, except where retention is required by law (e.g., tax records) or to resolve disputes.

8. Your Rights

Depending on where you live, you may have the following rights regarding your personal information:

Access: Request a copy of the personal information we hold about you.
Correction: Request we correct inaccurate or incomplete information.
Deletion: Request we delete your personal information.
Opt-out of marketing: At any time, by SMS STOP or email unsubscribe.
Portability: Receive your data in a portable format.
Non-discrimination: We will not discriminate against you for exercising any of these rights.

8.1 California Residents (CCPA / CPRA)

California residents have additional rights under the California Consumer Privacy Act (CCPA) as amended by the CPRA, including the right to know what categories of personal information we collect, the sources, the business purposes, and the third parties with whom we share it — all described above. We do not "sell" or "share" personal information as those terms are defined under the CCPA.

8.2 Utah Residents (UCPA)

As a Utah-based business, we comply with the Utah Consumer Privacy Act (UCPA). Utah residents have the right to access, delete, and opt out of targeted advertising and the sale of personal data. We do not engage in either.

8.3 Other US States

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and other states with comprehensive privacy laws have substantially similar rights. Contact us to exercise any of them.

8.4 International Visitors (GDPR)

If you access the Platform from the European Economic Area, the United Kingdom, or elsewhere outside the United States, your information will be transferred to and processed in the US. You have rights under the GDPR including access, rectification, erasure, restriction, portability, and objection. Our legal basis for processing is typically (a) your consent, (b) performance of the Service contract, and (c) our legitimate interests in operating the Service securely.

To exercise any right, email pianoprojectchallenge@gmail.com with the subject line "Privacy Request." We will verify your identity and respond within 30 days.

9. Children's Privacy

The Platform is not directed to children under 13 and we do not knowingly collect personal information from anyone under 13. If you believe a child under 13 has submitted information, contact us and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or applicable law. The "Last Updated" date at the top will reflect any revision. Material changes will be communicated via email or an in-app notice before they take effect.

11. Contact

If you have questions, concerns, or requests about this Policy or your personal information:

Email: pianoprojectchallenge@gmail.com
Subject line: "Privacy Request" for faster routing.

This Privacy Policy should be read alongside our Terms & Conditions.