Privacy Policy

How we collect, use, and protect your personal information. We aim to do the right thing by default — this policy lays out how.

Last updated: February 8, 2026 · Effective immediately

1. Who We Are

MMS Art Studio ("we", "us", "our") is an online music academy based in Seattle, Washington, USA. We operate the website mmsartstudio.com and the Smart Virtual Classroom platform.

We are the data controller for the personal information we collect about you when you use our Service.

2. Information We Collect

Account information: name, email address, optional phone number, password (stored as a salted hash, never in plain text), profile photo (optional).

Lesson information: bookings, schedules, attendance, payment status, instructor notes, assignments, and your submitted practice files.

Recording information: with your explicit consent, audio and video recordings of lessons. Acknowledgment of consent is logged with timestamp, IP, user-agent, and policy version for our compliance audit trail.

Payment information: handled directly by Stripe — we never see your full card number. We retain only a token reference and the last four digits to display on receipts.

Technical information: IP address, browser type, device identifiers, pages visited, and cookies used to keep you signed in and to power core features.

Communication: messages between you and your instructor or our admin team, sent via the Service.

3. How We Use Your Information

To deliver lessons, schedule sessions, process payments, and provide the core features of the Service.

To send you transactional emails (booking confirmations, password resets, lesson reminders) and, with your consent, occasional product updates and newsletters.

To maintain a safe environment — for example, by logging recording acknowledgments to demonstrate compliance with privacy laws.

To improve the Service through aggregated analytics — we use PostHog with cross-origin iframe recording disabled. Individual lesson recordings are never used for analytics.

4. Legal Basis (GDPR / UK GDPR)

Performance of a contract: to deliver lessons you have booked and paid for.

Consent: for recording lessons, marketing emails, and optional analytics — you may withdraw consent at any time.

Legal obligation: to retain payment records for tax purposes.

Legitimate interests: to keep the Service secure, prevent fraud, and improve our product.

5. How We Share Your Information

We do not sell your personal information. We share data only with the third parties strictly required to operate the Service:

• Stripe (payment processing) — your card details, billing address, transaction amount.

• Daily.co (video classroom) — your name and call ID for each session.

• Resend (transactional email) — your email and message content.

• Google (sign-in via Google OAuth, only if you choose it) — name, email, profile photo.

• PostHog (anonymized usage analytics) — events with no recording payload.

• Our instructors and admin staff — as required to deliver lessons and provide support.

We may disclose information if required by law, subpoena, or to protect the rights, property, or safety of users or the public.

6. Children's Privacy

We require parental or guardian consent for students under 13. Parents/guardians sign up on behalf of minors and remain responsible for monitoring lesson content and recordings.

We do not knowingly collect personal information from children under 13 outside the parent-supervised account flow. If you believe we have, please email us immediately.

7. Recording & Compliance

Lessons may be recorded only with explicit acknowledgment from every participant. The first time you join a recordable session, you will see a one-time consent dialog.

When the recording policy materially changes, we increment a policy version and re-prompt all users for fresh acknowledgment. The full audit log is available to administrators for compliance reviews.

Recordings are encrypted at rest, accessible only to the participating student and instructor, and retained for 90 days unless you request earlier deletion.

8. Cookies & Local Storage

We use a session cookie (httpOnly, Secure, SameSite=None) to keep you signed in.

We use localStorage to remember UI preferences (theme, dismissed onboarding tour) and the active session token for authenticated API requests.

You can clear cookies and localStorage from your browser settings at any time. Doing so will sign you out.

9. Data Retention

Account data: retained while your account is active. You may request deletion at any time.

Booking & payment records: retained for 7 years as required for accounting and tax purposes.

Recordings: 90 days unless you request earlier deletion or longer retention for archival/educational use.

Audit logs (recording-consent): retained indefinitely as required for legal compliance.

10. Your Rights

Depending on your jurisdiction, you may have the right to: access the personal data we hold about you; request correction of inaccurate data; request deletion ("right to be forgotten"); object to processing; request portability; withdraw consent.

To exercise any of these rights, email mullermusicseattle@gmail.com. We will respond within 30 days.

You also have the right to lodge a complaint with a supervisory authority such as the California Attorney General (USA), the ICO (UK), or your local Data Protection Authority (EU).

11. Security

We use industry-standard security measures: HTTPS everywhere, salted password hashes, encrypted data at rest, principle-of-least-privilege access controls, and routine security reviews.

No system is 100% secure. If we ever experience a data breach, we will notify affected users and applicable authorities within the timeframes required by law.

12. International Data Transfers

Our infrastructure is hosted in the United States. If you are accessing the Service from outside the US, your data will be transferred to and processed in the US under standard contractual clauses where applicable.

13. Changes to this Policy

We will notify you of material changes via email or a prominent banner on the Service. The "Last updated" date shown on this policy reflects the most recent revision.

14. Contact

For privacy questions or data-rights requests, contact us at mullermusicseattle@gmail.com or by mail at MMS Art Studio, Privacy Office, Seattle, Washington, USA.