Privacy Policy
Effective 25 April 2026
This policy explains what information Upbeat collects, why we collect it, how we use it, and the choices and rights you have. We have written it in plain English. If anything is unclear, email privacy@cue-upbeat.com.
1. Who we are
Upbeat is operated from South Africa. For privacy purposes, our primary regulator is the Information Regulator of South Africa, and we are guided by the Protection of Personal Information Act (“POPIA”). For users in the European Union and the United Kingdom, we apply the General Data Protection Regulation (“GDPR”) in the same spirit. For users in California, we acknowledge the rights granted by the CCPA.
2. Two kinds of people in this policy
Upbeat is used by ensemble directors and managers to organise their groups. That means there are two distinct relationships in this policy:
- Account holders — the people who sign up to Upbeat (typically directors, conductors, or ensemble managers). We collect information directly from them.
- Members — the people whose information account holders enter into Upbeat (choir members, audition candidates, guardians of minor members, contacts). We process this information on behalf of the account holder’s organisation.
Different rights and obligations apply to each. Where this matters below, we say so.
3. Information we collect from account holders
When you create and use an Upbeat account, we collect:
- Account information — your name, email address, password (stored hashed), and basic preferences.
- Authentication metadata — sign-in times, the provider you used (e.g. email or Google), and security signals, such as your IP address, that we use to detect abuse.
- Organisation settings — the name and configuration of your organisation, your role in it, and the list of members and admins.
- Billing information — when paid plans are introduced, billing details handled by our payment processor (we will name them here when this happens).
- Usage telemetry — basic page-view data via Vercel Analytics. We do not use cross-site tracking, advertising identifiers, or third-party advertising cookies.
- Support correspondence — emails or messages you send us.
4. Information account holders enter about members
Account holders enter information about the people they manage. This typically includes:
- names, contact information, and voice part or instrument;
- attendance records, event participation, and notes;
- audition results and notes;
- repertoire assignments and uploaded files (e.g. scores, recordings).
We process this information only on the instructions of the account holder’s organisation, in our role as a processor under POPIA and as a data processor under Article 28 GDPR. The organisation is the controller of this data; we are the processor.
5. Our commitments to members
Whatever account holders do with their workspace, we make these commitments to the members whose information sits inside it. We do not:
- market or send promotional messages to members;
- profile members, score them, or build behavioural models of them;
- sell, rent, or share member data with third parties for advertising;
- use member data to train artificial intelligence or machine learning models;
- access member data outside the organisation it belongs to, except where strictly necessary to operate the Service or comply with law.
6. Children's data
Choirs and ensembles often include minors. Upbeat does not give accounts to minors — only adults (16+) can register. Where minors are managed in Upbeat, their guardians are typically added as members of the organisation and interact with the platform on their behalf.
Account holders are responsible for obtaining the consent of a parent or guardian before entering a minor’s information into Upbeat, as required by POPIA section 35 and Article 8 of the GDPR. We do not knowingly process children’s data outside of this controller-instructed context.
7. Legal bases (for users in the EU and UK)
Where the GDPR applies, we rely on the following legal bases:
- Performance of a contract — to provide the Service to account holders.
- Legitimate interests — to keep the Service secure, prevent abuse, and improve how it works (balanced against your rights).
- Legal obligation — where we are required to keep records or respond to lawful requests.
- Consent — for anything that requires it; you can withdraw consent at any time.
8. Sub-processors
We use the following third parties to operate Upbeat. We have data-processing terms in place with each of them and choose them for their security and privacy posture.
| Sub-processor | Purpose | Region |
|---|---|---|
| Supabase | Database, authentication, file storage, server-side functions | Primary database in the United States |
| Vercel | Application hosting and basic page-view analytics | United States / global edge |
| Resend | Sending transactional email (sign-in links, invitations, notifications) | United States / European Union |
Before adding a new sub-processor that has access to personal information, we will update this page and notify account holders by email at least 30 days in advance.
9. Where data is stored and cross-border transfers
Our primary database is hosted in the United States. If you use Upbeat from the European Union, the United Kingdom, or South Africa, your information is transferred to and stored in the United States.
For users in the EU and UK, these transfers rely on the Standard Contractual Clauses approved by the European Commission, in place with our sub-processors. For users in South Africa, we rely on the contractual safeguards permitted by POPIA section 72(1)(b).
10. How long we keep your information
We keep your information for as long as your account is active. When you close your account, we soft-delete it: your data is hidden from the Service and recoverable for 30 days, after which it is permanently deleted from our active systems. Encrypted backups are rotated and roll off within 90 days.
When an account holder deletes a member from an organisation, that member’s record follows the same schedule: 30-day recovery window, then permanent deletion, with backups expiring within 90 days.
Some information may be kept for longer where the law requires it (for example, financial records for tax purposes once paid plans are introduced).
11. Security
We use industry-standard technical and organisational measures to protect your information:
- all data in transit is encrypted with TLS;
- data at rest is encrypted by our database and storage provider;
- tenant isolation is enforced at the database level using row-level security;
- access to production systems is least-privilege and logged;
- production data is not used on developer machines.
No system is perfectly secure. If we ever discover a personal-information breach that is likely to harm you, we will notify you and the relevant regulator as required by law.
12. Your rights
Subject to the laws that apply to you, you have the right to:
- access the personal information we hold about you;
- correct information that is inaccurate or out of date;
- delete your information (subject to legal retention obligations);
- object to certain processing, or restrict how we process your information;
- port your information to another service in a structured, machine-readable form;
- withdraw consent where we relied on it.
To exercise any of these rights, email privacy@cue-upbeat.com. We will respond within the time required by the law that applies to you (30 days for POPIA and GDPR).
If you are a member (your information was entered by a director or organisation), please contact that organisation first — they are the controller of your information and best placed to action your request. If they cannot, or you cannot reach them, contact us and we will help.
13. Cookies
Upbeat uses only cookies that are strictly necessary to operate the Service — primarily for keeping you signed in. We do not use advertising or tracking cookies. Because we only use essential cookies, we do not show a cookie consent banner.
14. Complaints
If you are unhappy with how we have handled your information, please email us first so we can try to put it right. You also have the right to complain to a regulator:
- South Africa — the Information Regulator (inforegulator.org.za).
- European Union — your local data-protection authority.
- United Kingdom — the Information Commissioner’s Office (ico.org.uk).
15. Changes to this policy
We may update this policy from time to time. If we make material changes, we will notify you by email and post a notice in-app at least 30 days before the changes take effect. The current version is always available at this page.