1. What this policy covers
Clefwise is a web-based music teaching business management platform available at clefwise.app. This policy explains how Clefwise collects, uses, stores, and protects personal information.
Teachers who use Clefwise to manage their studios are independent businesses. They are responsible for their own privacy practices with their clients. Clefwise acts as a data processor on behalf of teachers for the student and parent data they enter into the platform.
This policy covers the data that Clefwise (the platform) processes. It does not cover how individual teachers handle personal information outside of the platform.
2. Information we collect
Account information
Name, email address, and password (hashed — never stored in plain text). For teachers: studio name and business details. Your role (teacher or parent).
Student information (provided by teachers)
First and last name, date of birth, instruments played, skill level, guardian details (name, email, phone, relationship, home address), profile photo, and referral source.
Health information
Allergy and other health-related notes that a parent or teacher chooses to record about a student. This is sensitive information under the Australian Privacy Principles — see “Teacher responsibilities” in our Terms of Service.
Lesson & practice data
Lesson schedules, attendance, cancellations, lesson notes and feedback (written by teachers), practice logs (instrument, duration, date), and achievements.
Financial data
Invoice amounts, due dates, and payment status. Payment method type and transaction references. Stripe account identifiers for teachers receiving payments. Credit card numbers are handled directly by Stripe and never touch Clefwise servers.
Communication data
Messages between teachers and parents, and announcements sent by teachers.
Technical data
IP addresses (for rate limiting and security only), authentication session cookies, Google Calendar OAuth tokens (encrypted, only if you opt in to calendar sync), and device push tokens (if you use the Clefwise iOS app). We also collect first-party performance telemetry — the page route (with identifiers stripped), your browser's user agent, and your account id — to monitor and improve app speed. It is used only for internal performance diagnostics and is never shared or sold. Clefwise does not use third-party tracking cookies or analytics services.
3. How we use your information
- Providing the service — displaying schedules, lesson notes, practice data, and invoices.
- Transactional emails — invoice delivery, lesson reminders, event reminders, and announcements.
- Payment processing — facilitating payments between parents and teachers via Stripe.
- Calendar sync — syncing lessons with Google Calendar (only if you connect your account).
- Security — rate limiting, fraud prevention, and session management.
We do not sell, rent, or share your personal information with advertisers or data brokers.
4. Third-party services
Clefwise uses the following third-party services to operate the platform:
| Service | Purpose | Data shared |
|---|---|---|
| Supabase | Database, authentication, file storage | All account and service data (encrypted at rest, hosted in Australia — Sydney, ap-southeast-2) |
| Stripe | Payment processing | Invoice amounts, payer email, teacher account details, and the child's full name in the checkout line-item description |
| Resend | Email delivery | Recipient email addresses, and email content — which can include a child's name in invoice emails and announcements |
| Google (optional) | Calendar sync | Teacher's Google email and encrypted OAuth tokens; if sync is on, the child's name and instrument appear in the lesson event title on the teacher's calendar |
| Apple (APNs) | iOS push notifications | Device push tokens and notification text, which can include a child's name on a lock screen |
| Upstash | Rate limiting | Client IP addresses on public routes (used as rate-limit keys) |
| Vercel | Hosting & content delivery | All requests and server logs, which may contain personal information |
| Anthropic (optional) | AI schedule import (only when this feature is enabled) | Uploaded timetable photos and the extracted details, which can include children's names |
5. Google Calendar data
Connecting Google Calendar is entirely optional. If you connect it, Clefwise requests only the minimum Google Calendar permissions needed for two features, and nothing more:
- See your events (the calendar.readonly permission) — so your existing commitments appear as busy time on your Clefwise schedule and you don't book a lesson over them.
- Manage lesson events (the calendar.events permission) — so lessons you schedule in Clefwise appear on your Google Calendar and update or disappear when you change or cancel them. Clefwise only creates, edits, and deletes the events it added — never your other events.
How we store it. Your Google authorization tokens are encrypted (AES-256-GCM) and stored only to keep the sync working; busy-time details we read are stored solely to display your schedule. You can disconnect at any time in Settings — this revokes Clefwise's access with Google and deletes the stored tokens and synced calendar data.
How we share it — we don't. Clefwise does not sell or transfer your Google Calendar data to anyone, does not use it for advertising, and does not use it to train machine-learning or AI models. No Clefwise staff member reads your calendar data except with your explicit consent (for example, to help with support) or where required by law.
Clefwise's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
6. Children's data
Clefwise may store personal information about minors (students under 18). This data is provided by teachers or parents, not collected directly from children.
Students do not have their own Clefwise account today — a student-facing app is planned for a future release. Teachers create and enter each student's details directly (studio-scoped). A parent creates a portal account by accepting an invite from the teacher, which links them to their child's existing student record and gives them visibility over that data.
For this student data, Clefwise acts as a processor: the teacher decides to record it and is responsible for having the authority — and any parental notice or consent their situation requires — to do so. See “Teacher responsibilities” in our Terms of Service.
Clefwise does not collect personal information directly from children. Student information is entered by teachers, who warrant they have the authority and any parental consent required to record it (see our Terms). If you believe a child's data has been recorded without appropriate consent, contact us at support@clefwise.app.
7. Data security
- Row-level security ensures users can only access data within their own studio or family.
- OAuth tokens are encrypted with AES-256-GCM.
- Files are served via time-limited signed URLs from private storage buckets.
- Rate limiting is applied to public-facing endpoints.
- Security headers are configured (Content Security Policy, HSTS, X-Frame-Options).
8. Data retention
- Messages: Hard-deleted after 2 years, or when both parties delete them.
- Practice logs: Retained for 3 years, then deleted.
- Activity feed: 6-month retention.
- Account deletion: Teachers can delete their account and all associated studio data at any time via account settings. Parent and student data associated with that studio is also removed.
Some data may persist in encrypted backups for up to 30 days after deletion.
9. Your rights
Under the Australian Privacy Principles, you have the right to:
- Access your personal information held by Clefwise.
- Correct inaccurate or outdated information.
- Request deletion of your account and associated data.
- Withdraw consent for optional features (e.g. Google Calendar sync).
To exercise these rights, email support@clefwise.app. We will respond within 30 days.
10. Cross-border data
Your core Clefwise data (database, authentication, file storage) is hosted with Supabase in Australia (Sydney, ap-southeast-2) and stays onshore. Some services we rely on to operate the platform — Stripe, Resend, Google, Apple, Upstash, Vercel, and (only when the AI schedule-import feature is enabled) Anthropic — are based overseas and may process a limited slice of data outside Australia, as described in “Third-party services” above. These providers maintain appropriate data protection safeguards. By using Clefwise, you consent to this transfer where necessary to provide the service.
11. Changes to this policy
We may update this policy from time to time. For material changes, we will notify you via email. The “Last updated” date at the top reflects the most recent revision. Continued use of Clefwise after notification constitutes acceptance.
12. Contact us & complaints
For privacy questions or to exercise your rights:
- Email: support@clefwise.app
- Entity: Jackson Connor Pawelski trading as Clefwise
If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC).