Our Privacy Policy

PRIVACY POLICY

1. Introduction

1. 1. Theoretical Limited (“we”) are committed to ensuring that all Personal Data we handle is processed according to legally compliant standards of data protection and data security.

1. 1. This policy applies to the use of the Muso software via our mobile application (“App”) and the Muso website software via our website at www.theoretical.xyz (“Site”). These terms take effect once you have downloaded or streamed a copy of the App onto your mobile telephone or handheld device (“Device”) and you start to use of any of the services accessible through the App or once you access the services available through the Site (“Services”).

1. 1. The Services allows student users (the “Students”) to test and build their knowledge of music theory and to allow teachers (the “Teachers”) to test and improve the Students’ knowledge using quizzes and other generated homework tasks.

1. 1. This policy governs the way in which we will collect and process your Personal Data. To this end, we will adhere to the principles of data protection, as detailed in the Data Protection Act 1998 (prior to 25 May 2018) and the General Data Protection Regulation (EU 2016/679) (from 25 May 2018) (the “Data Protection Laws”). To the extent that terms are defined in the Data Protection Laws the same definitions shall apply in this policy.

1. 1. For the purposes of the Data Protection Laws, the Data Controller is Theoretical Limited.

1. Data protection principles

1. 1. Specifically, the Data Protection Laws require that Personal Data:

1. 1. 1. (a)is processed fairly and lawfully and transparently and, in particular, shall not be processed unless specific conditions are met;

1. 1. 1. (b)is collected for specified, explicit and legitimate purposes as set out in the Data Protection Laws, and shall not be processed in any further manner incompatible with that purpose or those purposes;

1. 1. 1. (c)is adequate, relevant and limited to what is necessary in relation to those purpose(s);

1. 1. 1. (d)is accurate and, where necessary, kept up to date;

1. 1. 1. (e)is not be kept for longer than is necessary;

1. 1. 1. (f)is kept in a form which permits identification of the data subject for no longer than is necessary for the purpose(s);

1. 1. 1. (g)is processed in accordance with the rights of data subjects under the Data Protection Laws; and

1. 1. 1. (h)is kept secure by us, taking appropriate technical and other measures to prevent unauthorised or unlawful processing or accidental loss or destruction of, or damage to, Personal Data.

1. How we use your personal data

3.1. In this Section 3 we have set out:

(a) the general categories of personal data that we may process;

(b) the purposes for which we may process personal data; and

(c) the legal bases of the processing.

3.2 We will collect information in the following ways:

1. 1. 1. (a)Information you give us (“submitted data”). The submitted data may include information you give us about you by filling in forms on the App or Site. It includes information you provide when you register to use the Services, download or register an App, subscribe to any of our Services, search for the App, share data via any social media functions, and when you report a problem with an App, the Site or our Services. The information you give us upon registration which may include your name, address, e-mail address and phone number, the Device’s phone number, age, username, password and other registration information, including financial and credit card information. The legal basis for this processing is the performance of a contract when you sign up to use the Services or our legitimate interests, namely the proper administration of our App, our Site and Services.
      2. (b)Information we get from your use of our services (“usage data“). We collect information about the Services that you use and how you use the Site and our App. When you use the Services we automatically collect and store information. This information may include your browser type and version, referral source, length of visit, test results, homework results, page views and navigation paths, as well as information about the timing, frequency and pattern of your use of the Services.

The usage data we process may include device-specific information, including the type of mobile device you use, a unique device identifier (for example, your Device’s IMEI number, the MAC address of the Device’s wireless network interface), mobile network information or your mobile operating system.

This usage data may be processed for the purposes of analysing the use of the Services. The legal basis for this processing is our legitimate interests, namely the proper administration of our App, our Site and Services.

1. 1. 1. (c)We may process information contained in or relating to any communication that you send to us (“correspondence data“). The correspondence data may include the communication content and metadata associated with the communication. Correspondence data would also include where we send you marketing communications by email (subject to you having consented to receive such emails). The correspondence data may be processed for the purposes of communicating with you and record-keeping. The legal basis for this processing is consent.
      2. (d)We may store and use the quiz test results of our users in an anonymised and aggregated form (“benchmarking data“).The benchmarking data is anonymised and aggregated and used for the purposes of benchmarking and evaluating our Students on a general basis. The legal basis for this processing is this processing is our legitimate interests, namely the performance and development of our Services.

3.3 In addition to the specific purposes for which we may process your personal data set out in this Section 3, we may also process any of your personal data where such processing is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.

4. Providing your personal data to others

Student and Teacher interaction

4.1 When Students and Teachers register to use the Services we will ask them both to provide a username. The username of the Student will be seen and shared with the Teacher who the student selects or the Teacher to whom the Student is assigned. This for the purposes of facilitating the teaching and the administration of the Services.

4.2 We may disclose a Student’s submitted data and usage data to Teachers in order to share test and homework results and to facilitate oversight of Student users progression and completion of assigned tasks by Teacher users.

4.3 Students should be aware that Teachers may have the ability to download and store Student records relating to Student performance on the tasks and quizzes they have completed. This is for Teachers to be able to monitor performance of their Students. The records will include the Student’s marks or results, the time and date that the task or quiz was completed and the Student name or username.

Professionals

4.4 We may disclose your personal data to our insurers and/or professional advisers insofar as reasonably necessary for the purposes of obtaining and maintaining insurance coverage, managing risks, obtaining professional advice and managing legal disputes.

Third party processors

4.5 We will disclose the submitted data, cookie data and usage data to Google for the purpose of utilising Google’s Firebase Cloud Firestore service and Google’s Firebase Authentication service. The Firebase Cloud Firestore service allows us to store all of the data we require to provide the Services. The Firebase Authentication services allows us to create a user identity library to authenticate users of the App or Site and to support authentication of users of the App or Site using passwords and popular federated identity providers like Google, Facebook and Twitter. Google’s privacy policy can be viewed here: www.google.com/policies/privacy/

4.6 We may disclose the submitted data and/or the usage data to our payment service provider, Stripe Payments Europe Ltd, so that it can process your payments on our behalf. Stripe Payments Europe Ltd’s privacy policy can be viewed here: www.stripe.com/gb/privacy

Others

4.7 We may disclose your personal data to third parties in the event that we sell or buy any business or assets, in which case we will disclose your personal data to the prospective seller or buyer of such business or assets.

4.8 In addition to the specific disclosures of personal data set out in this Section 4, we may also disclose your personal data where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.

5. International transfers of your personal data

5.1 In this Section 5, we provide information about the circumstances in which your personal data may be transferred to countries outside the European Economic Area (EEA).

5.2 The provider of our authentication system, Google, and our payment processer, Stripe, are situated in the United States. The European Commission has made an “adequacy decision” with respect to the data protection laws of the United States based upon the adequacy of the EU-U.S. Privacy Shield. Transfers to the United States will be protected by the EU-U.S. Privacy Shield which implements appropriate safeguards for protecting the fundamental rights of anyone of the EU whose personal data is transferred to the United States.

6. Parental Consent

6.1 This Section 6 sets out our parental consent policies and procedure, which are designed to safeguard child users of the Services.

6.2 We require parental consent before we will authorise the creation of an account of any user under the age of 13. The individual who holds parental responsibility for the potential user of the Services will be required to create a separate supervisory account on the App or Site at the point of registration. This is to allow parents to provide consent for their child to use the Services and for us to process their child’s personal data in accordance with this policy and thereafter to enable them to monitor the usage of the Services by their child. We will not authorise any account of a user under the age of 13 before parental consent is provided. If a supervisory account is closed or terminated at any time by a parent we will need to also suspend the child’s account.

7. Retaining and deleting personal data

7.1 This Section 7 sets out our data retention policies and procedure, which are designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of personal data.

7.2 Personal data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

7.3 In some cases it is not possible for us to specify in advance the periods for which your personal data will be retained. In such cases, we will determine the period of retention based on the following criteria:

(a) the period of retention of usage data will be determined based on whether there is continued usage of the Services by you and after you cease to use the Services for a period of 2 years.

(b) the period of retention of submitted data will be determined based on whether there is continued usage of the Services by you and after you cease to use the Services for a period of 2 years.

(c) the period of retention of correspondence data will be determined based on whether there is an ongoing relationship as a result of the initial enquiry.

(d) the period of retention of quiz data (in its aggregated and anonymised form) is indefinitely.

7.4 Notwithstanding the other provisions of this Section 7, we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.

8. Your rights

8.1 In this Section 8, we have summarised the rights that you have under the Data Protection Laws. Some of the rights are complex, and not all of the details have been included in our summaries. Accordingly, you should read the relevant laws and guidance from the regulatory authorities for a full explanation of these rights.

8.2 Your principal rights under data protection law are:

(a) the right to access;

(b) the right to rectification;

(c) the right to erasure;

(d) the right to restrict processing;

(e) the right to object to processing;

(f) the right to transfer your personal data;

(g) the right to complain to a supervisory authority; and

(h) the right to withdraw consent.

8.3 You have the right to confirmation as to whether or not we process your personal data and, where we do, access to the personal data, together with certain additional information. That additional information includes details of the purposes of the processing, the categories of personal data concerned and the recipients of the personal data. Providing the rights and freedoms of others are not affected, we will supply to you a copy of your personal data.

8.4 You have the right to have any inaccurate personal data about you rectified and, taking into account the purposes of the processing and to have any incomplete personal data about you completed.

8.5 In some circumstances you have the right to the erasure of your personal data without undue delay. Those circumstances include: the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed; you withdraw consent to consent-based processing; the processing is for direct marketing purposes; and the personal data has been unlawfully processed. However, there are certain general exclusions of the right to erasure. Those general exclusions include where processing is necessary: for exercising the right of freedom of expression and information; for compliance with a legal obligation; or for the establishment, exercise or defence of legal claims.

8.6 In some circumstances you have the right to restrict the processing of your personal data. Those circumstances are: you contest the accuracy of the personal data; processing is unlawful but you oppose erasure; we no longer need the personal data for the purposes of our processing, but you require personal data for the establishment, exercise or defence of legal claims; and you have objected to processing, pending the verification of that objection. Where processing has been restricted on this basis, we may continue to store your personal data. However, we will only otherwise process it: with your consent; for the establishment, exercise or defence of legal claims; for the protection of the rights of another natural or legal person; or for reasons of important public interest.

8.7 You have the right to object to our processing of your personal data on grounds relating to your particular situation, but only to the extent that the legal basis for the processing is that the processing is necessary for: the performance of a task carried out in the public interest or in the exercise of any official authority vested in us; or the purposes of the legitimate interests pursued by us or by a third party. If you make such an objection, we will cease to process the personal information unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.

8.8 You have the right to object to our processing of your personal data for direct marketing purposes (including profiling for direct marketing purposes). If you make such an objection, we will cease to process your personal data for this purpose.

8.9 You have the right to object to our processing of your personal data for scientific or historical research purposes or statistical purposes on grounds relating to your particular situation, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

8.10 To the extent that the legal basis for our processing of your personal data is consent, and such processing is carried out by automated means, you have the right to receive your personal data from us in a structured, commonly used and machine-readable format. However, this right does not apply where it would adversely affect the rights and freedoms of others.

8.11 If you consider that our processing of your personal information infringes data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. You may do so in the EU member state of your habitual residence, your place of work or the place of the alleged infringement.

8.12 To the extent that the legal basis for our processing of your personal information is consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.

8.13 You may exercise any of your rights in relation to your personal data by writing to us, in addition to the other methods specified in this Section 8. Our contact details are contained in Section 13.

8.14 Our App and Site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates (including, but not limited to, websites on which the the Services are advertised). If you follow a link to any of these websites, please note that these websites and any services that may be accessible through them have their own privacy policies and that we do not accept any responsibility or liability for these policies or for any personal data that may be collected through these websites or services, such as contact and location data. Please check these policies before you submit any personal data to these websites or use these services.

9. About cookies

9.1 A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.

9.2 Cookies may be either “persistent” cookies or “session” cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.

9.3 Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies.

10. Cookies that we use

10.1 We use cookies for the following purposes:

(a) Analytical/performance cookies. They allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.

(b) Functionality cookies. These are used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).

(c) Targeting cookies. These cookies record your visit to our website, the pages you have visited and the links you have followed. We will use this information to make our website and the advertising displayed on it more relevant to your interests. We may also share this information with third parties for this purpose.

(d) Strictly necessary cookies. These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website.

11. Cookies used by our service providers

11.1 Our service providers use cookies and those cookies may be stored on your computer when you visit our Site.

11.2 We use Google Firebase Authentication to authenticate uses of the Services.  Google Firebase Authentication gathers information about our Site and our App use by means of cookies. The information gathered is used to authenticate users of the Services. Google’s privacy policy is available at: https://www.google.com/policies/privacy/.

12. Managing cookies

12.1 Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. You can however obtain up-to-date information about blocking and deleting cookies via these links:

(a) https://support.google.com/chrome/answer/95647?hl=en (Chrome);

(b) https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences (Firefox);

(c) https://support.microsoft.com/en-gb/help/17442/windows-internet-explorer-delete-manage-cookies (Internet Explorer); and

(d) https://support.apple.com/kb/PH21411 (Safari).

12.2 Blocking all cookies will have a negative impact upon the usability of many websites.

12.3 If you block cookies, you will not be able to use all the features on our Site or App.

13. Amendments

13.1 We may update this policy from time to time by publishing a new version on our Site which will also be made available via a link within the App.

13.2 You should check this page occasionally to ensure you are happy with any changes to this policy.

14. Our contact details

14.1 Muso is owned and operated by Theoretical Limited.

14.2 We are registered in England and Wales under registration number 11073915 and our registered office is at 30 Market Place, Swaffham, Norfolk, PE37 7QH. Our email address is [email protected].

14.3 You can contact us by post or email using the addresses given above.