Privacy Policy
Last updated: March 2026
1. Introduction
OGA SAAS ("we," "us," or "our") operates a music school management software-as-a-service platform at ogasaas.com. This Privacy Policy explains what data we collect, why we collect it, how we use and protect it, and what rights you have regarding your personal information.
By accessing or using OGA SAAS, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the Service.
2. Information We Collect
Account Information
When you create an account, we collect your name, email address, and password. If you create an organization, we also collect your school or business name, subdomain preference, and branding preferences.
Usage Data
We automatically collect information about how you interact with the Service, including pages visited, features used, timestamps, browser type, operating system, IP address, and device identifiers.
Payment Information
Payment processing is handled entirely by Stripe. We do not store credit card numbers, CVVs, or other sensitive payment credentials on our servers. We receive and store billing-related metadata such as subscription status, plan type, and transaction IDs.
Student Data
Organization owners and authorized staff enter student and family data into the platform, including names, contact information, enrollment records, attendance, lesson schedules, progress notes, and guardian details. This data is entered and managed by the organization; we process it on their behalf.
Communications
We collect the content of emails, messages, and other communications sent through the platform's built-in email and messaging features.
3. How We Use Information
We use the information we collect for the following purposes:
- Provide the Service: Operate, maintain, and deliver the OGA SAAS platform and all its features, including scheduling, CRM, student management, and reporting.
- Send transactional emails: Deliver account confirmations, password resets, invoices, lesson reminders, and other Service-related notifications.
- Improve the product: Analyze usage patterns and feedback to enhance features, fix issues, and develop new functionality.
- Customer support: Respond to your questions, troubleshoot issues, and provide technical assistance.
- Billing: Process payments, manage subscriptions, and handle invoicing through our payment processor.
- Security: Monitor for fraud, abuse, and unauthorized access to protect you and the platform.
- Legal compliance: Comply with applicable laws, regulations, and legal processes.
We do not sell, rent, or trade your personal information to third parties for their marketing purposes.
4. Data Processing for Organizations
OGA SAAS operates under a data processor/data controller model:
- Organizations as data controllers: When a music school or studio uses OGA SAAS, the organization is the data controller for the student, family, and staff data they enter into the platform. The organization determines what data to collect and how it is used within the Service.
- OGA SAAS as data processor: We act as a data processor, handling organization data on their behalf solely to provide the Service. We process this data according to the organization's instructions and these Terms.
- Organization responsibility: Organizations are responsible for ensuring they have appropriate consent and legal basis to collect and store personal data of their students, families, and staff. This includes compliance with applicable data protection laws in their jurisdiction.
5. Third-Party Services
We use the following trusted third-party services to operate our platform. Each has its own privacy policy governing how it handles data:
- Supabase (Database & Auth): Provides database hosting, user authentication, and backend infrastructure. Stores account data, organization data, and application data in secure PostgreSQL databases. Supabase Privacy Policy
- Stripe (Payments): Securely handles all payment card processing. We never store full credit card numbers on our servers. Stripe Privacy Policy
- Resend (Email): Delivers transactional and marketing emails on behalf of your organization. Processes email addresses and message content for delivery. Resend Privacy Policy
- Cloudflare (Hosting & CDN): Provides content delivery, DDoS protection, and DNS services. May process IP addresses and request metadata for security purposes. Cloudflare Privacy Policy
- Google Analytics (Analytics): Collects anonymized usage data on our marketing pages to help us understand traffic patterns and improve the website experience. Can be opted out via browser settings or the Google Analytics opt-out extension. Google Privacy Policy
We only share the minimum data necessary with these providers for them to perform their services.
6. Cookies & Tracking
Session Cookies
We use essential session cookies to maintain your authenticated session, remember your preferences, and ensure the platform functions correctly. These cookies are required for the Service to operate and cannot be disabled without impacting functionality.
Analytics (GA4)
We use Google Analytics 4 (GA4) on our public marketing pages to understand how visitors interact with our website. GA4 collects anonymized data including page views, session duration, and traffic sources. You can opt out of Google Analytics by using the Google Analytics Opt-out Browser Add-on or by configuring your browser's cookie settings.
No Third-Party Ad Tracking
We do not use cookies or tracking technologies for third-party advertising. We do not participate in ad networks or allow third-party advertisers to place cookies on our platform.
7. Data Retention
- Active accounts: We retain your personal data and organization data for as long as your account is active and as needed to provide the Service.
- Canceled accounts: After account cancellation, your data remains available for export for 30 days. After this period, all organization data is permanently deleted from our systems.
- Email logs: Transactional and marketing email logs (delivery status, timestamps, recipient addresses) are retained for 90 days for troubleshooting and deliverability analysis, then purged.
- Aggregated data: Anonymized, aggregated data that cannot identify you or your organization may be retained indefinitely for analytics and service improvement.
- Legal requirements: We may retain certain records beyond the above periods where required by applicable law.
8. Data Security
We take the security of your data seriously and implement multiple layers of protection:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS/SSL.
- Encryption at rest: Data stored in our databases is encrypted at rest using industry-standard encryption.
- Row-Level Security (RLS): Every database table is protected by row-level security policies that enforce strict data isolation between organizations.
- Encrypted API keys: All third-party API keys and secrets are stored as encrypted environment variables, never in source code.
- No plain-text passwords: User passwords are hashed using industry-standard algorithms. We never store or have access to your plain-text password.
- Regular security reviews: We perform regular reviews and updates to our infrastructure and security practices.
While we strive to protect your personal information, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security but are committed to using commercially reasonable measures to protect your data.
9. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
Access
You may request a copy of the personal data we hold about you.
Correction
You may request correction of inaccurate or incomplete personal data.
Deletion
You may request deletion of your personal data ("right to be forgotten"). We will comply unless we are legally required to retain certain records.
Data Portability
You may request your data in a structured, commonly used, machine-readable format. You can also export your data at any time through the Service's built-in export features.
Opt-Out of Marketing Emails
You can opt out of marketing communications at any time by clicking the unsubscribe link in any marketing email or by updating your email preferences in your account settings.
Under GDPR (EU/EEA/UK)
If you are located in the European Economic Area or the United Kingdom, you additionally have the right to restrict processing, object to processing based on legitimate interests, and withdraw consent at any time where processing is based on consent.
Under CCPA (California)
If you are a California resident, you have the right to know what personal information we collect, request its deletion, and opt out of the sale of personal information. Note: we do not sell personal information. You have the right to exercise these rights without receiving discriminatory treatment.
How to Exercise Your Rights
To exercise any of the above rights, please contact us at privacy@ogasaas.com. We will respond to your request within 30 days.
10. Children's Privacy
OGA SAAS is a business management tool designed for use by adults (18 years or older) who operate music schools and studios. The Service is not directed at children and we do not knowingly collect personal information directly from individuals under 18.
Student data that may include information about minors is entered into the platform by authorized organization administrators and staff. Organizations acting as data controllers are responsible for obtaining appropriate consent from parents or legal guardians before entering any minor's personal information into the system.
In accordance with the Children's Online Privacy Protection Act (COPPA), we do not knowingly collect personal information directly from children under 13 without verifiable parental consent. If you believe a child's information has been entered without proper consent, please contact us at privacy@ogasaas.com and we will promptly address the matter.
11. International Data Transfers
OGA SAAS is based in the United States. Your data is stored and processed primarily in the United States through our infrastructure provider, Supabase.
If you are accessing the Service from outside the United States, please be aware that your data will be transferred to, stored, and processed in the United States where data protection laws may differ from those in your jurisdiction.
EU/EEA Users
For users in the European Union and European Economic Area, data transfers to the United States are conducted in compliance with applicable data protection regulations. Our infrastructure provider, Supabase, maintains standard contractual clauses and appropriate safeguards for international data transfers. By using the Service, you consent to the transfer of your data to the United States.
12. Changes to Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes:
- We will update the "Last updated" date at the top of this page.
- We will notify account holders via email at least 30 days before significant changes take effect.
- We will provide a summary of changes where practical.
We encourage you to review this page periodically to stay informed about how we protect your data. Your continued use of the Service after changes take effect constitutes acceptance of the revised policy.
13. Contact
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: