Privacy Policy & Data Security
Last updated: May 2025
1. Introduction and General Information
We appreciate your interest in Chorilo. Data protection is a high priority for us. In this privacy policy, we inform you about the processing of your personal data when using our website and our service "Chorilo".
Responsible for the processing of your personal data is Chorilo - Melanie Schneider, Tränkstraße 3, 65558 Holzheim, Germany. For questions regarding data protection or exercising your rights, please contact us via email at datenschutz@chorilo.com.
2. Visiting Our Website
2.1 Provision of the Website
For the purpose of providing our website, we process technically necessary data such as IP address, access time, browser information, operating system, and language settings of all website visitors. This processing is technically required to enable the use of our website (Art. 6(1)(b) GDPR). The data is deleted after the end of your visit, unless individual data is further processed for other purposes (e.g., security).
2.2 Security and Attack Detection
For the purpose of detecting and defending against attacks on our website and technical infrastructure (e.g., hacking, denial-of-service attacks), we process access data such as IP addresses, access time, visited subpage(s), and transferred data volume of all website visitors. This processing serves to fulfill our legal obligation to take protective measures and our legitimate interest in maintaining the security of our systems (Art. 6(1)(c) and (f) GDPR). The data is generally deleted seven (7) days after the end of your visit to our website, unless an attack attempt is detected. In case of a detected attack attempt, the data will be processed further for complete technical and, if necessary, legal investigation.
3. Cookies
3.1 General Information about Cookies
We use cookies on our website and in our service "Chorilo". Cookies are small text files stored on your device. They allow us to store certain user-related information in connection with the use of our services and to recognize your computer upon a return visit.
Some cookies are technically necessary for you to move freely on the website and use its features (necessary cookies). Other cookies help us understand how visitors use our website to improve it (analytics cookies, currently not in use). Session cookies store information about your activities and are deleted when you close the browser. Persistent cookies remain stored for a longer period.
3.2 Cookies within Chorilo
For the purpose of providing the "Chorilo" service, we set necessary cookies. A SessionID cookie stores a random identification number to recognize the correctly authenticated user. Another cookie stores the selected language setting. A CSRF cookie stores another random identification number to secure data transmission against certain attacks (Cross-Site Request Forgery). This processing is technically necessary to enable the secure use of the service (Art. 6(1)(b) GDPR). No data is transferred to third parties. These cookies are usually deleted at the end of the browser session, unless a different setting in your web browser provides for earlier deletion.
4. Use of Our Service "Chorilo"
4.1 Processed Data and Purpose
For the purpose of providing the "Chorilo" service and fulfilling the user agreement, we process the following data for all users: Name, first name, email address, password hash, language, and time zone. For choir directors additionally: Choir name, abbreviated choir name, choir size, and choir voices. For singers additionally: Choir name of the choirs the singer belongs to, and choir voice.
Additionally, all users can voluntarily provide address and date of birth details, and upload a photo. Furthermore, usage data is processed, particularly content and commitments for appointments, uploaded files (sheet music, documents), and communication data within rehearsal sessions.
This data is processed to manage user administration and authentication, enable communication among users of a choir, and facilitate the use of the service's functions (e.g., appointment management, sheet music management, rehearsal session features). The legal basis is the fulfillment of the user agreement (Art. 6(1)(b) GDPR).
4.2 Recipients of Data
a) Other Choir Members
Certain data (name, first name, email [optional], photo [optional], choir voice, appointment commitments) are visible to other members of the respective choir to enable organization and communication within the choir.
b) Hosting
All aforementioned personal data are stored and processed on servers of DigitalOcean LLC, 101 Avenue of the Americas, New York, NY 10013, USA, as a data processor (Art. 28 GDPR) to technically provide the "Chorilo" service (hosting). The server location is in the EU (Frankfurt am Main). Data transfer to the USA is based on Standard Contractual Clauses and supplementary measures to ensure an adequate level of data protection (Art. 46 GDPR).
c) Email Dispatch (System Mails)
Name, first name, and email address are transferred to The Rocket Science Group LLC (Mailchimp), 675 Ponce De Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA, as a data processor (Art. 28 GDPR) to technically implement the dispatch of system emails (e.g., password reset, invitations). Data transfer to the USA is based on Standard Contractual Clauses and supplementary measures (Art. 46 GDPR).
d) Email Processing (Support)
When you contact us via email (e.g., at support@chorilo.com), your email address and the content of your inquiry are processed via servers of STRATO AG, Otto-Ostrowski-Straße 7, 10249 Berlin, Germany, as a data processor (Art. 28 GDPR) to receive and respond to your inquiry. The legal basis is the processing of your request (Art. 6(1)(b) GDPR) or our legitimate interest in providing customer support (Art. 6(1)(f) GDPR).
e) Error Tracking (Sentry)
To detect and analyze technical errors in our application, we use the Sentry service from Functional Software, Inc., 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA. In case of an error, technical data such as device information, operating system, browser, and potentially anonymized parts of user interactions and an anonymized user ID may be transmitted to Sentry. This serves our legitimate interest in improving the stability and functionality of our service (Art. 6(1)(f) GDPR). Data transfer to the USA is based on Standard Contractual Clauses (Art. 46 GDPR).
Storage Duration
We store your personal data only for as long as necessary to fulfill the purposes for which it was collected or as required by law.
Data related to your user account (such as profile data, ensemble memberships, uploaded sheet music) is stored as long as your account is active. If you delete your account, this data will be removed according to our data deletion policies, subject to legal retention obligations.
Usage data and technical logs are typically kept for a short period (e.g., 7 to 30 days), unless longer storage is necessary for error analysis or security reasons.
Processing of Telephone Inquiries
When you contact us by phone, whether for general inquiries or customer support, we process the data you provide, such as your name, phone number, customer number (if applicable), and the content of your request. This processing is necessary to handle your request according to Art. 6(1)(b) GDPR. After processing is complete, we restrict processing to the specific purpose (e.g., contract fulfillment, new customer acquisition). Once the purpose is fulfilled and legal retention periods (e.g., commercial and tax law) have expired, your data will be automatically deleted.
Processing of Inquiries via Social Media
If you contact us via our profiles on social networks (e.g., Facebook, Twitter, LinkedIn, Xing), we process the data you have stored in your respective profile to handle your request according to Art. 6(1)(b) GDPR. After processing is complete, we restrict processing to the specific purpose. Once the purpose is fulfilled and legal retention periods have expired, your data will be deleted.
New Customer Acquisition and Direct Marketing
To inform potential customers about our products and services, we may contact company employees by phone, mail, email, or via platforms like Xing and LinkedIn. In doing so, we process data such as name, contact details (postal address, email, phone number, platform identifier), position in the company, and information about potential interest in our offerings. We obtain this data either directly from you (e.g., at trade fairs, via contact forms) or from publicly accessible sources (platform profiles, directories), where permissible.
The processing of this data is based on our legitimate interest (Art. 6(1)(f) GDPR) in direct marketing and increasing our sales, but only if you have not objected and the contact is within reasonable expectations and does not constitute unreasonable harassment. You can object to the use of your data for direct marketing at any time. We will delete your data or terminate the connection on platforms if you object, if there is no longer any interest, or if a response is permanently absent.
Maintenance and Administration of IT Systems
To ensure the functionality and security of our IT systems, our IT service providers may access personal data during maintenance work. Such access is strictly limited to what is necessary and is carried out in compliance with strict confidentiality agreements and technical and organizational measures to protect your data. The legal basis is our legitimate interest (Art. 6(1)(f) GDPR) in the stable and secure operation of our services.
Data Security
We implement comprehensive technical and organizational measures to protect your data from unauthorized access, loss, or misuse. These include encryption technologies, access controls, and regular security reviews. Despite all efforts, absolute security cannot be guaranteed for data transmission over the internet.
Your Rights as a Data Subject
You have the right to access information about the personal data concerning you (Art. 15 GDPR).
You can request the correction of inaccurate data (Art. 16 GDPR).
Furthermore, you have the right to erasure (Art. 17 GDPR) and restriction of processing (Art. 18 GDPR) of your data.
If data processing is based on your consent or a contract for data processing exists and the data processing is carried out using automated procedures, you may have a right to data portability (Art. 20 GDPR). If you have consented to the processing, you can withdraw your consent at any time with effect for the future. The lawfulness of the processing carried out based on the consent until withdrawal is not affected by the withdrawal.
You also have the right to lodge a complaint with a data protection supervisory authority about our processing of your personal data.
Changes to This Privacy Policy
We reserve the right to adapt this privacy policy so that it always complies with current legal requirements or to implement changes to our services in the privacy policy, e.g., when introducing new services. The new privacy policy will then apply to your next visit.
Responsible Entity
The responsible entity according to data protection laws is:
Chorilo - Melanie Schneider
Tränkstraße 3
65558 Holzheim
Germany
Email: [email protected]