Privacy Policy

Downbeat LLC ("Downbeat," "we," "us," or "our") provides a software platform for the management of marching band, concert band, color guard, and related music program operations (the "Service"). This Privacy Policy explains what information we collect, how we use it, and the rights you have with respect to your information.

This Policy applies to the Downbeat website at https://www.downbeatapp.com and any Downbeat-branded application or service that links to it.

Our Privacy Commitment

Downbeat is a service built for schools and educational institutions. We structure this Privacy Policy around a clear and simple set of promises:

Student education records are used only to provide the Service to the school that provided them. We do not sell, rent, or share student education records. We do not use student education records for advertising, profiling, or to train Downbeat's or any third party's artificial intelligence models.
The educational institution owns its data. Student records, roster information, assignment history, inventory data, and anything else entered into the Service by a Customer remain the exclusive property of that Customer. We store and process Customer Data solely on the Customer's instructions.
We do not sell personal information. This applies to all users of the Service, not just students.
We are transparent about our sub-processors. A complete and current list is maintained in the "Sub-Processors" section below.
Marketing communications, if any, are limited to administrators and prospects—not students, and not parents or guardians who use the Service to view their student's records—and include a clear opt-out in every message.

The remainder of this Policy describes how these commitments are implemented in practice.

1. Definitions

Account Holder means an adult (18 or older) who registers an account to access and use the Service on behalf of an educational institution. This typically includes band directors, administrators, volunteers, and staff members.

Customer means the educational institution, school district, band program, or other organization that has entered into a subscription with Downbeat and on whose behalf the Service is operated.

Customer Data means all data submitted to, stored in, or generated by the Service by or on behalf of a Customer, including student roster information, inventory records, assignment history, uploaded files, and related records.

Guardian Portal User means an individual identified by a Customer as a parent, legal guardian, or other authorized adult contact for a student, who accesses the Service through a magic-link authentication flow to view records relating to that student. Guardian Portal Users do not hold Accounts and do not pay for the Service.

Student Education Records means any Customer Data that constitutes an "education record" as defined under the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g.

Sub-Processor means a third-party service provider engaged by Downbeat to process Customer Data or Personal Data in connection with the Service.

Personal Data means information that identifies, relates to, describes, or could reasonably be linked with a particular individual.

Service means the Downbeat platform, including the website, applications, APIs, and any related functionality provided by Downbeat LLC.

You means the individual accessing or using the Service.

2. Information We Collect

We collect information in four distinct categories, each governed by different rules.

2.1 Student Education Records (collected on behalf of schools)

When a Customer uses the Service to manage its program, Account Holders enter information about students enrolled in the Customer's program. This information may include:

Student first and last name
Grade level or class year
Student identification number (where provided by the Customer)
Ensemble, section, and part assignments
Instrument, uniform, and equipment assignments
Damage reports and repair history associated with assigned items
Fee obligations and payment status
Email address (where provided for program communications)
Photographs uploaded by Account Holders or End Users to document equipment condition, damage, or inventory. Such photographs may incidentally include students; where a student is identifiable, the photograph is treated as part of that student's record and is subject to the FERPA commitments below

Downbeat does not directly solicit information from students. Student Education Records are provided to Downbeat by the Customer (typically by an Account Holder such as a band director) and are processed by Downbeat solely on the Customer's behalf. See the "FERPA Compliance" section below for the full governing framework.

2.2 Account Holder Information

When an adult registers an account with the Service, we collect:

First and last name
Email address
Password (stored only in hashed form)
Role within the organization (e.g., director, assistant director)
Billing information, where the Account Holder is responsible for paying for the Service (processed by Stripe; see "Payments" below)
Communications with Downbeat support

2.3 Visitor and Prospect Information

When you visit the Downbeat website or submit a contact form, we may collect:

Information you voluntarily provide (name, email, organization, message content)
IP address, browser type, device identifiers, and pages visited
Referring URL and approximate geographic location derived from IP address
Information transmitted by cookies and similar technologies (see "Cookies")

2.4 Guardian Portal User Information

The Service includes a Guardian Portal that allows parents, legal guardians, and other authorized adult contacts to view records relating to a specific student in a Customer's program. Guardian Portal Users do not create Accounts; they sign in by entering their email address and clicking a single-use, time-limited link sent to that email.

For Guardian Portal Users, we process the following information:

Guardian first and last name (provided by the Customer)
Guardian email address (provided by the Customer; used to authenticate access via magic link)
Guardian phone number, where provided by the Customer (not used for authentication)
The link between the guardian and the student or students whose records the guardian is authorized to view (provided by the Customer)
Magic link tokens (stored only in hashed form, expire after 15 minutes, single-use)
Session tokens (stored only in hashed form, expire after 30 days of inactivity)
IP address and user-agent string captured at the time of magic link request and session creation, used solely for security monitoring, rate limiting, and abuse detection

Guardian contact information is provided to Downbeat by the Customer, not collected directly from the guardian. Guardian-specific security data (magic link tokens, session tokens, IP addresses, user-agent strings) is collected directly from the guardian's device when they use the Guardian Portal, and is used by Downbeat exclusively for security purposes. This security data is not surfaced to the Customer institution or to any Account Holder. The Customer can see whether a guardian has activated the portal and can revoke a guardian's active sessions at any time, but cannot view IP addresses, login timestamps, or session counts for any guardian.

2.5 Information from Public-Facing Forms

The Service includes certain public forms that a Customer may make available without requiring an account or magic-link authentication — for example, damage report forms for students or parents, and volunteer signup pages. Information submitted through these forms flows directly into the Customer's instance of the Service and is treated as Customer Data of that institution. Downbeat does not use this information for any purpose other than delivering it to the Customer.

3. FERPA Compliance

Downbeat provides services to educational institutions, including K–12 schools, colleges, and universities. In the course of providing these services, Downbeat processes Student Education Records on behalf of the Customer and operates as a "school official" with a "legitimate educational interest" in those records, as those terms are used in FERPA, 20 U.S.C. § 1232g and 34 C.F.R. Part 99.

3.1 School Official Designation

By entering into a subscription or Data Privacy Agreement with Downbeat, the Customer designates Downbeat as a school official performing an institutional service or function for which the Customer would otherwise use employees. In this capacity, Downbeat agrees to the following:

Direct control. Downbeat operates under the direct control of the Customer with respect to the use and maintenance of Student Education Records. The Customer determines what data is entered into the Service, who may access it, and when it is deleted.
Authorized use only. Downbeat uses Student Education Records solely for the purpose for which they were disclosed — to provide and maintain the Service for the Customer.
No re-disclosure. Downbeat does not re-disclose Student Education Records to any third party except (a) Sub-Processors acting under written contract on Downbeat's behalf, (b) as directed in writing by the Customer, (c) to Guardian Portal Users designated by the Customer as authorized to view a specific student's records, consistent with FERPA's school-official exception, or (d) as required by law.
No advertising or profiling. Downbeat does not use Student Education Records to serve advertising, to build profiles about students, or to train artificial intelligence or machine learning models.
No sale. Downbeat does not sell, rent, lease, or trade Student Education Records.
No combination with other data. Downbeat does not combine Student Education Records with personal information collected through non-educational services.

3.2 Guardian Access Under FERPA

FERPA permits an educational institution to share education records with a student's parent or eligible student. The Guardian Portal is a mechanism by which the Customer institution exercises that disclosure on its own behalf, with Downbeat acting as the school official providing the disclosure infrastructure. The Customer institution determines which guardians are authorized to access which students' records and remains responsible under FERPA for the appropriateness of those designations.

3.3 Data Privacy Agreement

Prior to processing Student Education Records for a Customer, Downbeat requires the Customer to execute a Data Privacy Agreement (DPA) that governs the handling of student data in greater detail, including specific commitments regarding access, security, audit, breach notification, and deletion. Customers may request a copy of Downbeat's standard DPA by contacting mason@downbeatapp.com.

3.4 Data Deletion on Cancellation

Upon termination of a Customer's subscription, Downbeat retains Customer Data (including Student Education Records and Guardian Portal User information) for 30 days to allow the Customer to export its data, after which all such data is permanently deleted from active systems. Residual copies may remain in encrypted backups for a limited period consistent with Downbeat's backup schedule (typically 30 days) and are not restored except as required for security, disaster recovery, or legal compliance. A Customer may request earlier deletion by contacting mason@downbeatapp.com.

3.5 Changes to This Policy or the DPA

Downbeat will notify Customers in writing (by email to the Account Holder of record) in advance of any material change to this Privacy Policy or to the standard DPA that affects the handling of Student Education Records. Customers will have a reasonable opportunity to review the change before it takes effect.

3.6 Reporting FERPA Concerns

If you believe that Student Education Records have been handled in violation of FERPA, please contact mason@downbeatapp.com. We also encourage you to contact the relevant educational institution, which is the party responsible for FERPA compliance under the statute.

4. How We Use Information

The purposes for which we use information depend on the category of data collected.

4.1 Student Education Records

Student Education Records are used only to provide and maintain the Service to the Customer that provided them. This includes displaying records to authorized Account Holders and to authorized Guardian Portal Users, generating assignment and inventory reports, producing damage reports, processing fee status, and delivering service-related emails to Account Holders and authorized guardians about records maintained in the Service.

Student Education Records are not used to send marketing communications, to profile students, to train machine learning models, to serve advertising, or for any other purpose.

4.2 Account Holder Information

We use Account Holder information to:

Create, maintain, and secure Account Holder accounts
Provide and improve the Service
Process subscription payments
Respond to support requests
Send transactional emails (e.g., password resets, receipts, security notifications, service announcements)
Send product update announcements, newsletters, and promotional emails about Downbeat, where the Account Holder has not opted out
Comply with legal obligations and enforce our agreements

Every marketing email from Downbeat includes a one-click unsubscribe link. Transactional and security emails are sent regardless of marketing preferences because they are required to operate the Service.

4.3 Visitor and Prospect Information

We use visitor and prospect information to:

Operate and improve the Downbeat website
Respond to inquiries submitted via contact forms
Send marketing communications to individuals who have expressed interest in Downbeat, where permitted by applicable law
Analyze website usage in aggregate

4.4 Guardian Portal User Information

We use Guardian Portal User information solely to:

Authenticate access to the Guardian Portal via magic link
Display the records the Customer has authorized the guardian to view
Send transactional emails relating to the guardian's portal access (e.g., the magic link itself, and, where the Customer enables them, fee reminder emails or damage event notifications about the guardian's student)
Monitor for security events, enforce rate limits, and detect abuse

We do not send marketing emails to Guardian Portal Users. Guardian email addresses are not added to any Downbeat marketing list under any circumstances.

5. Sub-Processors

Downbeat uses a limited set of third-party sub-processors to deliver the Service. Each sub-processor is bound by a written agreement that restricts the use of Customer Data to the provision of services to Downbeat. All sub-processors listed below operate from data centers located in the United States.

Sub-Processor	Function	Data Categories
Supabase, Inc.	Primary database, file storage, and authentication	All Customer Data, Account Holder credentials, Guardian Portal User session and token data
Vercel, Inc.	Application hosting, content delivery, and request routing	All data in transit; request logs (IP, user agent, path)
Stripe, Inc.	Subscription billing and payment processing	Billing contact information, payment method tokens (we do not store card numbers)
Resend Inc.	Transactional and marketing email delivery	Recipient email addresses and message content, including guardian magic link emails

Outbound email from hello@downbeatapp.com is relayed via Google (Gmail SMTP) through our Resend configuration; as a result, Google may process the metadata and content of such outbound email in the course of delivery.

Downbeat will update this list prior to adding a new sub-processor that processes Customer Data and, where required by a Customer's DPA, will provide advance notice of any such change.

6. Cookies and Similar Technologies

We use cookies and similar technologies for the following purposes:

Essential cookies that authenticate users (including Guardian Portal Users), maintain session state, and enable the Service to function. These cookies cannot be disabled without breaking the Service.
Preference cookies that remember settings and choices across visits.
Analytics cookies that help us understand how the Service is used in aggregate, where used. We do not use cookies for cross-site tracking or targeted advertising.

You may control cookies through your browser settings. Disabling essential cookies will prevent you from using the Service.

7. Data Retention

We retain information only for as long as necessary to provide the Service, comply with legal obligations, or resolve disputes. Specific retention periods are as follows:

Customer Data (including Student Education Records): retained for the duration of the Customer's subscription, plus 30 days after cancellation to allow for export, after which Customer Data is permanently deleted from active systems. Encrypted backups may persist for up to 30 additional days.
Account Holder information: retained for the duration of the account relationship and for up to 12 months thereafter to resolve disputes and meet recordkeeping obligations.
Guardian magic link tokens: retained for 15 minutes from issuance, after which they expire and become unusable. Consumed and expired tokens are retained briefly for audit purposes and then deleted.
Guardian portal session tokens: retained for up to 30 days from last use; revoked sessions are retained for 7 days for audit and then deleted.
Rate-limit and security telemetry (IP addresses, user-agent strings): retained for up to 24 hours.
Support correspondence: retained for up to 24 months from the date of ticket closure.
Usage and request logs: retained for up to 12 months for security monitoring and troubleshooting.
Financial and transaction records: retained for up to 7 years from the date of the transaction to comply with tax and accounting obligations.
Marketing list membership: retained until you unsubscribe or until 24 months after your last engagement, whichever is earlier.

Where permitted, we may retain anonymized or aggregated statistical data indefinitely for analytics purposes. Such data cannot be linked back to an identifiable individual.

8. Data Security

We use commercially reasonable administrative, technical, and physical safeguards to protect information, including:

Encryption of data in transit using TLS
Encryption of data at rest within our Sub-Processors' infrastructure
Role-based access controls, with access limited to personnel who require it to perform their job
Multi-tenant isolation of Customer Data, enforced at the database policy layer
Secure password hashing (credentials are never stored in plaintext)
Magic-link authentication for Guardian Portal Users, with single-use tokens, 15-minute expiry, hashed storage, and per-IP and per-guardian rate limiting
30-day session lifetime with sliding-window expiry and immediate Customer-initiated revocation for Guardian Portal sessions
Regular application and dependency updates

No method of electronic storage or transmission is 100% secure, and we cannot guarantee absolute security. If you have reason to believe your account has been compromised, contact mason@downbeatapp.com immediately.

9. Data Breach Notification

In the event of a confirmed unauthorized access to or disclosure of Customer Data, Downbeat will notify the affected Customer without undue delay, and in any event within 72 hours of becoming aware of the incident, at the email address associated with the Customer's Account Holder of record. Notification will include, to the extent known: the nature of the incident, the categories and approximate number of records affected, the likely consequences, and the steps Downbeat has taken or plans to take in response.

Downbeat will cooperate with the Customer's reasonable requests for additional information and will not issue notifications directly to students, parents, eligible students, or Guardian Portal Users except at the direction of the Customer or as required by law.

10. Data Transfers

Downbeat operates in the United States, and all Customer Data is stored and processed in the United States by our Sub-Processors. If you access the Service from outside the United States, you consent to the transfer and processing of your information in the United States.

11. Your Rights

11.1 Rights Regarding Student Education Records

Under FERPA, rights of inspection, amendment, and consent regarding Student Education Records belong to the parent (or, once the student is 18 or enrolled in a postsecondary institution, to the eligible student), and are exercised through the educational institution — not through Downbeat. Requests to inspect, correct, or delete Student Education Records should be directed to the Customer. Downbeat will assist the Customer in fulfilling such requests as provided in the applicable DPA.

11.2 Rights Regarding Account Holder, Visitor, and Guardian Portal User Information

You may request to access, correct, or delete Personal Data that we hold about you as an Account Holder, visitor, or Guardian Portal User by contacting mason@downbeatapp.com. We may decline a request where retention is necessary to comply with a legal obligation or to resolve a dispute.

Guardian Portal Users specifically may request that their active sessions be revoked at any time. Customers may also revoke a guardian's active sessions through the Customer's administrative interface. Note that the underlying contact information used to grant a guardian access (name, email, phone) is provided by, and controlled by, the Customer institution; requests to remove or correct that contact information should be directed to the Customer in the first instance, and Downbeat will assist as required.

You may unsubscribe from marketing emails at any time via the unsubscribe link in any such email or by contacting us. Guardian Portal Users do not receive marketing emails from Downbeat under any circumstances.

12. California Residents (CCPA / CPRA)

The California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"), grants California residents certain rights with respect to their personal information.

Downbeat does not sell Personal Information and does not share Personal Information for cross-context behavioral advertising. This applies to all categories of Personal Information, including Student Education Records, Account Holder information, Guardian Portal User information, and visitor information.

Downbeat has not sold or shared Personal Information in the preceding 12 months.

12.2 Categories of Personal Information Collected

CCPA Category	Collected?	Purpose
A. Identifiers (name, email, IP address)	Yes	Account management, Service operation, guardian authentication
B. California Customer Records information	Yes	Billing, Service operation
C. Protected classification characteristics	No	—
D. Commercial information (purchase history)	Yes	Billing
E. Biometric information	No	—
F. Internet/network activity	Yes	Service operation, security
G. Geolocation data (precise)	No	—
H. Sensory data	No	—
I. Professional/employment information	No	—
J. Non-public education information (FERPA)	Yes	Service operation on behalf of Customer
K. Inferences/profiles	No	—
L. Sensitive personal information	No	—

12.3 Rights of California Residents

Subject to certain exceptions, you have the right to:

Know what Personal Information we collect and how we use it
Access the specific Personal Information we hold about you
Request deletion of your Personal Information
Request correction of inaccurate Personal Information
Opt out of the sale or sharing of Personal Information (inapplicable because Downbeat does not sell or share Personal Information)
Limit the use of sensitive Personal Information (inapplicable because Downbeat does not collect sensitive Personal Information)
Not be discriminated against for exercising these rights

To exercise these rights, contact mason@downbeatapp.com. We will verify your identity using information reasonably necessary to confirm that you are the person about whom we have collected Personal Information.

Note: Rights regarding Student Education Records are exercised through the educational institution under FERPA, not through the CCPA/CPRA. Downbeat is not the "business" for purposes of Student Education Records; the Customer institution is the controller.

13. Children's Privacy

Downbeat is not directed to children, and Account Holder accounts are available only to individuals 18 years of age or older. Guardian Portal access is also limited to adults; the Customer institution is responsible for verifying that any individual to whom guardian access is granted is an adult parent, legal guardian, or other authorized contact. We do not knowingly collect personal information directly from children under 13 without verifiable consent from the child's parent, guardian, or educational institution.

Information about children enrolled in a Customer's program may be entered into the Service by an Account Holder (for example, a band director entering a roster). In that case, the information is treated as Student Education Records under FERPA, and the Customer institution — not Downbeat — is responsible for ensuring that any required notices or consents have been provided to parents.

If you are a parent or guardian and you believe that your child's information has been entered into the Service in error, please contact the educational institution directly. You may also contact mason@downbeatapp.com and we will work with the institution to address your concern.

14. Third-Party Links

The Service may contain links to third-party websites, including external payment platforms (such as Venmo, PayPal, or Cash App) when a Customer has configured fee payment links to those platforms. Downbeat is not responsible for the content or privacy practices of third-party websites, and we encourage you to review the privacy policies of any site you visit. When you follow a payment link from the Guardian Portal, you leave the Service and the destination platform's terms and privacy policies apply.

15. Changes to This Policy

We may update this Privacy Policy from time to time. For changes that materially affect the handling of Customer Data or Student Education Records, we will notify Customers by email in advance of the effective date. For other changes, we will update the "Last updated" date at the top of this Policy and post the revised version at https://www.downbeatapp.com/privacy.

16. Contact Us

If you have questions about this Privacy Policy or our handling of your information, you can reach us at:

Downbeat LLC
Email: mason@downbeatapp.com