Privacy Policy – Tootology

1. Who we are

Tootology ("we", "us" or "our") provides an online platform that helps brass‑instrument players learn musical notation. We are the data controller responsible for the personal data we collect through www.tootology.com (the "Site") and any related mobile or desktop applications (together, the "Service").

If you have any questions about this policy or how we handle your personal data, please contact:

Email: contact@tootology.com
Postal address: Data Protection Officer, Tootology, 17 Montrose Avenue, Leeds, LS7 2EW, United Kingdom

If you are unhappy with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) – ico.org.uk – or your local supervisory authority.

2. The data we collect

We collect and process the following categories of data:

Identity & contact data – e‑mail address, display name (optional) and password (hashed).
Profile data – instrument(s) selected, learning goals, progress records, achievements and in‑app preferences.
Usage data – interactions with lessons, answers submitted, date/time stamps, and feature use.
Technical data – IP address, browser type and version, time‑zone setting, operating system, device identifiers and similar diagnostic information.
Marketing & communications data – your preferences in receiving product updates or community e‑mails.
Cookies and similar technologies – see section 7 Cookies.

We do not intentionally collect any special categories of personal data (such as health information) or data about children under 13. If you believe we have gathered such data in error, please contact us so we can delete it.

3. How & why we use your data

Under the UK GDPR we must have a lawful basis for each use of your personal data. We rely on:

Purpose / activity	Type of data	Lawful basis
Create and administer your account; provide core learning features	Identity, Profile, Usage, Technical	Performance of a contract (Terms of Service)
Personalise lessons and track your progress	Profile, Usage	Performance of a contract; Legitimate interests (to improve learning efficacy)
Respond to support queries	Identity, Usage	Performance of a contract
Send service messages (e.g., password resets, changes to our terms)	Identity	Legal obligation
Send optional product news & practice tips	Identity, Marketing	Consent (you may withdraw at any time)
Analyse usage to improve and secure the Service	Technical, Usage	Legitimate interests (to keep our Service safe and relevant)

4. Sharing your data

We limit disclosure of your personal data and only share it where necessary:

Service providers – trusted third‑party companies that host our servers (e.g., Amazon Web Services in the EU/UK), provide analytics, e‑mail delivery or customer‑support software. These processors must process your data only on our instructions and subject to strict security obligations.
Legal or regulatory authorities when required by law or to protect our rights, property or safety.
Business transfers – in the unlikely event of a merger, acquisition or asset sale, subject to confidentiality safeguards.

Where we transfer personal data outside the UK or European Economic Area, we ensure an adequate level of protection through UK adequacy regulations or SCCs.

5. Security

We employ technical and organisational measures designed to safeguard your data, including encryption in transit (HTTPS), hashing of passwords with industry‑standard algorithms, role‑based access controls and regular security reviews.

Despite our efforts, no internet transmission is ever completely secure. Please keep your account password confidential and contact us immediately if you suspect unauthorised access.

6. Data retention

We keep personal data only for as long as necessary to fulfil the purposes described above:

Account data – while your account is active and for up to 12 months after deletion, to allow reactivation or to resolve disputes.
Usage logs – up to 24 months for security and analytics.
Marketing preferences – until you withdraw consent or unsubscribe.
Back‑ups – securely deleted within 35 days of creation.

We may keep anonymised or aggregated data indefinitely as it no longer identifies you.

7. Cookies & similar technologies

Our Site uses cookies and local storage in accordance with the UK Privacy and Electronic Communications Regulations (PECR). Cookies help us remember your settings, measure traffic and, with your permission, tailor marketing.

7.1 Types of cookies

Strictly necessary – essential for the Site to operate (e.g., log‑in tokens, load‑balancing). These cannot be disabled.
Analytics – collect aggregated statistics so we can improve performance and content.
Marketing – only set if you opt‑in; used to display relevant ads or measure campaign effectiveness.

7.2 Managing cookies

You may manage or withdraw your consent at any time via the “Cookie preferences” banner or through your browser settings. Guidance is available at aboutcookies.org.

8. Your rights

You have the following rights under data‑protection law (subject to conditions):

Access – receive a copy of the personal data we hold about you.
Rectification – correct inaccurate or incomplete data.
Erasure – ask us to delete your data (“right to be forgotten”).
Restriction – pause our processing of your data.
Objection – object to processing based on legitimate interests or direct marketing.
Portability – receive your data in a usable electronic format.
Withdraw consent – where we rely on consent, you may withdraw it at any time.

To exercise any of these rights, e‑mail privacy@tootology.com. We normally respond within one month.

9. Children

Our Service is not directed at children under 13. If we learn that we have collected personal data from a child without verified parental consent, we will delete that information promptly.

10. Changes to this policy

We may update this Privacy Policy from time to time. Any material changes will be notified by e‑mail (if applicable) and the “Last updated” date will be revised.