Privacy Policy
Last updated: [DATE] — This is a draft for review. Please update with your jurisdiction and contact details before going live.
1. Data Controller
DrumDojo is the data controller for personal data collected through this service.
Contact: privacy@drumdojo.app [placeholder — update with your address]
2. Data We Collect
We collect only what is necessary to provide the DrumDojo service:
- Account data: email address, display name, avatar image
- Authentication tokens: session tokens and OAuth identifiers (for Google sign-in)
- Practice data: BPM logs, Katas you create or save
- Session data: cookies required for login and service operation
We do not collect advertising data, browsing history, or device fingerprints.
3. Purpose of Processing
- Account creation and authentication
- Practice tracking — storing BPM logs and Katas
- Content creation — allowing you to create and share Katas
- Service delivery — providing the DrumDojo platform
- Service improvement — analysing aggregate usage to improve the product
4. Legal Basis (GDPR)
We process your data under the following legal bases as defined by the General Data Protection Regulation (GDPR):
- Consent (Art. 6(1)(a)): functional cookies and Google OAuth, where you tick the consent checkbox at signup
- Contract performance (Art. 6(1)(b)): account data and practice data necessary to deliver the service you signed up for
- Legitimate interests (Art. 6(1)(f)): aggregate analytics for service improvement — these are anonymised and cannot identify you individually
5. Data Retention
- Account data is retained while your account is active
- When you request account deletion, all personal data (account data, BPM logs, Katas) is deleted within 30 days
- Anonymised aggregate data may be retained for analytical purposes
6. Third-Party Processors
We use the following sub-processors. Each has a Data Processing Agreement in place:
- Cloudflare — hosting, database (D1), CDN, and Workers compute. Data may be processed globally under Cloudflare's EU-US Data Privacy Framework commitments.
- Google — OAuth authentication (Google Sign-In). Processed under Standard Contractual Clauses.
- Resend — transactional email (verification emails, password reset). EU data centre options available.
- Stripe — payment processing for Sensei collection purchases (Phase 4 / future). Stripe is PCI-DSS Level 1 certified.
7. Cookies
DrumDojo uses two categories of cookies:
- Strictly necessary cookies: session cookie required for login. No consent needed — these are essential for the service to function.
- Functional cookies: cookies set by Google OAuth when you use "Continue with Google". These require your consent and you can withdraw it at any time via the cookie banner.
We do not use tracking or advertising cookies.
8. Your Rights under GDPR
As a data subject under the General Data Protection Regulation, you have the following rights:
- Right to access: request a copy of the personal data we hold about you
- Right to rectification: correct inaccurate personal data
- Right to erasure ("right to deletion"): request deletion of your account and all associated data
- Right to data portability: receive your data in a machine-readable format (data export)
- Right to withdraw consent: withdraw consent for functional cookies at any time via the cookie banner
- Right to lodge a complaint: complain to your national supervisory authority if you believe we are processing your data unlawfully
To exercise any of these rights, email privacy@drumdojo.app.
9. International Data Transfers
Some of our sub-processors (Cloudflare, Google) may transfer data outside the European Economic Area. These transfers are protected by the EU-US Data Privacy Framework (Cloudflare) and Standard Contractual Clauses (Google), in compliance with GDPR Chapter V.
10. Changes to This Policy
We will notify you of material changes to this Privacy Policy via email before the changes take effect. Continued use of DrumDojo after notification constitutes acceptance of the updated policy.
11. Contact
Privacy inquiries: privacy@drumdojo.app
[Placeholder — add your postal address and DPO contact if applicable]