Privacy Policy

    Your privacy is fundamental to our commitment to providing exceptional piano education. This policy explains how we collect, use, and protect your personal information.

    Last updated: July 1, 2025 | Effective Date: July 1, 2025

    Supervisory Notice – Minor Owner

    Saniya, the founder and primary instructor of Saniya School of Music, is herself a minor (under 18 years of age). All business operations, contractual commitments, and data-handling responsibilities are carried out under the direct supervision and authority of her parent/legal guardian, who serves as the School’s Data Controller and primary contact for all privacy-related matters.

    Our Commitment to Your Privacy

    Saniya School of Music adheres to three guiding principles: data-minimisation, transparency, and security. We operate under the New York SHIELD Act, the federal Children’s Online Privacy Protection Act (COPPA), the Family Educational Rights and Privacy Act (FERPA) where applicable, and, when lessons are taken from abroad, the EU/UK General Data Protection Regulation (GDPR). We collect only the information needed to verify age, run lessons, and keep families informed; we never sell, rent, or trade any personal data. All faculty and support staff sign confidentiality agreements and complete annual privacy-protection training.

    Information We Collect

    • Parent/Guardian Contact: Name, email address, and phone number.

    • Student Details: First name and birth year (ages 5–15 only).

    • Lesson Records: Progress notes and optional audio/video recordings for pedagogical review.

    • Payment Confirmation: Last four digits of the card and transaction ID (full card data remains with our PCI-DSS processor).

    • Technical Data: IP address, browser type, basic device info, and essential cookies for security and site performance.

    How We Use Your Information

    • Account Management: Verify age eligibility, obtain parental consent, and maintain student rosters.

    • Lesson Delivery: Schedule sessions, tailor instruction, and track musical progress.

    • Communication: Send reminders, progress reports, recital notices, and limited in-house marketing (opt-out anytime).

    • Payments & Compliance: Process tuition securely and meet tax or audit requirements.

    • Safety & Legal: Protect the integrity of our website and studio and comply with court orders or legal obligations.

    Data Protection & Security

    • Encryption: All data in transit is protected with TLS/SSL; passwords are strongly hashed.

    • Access Control: Role-based permissions and multi-factor authentication for staff consoles.

    • Secure Infrastructure: SOC-2 / ISO-27001 certified hosting with firewalls, intrusion monitoring, and nightly backups.

    • Regular Audits & Response: Quarterly vulnerability scans plus an incident-response plan that meets SHIELD-Act timelines.

    Your Privacy Rights

    • Access & Portability: Request a copy of the personal data we hold in a machine-readable format.

    • Correction: Have inaccurate or incomplete records amended.

    • Deletion: Ask for erasure of data not subject to legal-retention duties (e.g., accounting).

    • Restriction & Objection: Limit or object to certain processing, including marketing communications.

    • Consent Withdrawal: Revoke any previously granted consent (e.g., lesson recordings) at any time.

    Cookies & Tracking

    • Essential Cookies: Maintain secure log-in sessions and virtual-lesson functionality.

    • Analytics Cookies: Aggregate site-usage metrics to improve performance and detect errors.

    • Preference Cookies: Remember settings such as preferred time-zone or instrument view.

    • No Third-Party Ad Trackers: We do not deploy behavioural-advertising or social-media pixels; cookie settings can be adjusted in your browser.

    Data Retention

    • Lesson Records & Recordings: Retained for 2 academic years after the final session, then securely erased (unless you request earlier deletion).

    • Transaction Records: Stored for 7 years to satisfy IRS and New York tax-record requirements.

    • Security Logs: Held for up to 12 months for fraud detection and system diagnostics, then anonymised or deleted.

    • Marketing Data: Retained until you unsubscribe or request deletion.

    GDPR & International Compliance

    • Standard Contractual Clauses (SCCs) or equivalent safeguards protect all cross-border data transfers.

    • Right to Be Informed: Clear notice of every purpose and legal basis for processing.

    • Right to Restrict or Object: Pause or stop certain processing where legitimate-interest grounds are contested.

    • Right to Lodge a Complaint: EU/UK residents may contact their local supervisory authority; U.S. residents may contact the NY Attorney General.

    GDPR Compliance

    We are fully compliant with the General Data Protection Regulation (GDPR) and other international privacy laws. As a data subject, you have specific rights regarding your personal information:

    Right to Information

    You have the right to know what personal data we process and why.

    Right to Access

    You can request a copy of all personal data we hold about you.

    Right to Rectification

    You can ask us to correct any inaccurate or incomplete data.

    Right to Erasure

    You can request deletion of your personal data under certain conditions.

    Questions About Your Privacy?

    If you have any questions about this privacy policy, your data rights, or how we handle your information, please don't hesitate to contact us. We're committed to transparency and will respond to your inquiries promptly.

    Email: rad.rahman007@gmail.com
    Data Protection Officer: rad.rahman007@gmail.com