SightReader SightReader

Privacy policy

Last updated: 10 May 2026

This policy explains what personal data SightReader collects, why we collect it, and what you can do about it. We’ve tried to keep it short and plain. If anything is unclear, email hello@sightreader.app and we’ll explain.

Who we are

SightReader ( sightreader.app ) is operated by Bret Cameron, sole trader, based in London, United Kingdom. For the purposes of UK GDPR and the Data Protection Act 2018, we are the data controller for the personal data described below.

Contact for any privacy matter: hello@sightreader.app.

What we collect

Account information

  • Your email address and (where the provider supplies them) display name and profile photo from your chosen sign-in provider (Google, Microsoft, or the email magic-link).
  • An internal user ID we generate, plus role (most users are simply user).
  • Onboarding answers (skill level, weekly goal) if you complete the intro flow.

Practice data

  • Sessions you complete: which piece, accuracy, timing, star rating, the notes you played.
  • Settings you adjust (tempo, transposition, key signatures).
  • Pieces you upload (MusicXML files), if any. These are stored against your account.
  • Connected MIDI device names (e.g. "Yamaha P-45") so we can show them in the picker. We don’t capture audio.

Payment data

If you upgrade to Pro, billing is handled by Stripe. We never see your card details — Stripe sends us only the customer ID, subscription status, and currency. Stripe’s own privacy policy applies to their processing.

Technical data

  • IP address and approximate location (country/city) at request time.
  • Browser, OS, and device type from your User-Agent.
  • Pages you view, buttons you click, and errors you encounter.

Communications

When we send you email (welcome, drip onboarding, weekly digest if you’re an admin) we log the send and any subsequent bounce or complaint. If you reply to one of our emails, we keep the thread.

Lawful bases for processing

Under UK GDPR Article 6, the lawful bases we rely on are:

  • Contract — to provide the service you signed up for: account management, practice tracking, billing, sign-in.
  • Legitimate interests — to keep the service secure, fix bugs (Sentry), understand which features get used (PostHog), and reach you about meaningful product changes. We’ve balanced these against your rights and consider the impact minimal.
  • Consent — for non-essential marketing email beyond service updates. Every marketing email includes an unsubscribe link. You can revoke consent at any time in your account or via the unsubscribe link.
  • Legal obligation — to retain billing records (Stripe) for HMRC tax purposes.

How we use your data

  • To create your account and let you sign in.
  • To save your practice progress and serve daily-practice picks tailored to your level.
  • To take payment for Pro and remember whether you’re entitled to Pro features.
  • To send transactional email (sign-in links, receipts, account changes).
  • To send onboarding and product email (welcome, drip), which you can unsubscribe from at any time.
  • To debug crashes, monitor performance, and detect abuse.
  • To produce aggregate, non-identifying statistics about how the product is used (e.g. "how many users completed Grade 1 last week").

We do not sell your personal data. We do not run third-party advertising and never share your data with advertisers.

Sub-processors

We use a small number of suppliers to deliver the service. Each is bound by a contract (Data Processing Addendum) requiring them to handle your data only on our instructions and apply appropriate security measures.

  • Supabase (database & authentication storage) — hosted in the EU.
  • Cloudflare (hosting, DNS, WAF) — global edge with traffic typically served from the UK/EU for UK visitors.
  • Amazon Web Services — S3 (MusicXML library storage), CloudFront (CDN in front of the library), and SES (transactional and marketing email; recipient address and email body are processed). We use the eu-west-2 (London) region.
  • Stripe — payment processing (UK & global).
  • Google and Microsoft — only when you choose those providers to sign in. They learn that you signed in to SightReader; we receive your email, display name, and avatar.
  • PostHog (product analytics) — EU cloud (eu.i.posthog.com).
  • Sentry (error monitoring) — Frankfurt, Germany (de.sentry.io).

International transfers

Most of our processing happens in the UK or EU. Where a sub-processor is based outside the UK (e.g. Stripe, parts of AWS, Google, Microsoft), transfers rely on the UK International Data Transfer Agreement, the EU Standard Contractual Clauses with the UK Addendum, or an adequacy decision (such as the UK–US Data Bridge), as applicable. You can ask us for a copy of the relevant transfer mechanism by emailing hello@sightreader.app.

Retention

  • Account & practice data — kept while your account is active. If you delete your account, we remove personally identifying fields within 30 days; aggregate, anonymous practice statistics may persist.
  • Email logs — kept for 12 months for deliverability diagnostics, then deleted.
  • Payment records — kept for at least 6 years to comply with HMRC record-keeping rules.
  • Magic-link tokens — single-use, expire after 30 minutes, hashed at rest.
  • Crash & analytics events — kept for 90 days (Sentry) and 12 months (PostHog) respectively, then deleted.

Your rights

Under UK GDPR you have the right to:

  • Ask for a copy of the personal data we hold about you (right of access).
  • Correct anything that’s wrong (rectification).
  • Ask us to delete your data, including your account (erasure / "right to be forgotten").
  • Restrict or object to certain processing.
  • Receive your data in a portable format (data portability).
  • Withdraw consent at any time, where we relied on consent.
  • Lodge a complaint with the Information Commissioner’s Office (ICO) if you think we’ve handled your data badly. We’d appreciate the chance to address it first — email hello@sightreader.app.

You can exercise most of these rights directly in your account page (delete account, export data, edit profile). For anything not self-serve, email us — we aim to respond within 30 days.

Cookies and similar technologies

We group cookies into three categories. You can change your choices any time on the Cookie settings page.

Strictly necessary

Always on. The site doesn’t work without these, so they’re exempt from consent.

  • Authentication — a session cookie set by Auth.js so you don’t have to sign in on every page load.
  • CSRF protection — a short-lived cookie to prevent forged requests.
  • Language preference — a cookie that remembers your chosen language so the site renders in the right locale next visit.
  • Cookie consent record — local storage holding your cookie-category choices, so we don’t prompt you on every visit.
  • Preferences — local storage to remember UI choices like volume or preferred clef.
  • Crash monitoring — Sentry sets a session ID to tie related errors together. No personal data; required for site health.

Analytics

Set only if you opt in. PostHog drops a first-party cookie and a localStorage entry to count unique users and measure feature use. EU-hosted, IP-masked.

Marketing

No marketing cookies are active today. We’ll list any here as we add them, and the category stays off by default until you opt in.

To change your choices, visit Cookie settings (also linked in the site footer).

Children

SightReader is suitable for piano students of all ages, but we don’t knowingly collect personal data from children under 13. In line with the ICO’s Age Appropriate Design Code, anyone under 13 in the UK should ask a parent or guardian to set up the account on their behalf. If you believe a child has signed up without permission, email hello@sightreader.app and we’ll delete the account.

Security

We protect your data with industry-standard measures: TLS in transit, encryption at rest at our database and storage providers, hashed (not plain-text) magic-link tokens, row-level security in the database so users can only read their own records, regular dependency updates, and least-privilege service credentials. No system is impenetrable — if we detect a breach affecting your data, we’ll notify you and the ICO without undue delay, as required by law.

Changes to this policy

We may update this policy when the product or our suppliers change. The "Last updated" date at the top of the page is the source of truth. For material changes (new data categories, new sub-processors that meaningfully change the privacy picture) we’ll email active users at least 14 days before the change takes effect.

Contact

Questions, requests, or complaints: hello@sightreader.app. We aim to reply within three working days (UK time).

If we can’t resolve your complaint, you can contact the Information Commissioner’s Office — the UK’s data protection regulator — at ico.org.uk/make-a-complaint.