Privacy Policy
Effective Date: February 18, 2026
Last Updated: June 18, 2026
MelodyMap (“we,” “us,” “our”) is operated by Second Difference Solutions LLC, a West Virginia limited liability company. We are the data controller for the personal information described in this Policy. This Privacy Policy explains how we collect, use, disclose, and protect personal information when you use the MelodyMap website at melodymap.io and related services (the “Service”).
MelodyMap is reachable from the European Union and the United Kingdom. We aim to comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA), and similar U.S. state laws. Where these laws conflict, we apply the standard that is more protective of you.
Please read this Policy carefully. If you do not agree with it, please do not use the Service.
1. Information We Collect
1.1 Information from Students and Users
When you use MelodyMap as a student, parent, or visitor, we may collect:
- Search queries and location data: When you search for music educators, we collect the location or address you enter and your search terms to return relevant results. If you choose to use the “Use my location” feature, your device’s GPS coordinates are sent to our server to find nearby music educators. We do not store your precise GPS coordinates beyond processing the search request; only the general search area is logged for analytics.
- Pre-Enrollment Request information: If you submit a Pre-Enrollment Request, we collect the student’s name, contact email, contact phone number, the instruments and lesson type you are interested in, and any optional message you include. If the student is a minor, the parent or guardian submits the request on the student’s behalf, supplies the contact details, and confirms they consent to sharing the minor’s information with the selected Educator. This information is shared directly with the Educator you selected so they can contact you about lessons.
- Anonymized usage data: We collect a small amount of usage data to keep the site fast, understand which educators are getting found, and improve search results. This data is anonymous in the sense that it does not identify you personally: we use a short-lived random session identifier that resets when you close the tab, the analytics layer does not store your IP address with your events or session record, and we do not persist any cross-session “returning visitor” identifier. We collect: pages visited, search-result clicks, the Educator you opened or pre-enrolled with, your approximate region, and device type (mobile / tablet / desktop).
1.2 Information from Educators
When you create an Educator account and profile, we collect:
- Account information: Name, email address, and password (managed through Firebase Authentication).
- Business profile information: Business name, address, phone number, website, lesson types, instruments taught, service descriptions, and any other information you provide in your Educator profile.
- Imported business data: With your authorization, we import publicly available business data from Google Places, including ratings, reviews, hours of operation, and photos.
- Payment information: If you enroll in the Referral Program or subscribe to a paid tier, your payment card details are collected and processed by Stripe. MelodyMap does not store your full card number — only the last four digits and card type are retained for display purposes in your dashboard.
- Referral Program data: Enrollment status, card on file identifier, terms acceptance, and referral transaction history.
1.3 Information Collected Automatically
For all visitors, we automatically collect:
- Log data: Browser type, operating system, and general access patterns. Server logs may briefly contain a full IP address before the analytics layer truncates it; raw server logs are retained for no more than 30 days for security and abuse prevention.
- Anonymized analytics: Page views, search events, and search-result clicks are batched and sent to our own analytics endpoint. See Section 1.1 (“Anonymized usage data”) for what is and is not collected. We do not currently use Google Analytics. If we add it back or add Google Ads conversion tracking, we will ask for your consent first via an on-screen banner before any third-party tracking script loads.
- Storage we use: A small set of items in your browser’s storage that keep the Service working: a Firebase Authentication session token (if you are signed in), a per-tab session identifier for analytics, and your UI preferences. We do not set any third-party tracking cookies. See Section 6 for more details.
2. How We Use Your Information
2.1 Student and User Data
We use student and user information to:
- Provide search results for music educators based on your location query
- Deliver your Pre-Enrollment Request to the selected Educator
- Analyze search and usage patterns to improve the platform (using anonymized, aggregated data)
- Communicate with you regarding a Pre-Enrollment Request you submitted, if necessary
2.2 Educator Data
We use Educator information to:
- Display your business in the MelodyMap directory: Your profile information (business name, location, services, imported Google Places data) is displayed publicly in search results and on your directory listing to help students find music educators.
- Advertising and promotion: We use your business information to create and display directory listings, landing pages, and promotional content — including in search results, location-based pages, email campaigns, and social media — to attract students to the MelodyMap platform. Your profile information is the basis for this advertising content.
- Process referral fees and subscriptions: We use your payment information (via Stripe) to charge referral fees when Pre-Enrollment Requests are received and to process subscription payments.
- Communicate with you: We send notifications related to your account, Pre-Enrollment Requests, billing, and platform updates.
- Improve the platform: We analyze aggregated Educator data to improve search relevance, directory quality, and overall user experience.
2.3 Analytics and Platform Improvement
We log search events and click events to understand how the platform is used and to improve search result quality. Analytics data is aggregated and not used to personally identify individual users.
4. Data Retention
4.1 Student / Visitor Data
- Anonymized analytics events: Retained for up to 24 months, then deleted. Aggregated reports derived from these events may be retained longer because they do not identify you.
- Raw server logs (including full IP): Retained for no more than 30 days for security, abuse prevention, and debugging.
- Rate-limit records: To prevent abuse of public endpoints (search, place-details), we briefly store a caller’s IP address in a separate rate-limit collection keyed by IP + endpoint + time-window. These records auto-delete within 2 days and are never linked to analytics events or visitor sessions; they are used only to throttle excessive requests.
- Pre-Enrollment Requests: Contact information submitted via Pre-Enrollment Requests is shared with the Educator and retained for up to 24 months so we can investigate disputes about referral charges or delivery. You can ask us to delete this record at any time after the Educator has contacted you; see Section 7.
4.2 Educator Data
- Profile information: Retained for as long as your Educator account is active. If you delete your account or request removal, we will delete your profile data within a reasonable timeframe, except as required for legal or billing record-keeping.
- Payment records: Transaction records are retained as required by applicable tax and financial regulations.
- Imported Google Places data: Cached data is refreshed periodically (typically every 14–30 days) and is removed when your profile is deleted.
4.3 Analytics Data
Aggregated, anonymized analytics data may be retained indefinitely and does not constitute personal information.
5. Data Security
We implement reasonable technical and organizational measures to protect your information, including:
- HTTPS encryption for all data in transit
- Firebase Authentication for secure account access
- Stripe PCI-compliant payment processing (MelodyMap never stores full card numbers)
- Firestore security rules restricting data access to authorized users
- Security headers (HSTS, X-Frame-Options, X-Content-Type-Options) on all pages
No system is completely secure. While we strive to protect your information, we cannot guarantee absolute security.
7. Your Rights
7.1 Rights Available to Everyone
Regardless of where you live, you can contact us at info@melodymap.io to:
- Access a copy of the personal information we hold about you
- Correct inaccurate or incomplete information
- Delete your personal information, subject to legal retention requirements
- Receive a portable copy of your data
- Opt out of any non-essential tracking or marketing communications
We will respond within 30 days. If we need more time (e.g. to look up data across multiple systems), we will tell you and explain why.
7.2 Additional GDPR / UK GDPR Rights (EEA + UK Residents)
If you are in the European Economic Area or the United Kingdom, you also have the right to:
- Restrict processing while a dispute about accuracy or lawful basis is resolved
- Object to processing we carry out on the basis of legitimate interests
- Not be subject to solely automated decisions that produce legal or similarly significant effects on you (we do not currently make such decisions)
- Withdraw consent at any time, for any processing we carry out on the basis of consent. Withdrawal does not affect the lawfulness of processing that happened before you withdrew
- Lodge a complaint with your local Data Protection Authority. In Ireland, that is the Data Protection Commission; in the UK, it is the Information Commissioner’s Office (ICO)
7.3 Lawful Bases (GDPR / UK GDPR)
Under GDPR and UK GDPR, every processing activity needs a lawful basis. Ours are:
| Processing activity | Lawful basis |
|---|---|
| Operating your Educator account, billing, providing the Service | Contract (Article 6(1)(b)) |
| Pre-Enrollment Requests submitted by visitors | Consent of the visitor (Article 6(1)(a)); for minors, consent of the parent or guardian under Article 8 |
| Anonymized site analytics | Legitimate interests (Article 6(1)(f)) — running and improving the directory; the data is anonymous so the impact on you is minimal |
| Fraud prevention, security, abuse monitoring (raw server logs) | Legitimate interests (Article 6(1)(f)) |
| Any future third-party tracking (e.g. Google Analytics, Google Ads) | Consent (Article 6(1)(a)) — collected via the on-screen banner before the script loads |
| Responding to legal process or regulator requests | Legal obligation (Article 6(1)(c)) |
7.4 Educator Account Deletion
Educators may request full account and profile deletion by contacting info@melodymap.io. Upon deletion:
- Your profile will be removed from the public directory
- Your account data will be deleted from Firebase Authentication
- Payment records will be retained only as required by law
- Cached Google Places data associated with your profile will be purged
8. Children’s Privacy
MelodyMap is intended for adults who are searching for music lessons, including parents and guardians searching on behalf of a minor child.
- Educator account creation is restricted to users who are at least 18 years old.
- Pre-Enrollment Requests on behalf of a minor must be submitted by the parent or guardian. The form asks whether the student is a minor; when “yes” is selected, the parent or guardian must provide their own name as the contact and confirm they consent to sharing the minor’s information with the selected Educator. This is the parental-consent mechanism required by GDPR Article 8 (for EU/UK residents) and the U.S. Children’s Online Privacy Protection Act (COPPA), for any child under 13.
- We do not knowingly allow a minor under 13 to create their own account or submit a Pre-Enrollment Request on their own behalf. If we learn that we have collected information directly from a child under 13 without verifiable parental consent, we will delete it promptly.
If you believe a child has provided us with personal information, please contact info@melodymap.io.
9. Data Breach Notification
If we discover a personal-data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the appropriate Data Protection Authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33 (and the UK GDPR equivalent), and
- Notify affected users by email without undue delay when the breach is likely to result in a high risk to your rights, with a clear description of what happened, what data was involved, and what steps to take.
We maintain an internal incident-response procedure to support this.
10. State-Specific Disclosures (U.S.)
10.1 California Residents (CCPA / CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act and the California Privacy Rights Act, including the right to know what personal information we collect, the right to request deletion, the right to correct inaccurate information, and the right to opt out of the sale or sharing of personal information. MelodyMap does not sell personal information and does not share it for cross-context behavioral advertising.
10.2 Virginia, Colorado, Connecticut, and Other State Privacy Laws
Residents of states with comprehensive privacy laws (Virginia, Colorado, Connecticut, Utah, Texas, and similar) may have additional rights similar to those described in Section 7. To exercise them, contact us at info@melodymap.io.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last Updated” date at the top of this page. For Educators with active accounts, we will provide notice through the Educator Dashboard or via email. Continued use of the Service after changes are posted constitutes acceptance of the revised policy.
12. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us at:
MelodyMap (Second Difference Solutions LLC)
174 Norwood Drive
Falling Waters, WV 25419
United States
Email: info@melodymap.io
Website: melodymap.io
Please use the email address above for GDPR / UK GDPR / CCPA rights requests so we can route them to the right person quickly.