Last updated: January 26, 2026
This policy applies to the Sostenutoo website, the Sostenutoo iOS mobile application (App Store), and the Sostenutoo Android mobile application (Google Play Store).
This Privacy Policy describes how Sostenutoo collects, uses, stores, and protects your personal data when you use our orchestra and musical ensemble management platform.
We are committed to protecting your privacy and processing your data in compliance with the General Data Protection Regulation (GDPR), Apple App Store requirements, and Google Play Store policies.
Sostenutoo - Micro-entreprise (sole proprietorship under French law)
Representative: Rémi Lecomte
Contact email: commerce.remilecomte@gmail.com
Support: support@sostenutoo.com
If you choose to sign in with Google:
We do not access any other Google data (contacts, calendar, Drive, etc.).
If you choose to sign in with Apple:
Apple Sign In respects your privacy: you control which information is shared with our service. We do not access any other Apple data.
When sheet music is uploaded by orchestra administrators:
When you use the chat and announcement features in the mobile applications:
Visibility: Messages, images, and announcements are visible only to active members of your orchestra.
Retention: Messages and images are retained indefinitely until manually deleted by their author or an administrator.
Image storage: Photos shared in chat are securely hosted on Supabase Storage (EU - Paris), in a dedicated bucket isolated per orchestra. Images are compressed upon upload to optimise performance.
The Sostenutoo iOS application may request access to:
The application does not collect and does not automatically sync your calendar or photo data. All actions are manual and initiated by you.
The Sostenutoo Android application uses the following permissions:
Important: Photo access is strictly limited to your manual selection. The application cannot browse or access your photos without your explicit action.
| Purpose | Legal Basis |
|---|---|
| Account creation and management | Performance of contract |
| Access to your orchestra's programmes and sheet music | Performance of contract |
| Event management and absence declarations | Performance of contract |
| Email communication (invitations, notifications) | Legitimate interest |
| Communication between members (chat and announcements) | Performance of contract |
| Platform improvement | Legitimate interest |
| Security and fraud prevention | Legitimate interest |
Administrators, coordinators, and founders of your orchestra can see:
Chat and announcements: Chat messages are visible to all active members of your orchestra. Announcements are visible based on the roles targeted by the author (all musicians, conductors only, etc.).
Other musicians cannot access your personal data (email, instrument) unless shared via chat.
| Service | Usage | Location |
|---|---|---|
| Supabase | Database, authentication, sheet music storage | 🇪🇺 European Union (Paris, France) |
| Netlify | Website hosting | 🇺🇸 United States (GDPR-compliant via contractual clauses) |
| Resend | Transactional email delivery | 🇺🇸 United States (GDPR-compliant) |
| Stripe | Payments (orchestra subscriptions) | 🇪🇺 / 🇺🇸 (GDPR and PCI-DSS compliant) |
We never sell your data to third parties.
Some of our sub-processors (Netlify, Resend, Stripe) may process data in the United States. These transfers are governed by:
Your main database remains hosted in France (Paris) via Supabase.
| Data Type | Retention Period |
|---|---|
| Active account data | As long as the account is active |
| Data after account deletion | 90 days then permanently deleted |
| Connection logs | 1 year |
| Support emails | 5 years |
| Billing data (Stripe) | 10 years (legal accounting obligation) |
| Chat messages and announcements | As long as the account is active, or until manually deleted |
| Images shared in chat | As long as the account is active, or until the message containing the image is manually deleted |
When an orchestra is deleted, all associated sheet music, events, programmes, messages, and announcements are permanently deleted.
When you leave an orchestra, your absence declarations for that orchestra are deleted. Your personal data (account, profile) remain intact. Your chat messages remain visible (with your name) to preserve conversation continuity, unless manually deleted before your departure.
You can delete your own messages (text and images) at any time from the mobile application. Deleting a message containing an image permanently removes the image from storage within 24 hours. Administrators can also delete any message in case of inappropriate content.
In accordance with the GDPR (General Data Protection Regulation — EU Regulation 2016/679) and the French Loi Informatique et Libertés (French Data Protection Act), you have the following rights:
To exercise your rights: Send an email to support@sostenutoo.com with the subject line "GDPR — [Your request]".
We will respond within 7 business days.
We implement the following measures:
We only use cookies and local storage that are strictly necessary:
No tracking, advertising, or analytics cookies are used.
Note: Google Analytics may be added in the future with a consent option.
Sostenutoo is a service designed for managing orchestras and musical ensembles. There is no age restriction for using the service, as it does not collect sensitive data and is used in a supervised educational and cultural context (music schools, conservatories, amateur orchestras).
If you are a parent or legal guardian and wish to obtain information about your child's data, please contact us at support@sostenutoo.com.
In the event of a data breach likely to result in a risk to your rights and freedoms, we commit to:
This policy may be updated. In the event of a substantial change:
For any questions about this policy:
Email: support@sostenutoo.com
To file a complaint with the supervisory authority:
CNIL — Commission Nationale de l'Informatique et des Libertés (French Data Protection Authority)
3 Place de Fontenoy - TSA 80715 - 75334 Paris Cedex 07
www.cnil.fr