Privacy Policy

Effective date: June 1, 2026

Overview

Backstage Baton LLC ("Backstage Baton," "we," "us," or "our") operates a multi-tenant membership management platform at app.backstagebaton.com for community bands, orchestras, choirs, and ensembles. This Privacy Policy describes how we collect, use, store, share, and protect personal information when you use our website, platform, or SMS notification service (the "Service").

Our Role: Controller vs. Processor

Backstage Baton supports the privacy frameworks of the GDPR (EU/UK) and the CCPA/CPRA (California). For purposes of those laws:

  • When you submit a demo request, sign up for an account, or pay for a subscription, Backstage Baton is the data controller (GDPR) and business (CCPA/CPRA) for that information.
  • For the member data a subscribing organization enters into the Service — names, contact details, instruments, ensemble assignments, attendance, photos, and similar fields — the subscribing organization is the data controller / business and Backstage Baton acts as a data processor / service provider, processing that data only on the organization's documented instructions and to provide the Service.

We do not sell or share personal information for cross-context behavioral advertising (as those terms are defined under the CCPA/CPRA), and we do not rent personal information.

Subscribing organizations may request a Data Processing Addendum (DPA) at legal@backstagebaton.com. Our DPA covers GDPR Article 28 obligations, CCPA service-provider commitments, sub-processor flow-down, breach notification, and the EU/UK Standard Contractual Clauses where applicable.

What We Collect

We collect the categories of personal information below. We do not knowingly collect Social Security numbers, government ID numbers, biometric identifiers, precise geolocation, or health/medical records through the Service.

From visitors and demo requesters:

  • Name
  • Email address
  • Organization name (optional)
  • Organization type (Community Band, Orchestra, Choir, etc.)
  • Organization size

From organization owners and billing contacts:

  • Owner name and email
  • Mailing address for the organization (street, city, state, ZIP, county)
  • Stripe-issued customer reference IDs (we do not store credit card numbers; Stripe holds those)
  • Nonprofit EIN, where you apply for the nonprofit discount
  • Records of acceptance of our terms (timestamp, IP address, user agent)

From platform users (members of subscribing organizations):

  • First and last name
  • Email address
  • Phone number (mobile, used for SMS notifications)
  • Mailing address (street, city, state, ZIP, county)
  • Birthday (optional)
  • Instrument(s) and ensemble assignments
  • Member status, member type, and role within the organization
  • Emergency contact name, phone, email, and relationship
  • Parent or guardian (proxy) contact name, email, phone, and relationship — when an organization routes a member's communications to a proxy
  • Attendance records (performances and rehearsals)
  • Profile photo (optional)
  • SMS consent timestamp, IP, and user agent (recorded only after affirmative opt-in)
  • Audit-log snapshots of changes to a member's record (retained for change forensics)

CCPA categories. For California consumers, the categories above map to: identifiers, contact information, commercial information (subscription plan, billing history), demographic data including age (birthday is collected when provided), internet or other network activity information (limited to access logs), audio/visual information (profile photos), and professional or employment-related information (where a member provides it on their bio). We do not draw inferences from this data for profiling purposes.

How We Use Your Information

We use the information described above to:

  • Respond to demo requests and schedule product walkthroughs
  • Operate, secure, and provide the Backstage Baton membership management platform
  • Send SMS notifications on behalf of your organization (rehearsal reminders, schedule changes, performance updates, cancellation notices)
  • Send transactional emails (account setup, password reset, email verification, weekly digest, welcome and onboarding drip, billing notifications)
  • Process payments and manage subscriptions via Stripe
  • Provide AI-assisted features (smart import, music library enrichment, setlist suggestions, weekly digest composition) by transmitting necessary inputs to Anthropic
  • Maintain an audit trail of changes for security and operational forensics
  • Improve the Service based on aggregate usage patterns
  • Comply with legal obligations, enforce our Terms, and protect our rights and the rights of others

We will not sell, rent, or share your personal information with third parties for their own marketing purposes.

Legal bases for processing (GDPR):

  • Performance of a contract — operating the Service for organizations that subscribe, processing payments and renewals.
  • Legitimate interests — securing the Service, preventing abuse, responding to demo requests, improving the product, and protecting our rights.
  • Consent — SMS notifications (sent only after a member's affirmative opt-in). You may withdraw SMS consent at any time.
  • Legal obligation — tax and accounting records, response to lawful requests, compliance with privacy laws.

SMS Messaging & Phone Numbers

Backstage Baton sends SMS text messages to organization members on behalf of subscribing organizations. These messages include rehearsal reminders, schedule changes, performance updates, cancellation notices, and other time-sensitive organization communications.

Consent:

SMS notifications are off by default. Members explicitly opt in themselves by logging into their account, navigating to Notification Preferences, toggling SMS on for a notification type, and agreeing to a consent disclosure that includes message frequency, STOP/HELP instructions, and "Msg & data rates may apply." Consent is recorded server-side with a timestamp, IP address, and user agent. See our SMS program page for the full A2P 10DLC disclosure shown at opt-in.

Opt-out:

You may opt out of SMS messages at any time by replying STOP to any message. You may also disable SMS notifications in your account settings, or contact your organization administrator to update your preferences.

Help:

Reply HELP to any SMS message for support information, or email support@backstagebaton.com.

Message frequency & rates:

Message frequency varies based on your organization's activity (typically 1–10 messages per month). Backstage Baton does not charge for SMS messages, but your mobile carrier's standard messaging rates apply.

Sub-processors & Third-Party Services

We engage the following sub-processors to deliver the Service. Each processes personal data only as needed to provide its function and under contractual confidentiality and security obligations. All current processing occurs in the United States.

  • Amazon Web Services (AWS) — cloud hosting, database, file storage, container registry, logging. The primary store of record for all Customer Data. See AWS's Privacy Notice.
  • Twilio — SMS message delivery. Twilio processes phone numbers and message content solely to deliver text messages on behalf of your organization. See Twilio's Privacy Notice.
  • Twilio SendGrid — transactional and notification email delivery, including the inbound parse webhook used to capture weekly-digest reply text from leadership. Processes recipient names, email addresses, and message content.
  • Stripe — subscription billing and payment processing. Stripe processes billing contact information and payment-method data directly; we do not store credit card numbers. See Stripe's Privacy Notice.
  • Anthropic — AI-assisted features including smart import, music library enrichment, setlist suggestions, and weekly digest composition. Under Anthropic's commercial/API terms, inputs submitted via the API are not used to train Anthropic's models, and we limit inputs to what each feature requires. See Anthropic's Privacy Notice.

A current list of sub-processors is maintained at /sub-processors.

Notice of sub-processor changes. Before we add a new sub-processor that processes member personal data, we will update the sub-processors page and aim to notify organization owners and administrators at least 30 days in advance. Customers on enterprise contracts may object on reasonable data-protection grounds; the parties will work in good faith to address the objection. To subscribe to sub-processor change notices, email privacy@backstagebaton.com.

We do not share your personal information with any third parties for their marketing purposes.

Cookies & Analytics

Our marketing site does not currently use third-party analytics, advertising trackers, or marketing cookies. The Backstage Baton platform uses HTTP-only session cookies (and a short-lived JWT access token / longer-lived refresh token) solely for authentication. If we add analytics or marketing tracking in the future, we will update this policy and, where required, provide a consent mechanism.

Data Retention

  • Demo request information — retained for up to 12 months after your inquiry, then deleted or anonymized.
  • Active subscriber data — retained for the duration of your organization's active subscription.
  • After a member is removed or an organization cancels — Customer Data is retained for 90 days to allow re-activation or export, then deleted (subject to the legal/tax exception below). CSV export is available on all plans at any time.
  • Billing, invoice, and tax records — retained for the period required by applicable tax, accounting, and consumer-protection law (typically up to 7 years in the United States), regardless of the 90-day window.
  • Audit log entries — retained for the duration of the organization's account; may contain historical snapshots of personal data for change forensics.
  • Backups — daily encrypted database snapshots with a rolling 7-day retention.

Data Security

We implement industry-standard security measures, including:

  • Encryption in transit (TLS 1.2 or higher) and at rest for the database and object storage
  • Hashed passwords (bcrypt) and short-lived JWT access tokens with HTTP-only refresh cookies
  • Role-based access control (RBAC) and enforced multi-tenant isolation — every request is bound to the authenticated organization's data
  • Rate limiting and anti-abuse controls on public and authentication endpoints
  • Least-privilege access for personnel and contractors
  • AWS infrastructure with provider physical, network, and availability controls
  • Logging and monitoring, including request timing and slow-query monitoring
  • Automated tests, including cross-tenant isolation tests

No system is perfectly secure. We work to mitigate risk and to respond promptly to any incident that affects your data. Our DPA describes our breach-notification commitments to organization customers.

Children's Privacy

Backstage Baton is a tool that organizations — including youth, school, and community ensembles — use to manage their members, some of whom may be minors. The Service is not directed to children, we do not knowingly collect personal information directly from children through our marketing website, and the platform is intended for use by an organization's administrators rather than directly by children.

When a subscribing organization is a school or youth ensemble, that organization is the operator responsible for the member information it enters and for obtaining any consent required by law before adding a member's information — including verifiable parental or guardian consent for children under 13 under the Children's Online Privacy Protection Act (COPPA), and any consent required by state law or by FERPA where the organization is an educational institution. Backstage Baton processes that information only on the organization's behalf.

To support youth ensembles, the platform lets an organization route a member's communications to a parent or guardian (a "communication proxy") instead of contacting the member directly. Proxy contact details are treated as sensitive and are visible only to organization leadership.

If you are a parent or guardian and believe a child's information has been provided to us without appropriate consent, or you would like that information reviewed or removed, contact us at privacy@backstagebaton.com. We will work with you and the relevant organization to address your request promptly.

Your Rights

Subject to applicable law, you have the following rights with respect to personal information about you:

  • Right to know / access — request a copy of the personal data we hold about you.
  • Right to rectification — request correction of inaccurate or incomplete data.
  • Right to deletion / erasure — request that we delete personal data about you, subject to retention required for legal, tax, or accounting compliance.
  • Right to data portability — request a portable copy of your data (CSV export is available in-app).
  • Right to restrict or object — under the GDPR.
  • Right to opt out of SMS — at any time by replying STOP or updating your account settings.
  • Right to non-discrimination — under the CCPA/CPRA, we will not discriminate against you for exercising these rights.

How to exercise. Email privacy@backstagebaton.com from the address on file, or contact your organization's administrator for member-level data. We will respond within 30 days (or as required by applicable law — for example, the CCPA's 45-day window, extendable by 45 additional days when reasonably necessary). We may need to verify your identity. Under the CCPA/CPRA you may use an authorized agent (we will require written authorization). If you are a member of a subscribing organization, your data is controlled by that organization and we will forward your request to them where appropriate.

GDPR — right to lodge a complaint. If you are in the EU, UK, or Switzerland, you have the right to lodge a complaint with your local supervisory authority.

International Data Transfers

Backstage Baton is based in the United States and processes data in the United States on AWS infrastructure. If you are located outside the United States, your information will be transferred to and processed in the United States, which may have data-protection laws different from those in your jurisdiction. For transfers from the European Economic Area, the United Kingdom, or Switzerland, our DPA incorporates the relevant Standard Contractual Clauses by reference and the parties will complete the required annexes at execution.

Member Contact-Sharing within an Organization

Inside the platform, organizations can choose how members' email addresses and phone numbers are shared with their band peers. The default is configurable per organization and per channel ("all band" / "section only" / "private"), and each member may override the default for their own email and phone in their account settings. Organization administrators always see member contact information; section leaders always see contact information for the members in their section. Sharing preferences do not affect the obligations in this Privacy Policy.

Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of the State of Colorado, United States.

Changes to This Policy

We may update this Privacy Policy from time to time. If we make significant changes, we will post the updated policy on this page with a revised effective date and, for material changes that affect your rights, notify organization owners by email. Continued use of the Service after the effective date of an update constitutes acceptance.

Contact Us

Privacy questions and rights requests: privacy@backstagebaton.com
Legal and DPA requests: legal@backstagebaton.com
General support: support@backstagebaton.com

Backstage Baton LLC · Highlands Ranch, CO, United States · EIN 41-4595541

← Back to home