Privacy policy
The German version of this document is legally binding. This translation is provided for convenience only.
As of: 29 March 2026
1. Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) is:
Yannick Stein
Auf’m Bruch 6
59929 Brilon
Email: [email protected]
2. Overview of processing operations
This privacy policy provides information about the processing of personal data when using the website notenarchiv.com as well as the web-based platform and mobile app “Notenarchiv” (hereinafter jointly referred to as the “Service”).
3. Data collected
3.1 Visiting the website (notenarchiv.com)
This website is a purely static information page. We do not use cookies, tracking or analytics tools. No forms are used for data collection. When you visit the website, only technically necessary server log files are recorded (see section 4).
3.2 Registration and account management (app)
- Club name
- First name, surname and email address of the contact person
- IP address and user agent at registration (proof of agreement to the terms)
- Role within the club (admin, librarian, member)
- Assigned instruments
3.3 Use of the Service (app)
- Uploaded files (sheet music as PDF)
- Metadata of the sheet music (title, composer, category, etc.)
- Access logs (timestamps, pages visited)
3.4 Authentication (app)
- WebAuthn/passkey credentials (public key, credential ID)
- Magic link tokens (temporary, valid for max. 15 minutes)
- JWT tokens (in the user’s browser storage)
3.5 Subscription and billing (app)
- Selected plan and subscription status
- Billing address (if provided)
- Payment information (invoice number, payment status)
4. Server log files
The hosting provider (Cloudflare) automatically collects and stores information in so-called server log files, which your browser transmits automatically. These are:
- Browser type and browser version
- Operating system used
- Referrer URL
- IP address
- Time of the server request
This data is not merged with other data sources. The collection of this data is based on Art. 6 (1) lit. f GDPR. The website operator has a legitimate interest in the technically error-free presentation and provision of its website.
5. Legal bases of processing
| Processing | Legal basis |
|---|---|
| Registration and account management | Art. 6 (1) lit. b GDPR (performance of a contract) |
| Use of the Service | Art. 6 (1) lit. b GDPR (performance of a contract) |
| Authentication | Art. 6 (1) lit. b GDPR (performance of a contract) |
| Billing | Art. 6 (1) lit. b GDPR (performance of a contract) |
| Access logs | Art. 6 (1) lit. f GDPR (legitimate interest in security) |
| Logging agreement to the terms | Art. 6 (1) lit. f GDPR (legitimate interest in proof) |
| Email notifications | Art. 6 (1) lit. b GDPR (performance of a contract) |
6. Processors (third-party providers)
We use the following processors:
6.1 Cloudflare, Inc.
- Purpose: Hosting the website, bot protection during registration (Cloudflare Turnstile)
- Data: IP address, browser information (anonymised)
- Storage: No permanent storage of personal data
- Location: Worldwide, standard contractual clauses pursuant to Art. 46 (2) lit. c GDPR
- Info: https://www.cloudflare.com/privacypolicy
6.2 Hetzner Online GmbH
- Purpose: Hosting the application and storing the data (servers and S3 object storage)
- Location: Germany (data centres in Nuremberg and Falkenstein)
- Data protection: Data processing agreement concluded pursuant to Art. 28 GDPR
- Info: https://www.hetzner.com/legal/privacy-policy
6.3 Resend Inc. (where activated)
- Purpose: Sending emails (login links, notifications)
- Data: Email address, first name
- Location: USA, standard contractual clauses pursuant to Art. 46 (2) lit. c GDPR
- Info: https://resend.com/legal/privacy-policy
6.4 OpenAI, LLC (only when AI recognition is activated)
- Purpose: AI-powered instrument recognition on PDF pages
- Data: Individual PDF page images are temporarily transmitted to the OpenAI API
- Storage: OpenAI does not permanently store data transmitted via the API for training purposes in accordance with its own Data Usage Policy (for API usage)
- Location: USA, standard contractual clauses pursuant to Art. 46 (2) lit. c GDPR
- Note: AI recognition is deactivated by default and is only activated at the customer’s request. The customer can deactivate its use at any time in the settings.
- Info: https://openai.com/policies/privacy-policy
7. Data transfer
Personal data is only passed on to third parties:
- to the processors named in section 6
- where we are legally obliged to do so (e.g. by order of a court)
No transfer for advertising purposes or to other third parties takes place.
8. Storage period
| Data | Storage period |
|---|---|
| Account and usage data | For the duration of the contract |
| After the end of the contract | 30 days (data available for download) |
| After the 30 days have elapsed | Irreversible deletion |
| Billing data | 10 years (statutory retention period pursuant to § 147 AO) |
| Agreement to the terms (proof) | 3 years after the end of the contract (limitation period) |
| Access logs | 90 days |
9. Cookies and local storage
- Cookies: The Service does not use tracking cookies or advertising cookies. No cookies are passed on to third parties.
- Local storage (localStorage): JWT authentication tokens and the selected organisation are stored in the user’s browser storage. This data is technically necessary for the functionality of the Service.
- A cookie banner is not required, as only technically necessary storage technologies are used.
10. Rights of data subjects
Every data subject has the following rights:
- Access (Art. 15 GDPR): You can request information about the data we have stored about you.
- Rectification (Art. 16 GDPR): You can request the rectification of inaccurate data.
- Erasure (Art. 17 GDPR): You can request the erasure of your data, provided there are no statutory retention obligations.
- Restriction (Art. 18 GDPR): You can request the restriction of processing.
- Data portability (Art. 20 GDPR): You can receive your data in a common, machine-readable format.
- Objection (Art. 21 GDPR): You can object to the processing of your data.
To exercise your rights, please contact the email address named in section 1.
11. Right to lodge a complaint
In the event of breaches of the GDPR, you have the right to lodge a complaint with a supervisory authority. The competent supervisory authority is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Postfach 20 04 44
40102 Düsseldorf
https://www.ldi.nrw.de
12. Security measures
We take appropriate technical and organisational measures to protect your data:
- Encrypted data transmission (HTTPS/TLS)
- Passwordless login via WebAuthn/passkeys (phishing-resistant)
- Tenant separation (multi-tenant architecture with strict data isolation)
- Regular security updates
- Access controls and role-based permissions
13. Contacting us by email
If you contact us by email, your enquiry including all personal data resulting from it (name, email address, content of the enquiry) will be stored and processed by us for the purpose of handling your request. We do not pass on this data without your consent.
The processing of this data is based on Art. 6 (1) lit. b GDPR, provided your enquiry is connected with the performance of a contract or is necessary for carrying out pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective handling of the enquiries addressed to us (Art. 6 (1) lit. f GDPR).
14. Changes to this privacy policy
We reserve the right to adapt this privacy policy in order to bring it into line with changed legal situations or changes to the Service. The current version can be viewed on this page and in the app.