Privacy Policy.

This Privacy Policy explains how Padforms handles personal data collected through the Padforms website at padforms.com and the Padforms desktop application for macOS and Windows.

Padforms is operated from Leeds, United Kingdom. For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, Padforms is the data controller for personal data processed in connection with the service.

You can reach us through the contact form on our website for any questions about this policy or about how we handle your data.

If you join the notify-me list on padforms.com, we collect your email address and the model of MIDI controller you told us you own. We use this information to send you launch updates, occasional product news, and to plan which controllers we prioritise supporting.

We use third-party analytics to understand how visitors find and use padforms.com: which pages and features are helpful, where people run into friction, and how the site can be improved. We use two analytics providers for this: PostHog and Google Analytics. These services receive information such as the pages you view, the approximate location derived from your IP address, your device and browser type, and how you move through the site, and they may store cookies or similar identifiers in your browser.

Analytics cookies are not needed for the site to function, so we set them only after you accept them through the cookie banner shown on your first visit. Until you accept, no analytics cookies are set and no analytics data is collected about your visit. You can change or withdraw your choice at any time using the cookie controls in the site footer. If you decline, padforms.com still works normally. Apart from analytics, the site sets only the essential cookies required for it to operate, and we do not use it to display third-party advertising.

To use Padforms you need to create an account. When you sign up we collect your email address and a password (stored only as a salted hash, never in plain text). We may also collect basic device information such as your operating system version and the application version, which helps us diagnose compatibility issues.

When you use the app, your practice progress, settings, and lesson history are currently stored locally on your computer. We are building optional cloud sync, and once that ships we will sync that data to our servers so you can move between machines. Cloud sync will be opt-in and clearly described before you enable it.

If you opt in to sending crash reports or diagnostic logs, we will receive technical information about errors, such as stack traces, the action you were performing, and basic system information. We do not enable diagnostic reporting without your consent.

We do not record audio from your microphone, and we do not transmit raw MIDI input from your controller off your device.

We rely on consent for sending marketing and launch emails to people who join the notify-me list, for setting non-essential analytics cookies on the website, and for optional diagnostics or crash reporting. You can withdraw consent at any time.

We rely on performance of a contract for creating and operating your account, delivering the app, and (once available) providing cloud sync.

We rely on legitimate interests for keeping the service secure, preventing abuse, and improving the product. Where we rely on legitimate interests we have considered your rights and freedoms and concluded that our use is proportionate. You can object at any time.

We rely on legal obligation where we are required to retain or disclose information to comply with law.

Notify-me email addresses are kept until the public launch of Padforms. After launch we will delete the notify-me list unless you have separately opted in to ongoing product emails.

Account data is kept while your account is active. If you delete your account, we will remove your personal data within 30 days, except for limited records we are required to keep for legal, tax, or fraud-prevention purposes. Backups containing your data are rotated out within 90 days.

Diagnostic and crash report data, where you have opted in, is retained for up to 12 months and then deleted or fully anonymised.

Analytics data collected through the website is retained in line with the standard retention settings of our analytics providers, after which it is deleted or kept only in aggregated form that does not identify you.

We use a small number of trusted service providers to run Padforms. These may include providers of website hosting and content delivery (for example, a platform such as Vercel or Cloudflare), transactional email delivery (for example, a provider such as Postmark or Resend), and authentication and account management (for example, a provider such as Clerk or Supabase). For the website analytics described in section 02, we use PostHog and Google Analytics.

We choose providers that offer appropriate technical and organisational safeguards, and we put contracts in place that require them to process personal data only on our instructions. We will update this section if our set of providers changes materially.

Some of our service providers process data outside the United Kingdom, including in the European Economic Area and the United States. Where data is transferred outside the UK, we rely on appropriate safeguards such as the UK International Data Transfer Agreement, the EU Standard Contractual Clauses with the UK Addendum, or transfers to countries the UK government recognises as providing an adequate level of protection.

You can ask us to give you access to the personal data we hold about you, correct inaccurate or incomplete data, delete your data (the right to erasure, subject to limited exceptions), or provide a copy in a portable, machine-readable format.

You can object to processing based on legitimate interests, opt out of marketing at any time, and withdraw consent where we rely on it (without affecting processing carried out before withdrawal).

You can lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk. We would appreciate the chance to address your concerns first, but you have the right to go directly to the ICO.

To exercise any of these rights, use the contact form on our website. We will respond within one month and may ask for information to verify your identity.

Padforms is not directed at children under 16, and we do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.

We take reasonable technical and organisational measures to protect personal data, including encryption in transit, hashing of passwords, restricted access to production systems, and routine review of our providers.

No internet-connected system is perfectly secure, however, and we cannot guarantee absolute security. If we ever become aware of a personal data breach that affects you, we will notify you and the ICO in line with our legal obligations.

If we make material changes to this policy we will update the date above and, where appropriate, notify you by email or via an in-app notice. We encourage you to review this page from time to time.

Questions, requests, or complaints about this policy can be sent through the contact form on our website.