Privacy Policy

Effective date: September 19, 2023
Welcome to Orchestra, where we prioritize your privacy. Please read this Privacy Policy to understand how we handle your personal data. By accessing or using Orchestra in any way, you acknowledge and consent to the practices and policies described below.
Please keep in mind that your use of Orchestra is always subject to our Terms of Use, which incorporates this Privacy Policy. Any terms used in this Policy without definitions are as provided in the Terms of Use.
If you require this Privacy Policy in an alternative format, please contact us at [email protected].
As we continuously strive to enhance Orchestra, we may need to update this Privacy Policy periodically. When we make such changes, we will notify you through our website, email communication, or other suitable means. If you have chosen not to receive legal notice emails from us (or have not provided your email address), please note that these legal notices still apply to your use of Orchestra, and you are responsible for reviewing and understanding them. If you continue to use Orchestra after any changes to the Privacy Policy have been posted, you agree to accept all modifications.
This Privacy Policy addresses how we handle Personal Data collected when you access or use Orchestra. "Personal Data" refers to any information that identifies or pertains to a specific individual, including data referred to as "personally identifiable information" or "personal information" under applicable data privacy laws, rules, or regulations. Please note that this Privacy Policy does not cover the practices of companies we do not own or control or individuals we do not manage.

Personal Data

Categories of Personal Data We Collect
The following chart outlines the categories of Personal Data that we collect, both currently and over the preceding 12 months:

Sources of Personal Data for Orchestra
At Orchestra, we collect Personal Data from various sources, including:

From You

• When you directly provide information to us.
• During the account creation process or when using Orchestra.
• When you voluntarily input information in open-text fields within Orchestra or respond to surveys or questionnaires.
• When you contact us via email or other means.
• When you use Orchestra, and certain information is collected automatically.
• Through the use of Cookies (defined in our Cookie Policy).
• If you download our mobile application or use a location-enabled browser, we may receive information related to your location and mobile device, where applicable.
• If you download and install specific applications and software made available by Orchestra, we may collect information transmitted from your computing device for the purpose of providing you with Orchestra. This may include data about your login status and availability to receive updates or alerts.

From Third Parties

• Vendors
• We may utilize analytics providers to assess your interactions and engagement with Orchestra, and third parties might assist us in delivering customer support.
• Vendors may provide information for lead generation and user profile creation.
• Social Media Networks

Our Commercial or Business Purposes for Collecting or Disclosing Personal Data at Orchestra
At Orchestra, we collect and disclose Personal Data for various commercial or business purposes, including:

Providing, Customizing, and Enhancing Orchestra

• Creating and managing user accounts and profiles.
• Processing orders, transactions, and billing.
• Delivering requested products, services, or information.
• Addressing user support and assistance requests related to Orchestra.
• Enhancing Orchestra through testing, research, internal analytics, and product development.
• Personalizing Orchestra, website content, and communications based on user preferences.
• Ensuring fraud protection, security, and debugging.
• Fulfilling other business purposes disclosed at the time of data collection or as required by applicable data privacy laws, such as the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA).

Marketing and Promoting Orchestra

• Marketing and offering Orchestra's services.

Communication with Users

• Responding to user inquiries and messages.
• Contacting users when necessary or upon request.
• Sending information and updates related to Orchestra.
• Sending emails and communications based on user preferences or content that aligns with user interests.

Compliance with Legal Requirements and Enforcement of Legal Terms

• Meeting our legal obligations as mandated by applicable laws, regulations, court orders, or legal processes, including the prevention, detection, and investigation of security incidents and potential illegal or prohibited activities.
• Safeguarding the rights, property, or safety of users, Orchestra, or other parties.
• Enforcing agreements with users.
• Responding to claims of content violations or third-party rights infringement.
• Resolving disputes.

We will not collect additional categories of Personal Data or use the collected Personal Data for materially different, unrelated, or incompatible purposes without providing notice to users.

How We Share Your Personal Data at Orchestra
Orchestra may disclose your Personal Data to various categories of service providers and other parties as outlined in this section. Depending on applicable state laws, some of these disclosures may be considered a "sale" of Personal Data. For more details, please refer to the state-specific sections below.

Service Providers
These parties assist us in offering Orchestra and performing essential business functions, including:

• Hosting, technology, and communication providers.
• Analytics providers.
• Support and customer service vendors.
• Product fulfillment and delivery providers.
• Payment processors.

Our payment processing partner, Stripe, Inc. ("Stripe"), may collect your payment card information, provided voluntarily by you, to facilitate payment processing. Please refer to Stripe's terms of service and privacy policy for details regarding its use and storage of your Personal Data.

Parties Authorized, Accessed, or Authenticated by You

• Third parties you engage with or access through Orchestra. For example, when you join an Orchestra organization or forum and subsequently share your Personal Data with other members or administrators of that organization or forum.
• Social media services.

Google Applications
In addition to the standard privacy practices outlined above, please note the following restrictions when providing access to Google user data to Orchestra:

• We only use Google data access (read, write, modify, or control) to facilitate the use of Orchestra and do not transfer this data to others unless it is necessary to provide and enhance these features, comply with applicable laws, or as part of a merger, acquisition, or asset sale.
• We do not utilize this Google user data for advertising purposes.
• Human access to this data is restricted unless we obtain your affirmative agreement for specific messages, such access is necessary for security reasons (e.g., investigating abuse), to comply with applicable laws, or for internal operational purposes. Even then, access is granted only after aggregating and anonymizing the data.

Legal Obligations
Orchestra may share any collected Personal Data with third parties in alignment with the activities described under the "Meeting Legal Requirements and Enforcing Legal Terms" section in the "Our Commercial or Business Purposes for Collecting Personal Data" section above. Additionally, if you share Personal Data through an Orchestra organization, that organization may be allowed to share your Personal Data according to their litigation discovery policies.

Business Transfers
In the event of a merger, acquisition, bankruptcy, or other business transaction in which a third party assumes control of Orchestra (in whole or in part), all collected Personal Data may be transferred to that third party. We will make reasonable efforts to notify you before your data becomes subject to different privacy and security policies and practices in such instances.

Non-Personal Data
Orchestra may create aggregated, de-identified, or anonymized data from the Personal Data collected. This process involves removing information that identifies a specific user. Such aggregated, de-identified, or anonymized data may be used for lawful business purposes, including analysis, improvement of Orchestra, and business promotion. However, we will not share such data in a manner that could personally identify you.

Tracking Tools, Advertising, and Opt-Out
Orchestra uses tracking technologies like cookies, pixel tags, web beacons, clear GIFs, and JavaScript ("Cookies") to enhance your experience on our platform. Cookies help our servers recognize your web browser, analyze usage patterns, and improve Orchestra.
Cookies are small data files placed on your device (computer, tablet, phone) when you access Orchestra. We may also supplement the information we collect with data received from third parties, including those that have placed their own Cookies on your devices. Please note that, at this time, Orchestra does not support "Do Not Track" requests from browsers.
Learn more about our use of Cookies in our Cookie Policy.

Data Security
Orchestra implements physical, technical, organizational, and administrative security measures to protect your Personal Data from unauthorized access, use, and disclosure. These measures are tailored to the type of Personal Data collected and how it is processed.
You can further protect your data by selecting and safeguarding your password or sign-on mechanism, limiting access to your devices and browsers, and signing out after using your account. While we strive to secure your data, please be aware that no method of data transmission over the internet or data storage is entirely secure.

Data Retention
Orchestra retains Personal Data about you as necessary to provide our services or perform our business or commercial purposes related to data collection. When determining retention periods for specific data categories, we consider factors such as the source of the data, the purpose of collection, and legal obligations. In some instances, we may retain Personal Data for longer periods, particularly if required by legal obligations, dispute resolution, fee collection, or as permitted or mandated by applicable laws, rules, or regulations. Additionally, we may retain information in a de-identified or aggregated form that does not personally identify you. If you have questions regarding data security or retention, please contact us at [email protected]. For data shared through an Orchestra organization, the third-party administrator retains shared Personal Data in accordance with their data retention policies.
For example:

• Profile information and credentials are retained as long as you have an active account.
• Payment data is retained for the duration required for processing purchases or subscriptions.
• Device/IP data is retained for the necessary duration to ensure the proper functioning, effectiveness, and efficiency of our systems.

Personal Data of Children
As stated in our Terms of Use, we do not knowingly collect or solicit Personal Data from children under the age of 13. If you are under 13, please do not attempt to register for our services, provide Personal Data, or use our services. If we become aware of collecting Personal Data from a child under 13, we will promptly delete the information. If you believe a child under 13 may have provided Personal Data to us, please contact us at [email protected].

California Resident Rights
If you are a California resident, you have specific rights as outlined in this section. Please refer to the "Exercising Your Rights" section below for guidance on how to exercise these rights. If we process Personal Data as a service provider on behalf of a customer, you should contact the entity that initially collected your Personal Data to address your rights concerning such data.
In cases of conflict between this section and any other part of this Privacy Policy, the provision offering greater protection for Personal Data to California residents will prevail. For inquiries about this section or whether these rights apply to you, please contact us at [email protected].

Access
You have the right to request specific information about the collection and utilization of your Personal Data over the past 12 months. Upon request, we will provide you with the following details:

• Categories of Personal Data collected about you.
• Sources from which this Personal Data was obtained.
• Business or commercial purposes for collecting or selling your Personal Data.
• Categories of third parties with whom we have shared your Personal Data.
• Specific pieces of Personal Data collected about you.

If we have disclosed your Personal Data to third parties for business purposes in the past 12 months, we will identify the categories of Personal Data shared with each category of third-party recipient. If your Personal Data has been sold in the past 12 months, we will identify the categories of Personal Data sold to each category of third-party recipient.

Deletion
You can request the deletion of the Personal Data we have collected about you. However, under the CPRA, this right is subject to specific exceptions. For instance, we may need to retain your Personal Data to provide you with services, complete requested transactions, or if deletion involves disproportionate effort. In such cases, we may deny your deletion request.

Correction
You can request corrections to any inaccurate Personal Data we have collected about you. Nevertheless, under the CPRA, there are exceptions to this right. For example, if we determine, based on the totality of circumstances, that your data is correct, we may deny your request.

Exercising Your Rights
To exercise these rights, you or your Authorized Agent (defined below) must submit a request that (1) provides sufficient information to verify your identity and (2) describes your request in enough detail for us to understand and respond to it. Such requests meeting both criteria will be considered "Valid Requests." We may not respond to requests that do not meet these criteria. Personal Data obtained in a Valid Request will only be used to verify your identity and process your request. An account is not required to submit a Valid Request.
We aim to respond to Valid Requests within 45 days of receipt. We will not charge you unless your Valid Request(s) is considered excessive, repetitive, or manifestly unfounded. If we determine that a fee is warranted, we will inform you of the fee and provide an explanation before processing your request.
You can submit a Valid Request through the following methods:
Email us at: [email protected]
You can also authorize an agent (an "Authorized Agent") to exercise these rights on your behalf. To do so, provide written permission to your Authorized Agent to act on your behalf, and we may request a copy of this written permission from your Authorized Agent when they make a request for you.

Personal Data Sales
We do not sell your Personal Data and have not engaged in such sales over the past 12 months.

Personal Data Sharing
Under the CPRA, California residents have specific rights regarding the sharing of Personal Data for cross-contextual behavioral advertising. We do not share your Personal Data for cross-contextual behavioral advertising and have not done so in the past 12 months. To our knowledge, we do not share the Personal Data of minors under 16 years of age for cross-contextual behavioral advertising purposes.

Non-Discrimination
We will not discriminate against you for exercising your rights under the CPRA. We will not deny you access to our goods or services, charge different prices or rates, or offer a lower quality of goods and services based on your exercise of CPRA rights. However, we may offer different service tiers with varying prices, rates, or quality levels in accordance with applicable data privacy laws, including the CPRA, based on the value of the Personal Data we collect from you.

Other State Law Privacy Rights

California Resident Rights
California residents have the right to request that we prevent the disclosure of their Personal Data to third parties for direct marketing purposes. To make such a request, please contact us at [email protected].

Nevada Resident Rights
If you are a Nevada resident, you have the right to opt out of the sale of certain Personal Data to third parties who intend to license or sell that Personal Data. You can exercise this right by contacting us at [email protected] with the subject line "Nevada Do Not Sell Request" and providing your name and the email address associated with your account. Please note that we do not currently engage in the sale of Personal Data as defined in Nevada Revised Statutes Chapter 603A.

European Union Data Subject Right

UK and EU Residents
If you are a resident of the European Union ("EU"), United Kingdom, Lichtenstein, Norway, or Iceland, you may have additional rights under the EU General Data Protection Regulation (GDPR) concerning your Personal Data.

Contact Information
For any questions or comments regarding this Privacy Policy, the collection and usage of your Personal Data, or your rights and choices concerning such collection and usage, please feel free to contact us at:
[email protected]