Privacy Policy
Last updated: April 27, 2026
Music Juries (the “Service”) is operated by Taveren Labs LLC (“we,” “us,” or “our”), a Texas limited liability company. The Service provides jury scheduling, faculty evaluation, repertoire management, and reporting for college and university music programs. This Privacy Policy describes what personal information we collect through the Service, how we use it, with whom we share it, and the choices available to you.
If your institution has signed a Master Services Agreement or Data Processing Addendum with Taveren Labs LLC, that agreement controls in the event of any conflict with this page.
1. Who is responsible for your information
For users at an institutional customer, the institution is the data controller of student educational records under the Family Educational Rights and Privacy Act (FERPA, 20 U.S.C. § 1232g). Taveren Labs operates as the institution’s “school official with a legitimate educational interest” and processes student records only on the institution’s instructions.
2. Information we collect
- Account information: your name, email address, institutional affiliation, role (student, faculty, administrator, accompanist), and an internal numeric user identifier.
- Academic records (provided by your institution): course enrollments, jury sign-ups, repertoire sheets, evaluations, scores, and faculty comments. Optionally, profile photo and phone number if you choose to add them.
- Uploaded files: if your program uses the score-upload feature, the score PDFs you upload for faculty review.
- Usage and security data: log entries with timestamps, IP address at authentication time, browser type, pages accessed, and audit records of administrative actions. Used for security monitoring, abuse investigation, and operational troubleshooting.
- Cookies and similar technologies: a small number of strictly-necessary and preference cookies. See the Cookie Policy below.
We do not collect Social Security numbers, dates of birth, payment card numbers, health information, biometric identifiers, location data, or anything else not listed above. The Service does not include advertising, third-party analytics that track you across other sites, or social-media plugins that fingerprint visitors.
3. How we use information
- To operate the Service for your institution — scheduling, evaluation, repertoire tracking, and reporting.
- To secure the Service, investigate abuse or unauthorized access, and comply with legal obligations.
- To communicate with you about the Service (notifications, password resets, scheduled-maintenance alerts, security advisories).
- To generate aggregated, non-identifying analytics for institutional administrators (e.g., completion rates, throughput).
We do not sell personal information, share it for third-party advertising, or use it for purposes materially beyond those listed without institutional authorization.
4. Subprocessors with whom we share information
Personal information is shared only with the following subprocessors, each under a written data-processing agreement that binds them to comparable security and confidentiality obligations:
- Amazon Web Services (AWS) — primary hosting (compute and DNS) and encrypted backup storage. Location: United States.
- Anthropic PBC — AI inference for two product features (repertoire-completion suggestions and scheduling-context completion). Requests sent to Anthropic include scheduling-context fields needed for the feature to function, such as student first and last names, instrument, division, and time slot. We do not send email addresses, grades, faculty evaluation comments, or uploaded files to Anthropic. Per Anthropic’s commercial API terms, Anthropic does not train its models on Service inputs. Location: United States.
- Brevo (Sendinblue SAS) — transactional email (password resets, scheduled notifications). Receives recipient name, email address, and notification content. Location: European Union.
We will notify institutional customers in advance of adding a new subprocessor or making a material change to an existing one, except where an emergency change is required for security reasons.
5. AI features and data
The Service includes optional AI-assisted features (repertoire completion, scheduling suggestions). These features call the Anthropic Claude API; the data sent is described in § 4 above. Anthropic’s commercial-API terms prohibit using inputs or outputs to train their models, and Anthropic’s current attestations are published at trust.anthropic.com.
An institution-level kill-switch can disable every AI call across the Service for an institution; institutional administrators may request activation by contacting ai@taverenlabs.com.
6. Legal framework
- FERPA (20 U.S.C. § 1232g): the Service operates as a “school official” with a “legitimate educational interest”; institutions retain custody of education records.
- U.S. state privacy laws: we comply with applicable state privacy laws where institutional customers are located, including but not limited to Texas and Florida.
- GDPR / UK GDPR: not currently in scope. The Service does not have EU or UK data subjects as primary users today. If an institution onboards EU or UK users, this Privacy Policy and the underlying processor arrangements will be reviewed and amended before processing begins.
7. Security
We protect personal information using a layered set of technical and organizational controls:
- Encryption in transit: TLS 1.2 or greater (TLS 1.3 preferred) on all public endpoints.
- Encryption at rest: block storage and backups are encrypted at rest with AES-256 and versioned.
- Access control: role-based authorization (student, faculty, administrator, super-administrator, accompanist), brute-force lockout, CSRF protection on every state-changing request.
- Operational controls: centralized logging, audit retention, multi-factor authentication on administrative accounts, secrets stored outside source control, and automated dependency-CVE monitoring.
Detailed security controls are documented in our institutional Information Security, Incident Response, and Vulnerability Management policies, available to institutional customers on request.
8. Data retention and deletion
| Data type | Retention |
|---|---|
| Active student records | Duration of institution’s license + 7 years (matches academic-record retention) |
| Graduated / inactive user records | Retained 7 years per institutional transcript policy, then purged |
| Application logs | Up to 90 days |
| Authentication logs | Up to 12 months |
| Database backups | Daily rolling backups on host; encrypted off-host archival for the term of the institutional license |
| Session tokens | Purged on logout or after 30 days of inactivity |
Institutions may request earlier deletion or full data export at any time by contacting privacy@taverenlabs.com. We respond within 30 days of receiving a confirmed institutional request.
9. Your rights and choices
End users should direct access, correction, or deletion requests to their institution, which is the custodian of their educational records under FERPA. Tenant administrators may request, on behalf of their institution:
- Export of all institutional data in machine-readable format (within 30 days of request)
- Bulk deletion of identified records (within 30 days)
- Suspension of any subprocessor with respect to the institution’s data, subject to service-level implications
Submit institutional requests to privacy@taverenlabs.com.
10. Children’s privacy
The Service is intended for use within higher-education music programs and is not directed to children under 13. We do not knowingly collect information from children under 13. If you believe a child under 13 has provided information through the Service, please contact us immediately.
11. Breach notification
If we determine that personal information processed on behalf of an institutional customer has been subject to a security incident, we will notify the affected institution’s designated contact within the timeframe required by the institution’s contract and by applicable law, with the information needed for the institution to meet its own notification obligations to affected individuals.
12. Changes to this Privacy Policy
We may update this Privacy Policy as the Service evolves. Material changes will be posted on this page with an updated “Last updated” date, and institutional customers will be notified at least 30 days before the effective date.
13. Contact
Taveren Labs LLC · Texas, United States
- Privacy inquiries: privacy@taverenlabs.com
- Security inquiries: security@taverenlabs.com
- AI / model-governance inquiries: ai@taverenlabs.com
- Accessibility inquiries: accessibility@taverenlabs.com
Terms of Service
Last updated: April 27, 2026
These Terms of Service (the “Terms”) govern your access to and use of the Music Juries service (the “Service”), operated by Taveren Labs LLC (“we,” “us,” or “our”). If you are using the Service through an institutional license, your institution’s signed Master Services Agreement (“MSA”) controls in the event of any conflict with these Terms.
1. Acceptance
By accessing or using the Service, you agree to these Terms. If you are using the Service on behalf of an institution, you represent that you are authorized to bind that institution. If you do not agree to these Terms, do not access or use the Service.
2. Description of the Service
The Service is a multi-tenant software-as-a-service platform for academic music programs, providing jury scheduling, faculty evaluation, repertoire management, and reporting features. The Service is delivered exclusively over HTTPS through standard web browsers and is hosted on Amazon Web Services (AWS) in the United States.
3. Eligibility and account types
The Service is intended for use by individuals affiliated with a higher-education institution that has licensed the Service for its music program. Account types include student, faculty, accompanist, administrator, and super-administrator. Account provisioning is performed by your institution; Taveren Labs does not create end-user accounts directly except for institutional administrators on license activation.
4. Account responsibilities
- You are responsible for maintaining the confidentiality of your credentials.
- You are responsible for all activity under your account.
- You will notify us promptly at security@taverenlabs.com if you become aware of unauthorized access.
- You will not share, sell, or transfer your credentials, and you will use multifactor authentication where the Service or your institution requires it.
5. Acceptable use
You agree not to:
- Probe, scan, or test the vulnerability of the Service or any related infrastructure without prior written authorization (see security@taverenlabs.com for our coordinated-disclosure path).
- Upload content that infringes third-party intellectual-property rights, violates applicable law, or contains malicious code.
- Use the Service to harass, harm, or impersonate others, or to engage in academic dishonesty in violation of institutional policy.
- Interfere with or disrupt the integrity, performance, or availability of the Service.
- Reverse-engineer, decompile, or disassemble any part of the Service, except to the extent expressly permitted by applicable law.
- Use the Service to train AI or machine-learning models, scrape repertoire or evaluation data in bulk, or build a competing service.
6. Institutional data and ownership
The institution that licenses the Service retains all ownership of and intellectual-property rights in its institutional data — including student records, evaluations, repertoire entries, and uploaded files. Taveren Labs processes institutional data only on the institution’s instructions, consistent with FERPA’s “school official” framework and any signed Data Processing Addendum. End users do not gain ownership of institutional data through their use of the Service.
Taveren Labs claims no rights to use institutional data for any purpose other than operating, securing, and improving the Service for that institution, and will not use institutional data to train AI or machine-learning models without institutional authorization.
7. Our intellectual property
The Service, including all software, interfaces, designs, documentation, and content provided by Taveren Labs, is owned by Taveren Labs LLC and its licensors and is protected by copyright, trademark, and other laws. These Terms do not grant you any rights in our trademarks, logos, or service marks. Open-source components incorporated in the Service are governed by their respective licenses.
8. Subscription, fees, and billing
The Service is billed at the institutional level under the institution’s MSA. End users do not pay Taveren Labs directly for use of the Service.
9. Suspension and termination
We may suspend or terminate access to the Service in the case of: (a) a material breach of these Terms; (b) a confirmed security incident requiring containment; (c) institutional license expiration or non-payment per the MSA; or (d) a legal or regulatory order requiring suspension. Where practicable, we will provide notice to the affected institution before suspending or terminating service.
10. Service availability
We make commercially reasonable efforts to keep the Service available and to perform planned maintenance during academic-calendar low-traffic windows. Service-level commitments, if any, are specified in the institution’s MSA. The Service is not guaranteed to be uninterrupted or error-free.
11. Disclaimers
EXCEPT AS EXPLICITLY STATED IN A SIGNED MSA, THE SERVICE IS PROVIDED “AS IS” AND “AS AVAILABLE” WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. WE DO NOT WARRANT THAT THE SERVICE WILL BE UNINTERRUPTED, ERROR-FREE, OR FREE OF HARMFUL COMPONENTS, OR THAT ANY DATA WILL BE SECURE OR NOT LOST OR ALTERED.
12. Limitation of liability
TO THE FULLEST EXTENT PERMITTED BY LAW, TAVEREN LABS LLC’S AGGREGATE LIABILITY ARISING OUT OF OR RELATING TO THESE TERMS OR THE SERVICE WILL NOT EXCEED THE FEES PAID BY THE INSTITUTION TO TAVEREN LABS FOR THE SERVICE IN THE TWELVE MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM. IN NO EVENT WILL TAVEREN LABS BE LIABLE FOR INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, INCLUDING LOST PROFITS, LOST DATA, OR BUSINESS INTERRUPTION, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF CERTAIN DAMAGES, SO PORTIONS OF THIS SECTION MAY NOT APPLY TO YOU.
13. Indemnification
You agree to defend, indemnify, and hold harmless Taveren Labs LLC, its officers, employees, and agents from and against any claims, damages, costs, and expenses (including reasonable attorneys’ fees) arising out of: (a) your violation of these Terms; (b) your violation of applicable law; or (c) content you upload or actions you take that infringe third-party rights. Taveren Labs will indemnify the institution for third-party claims that the Service, as provided, infringes a U.S. patent or copyright, on terms specified in the MSA.
14. Governing law and jurisdiction
These Terms are governed by the laws of the State of Texas, without regard to its conflict-of-laws principles. Any dispute arising out of or relating to these Terms or the Service will be brought exclusively in the state or federal courts located in Tarrant County, Texas, and you consent to the personal jurisdiction of those courts. Nothing in this section limits an institution’s rights under a signed MSA that specifies different governing-law or venue terms.
15. Dispute resolution
Before filing suit, the parties will attempt in good faith to resolve any dispute through informal discussion, with a written notice describing the dispute sent to security@taverenlabs.com. The parties agree to confer within 30 days of such notice. If the dispute is not resolved within 60 days of notice, either party may proceed to litigation.
16. Changes to these Terms
We may update these Terms as the Service evolves. Material changes will be posted here with an updated “Last updated” date, and institutional customers will receive at least 30 days’ notice. Your continued use of the Service after the effective date constitutes acceptance.
17. Contact
Taveren Labs LLC · Texas, United States · security@taverenlabs.com