Privacy Policy
Effective Date: March 31, 2026 Last Updated: June 20, 2026
Trio Creations, LLC ("Trio," "we," "us," or "our") operates the Trio music studio management platform available at musicaltrio.com (the "Service"). This Privacy Policy explains what information we collect, how we use it, and your rights.
We do not sell your personal information. We never have and never will.
1. Who This Policy Applies To
This Privacy Policy applies to:
- Studio owners and teachers who create Trio accounts
- Students (age 13 and older) who access the student portal
- Parents and guardians who are contacted via the platform
- Visitors to musicaltrio.com
Age Requirement: Trio is intended for users aged 13 and older. The student portal is age-gated to users 13+. If you believe a child under 13 has provided information to us, contact us at info@musicaltrio.com and we will promptly delete it.
Teachers may add student records for students of any age on behalf of those students. When a teacher creates or manages a student record, the teacher is responsible for ensuring appropriate authorization for that data.
Media of younger students. When a parent or guardian uploads photos, videos, or audio of a child under 13 through the family portal, the parent is providing that media on behalf of their child under their own parental authority. Trio does not solicit or accept media uploads directly from children under 13. Studios are responsible for obtaining any required family consent before enabling media features for their studio's students. If you have questions about media your child's studio collects through Trio, contact the studio directly or reach us at info@musicaltrio.com.
2. Information We Collect
Information You Provide Directly
Teachers / Studio Owners:
- Name and email address (required to create an account)
- Studio name and business information
- Lesson rates and billing preferences
- Student records: names, contact information, lesson schedules
- Lesson notes, attendance records, and student progress information
- Payment method for your Trio subscription (processed by Stripe — we do not store full card or bank account numbers)
Students (13+) accessing the Student Portal:
- Name and email address
- Lesson schedule and preferences
- Lesson history and attendance
Parents and Families (when paying a studio through Trio):
- The payment method you use to pay your studio — card details or, for ACH bank payments, bank account information and your authorization (mandate) to debit the account. Bank accounts are linked and verified through Stripe, including Stripe Financial Connections. Trio does not store full card or bank account numbers.
Waitlist / Marketing:
- Email address (if you sign up for updates at musicaltrio.com)
Content and Media You Upload:
- Photos — profile pictures for studios, teachers, students, and family members
- Practice videos and audio — short videos or audio that students or families record or upload to document practice, including session or "spontaneous" practice videos
- Lesson-note attachments — audio, video, image, or PDF files a teacher attaches to a lesson note
- Practice and engagement data — practice logs, the optional mood indicator you can attach to a practice entry (a self-reported, optional selection), streaks, and earned badges
Uploaded media and files are stored in our database storage provider (Supabase) and, like all studio data, are access-controlled so that only the user's own studio can view them.
Account Authentication:
When you sign in, we process the credentials for your chosen sign-in method — magic-link email, SMS one-time code, and/or a passkey. If you enable a passkey (WebAuthn), your device creates a public/private key pair and shares only the public key with us (through Supabase Auth). The private key and any biometric you use to unlock it — such as a fingerprint or face — never leave your device and are never transmitted to or stored by Trio.
Information Collected Automatically
When you use Trio, we automatically collect:
- Usage analytics via Vercel Analytics and Google Analytics (GA4): page views, feature interactions, session data, traffic sources, and performance data. Vercel Analytics does not use tracking cookies or fingerprinting.
- Log data: IP address, browser type, pages visited, and timestamps
- Device information: device type, operating system, and browser version
Cookies: We use essential cookies for authentication and session management. We also use Google Analytics cookies (_ga, _ga_XXXXXXXX) to understand how users navigate Trio. These are analytics cookies only — we do not use advertising or behavioral targeting cookies. You can opt out of Google Analytics tracking at https://tools.google.com/dlpage/gaoptout.
3. How We Use Your Information
We use your information to:
- Provide, maintain, and improve the Trio platform
- Process payments and send invoices via Stripe
- Send lesson reminders and notifications — email via Resend; SMS via Twilio; web push notifications via your browser vendor's push service, based on your preferences
- Power the AI lesson note compilation feature ("Ask Trio") — see Section 5
- Respond to your support requests and communicate about your account
- Send marketing updates and product news to subscribers (you can unsubscribe anytime)
- Analyze usage patterns to make Trio better
4. Information Sharing and Third Parties
We do not sell your personal information.
We share information with third-party service providers only as necessary to operate Trio. These providers are contractually required to protect your data and may only use it for the services they provide to us.
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase | Database and authentication | User accounts and student records |
| Vercel | App hosting and infrastructure | Usage analytics and server logs |
| Stripe | Payment processing | Teacher subscription billing and family payments to studios (card and ACH bank debit); Stripe is PCI-DSS compliant — we never see or store full card or bank account numbers |
| Stripe Financial Connections | Bank-account verification for ACH payments | Bank account details a family links to pay a studio by ACH |
| Resend | Transactional email | Name and email address for notifications, reminders, and invoices |
| Twilio | SMS notifications | Phone number, for users who enable SMS reminders |
| Browser push services (Apple, Google, Mozilla, Microsoft) | Web push notification delivery | Encrypted notification payload, routed through the push service operated by your browser vendor, for users who opt in to push notifications |
| Loops | Marketing email | Email address for waitlist and opt-in subscribers only |
| OpenRouter | AI lesson note compilation | Student names and lesson notes when you use "Ask Trio" (see Section 5) |
| Google LLC (Analytics) | Website usage analytics | Page views, session data, device info, IP address (anonymized by Google) |
| Cloudflare | DNS and email routing | Domain routing only; no personal data |
| Your chosen AI provider (via MCP) | Connected AI assistant | Studio data (students, families, schedules, lesson notes, invoices) when a Max-plan owner/admin connects an external AI assistant — see the MCP Privacy Addendum below |
We may also disclose information:
- When required by law, court order, or valid government request
- To protect the rights, safety, or property of Trio, our users, or the public
- In connection with a business transaction such as a merger or acquisition (with notice to affected users)
5. AI Feature — "Ask Trio"
Trio offers an optional AI-powered lesson note compilation feature called "Ask Trio." When you use this feature:
- Student names and your lesson notes are sent to OpenRouter, a third-party AI routing service, for processing.
- We do not send contact information (email addresses, phone numbers) or payment information to OpenRouter.
- OpenRouter operates with data privacy enabled, which means your data is not retained or used to train AI models by OpenRouter. However, your data does pass through OpenRouter's infrastructure and may be processed by OpenRouter's upstream AI inference providers. For full details, see OpenRouter's Privacy Policy.
Using "Ask Trio" is entirely optional. You can write and manage lesson notes at any time without using the AI feature.
If you prefer that student data not be processed by OpenRouter, simply do not use the "Ask Trio" feature.
6. Data Retention
- Active accounts: We retain your data for as long as your account is active.
- Cancelled accounts: If you cancel your subscription, we retain your data for 30 days so you can export it. After 30 days, your account and all associated student records are permanently deleted. To request earlier deletion, contact info@musicaltrio.com.
- Uploaded media and files: Photos, videos, audio files, and lesson-note attachments are retained for as long as the associated studio account is active. When a studio account is cancelled or deleted, all uploaded media is deleted on the same schedule as other account data (30 days after cancellation, or earlier on request). Parents may request deletion of their child's media at any time by contacting their studio or emailing info@musicaltrio.com.
- Financial records: Transaction and invoice records may be retained for up to 7 years to comply with applicable tax and accounting requirements.
- Marketing email: If you unsubscribe from marketing emails, we will remove you from our mailing list promptly. We may retain your email address on a suppression list to ensure you are not inadvertently re-added.
7. Your Rights and Choices
You have the right to:
- Access your data — request a copy of the information we hold about you
- Correct inaccurate information in your account
- Delete your account and associated data (see Section 6 for retention timelines)
- Export your data before your account is deleted
- Opt out of marketing email at any time by clicking "Unsubscribe" in any Trio email
- Disable SMS notifications in your account settings at any time
To exercise any of these rights, email info@musicaltrio.com.
8. California Residents (CCPA)
If you are a California resident, the California Consumer Privacy Act gives you additional rights:
- Right to know what personal information we collect, use, and share
- Right to delete your personal information
- Right to opt out of sale — we do not sell personal information
- Right to non-discrimination for exercising your rights
To submit a CCPA request, email info@musicaltrio.com with the subject line "CCPA Request."
9. Data Security
We take reasonable steps to protect your information, including:
- SSL/TLS encryption for all data in transit
- Row-level security in our database, ensuring each teacher can only access their own studio's data
- Access controls limiting who within Trio can access user data
- Secure authentication via magic-link email, SMS one-time codes, and passkeys (WebAuthn)
No method of transmission or storage is completely secure. If you believe your account has been compromised, contact us immediately at info@musicaltrio.com.
In the event of a data breach that may affect your rights, we will notify affected users promptly and in accordance with applicable law.
10. Third-Party Links
Trio may link to third-party sites or services (for example, Stripe's payment pages). This Privacy Policy does not apply to those sites. We encourage you to review the privacy policies of any third-party services you use.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last Updated" date at the top of this page and notify you by email for significant changes.
12. SMS and Text Messaging
This section describes how Trio handles mobile phone numbers and SMS messages, including the consent, opt-out, and program details required by U.S. carrier rules (CTIA Messaging Principles and Best Practices) and Twilio's A2P 10DLC program. The SMS Messaging Program details are also described in our Terms of Service.
- What we collect. Mobile phone numbers provided by parents or guardians, adult students, or studio staff. Phone numbers are collected (a) on the public studio application form at
musicaltrio.com/s/{slug}/apply, (b) at the parent portal sign-in atmusicaltrio.com/auth/login(used to send one-time login verification codes), or (c) by your music studio when adding you as a family contact in Trio. - How we use it. We send (i) one-time login verification codes; (ii) account notifications tied to your family's enrollment, including lesson reminders, schedule changes, attendance updates, and billing notifications; (iii) one-time onboarding invitations from your studio; and (iv) direct customer-care messages from your music teacher. We do not send marketing, promotional, contest, or affiliate SMS through Trio.
- Who it is shared with. Phone numbers are shared with the music studio that enrolled your family (because the messaging is sent on your studio's behalf) and with Trio's SMS provider (Twilio) for delivery. We do not sell or share phone numbers with third parties for their own marketing or messaging. Phone numbers are never sold, rented, leased, or otherwise transferred to third parties for unrelated purposes.
- How to opt out. Reply STOP (or STOPALL, UNSUBSCRIBE, CANCEL, END, or QUIT) to any SMS message from Trio to opt out. Opt-out takes effect immediately at the carrier level and is also recorded in Trio's database. To opt back in, reply START (or YES, UNSTOP). You can also toggle SMS preferences per recipient in the parent portal at musicaltrio.com/member.
- Help. Reply HELP to any SMS message from Trio for assistance, or email support@musicaltrio.com.
- Retention. Phone numbers are retained for as long as your family's enrollment is active and for a reasonable period thereafter for compliance, support, and audit purposes. Opt-out records are retained for the duration required by applicable law.
- Inbound SMS replies. SMS replies you send to your studio are stored as part of your conversation history with the studio. Replies sent from numbers we cannot identify are stored in operational logs for diagnostic purposes only and are not visible to any studio.
Message and data rates may apply.
13. Push Notifications
This section describes how Trio handles web push notifications, which are an opt-in channel separate from email and SMS. Push notifications let Trio deliver short, time-sensitive alerts to your device (browser or installed PWA) about your lessons, messages, payments, and other transactional events.
- What we collect. When you opt in to push notifications on a device, your browser issues Trio a push subscription that includes (i) a device-specific push subscription endpoint URL, (ii) the public encryption keys (
p256dhandauth) required to encrypt notification payloads to that device, (iii) best-effort platform information derived from your browser's user-agent string, and (iv) timestamps for when the subscription was created and last seen. - How we use it. We use the subscription only to deliver push notifications about lessons, messages, payments, and other transactional or operational events tied to your Trio account. We do not send marketing, promotional, contest, or affiliate push notifications through Trio.
- How it is stored. Push subscription records are stored in Trio's database (the
push_subscriptionstable), scoped to your studio. When you opt out, or when the push service informs us that the subscription is no longer valid (an HTTP410 Goneresponse), the record is soft-deleted. - Who it is shared with. To deliver a notification, Trio sends the encrypted payload to the push service operated by your browser vendor (for example, Apple Push Notification service for Safari, Firebase Cloud Messaging for Chrome and Edge, and Mozilla autopush for Firefox). The push service routes the notification to your device. We do not share notification content with third parties beyond what is technically required for delivery, and we do not sell, rent, or lease push subscription information.
- User controls. Push is opt-in per device. You explicitly grant permission the first time you enable notifications on each device. You can opt out at any time from Settings → Notifications in Trio, and you can also revoke permission at the operating system or browser level at any time.
- Retention. Active push subscription records are retained for as long as the subscription is valid — typically until you opt out, until the push service marks the subscription as gone, or until the subscription expires. Soft-deleted records are retained per Trio's existing data retention policy (see Section 6) for audit and abuse-prevention purposes.
14. Contact Us
Questions, requests, or concerns about your privacy?
Trio Creations, LLC info@musicaltrio.com
Model Context Protocol (MCP) Privacy Addendum
Effective Date: June 1, 2026 Last Updated: June 1, 2026
This addendum supplements the Trio Privacy Policy and describes how your studio data is handled when you connect an AI assistant to Trio using the Model Context Protocol (MCP). Capitalized terms not defined here have the meanings given in the main Privacy Policy.
1. What This Addendum Covers
When a studio owner or admin connects an external AI assistant (such as Claude, ChatGPT, or Cursor) to Trio through MCP, that assistant can read studio data on your behalf. This addendum explains what data is shared, where it goes, and the controls available to you.
2. What Data Is Shared
A connected AI assistant can read the same studio data your Trio role already permits you to access. The specific categories are:
| Category | Examples |
|---|---|
| Students & profiles | Names, ages, instruments, enrollment status |
| Families & contacts | Parent/guardian names, email addresses, phone numbers |
| Lessons & schedule | Lesson times, calendar events, makeup credits |
| Attendance | Attendance records, absences |
| Lesson notes | Free-text progress notes written by teachers |
| Invoices & billing | Invoice amounts, payment status, unpaid balances |
| Messages | Studio conversations and message history |
| Staff & availability | Team member names, roles, availability slots |
| Practice & library | Practice logs, compositions, library items |
All access is read-only. A connected assistant cannot create, modify, or delete any data in your studio.
What is NOT shared: Trio does not transmit your payment method details (credit card numbers, bank accounts) through MCP. Payment processing is handled entirely by Stripe and is never exposed to connected AI assistants.
3. How Data Flows
When you approve a connection, the following happens:
- You authorize access through a consent screen that names the requesting application and lists the data categories above.
- Trio issues a credential to the approved application. The credential is time-limited (24-hour access tokens, 30-day refresh tokens) and stored as a cryptographic hash — never in plain text.
- The application makes requests to the Trio MCP server using that credential. Trio verifies the credential, checks that your plan, role, and feature settings still qualify, and returns the requested data.
- Data leaves Trio. The response is delivered to the AI application, which forwards it to its AI provider for processing. Once data leaves Trio, it is outside Trio's control.
4. Third-Party Processing
This is the key difference between MCP and other Trio features. With built-in features like "Ask Trio," Trio chooses the AI provider (OpenRouter) and negotiates data-handling terms on your behalf. With MCP, you choose the AI provider, and your data is processed under that provider's terms and privacy practices — not Trio's.
Trio has no contractual relationship with the AI provider you connect. We cannot guarantee how they store, retain, use, or delete your data. Before connecting an AI assistant, review its provider's privacy policy.
5. Consent and Family Permission
Before Trio completes a connection, you must:
- Review the data categories that will be shared
- Confirm that you have permission from your students' families (or parents/guardians of minors) to share their data with the connected application
Studio owners bear responsibility for obtaining family consent. The form of consent you obtain is a matter between you and your families and should be appropriate for your jurisdiction and the sensitivity of the data. We recommend informing families that you use an AI assistant connected to your studio management system and explaining what data the assistant can access.
6. Children's Data
Trio's MCP server is available only to studio owners and admins (adults). Children do not interact with the MCP server directly. However, student records — including records of minors — are among the data categories a connected assistant can read.
If your studio serves students under 13, be aware that sharing their data with a third-party AI provider may implicate the Children's Online Privacy Protection Act (COPPA) or similar laws in your jurisdiction. Trio's consent screen asks you to confirm that you have appropriate family authorization before proceeding.
7. Your Controls
- Enable or disable MCP. The feature is off by default. You can enable or disable it at any time from your studio settings. Disabling it immediately revokes all connected applications.
- Revoke individual connections. Go to Settings → Connected Apps to view active connections and revoke any you no longer want.
- Automatic safeguards. Trio automatically revokes connections if your studio downgrades from the Max plan, the MCP feature is disabled, or your owner/admin role is removed.
8. Audit Logging and Monitoring
Every request a connected AI assistant makes is logged. The audit record includes:
- Which tool was called and when
- The session and studio involved
- The volume of data returned (row count and byte size)
- Whether the request succeeded or failed
Request arguments are stored as cryptographic hashes, not in plain text, to support incident response without creating a secondary store of personal information. Trio monitors for anomalous access patterns (such as unusually high data volume) and may revoke connections to protect studio data.
9. Data Retention for MCP Records
- Session records (which applications are connected, when they were authorized, and revocation history) are retained for the life of your account plus the standard post-cancellation retention period described in the main Privacy Policy.
- Audit logs (tool invocation records) are retained for incident response and compliance purposes. These logs contain hashed arguments and metadata — not raw personal information.
- Data sent to AI providers is outside Trio's retention control. Refer to your AI provider's privacy policy for their retention practices.
10. Your Rights
Your existing rights under the main Privacy Policy — including the right to access, correct, delete, and export your data — apply to MCP-related records. If you are a California resident, your CCPA rights (described in the main Privacy Policy) extend to MCP session and audit data.
To exercise any of these rights, email info@musicaltrio.com.
11. Changes to This Addendum
We may update this addendum as the MCP feature evolves. Changes will be reflected in the "Last Updated" date above. For material changes, we will notify you by email or by posting a notice in Trio, consistent with the notification practices described in the main Privacy Policy.
12. Contact Us
Questions about how MCP handles your data? Contact us at:
Trio Creations, LLC info@musicaltrio.com