Privacy Policy
Compliance: PIPEDA (Canada), PIPA (BC), GDPR (EU), and UK GDPR.
1. Information We Collect
We process data required for ballet production management:
- Administrative: Name, business email, and billing info.
- Dancer/Staff Data: Contact info, physical measurements, health/injury status, visa/citizenship info, performance history, and union details.
- Technical: IP address and usage logs via Vercel and Sentry.
- AI Processing: When using integrated AI features, relevant data (such as union contracts) may be processed by Anthropic.
- Google Calendar Data: When you connect your Google account, we access your Google Calendar events and schedule data solely to provide schedule synchronization features within Prima.
2. Third-Party Services and Data Processors
We rely on subprocessors (listed below) to run PRIMA. Each provides its own service and may process personal data on our instructions or as an independent controller, as described in its policies.
- Clerk (clerk.com) — authentication and user identity. Privacy policy
- InstantDB (instantdb.com) — real-time database and data storage. Privacy policy
- Stripe (stripe.com) — payment processing and billing. Privacy policy
- Sentry (sentry.io) — error tracking and monitoring. Privacy policy
- Resend (resend.com) — transactional email delivery. Privacy policy
- Anthropic (anthropic.com) — AI features, including union rules document parsing and schedule assistance. Privacy policy
- AeroDataBox via RapidAPI (aerodatabox.com) — flight status and travel data. API access runs through RapidAPI's marketplace, which may process marketplace account details and technical request metadata. RapidAPI privacy policy
- Vercel (vercel.com) — hosting and infrastructure. Privacy policy
- Google (google.com) — Google Calendar integration when you connect your account (optional, user-initiated). Privacy policy
3. Sharing, Transfer, and Disclosure of Google User Data
When you authorize Prima to access your Google Calendar, we handle that data as follows:
- We do not sell Google user data to any third party.
- We do not share Google user data with third parties for advertising, marketing, or any purpose unrelated to providing the Prima scheduling service.
- Limited internal use: Google Calendar data is accessed only by Prima's backend infrastructure (hosted on Vercel) and stored transiently in InstantDB solely to render and synchronize your schedule within the app. No other subprocessors receive raw Google Calendar data.
- No transfer for AI/ML training: Google user data is never transferred to Anthropic or any other party for the purpose of training, improving, or developing AI or machine learning models.
- Legal disclosure: We may disclose data if required by law, court order, or to protect the rights and safety of our users or the public, in which case we will notify you to the extent permitted by law.
- Business transfer: In the event of a merger, acquisition, or sale of assets, Google user data would only be transferred to a successor that agrees to honor this policy and the Google API Services User Data Policy.
4. Legal Basis and Usage
We process data for Contractual Necessity (providing the service) and Legal Obligation (tax/labor reporting). For sensitive data (health/measurements), we rely on your Explicit Consent provided at the time of entry. We use Google Calendar via OAuth for schedule synchronization.
5. Data Protection Mechanisms for Sensitive Data
We apply the following technical and organizational measures to protect personal data, with heightened controls for sensitive categories (health status, physical measurements, visa/citizenship):
- Encryption in transit: All data transmitted between your browser, our servers, and subprocessors is encrypted using TLS 1.2 or higher.
- Encryption at rest: Personal data stored in InstantDB is encrypted at rest. Automated backups are stored in encrypted snapshots.
- Access controls: Access to personal data is restricted to authorized Prima personnel on a need-to-know basis. Administrative access requires multi-factor authentication.
- Sensitive data isolation: Health, injury, and measurement data is treated as a special category. It is only accessible to users within your organization who have been explicitly granted access, and is never exposed to third-party subprocessors except where strictly necessary for service operation.
- Google OAuth tokens: Google access tokens and refresh tokens are stored encrypted and are never logged, exposed in URLs, or transmitted to any third party. You may revoke Prima's access to your Google account at any time via your Google account security settings.
- Subprocessor controls: All subprocessors handling personal data are bound by Data Processing Agreements (DPAs) requiring appropriate technical and organizational security measures.
- Incident response: In the event of a data breach affecting your personal data, we will notify affected users and relevant supervisory authorities as required by applicable law (GDPR Article 33/34, PIPEDA).
6. Data Retention and Deletion
Upon contract termination, data is deleted from active production databases immediately. Residual data persists in encrypted, automated system snapshots for a maximum of 30 days for disaster recovery purposes, after which it is permanently overwritten. Google Calendar access tokens are revoked and deleted upon disconnection of the integration or account termination.
7. Google API Services: Limited Use Disclosure
Prima's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- Prima uses Google Calendar data only to provide and improve the scheduling features within the Prima application that you explicitly requested by connecting your Google account.
- We do not use Google user data to serve advertisements.
- We do not allow humans to read Google user data unless we have your affirmative agreement, it is necessary for security purposes, it is necessary to comply with applicable law, or our use is limited to internal operations and the data has been aggregated and anonymized.
- We do not use or transfer Google user data for purposes that are not disclosed in this Privacy Policy.
8. Subprocessors, Agreements, and Security
Third-party vendors we use are listed in our Subprocessor List. A GDPR Article 28-style processing framework is described in our Data Processing Agreement. Security practices are summarized on our Security page.
9. Your Rights
If you are in the European Union or European Economic Area, the rights below apply to you under the GDPR. If you are in the United Kingdom, equivalent rights apply under the UK GDPR. We will respond to valid requests in line with applicable law.
- Right to access your data — You can ask what personal data we hold about you and receive a copy in many cases.
- Right to correct inaccurate data — You can ask us to fix personal data that is wrong or incomplete.
- Right to delete your data — You can ask us to erase your personal data when the law allows (for example, when it is no longer needed or you withdraw consent where consent was required). You can also start a deletion request by emailing support@theprima.app.
- Right to restrict processing — You can ask us to limit how we use your personal data in certain circumstances.
- Right to data portability — Where processing is based on contract or consent and done by automated means, you can ask for a structured, commonly used copy of certain data so you can move it to another service where technically feasible.
- Right to object to processing — You can object to certain processing, including where we rely on legitimate interests (subject to exemptions under law).
- Right to withdraw consent at any time — Where we process data based on your consent, you can withdraw it without affecting the lawfulness of processing before withdrawal.
- Right to lodge a complaint with a supervisory authority — You may complain to the data protection regulator where you live or work if you believe we have not handled your data lawfully.
Contact
For privacy inquiries or to exercise your rights, contact:
Stefan Stewart
Prima
Vancouver, BC
support@theprima.app