Evergreen Strings Studio

Privacy Policy

Effective date: April 18, 2026 Last updated: April 19, 2026

This is the long version of how I handle your information. The plain-English summary lives in section 2. If anything here raises a question, email me and I’ll answer it in plain sentences.

1. Who we are

Evergreen Strings Studio (“Evergreen Strings Studio,” “we,” “us,” or “our“) is a private music-education studio operated by Emily Gasper in Brownsburg, Indiana, United States. This Privacy Policy explains how we collect, use, disclose, and protect personal information when you visit evergreenstringsstudio.com (the “Site“), submit a message or sign-up through the Site, or otherwise interact with us online.

If you have questions about this policy, contact us at:

  • Email: emily@evergreenstringsstudio.com
  • Mail: Evergreen Strings Studio, 7230 Arbuckle Commons, Brownsburg, IN 46112

2. Summary (plain-language)

  • We are a one-person music studio. We collect the minimum information needed to respond to your message and deliver lessons.
  • To run the Site we rely on third-party tools for hosting, email, forms, scheduling, analytics, communication, and similar operational purposes. The categories of providers we use are listed in §10. Specific vendors change from time to time as we try and retire tools.
  • We do not knowingly collect personal information from children under 13. Parents or guardians submit inquiries on behalf of minor students.
  • We do not sell your personal information and we do not “share” it for cross-context behavioral advertising as those terms are defined by the CCPA/CPRA. We do not share your information with data brokers.
  • You can ask us to access, correct, or delete your information at any time. See §13.

3. Information we collect

3.1 Information you provide directly

When you use a form on the Site (including any contact, inquiry, sign-up, or scheduling form we may operate), or communicate with us by email, text, or phone, we may receive:

  • Parent or guardian (or adult student) name.
  • Parent or guardian (or adult student) email address and, optionally, phone number.
  • Prospective student’s first name and age.
  • Current musical experience level and what the student is hoping to work on.
  • Preferred lesson times, scheduling notes, and any free-text message you choose to include.

We deliberately do not ask for a student’s full legal name, home address, school, birth date, or any other identifier that is not necessary to schedule a first lesson.

3.2 Information collected automatically

When you visit the Site, our hosting provider and the operational tools listed in §10 may automatically collect:

  • Server logs: IP address, browser user-agent, pages viewed, timestamps, referring URL.
  • Performance and cache cookies (for example, from a caching layer) set to deliver pages efficiently.
  • Site-functional cookies set by WordPress if you log in or comment.
  • Analytics and product-usage data — aggregate traffic counts, page views, session information, and performance metrics, collected through privacy-respecting analytics or monitoring tools we may deploy from time to time. Where feasible we configure such tools to minimize or anonymize IP addresses and to exclude cross-site tracking.
  • Form-protection records — when you submit a form we may record the submitting IP address temporarily so we can block abusive traffic. These records are automatically purged.

We do not use fingerprinting or ad-retargeting cookies, and we do not load advertising pixels from ad networks. If we later change that, we will update this policy and, where consent is required by law in your jurisdiction, request your consent before such tracking is loaded.

3.3 Information we do not collect through the Site

  • We do not request, store, or knowingly receive financial account numbers, Social Security numbers, driver’s-license numbers, passport numbers, health records, or biometric data through the Site.
  • We do not collect precise geolocation. Coarse location may be inferred from IP address in ordinary server logs.

4. How we use your information

We use the information above for the following purposes, and only for these purposes:

1. To respond to your message and schedule a first lesson. 2. To communicate about lessons — scheduling, recital notices, policy updates — once you are enrolled as a student or parent of a student. 3. To operate, secure, analyze, and improve the Site, including logging abusive or malformed requests and understanding how visitors use the Site in aggregate. 4. To comply with applicable law, respond to lawful requests from authorities, and enforce our Terms of Service.

We do not use your information for cross-context behavioral advertising, targeted advertising, or automated decision-making that produces legal or similarly significant effects.

5. Legal bases for processing (EU/UK visitors)

If you are in the European Economic Area, the United Kingdom, Switzerland, or a comparable jurisdiction with a legal-basis regime, the bases on which we process your information are:

  • Consent — you have voluntarily submitted a form or contacted us, or consented to optional cookies where consent is required.
  • Contract — processing is necessary to take steps at your request prior to entering into a services agreement (a first lesson or ongoing lessons).
  • Legitimate interests — operating a secure, functional website, understanding site usage in aggregate, and responding to enrolled-family communications, balanced against your privacy rights.
  • Legal obligation — where we are required to process information to comply with applicable law.

You can withdraw consent at any time by emailing emily@evergreenstringsstudio.com. Withdrawal does not affect processing that already happened.

6. Children’s privacy (COPPA compliance)

We teach children. We take their privacy seriously.

  • The Site is not directed to children under 13, and we do not knowingly collect personal information directly from children under 13.
  • All inquiries and sign-ups must be submitted by a parent or legal guardian. Our forms ask for the parent’s email, not the child’s.
  • Beyond a prospective student’s first name and age, we do not request or retain identifying information about minors through the Site.
  • If you are a parent or guardian and believe we have collected information from your child that violates the Children’s Online Privacy Protection Act (COPPA), please email emily@evergreenstringsstudio.com and we will promptly delete that information and confirm deletion.
  • Once a student is enrolled, we maintain only the information strictly necessary to deliver instruction and communicate with the family: parent contact details, lesson schedule, tuition records, and lesson-progress notes. Lesson-progress notes are kept for teaching continuity and are not shared outside the studio without written parental consent, except as required by law.

7. How we share information

We share personal information only in the following circumstances:

1. Service providers and processors. We share information with third-party tools and providers that help us operate the Site, schedule lessons, communicate with families, accept payments (when applicable), and analyze how the Site is performing. Each provider is bound by its own terms and, where legally required, by a data-processing agreement that limits processing to the purposes we authorize. Categories of providers are described in §10. 2. Legal compliance. We may disclose information if required by law, subpoena, court order, or regulatory request, or to protect the rights, property, or safety of the studio, its students, the public, or ourselves. 3. Business transfer. In the unlikely event that the studio is sold, merged, or reorganized, personal information may be transferred to the acquiring entity subject to this policy or a successor policy offering equivalent protection. 4. With your consent. Any other sharing will happen only with your explicit, case-by-case consent — for example, using a student’s recital photo on our website or social media.

We do not sell personal information, and we do not “share” personal information for cross-context behavioral advertising as those terms are defined by the CCPA/CPRA. We do not share personal information with data brokers, advertisers, or marketing networks.

8. Analytics and measurement

We may use privacy-respecting analytics, error-monitoring, heatmap, or session-telemetry tools to understand how the Site performs and how visitors use it. Where these tools are used:

  • We configure them to minimize or anonymize personal data where possible (for example, truncated IP collection).
  • We do not combine analytics data with advertising identifiers or cross-site trackers.
  • In jurisdictions where such tools require consent before loading (for example, the EU/UK under the ePrivacy Directive), we will obtain that consent through a banner or similar mechanism before loading non-essential analytics.

What’s active today. We run a first-party, server-side pageview counter built into our own WordPress plugin. It records the page path, the device class (phone / tablet / desktop), the referring website’s hostname, and a visitor identifier that is a SHA-256 hash of a salt that rotates every twenty-four hours combined with your IP address and browser family. No cookies are set. No third-party services receive data. Your IP address is never stored in plaintext, and because the hashing salt rotates daily, the identifier cannot be linked to a visitor across days. Raw rows are deleted after thirty days. Aggregate counts (total visits per page, top referrers, phone-vs-desktop split) are emailed to the studio owner in a daily internal digest.

The current category list in §10 reflects what’s in use. You can always ask us what specific tool is active at a given time.

9. Cookies and similar technologies

We use cookies and similar technologies for a few purposes:

  • Strictly necessary — to keep the Site functional (session, caching, CSRF protection, form protection). Cannot be disabled without degrading the Site.
  • Functional — to remember non-essential preferences if you make any.
  • Analytics — set by any analytics or measurement tool we operate (see §8). In the EU/UK/jurisdictions requiring consent, these load only after consent.
  • Third-party embeds — embedded third-party content (maps, video players, forms) may set cookies from those third parties when you interact with them.

We do not use advertising or retargeting cookies.

You can manage cookies through your browser’s settings and, where we operate a consent banner, through that banner. Disabling strictly necessary cookies may prevent parts of the Site from loading correctly.

10. Third-party processors (by category)

The Site runs on third-party infrastructure. We do not operate the underlying servers, and we use a range of software-as-a-service tools to run a small studio efficiently. Specific vendors may change over time; the categories of processors we may use include:

  • Web hosting, CDN, and DNS — to serve the Site.
  • Transactional email and outbound messaging — including transactional email providers, SMTP relays, SMS providers, and the mail transport built into WordPress.
  • Forms, scheduling, and inquiry intake — form builders, scheduling/booking tools, calendar tools, and inquiry-intake platforms.
  • Customer relationship management (CRM) and studio administration — tools for tracking inquiries, enrollments, attendance, and communication history.
  • Payment processing and invoicing — if and when the studio accepts payment online, through a PCI-compliant payment processor. No card data is stored on the Site.
  • Analytics, performance monitoring, error reporting, and site search — as described in §8.
  • Content delivery, embedded maps, and embedded video — including maps and media embeds from third-party providers.
  • Security and abuse-prevention — CAPTCHA providers, bot-detection services, and rate-limiting services.
  • Productivity and AI assistance — business-productivity suites, AI writing/summarization/transcription tools, and similar tools used internally to draft replies, manage the studio calendar, or prepare teaching materials. Information you submit may be processed by such tools in the ordinary course of responding to you. We do not feed identifying information about minors into public AI tools.
  • Backup and disaster recovery — backup providers that store encrypted copies of the Site and the studio’s operational data.

Each provider operates under its own privacy policy and, where legally required, a data-processing agreement. A current list of the specific vendors in use is available on request by emailing emily@evergreenstringsstudio.com.

If we introduce a new category of processor that materially changes how we handle personal information, we will update this policy and, where legally required, obtain your consent before the change takes effect.

11. International transfers

Because our hosting and SaaS providers operate data centers in multiple regions, your information may be processed outside your country of residence, including in the United States, the United Kingdom, the European Union, Canada, and other regions where our providers operate. Where applicable, we rely on Standard Contractual Clauses, the UK International Data Transfer Agreement, the EU-U.S. Data Privacy Framework, or equivalent safeguards offered by our providers to ensure your information receives a level of protection consistent with the law of your jurisdiction.

12. Retention

We retain personal information only as long as needed for the purposes described in this policy:

  • Inquiries that do not lead to enrollment — up to 12 months, then deleted or anonymized.
  • Enrolled-student records — while the student is enrolled, plus up to 7 years for tax and business-records purposes, after which non-essential information is deleted.
  • Server and security logs — retained by the relevant provider per its own policy, typically 30–180 days.
  • Form-protection and rate-limit records — automatically purged on a short cycle.
  • Financial records — retained per Indiana and federal recordkeeping requirements (typically 7 years).
  • Recital photos/videos used with consent — retained until you withdraw consent, at which point we will delete them within 30 days.

You can request earlier deletion at any time. See §13.

13. Your rights

Regardless of where you live, you may ask us to:

  • Access the personal information we hold about you.
  • Correct information that is inaccurate.
  • Delete information we no longer need.
  • Opt out of future, non-essential communications.
  • Obtain a portable copy of information you provided, where applicable law gives you that right.

Additional rights apply depending on your residence:

13.1 California (CCPA/CPRA)

California residents may request disclosure of the categories and specific pieces of personal information we have collected, the categories of sources and recipients, and the business or commercial purposes for collecting or sharing it. California residents may also:

  • Request deletion of personal information (subject to permitted exceptions).
  • Request correction of inaccurate personal information.
  • Opt out of any “sale” or “sharing” of personal information. We do not “sell” or “share” personal information as those terms are defined under the CCPA.
  • Limit the use of sensitive personal information. We do not use sensitive personal information for purposes that would trigger this right.
  • Designate an authorized agent to act on your behalf.
  • Be free from retaliation for exercising any of these rights.

13.2 European Economic Area, United Kingdom, Switzerland

You have rights to access, rectification, erasure, restriction of processing, data portability, and objection (including objection to processing based on legitimate interests). You may withdraw consent at any time, and you may lodge a complaint with your local supervisory authority.

13.3 Other U.S. state laws

Residents of states with comprehensive privacy laws (including Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Minnesota, Montana, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, Virginia, and others enacted since) may exercise substantially similar rights. We respond to verified requests within the timeframe required by applicable law.

13.4 Canada (PIPEDA / provincial equivalents)

Residents of Canada may request access to and correction of personal information, and may withdraw consent (subject to legal and contractual restrictions). You may also file a complaint with the Office of the Privacy Commissioner of Canada or the applicable provincial authority.

13.5 How to exercise

Email emily@evergreenstringsstudio.com with a clear description of your request and enough information for us to verify your identity. We respond within the timeframe required by applicable law (generally 30–45 days, with one extension permitted where the law allows).

14. Security

We take reasonable and appropriate technical and organizational measures to protect personal information against loss, misuse, unauthorized access, disclosure, alteration, and destruction:

  • HTTPS/TLS for all Site traffic.
  • Form protection (rate-limiting, anti-bot, and challenge mechanisms).
  • Access controls on the WordPress admin with strong passwords and, where supported, multi-factor authentication.
  • Regular security updates to the Site’s platform, theme, and plugins.
  • Vendor selection criteria that prioritize providers with documented security practices.

No method of transmission or storage is 100% secure. We cannot guarantee absolute security, and we encourage you to take common-sense precautions (unique passwords, up-to-date browsers, skeptical review of suspicious email).

15. Do-Not-Track and Global Privacy Control

Our Site does not respond to legacy Do-Not-Track browser signals because there is no industry consensus on how to interpret them. Where required by law (including for California residents), we treat a browser Global Privacy Control (GPC) signal as a valid opt-out of “sale” or “sharing” of personal information. Because we do not sell or share personal information for cross-context behavioral advertising, a GPC signal changes nothing about how we handle your data, but we honor it as a valid opt-out signal nonetheless.

16. Links to other sites

The Site may link to third-party websites and embed third-party content (for example, map and video embeds, external sign-up forms, social media, and affiliated organizations). We are not responsible for the privacy practices of those sites. Review their policies before submitting information.

17. Changes to this policy

We will post material changes to this policy on this page and update the “Last updated” date at the top. Where a change materially expands how we collect or share personal information, we will, where legally required, give advance notice and obtain your consent before the change takes effect for you. For significant changes, we may additionally notify enrolled families by email. Your continued use of the Site after an update constitutes acceptance of the revised policy to the extent permitted by law.

18. Contact

Questions, requests, or complaints about this policy can be directed to:

  • Email: emily@evergreenstringsstudio.com
  • Mail: Evergreen Strings Studio, 7230 Arbuckle Commons, Brownsburg, IN 46112

If you believe we have not addressed your concern, you may have a right to file a complaint with a relevant regulator (the FTC in the United States, your state attorney general, your national or provincial data-protection authority, or the EU supervisory authority where you reside).