Privacy Policy
Effective: June 2026 • Document Ref: TR-PRIV-9.0
At TempoRevenue, we engineer the revenue layer between a music retailer's back office and its customers, and we treat the data that flows through that layer as a regulated, isolated asset. This Privacy Policy explains what data we process, on whose behalf, and the engineering protocols that govern its handling across our services: the Music-Retail Storefront Audit, Checkout Guard, Platform Performance Maintenance, Music Storefront Design, the Rental Enrollment Engine, AI Sales Architecture, and any enterprise Native Mobile engagement.
This Policy works alongside our Terms of Service, which governs the commercial relationship. Where the two address the same subject, this Policy controls on data-handling matters. Capitalized terms not defined here have the meaning given in the Terms of Service.
1. Our Role: Who Controls What
A clear allocation of responsibility is the foundation of this Policy.
- The Client is the Controller. For the personal data of the Client's own customers, leads, and rental applicants ("End-User Data"), the music retailer is the data controller. The retailer determines why and how that data is used. TempoRevenue does not own End-User Data and does not use it for its own purposes.
- TempoRevenue is the Processor. When we build, sync, host, or monitor a Client's commerce infrastructure, we process End-User Data solely on the Client's documented instructions, strictly to perform the engagement. Our processing activities, and the bilateral data-protection commitments that bind them, are set out in the applicable engagement and data-processing terms.
- TempoRevenue is a Controller only for its own business data. We are an independent controller solely for the limited business-contact and account-access data we collect to manage our direct relationship with the Client, described in Section 2.
2. Data We Process & Why
We operate on a principle of minimum viable collection: we process only the data strictly necessary to deliver a given engagement.
- Client Operational Data: Business contact information, authorized-user identities, domain and DNS access, platform/CMS credentials, and (for an enterprise Native Mobile engagement only) App Store Connect / Google Play Console access required for deployment. We are the controller of this category.
- Commerce & Catalog Data: Brand assets, product catalogs (price, specifications, SKU), inventory records, and the API credentials used to build and synchronize storefronts. For a Music Storefront Design, this is limited to the assets and credentials needed to construct and publish the presentation layer; the Client's existing checkout and transactional system remains wholly under the Client's control and is not accessed beyond what the Client expressly provides. We process this category as the Client's processor.
- Synchronization Data (Active-e / Shopify): Inventory, order, and serialized-item records exchanged between the retailer's own licensed Tri-Tech Active-e module and Shopify. TempoRevenue configures, orchestrates, and monitors this exchange using the retailer's own licensed tools and mature, off-the-shelf sync applications; we do not operate a shared cross-client data pipeline. (See Section 4.)
- Rental Enrollment Data: For a Rental Enrollment Engine engagement, the data a parent or guardian enters to complete a school-instrument enrollment — including information about a minor student. This category is subject to the heightened protections in Section 5.
- Technical Telemetry: Performance and stability signals (page-load metrics, Core Web Vitals, error and crash logs, sync-job success rates) used solely to maintain delivered performance. (See Section 6.)
3. AI Sales Architecture — Data Isolation Protocol
Our AI Sales Architecture grounds responses in the Client's own catalog using Retrieval-Augmented Generation (RAG) with a validation layer engineered to reduce inaccurate output. The data handling behind it is governed by the following commitments.
We use enterprise-grade model APIs under terms that do not permit the provider to train its public foundation models on the Client's inputs and outputs. The Client's catalog data, pricing guardrails, and conversation logs are not used to train public AI models. The Client's brand intelligence remains the Client's.
Each response is retrieved from the relevant Client's own catalog and inventory context. We do not pool, cross-reference, or commingle one retailer's data with another's to answer a query. (See Section 4.)
The accuracy of AI output depends on the data the Client supplies for ingestion. The Client is responsible for ensuring its ingested catalog and inventory data are accurate, current, and cleared for this use.
4. Bilateral Data Isolation & the Knowledge Moat
Because we serve multiple retailers in the same vertical, isolation between Clients is a strict architectural and legal commitment, not a best-effort promise. It is also how we maintain compliance with competition law.
- No cross-client commingling. Every engagement is governed by a bilateral data-protection arrangement under which we do not share, pool, benchmark, or expose any Client's transactional parameters, lease rates, inventory balances, pricing, or identifiable End-User Data to or with any other Client. We do not operate a shared transactional database across retailers.
- Competition-law posture. This bilateral isolation is designed to keep our work within the bounds of Section 1 of the U.S. Sherman Act by preventing the exchange of competitively sensitive information among competing retailers.
- What we may aggregate. Any insight product we publish is built only from public-domain industry sources (such as NAMM and Music Trades indices) and from anonymized metrics that individual Clients have separately and affirmatively consented to contribute. Where we publish an aggregated industry report, it draws solely from those public and consented sources and never reconstructs an individual retailer's confidential figures.
- Frontend isolation. Storefronts we build read exclusively from the Shopify Storefront API. They do not query the Client's AIM/AIMsi installation, ERP, or on-premise databases directly, which keeps the latency-sensitive customer experience decoupled from back-office systems.
5. Hosting, Telemetry & the Performance Mandate
When we host a storefront, run a Checkout Guard migration, or provide ongoing monitoring under an active support or maintenance engagement, traffic and signals pass through infrastructure we manage on the Client's behalf.
We monitor technical telemetry — load metrics, Core Web Vitals, error and crash logs, push-delivery rates where applicable, and synchronization stability — solely to maintain the performance we delivered and documented. We do not inject proprietary advertising trackers, harvest End-User browsing histories, or track device location for advertising. TempoRevenue is a performance-infrastructure provider, not a data broker, and we do not sell or share End-User Data.
6. Payments & Checkout Privacy
We never hold the vault. TempoRevenue does not process, capture, or store End-User payment credentials (card numbers or bank details). Checkout and transaction data are handled by the Client's designated, PCI-compliant payment processor (such as Shopify Payments or Stripe). Our Checkout Guard work operates above that layer: we engineer and harden the checkout experience and its custom logic, while the payment data itself flows directly to the Client's processor.
Device-level wallets. Where an engagement integrates Apple Pay or Google Wallet, those rely on operating-system tokenization. We build the secure bridge to those services; we do not intercept, log, or store wallet tokens or biometric authentication.
7. Lead Capture & Handoff
When a storefront or AI Sales Architecture captures a lead (such as a name, phone number, or high-ticket inquiry), that data is routed to the Client's designated sales channel or CRM.
TempoRevenue acts as a secure conduit. The Client remains the sole owner of all leads captured on its own assets.
8. Retention, Export & Destruction
The Client may take its data and leave at any time. We retain data only as long as needed to deliver the engagement, or as required by law.
- • The Client may request a full export of its custom frontend codebase, AI configurations, sync configuration, and captured leads. Where an enterprise Native Mobile engagement produced native source code, that source is included in the export.
- • Where TempoRevenue holds administrative ownership of Apple App Store or Google Play Store applications built for the Client under an enterprise engagement, that ownership is transferred back to the Client on termination.
- • Within 15 days of offboarding, we execute a cryptographic wipe of the Client's specific vector databases, hosted assets, API keys, and credentials from our active environments, subject to any short, documented retention required for legal or backup-rotation purposes.
9. Sub-Processors
To deliver our services we rely on a limited set of reputable infrastructure and platform providers acting as sub-processors, which may include cloud hosting and edge delivery (such as Amazon Web Services and Cloudflare), the Client's own commerce platform (Shopify), the Client's licensed back-office and synchronization tooling (Tri-Tech AIM / Active-e and the off-the-shelf sync applications selected for the engagement), and the enterprise AI model provider used for an AI Sales Architecture. Each is engaged under terms designed to uphold the protections described in this Policy. The Client's own license relationships with these providers remain the Client's responsibility.
10. Regulatory Compliance & Individual Rights
Our systems are engineered to support compliance with major privacy frameworks, including the GDPR and the CCPA/CPRA, through data minimization, role separation, and enterprise-grade encryption across our hosting, synchronization, and AI environments. Because TempoRevenue typically acts as a processor on the Client's behalf, requests from individual end users to access, correct, or delete their data are directed to the relevant Client as the data controller; we support our Clients in responding to such requests as required by law.
11. Changes to This Policy & Contact
We may update this Policy prospectively to reflect changes in our services or legal obligations; material changes will be posted here with a revised effective date. Questions about this Policy or a data-handling matter can be directed to TempoRevenue through the contact details listed on our site.