We use the information we collect to:

• Operate, maintain, and improve the Coryo platform and its features
• Authenticate your identity and secure your account against unauthorized access
• Process and manage your subscription and payments
• Enable collaboration features, project sharing, and team management
• Deliver and personalize platform features (e.g., formation detection, video and audio overlay, rehearsal scheduling)
• Screen uploaded video, audio, and image content for prohibited material using automated moderation systems
• Detect and prevent account sharing, ban evasion, storage abuse, and other violations of our Terms of Service
• Analyze session patterns, concurrent logins, and device signals to identify potential policy violations
• Communicate with you about your account, platform updates, and support requests
• Send transactional emails (confirmations, password resets, subscription notices)
• Send marketing communications — you may opt out at any time
• Comply with applicable legal obligations and enforce our Terms of Service
• Analyze aggregate, anonymized usage patterns to improve the platform

To maintain a fair and secure Platform for all users, we collect and process certain signals specifically to detect abuse, enforce our Terms of Service, and protect Platform integrity. This processing is in our legitimate interests as a SaaS provider and is disclosed here in full.

We share your information only in the following limited circumstances:

Service providers: We share data with trusted third-party vendors who help us operate the Platform, including cloud infrastructure (Supabase), payment processing (Stripe), content moderation, and analytics services. These providers are contractually bound to process your data only to provide services to us and may not use it for their own purposes.

Collaborators: Content and profile information you share within a Coryo project is visible to your authorized project collaborators as you configure within the Platform. You control who has access to your projects.

Legal requirements: We may disclose your information if required to do so by law, court order, subpoena, or government authority, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, or to investigate fraud or a security breach.

Business transfers: If JLSS is involved in a merger, acquisition, reorganization, or sale of all or substantially all of our assets, your information may be transferred as part of that transaction. We will provide notice before your information is transferred and becomes subject to a different privacy policy.

Enforcement: We may share account and usage information with legal counsel or relevant authorities in connection with enforcement of our Terms of Service, including investigation of abuse, fraud, or intellectual property violations.

With your consent: We may share your information for any other purpose with your explicit prior consent.

We retain your personal information for as long as your account is active or as needed to provide you services. Specific retention practices:

• Account data: retained for the lifetime of your account and deleted or anonymized within 90 days of account closure
• User Content (formations, videos, audio): deleted upon account closure or as described in our data retention policy, subject to any legal hold requirements
• Session and abuse-detection signals: retained for up to 12 months to support ongoing fraud and abuse prevention
• Moderation logs: retained for up to 24 months for legal compliance and audit purposes
• Payment records: retained as required by applicable tax and financial regulations (typically 7 years)
• Communications and support records: retained for up to 3 years

You may request deletion of your personal data at any time (see Section 6). We may retain certain data beyond these periods where required by law, to resolve disputes, prevent fraud, or enforce our agreements.

We do not guarantee data availability after account closure — you are responsible for maintaining your own backups of content you upload to the Platform.

Depending on your jurisdiction, you may have the following rights regarding your personal information:

• Access: request a copy of the personal data we hold about you
• Correction: request that we correct inaccurate or incomplete data
• Deletion: request deletion of your personal data (subject to legal obligations and legitimate retention needs)
• Portability: request your data in a structured, machine-readable format
• Restriction: request that we restrict processing of your data in certain circumstances
• Objection: object to processing based on our legitimate interests
• Withdrawal of consent: withdraw consent at any time where processing is based on consent (without affecting the lawfulness of prior processing)
• Marketing opt-out: unsubscribe from marketing emails at any time using the link in any email or by contacting us

Canadian residents have rights under PIPEDA, including the right to access and correct personal information we hold about you. Residents of other jurisdictions may have additional rights under applicable local law (e.g., GDPR for EEA residents, CCPA for California residents).

To exercise any of these rights, contact us at inquiries@pcoryo.com. We will respond within 30 days. We may need to verify your identity before processing your request.

We implement industry-standard technical and organizational security measures to protect your information, including:

• Encryption in transit using TLS for all data transmitted between your browser and our servers
• Encryption at rest for stored data, including uploaded media files
• Role-based access controls limiting employee and system access to personal data
• Session management controls, including timeout and concurrent session monitoring
• Regular security reviews and vulnerability assessments
• Infrastructure hosted on Supabase (SOC 2 Type II certified)

Despite these measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security against all threats. If you believe your account has been compromised or you have identified a security vulnerability, contact us immediately at inquiries@pcoryo.com.

Coryo is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13 without verifiable parental consent, we will take steps to delete that information promptly.

Users between 13 and 18 may use Coryo only with the consent of a parent or legal guardian, who agrees to these Terms on their behalf. If you are a parent or guardian and believe your child has provided us with personal information without your consent, please contact us at inquiries@pcoryo.com.

Coryo is operated from Canada. Your information may be processed and stored in Canada and/or the United States by us and our service providers (including Supabase and Stripe). By using Coryo, you consent to the transfer of your information to these jurisdictions, which may have different data protection laws than your country of residence.

Where applicable, we rely on appropriate legal mechanisms (such as standard contractual clauses or adequacy decisions) when transferring personal data internationally.

We may update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or Platform features. When we make material changes, we will update the "Last Updated" date at the top of this document and provide notice via email or in-app notification at least 14 days before the changes take effect.

For non-material changes (such as clarifications or formatting), we may update this policy without advance notice. Your continued use of Coryo after any update constitutes acceptance of the revised policy. If you do not agree to the updated policy, you must stop using the Platform and may close your account.

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: