How we treat your data

Trust Centre

The full posture: child safety, security, certifications, residency, and incident response. Public, dated, audit-ready.

Why a public trust posture matters

We sell to two audiences who care intensely about how their data is handled. Parents adding their kids to our family app want clarity on where advertising is absent and how child data is protected. Music schools doing procurement reviews want a dossier they can hand to the IT department before approving the spend. The fastest way to serve both is to publish the full posture rather than scatter it across PDFs, sales calls, and back-channel emails.

This Trust Centre is the canonical reference for everything we do in this space. It’s updated whenever we change practice (with the date of change visible at the bottom of each page). It links out to the specific legal documents, privacy notice, terms of service, family privacy notice, where the legally-binding text lives.

If you’re reviewing us as part of a procurement process, start with the page most relevant to your concern. If you’re a parent making a buying decision for your family, child safety is the right entry point. If you’re a school IT lead, start with compliance and security.

The six pillars

Security →

The controls we operate today: encryption, RLS, access control, backup + restore, vulnerability management, incident response, breach-notification timelines, and the security contact path.

Privacy →

What we collect, why, how long we keep it, and what you can do about it. Australian Privacy Principles + GDPR + GDPR-K + COPPA posture in plain English.

Child safety →

How we design products for children: kids never have accounts, no ads, no third-party analytics that profile children. The Australian National Principles for Child Safe Organisations applied to software.

Compliance →

Per-framework status: ISO 27001, ISO 9001, ISO 14001, ISO 27701, COPPA, GDPR-K, APPs, FERPA, PCI-DSS. Standards we already meet first, then certifications in flight.

Sub-processors →

Every category of third party that touches Crescender data, what they see, what region they operate in. Bound by Data Processing Addenda; vendor identities disclosed under DPA.

What we don’t do

Some things are easier to communicate as a hard negative. These commitments apply to child-facing surfaces and family data:

No advertising in Family. My Crescender Family and child-facing surfaces do not show ads and do not include advertising SDKs. Other Crescender products may include advertising for non-paying users.
No third-party analytics that profile children. Our kid surfaces ship with no analytics SDKs that could build a profile of a child’s behaviour for resale or advertising targeting.
No data sales. We don’t sell, rent, or share user data with third parties for their own use. Our sub-processor list is short, categorised by function (cloud database, diagnostics, payments, push, transactional email), and bound by data-processing agreements. Specific vendor identities are disclosed to schools and enterprises under DPA.
No dark patterns. No streak-shaming. No guilt notifications. No “rate us in the App Store” nag. No upsell modals between screens.
No global data movement for storage. User data is stored in Australia, on globally recognised public cloud infrastructure. We don’t replicate it to U.S. or EU regions for “performance” or any other reason.
No locking you in. Every account can export everything via Settings → Export. Every account can be permanently deleted via Settings → Delete account (30-day grace period, then irrecoverable).

A planning workspace with notebooks and a calendar.

Got a procurement question we haven’t answered?

Email hello@crescender.com.au and we’ll answer specifically (and probably add it to the trust pages for everyone else).