PRIVACY POLICY

Musical Form Institute

Effective Date: February 28, 2026

1. Introduction

This Privacy Policy describes how Muse Foundry LLC, doing business as Musical Form Institute ("MFI," "we," "our"), collects, uses, and protects information when you interact with our websites, including musicalform.org and registry.musicalform.org (collectively, the "Site"), and when you participate in the Certificate of Embodied Production™ (CEP) certification process.

MFI operates a certification program for sound recordings. Our interactions with individuals fall into two categories: general visitors who browse the Site and Registry, and certification participants (artists and label representatives) who submit information as part of the CEP certification process. This policy covers both.

2. Information We Collect

2.1 Website and Registry Browsing (All Visitors)

When you visit the Site or browse the public Registry, we collect limited information:

- Google Analytics data. We use Google Analytics to measure Site usage (for example, pages viewed, time spent on pages, referral sources, browser type, device information, and approximate location derived from IP address). Google Analytics typically uses cookies and similar technologies to collect this information.

- Server and security logs. Like most websites, our servers may receive information such as your IP address, browser type, and the date/time of your request.

- No user accounts are required to view the public Registry.

Choices and controls:

You can control cookies through your browser settings. You can also opt out of Google Analytics by installing Google’s opt-out browser add-on: https://tools.google.com/dlpage/gaoptout. You may also be able to limit Google’s use of data from partner sites via Google’s ad settings: https://adssettings.google.com.

We do not use information collected via the Site to deliver targeted advertising. If our analytics configuration changes in a way that materially affects how personal information is collected or used, we will update this policy.

2.2 Certification Process (Artists and Label Representatives)

When you participate in the certification process, including by signing an attestation through our clickwrap system, we collect the following:

- Full name (as entered by the signer)

- Email address (provided by the submitting label or entered directly)

- Attestation selections (which tracks were attested and which were withdrawn)

- Signature timestamp (date and time of signing)

- IP address at the time of signing

- Browser user agent string at the time of signing

- Token identifier linking the signing event to a specific certification batch

This information is collected when you click the attestation link in your email and complete the signing form on registry.musicalform.org/attest.

2.3 Audio Files

Master audio files may be submitted to MFI by label partners as part of the certification review process. Audio files are not collected from artists directly through the Site. Audio files are submitted via secure file transfer links provided to label contacts.

2.4 Information We Do Not Collect

- We do not collect payment or financial information through the Site. Certification fees are invoiced separately.

- We do not collect DAW session files or stems. At most, a session screenshot may be requested from the submitting label.

- We do not require user accounts or passwords for Registry access.

3. How We Use Your Information

3.1 Certification Processing

We use certification-process information:

- To verify the identity of the signer and associate the attestation with the correct recordings.

- To create a durable, tamper-evident audit trail for each certification decision. The attestation record serves as evidence that the signer affirmed the production methods used.

- To send attestation invitation emails to the artist email address provided by the submitting label.

- To communicate with label contacts regarding batch status, certification decisions, and related operational matters.

3.2 Fraud Prevention and Integrity

IP address and user agent data are collected to support the integrity of the attestation process. This data provides evidence that the attestation was completed using a web browser and helps identify potentially unauthorized or fraudulent signing activity.

3.3 Site Improvement

Google Analytics and similar aggregate measurements may be used to understand Site usage patterns and improve the Site.

3.4 No Marketing Use

We do not use personal information collected through the certification process for marketing purposes. We do not sell or rent personal information. We also do not share personal information for cross-context behavioral advertising.

4. Who We Share Information With

MFI shares information only in the following limited circumstances:

- Service providers. We use vendors to operate the Site and certification workflow (for example, website hosting, database services, email delivery, automation, and secure file storage). These vendors process information on our behalf to provide their services to us.

- Google Analytics. Site usage information is shared with Google Analytics as described above.

- Third-party audio analysis providers. As part of the review process, audio files may be transmitted to third-party audio analysis services for screening (including AI-generated content detection). These providers return analysis results to MFI. We do not authorize service providers to use submitted audio for their own product training or marketing purposes. Provider handling and retention policies vary; additional details are available to applicants upon request.

- Public Registry. Certified recordings are listed in the public Registry with the artist name, track title, CEP ID, ISRC, genre (if provided), certification date, and standards version. Signer email addresses, IP addresses, and user agent data are never published in the Registry.

- Label partners. Certification decisions (Certified, Denied, Withdrawn) are communicated to the submitting label. The attestation audit log (including signer name and signing timestamp) may be shared with the label as part of the certification record.

- Legal compliance. We may disclose information if required by law, subpoena, or legal process, or if we believe disclosure is necessary to protect the rights, safety, or property of MFI, our users, or the public.

We do not share personal information with other third parties outside the categories above.

5. Data Retention

We retain information for as long as reasonably necessary to operate the Site and to administer and defend the integrity of the certification program, subject to applicable law. In practice:

- Website analytics. Google Analytics data is retained according to our Google Analytics account settings and then deleted or anonymized on a rolling basis.

- Attestation and certification records. Attestation audit logs and core certification records are maintained on a long-term basis because the certification program relies on a durable, tamper-evident audit trail.

- Public Registry entries. Registry entries for certified recordings are maintained as a public record. If a certification is revoked, the Registry entry is updated to reflect the revocation.

- Audio files. Master audio files are retained only as long as needed for review and quality control. Unless we have a legitimate need to retain longer (for example, to address a dispute, appeal, or legal hold), we delete master audio files within 30 days after a certification decision.

6. Data Security

MFI uses reasonable administrative, technical, and physical safeguards to protect personal information, including access controls and least-privilege access for internal systems. Where supported by our vendors, data is transmitted over encrypted connections (HTTPS/TLS).

No system is completely secure. While we take reasonable measures to protect your information, we cannot guarantee absolute security.

7. Your Rights

If you have participated in the certification process and wish to understand what personal information MFI holds about you, you may contact us at the address below. We will respond to reasonable requests within 30 days.

Please note the following limitations:

- Attestation Log records cannot be modified or deleted. The audit trail is write-once by design. This is necessary to maintain the integrity of the certification process.

- Public Registry entries for certified recordings reflect the certification decision and are maintained as a public record. If a certification is revoked, the Registry entry is updated to reflect the revocation.

- If you believe your personal information was submitted to MFI in error (for example, if a label provided an incorrect email address), contact us and we will work to correct the issue where appropriate.

If you are a California resident and you submit a request, we will process it consistent with applicable law. Because we do not sell personal information or share it for cross-context behavioral advertising, a "Do Not Sell or Share" opt-out request should have no practical effect on our operations. If your browser sends a Global Privacy Control (GPC) signal, we will treat it as a request to opt out of sale or sharing of personal information in a manner consistent with applicable law.

8. Children

The Site and certification process are not directed at individuals under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete it.

9. International Users

MFI is based in the United States. If you access the Site or participate in the certification process from outside the United States, your information may be transferred to and processed in the United States and other jurisdictions where our service providers operate. Where required by law, we will use appropriate safeguards for cross-border transfers.

10. Changes to This Policy

MFI may update this Privacy Policy from time to time. Changes will be posted on this page with an updated effective date. If we make material changes to how we handle personal information, we will make reasonable efforts to notify affected individuals (for example, by posting a notice on the Site or by email if appropriate).

11. Contact

If you have questions about this Privacy Policy or wish to make a request regarding your personal information, contact us at:

Musical Form Institute
Muse Foundry LLC
info@musicalform.org
Mailing address:
PO Box 12734, Tucson, AZ 85732