Privacy policy
Effective May 2, 2026.
VenueSync, Inc. ("VenueSync," "we," "our," or "us") takes privacy seriously. This policy explains what personal information we collect, why we collect it, how we use it, who we share it with, and what rights you have over it.
Last updated: May 2, 2026 Effective: May 2, 2026
This policy applies to:
- The VenueSync web application at venue-sync.com
- The VenueSync mobile application for iOS and Android
- Any other VenueSync product or service that links to this policy
Use of VenueSync is subject to our Terms of Service and Acceptable Use Policy. This policy does not apply to third-party services you connect to VenueSync, or to the event data you manage on behalf of your own clients using VenueSync's tools (that relationship is governed by our Data Processing Agreement).
1. Who we are
VenueSync, Inc. is a Delaware corporation. For purposes of the GDPR and UK GDPR, we are the data controller of the personal information we collect about you directly. For personal information you upload to VenueSync on behalf of your vendors, guests, or clients, we are a data processor acting on your instructions.
Contact: VenueSync, Inc. 7506 NW 115th Terrace, Parkland, FL 33076 privacy@venue-sync.com
EU/UK Representative: VenueSync is a US-based controller. For EU/UK inquiries, contact privacy@venue-sync.com.
2. Information we collect
2.1 Information you give us directly
| Category | Examples | Why we need it |
|---|---|---|
| Account information | Name, email address, phone number, role (planner, venue, captain, vendor) | To create and manage your account |
| Business information | Company name, venue name, studio name, business address | To associate your account with your venue or studio |
| Event data | Event names, dates, locations, timelines, floor plans, vendor briefs, run-of-show details, COI documents, messages between event participants | To deliver the core VenueSync service |
| Payment information | Billing name, billing address, last four digits of payment card | Processed by Stripe; we never see or store full card numbers |
| Communications | Emails and messages you send to our support team | To respond to your requests and improve the service |
| Profile details | Trade/specialty (for vendors), headshot if provided | To personalize your experience and your brief |
2.2 Information we collect automatically
| Category | Examples | Why we collect it |
|---|---|---|
| Usage data | Features used, screens viewed, buttons tapped, timestamps of key actions (milestone marked, brief opened, vendor checked in) | Product analytics, to improve the service |
| Device information | Device model, operating system version, app version | Crash reporting and compatibility |
| Log data | IP address, browser type, referring URL, session duration | Security monitoring, fraud detection |
| Push token | Expo push token or APNs/FCM device token | To deliver push notifications (Ready Signals alerts, message notifications) |
| Crash and performance data | Stack traces, error messages, performance metrics | Crash reporting via Sentry |
2.3 Information we receive from third parties
| Source | Information received | Purpose |
|---|---|---|
| Apple (Sign in with Apple) | Name and email (or Apple private relay address) you choose to share | Account creation |
| Google (Sign in with Google) | Name and email address | Account creation |
| Stripe | Subscription status, billing events, payment method type | Billing and access management |
We do not purchase data from third-party data brokers. We do not receive data from advertising networks. We do not access your device contacts, photos, or calendar unless you explicitly use a feature that requires it.
3. How we use your information
| Purpose | Legal basis (GDPR) | CCPA category |
|---|---|---|
| Providing and operating the VenueSync service | Contract — necessary to perform the subscription agreement | Service provision |
| Account creation and authentication | Contract | Account management |
| Delivering push notifications (Ready Signals, messages, COI alerts) | Contract / Legitimate interests | Service provision |
| Billing, invoicing, and payment processing | Contract / Legal obligation | Financial information |
| Customer support | Legitimate interests | Service provision |
| Product analytics and improvement | Legitimate interests | Internal research |
| Security monitoring and fraud detection | Legitimate interests / Legal obligation | Security |
| Communicating about material changes to the service | Legitimate interests / Legal obligation | Communications |
| Marketing communications (optional) | Consent — you can opt out at any time | Marketing |
| Complying with legal obligations | Legal obligation | Compliance |
We do not use your personal information for targeted advertising, sale to third parties, or profiling for automated decision-making that produces legal or similarly significant effects on you.
4. Who we share your information with
We share personal information only as described here. We never sell it.
4.1 Within VenueSync events
VenueSync is a shared platform. When you participate in an event, other participants can see certain information about you based on your role:
- Your name and role are visible to all participants on the event.
- Your vendor brief is visible to the planner and venue who created the event.
- Your messages are visible only to the participants in that specific thread.
- Your personal phone number and personal email address are never visible to other participants. All communication goes through VenueSync.
- Your COI documents are visible to the planner and venue on the event, not to other vendors.
4.2 Service providers (processors)
| Processor | Purpose | Location | Data shared |
|---|---|---|---|
| Amazon Web Services | Hosting, storage, database infrastructure | United States | All event and account data |
| Supabase, Inc. | Authentication, database, real-time API | United States | Account data, session tokens, authentication records |
| Stripe | Payment processing | United States | Billing information, subscription status |
| Twilio | SMS fallback for Ready Signals alerts | United States | Phone number, message body |
| Apple Push Notification Service | iOS push notifications | United States | Push token, notification payload |
| Firebase Cloud Messaging | Android push notifications | United States | Push token, notification payload |
| Sentry | Crash and error reporting | United States | Stack traces, device info, anonymized user ID |
| PostHog | Product analytics | United States / EU | Usage events, anonymized user ID |
| Cloudflare | CDN, DDoS protection | United States | IP address, request metadata |
We do not allow any processor to use your data for any purpose other than providing services to us. The full sub-processor list is maintained at venue-sync.com/legal/sub-processors.
4.3 Legal requirements
We may disclose personal information if required by law, court order, or governmental authority, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of VenueSync, our users, or the public. We will notify affected users of any such disclosure to the extent permitted by law.
4.4 Business transfers
If VenueSync is acquired, merged, or undergoes a change of control, personal information may be transferred to the acquiring entity. We will notify you before your personal information is transferred and becomes subject to a different privacy policy.
5. Data retention
| Data type | Retention period | Reason |
|---|---|---|
| Account information | Duration of account + 90 days after deletion | Recovery window; then purged |
| Event data | Duration of account + 90 days | Recovery window; then purged |
| Event messages | Duration of account + 90 days; threads auto-close 30 days after event end | Thread closure policy |
| COI documents | Duration of account + 90 days | Recovery window |
| Payment and billing records | 7 years | Legal and tax obligations |
| Audit logs | 3 years | Security and compliance |
| Crash and analytics data | 12 months rolling | Product improvement; then aggregated/anonymized |
| Marketing consent records | Until consent withdrawn + 3 years | Compliance documentation |
After the retention period expires, data is permanently deleted from active systems within 30 days and from backup systems within 90 days thereafter.
6. Per-event messaging and thread closure
VenueSync's per-event messaging feature routes all communication between planners and vendors through the app. Threads are automatically closed (read-only) 30 days after an event's end date. After the thread closure date, no new messages can be sent, but existing messages remain readable within the VenueSync app until your account is deleted.
Your personal phone number is never shared with other participants on an event, and vendors cannot contact you outside the platform after the event has concluded.
7. Security
- Encryption in transit: All data transmitted between your device and VenueSync servers is encrypted via TLS 1.2 or higher.
- Encryption at rest: Data stored on AWS is encrypted at rest using AES-256.
- Access control: Role-based access within events ensures vendors see only their own data.
- Vulnerability management: We conduct periodic security assessments and maintain a responsible disclosure process.
- SOC 2 Type II: In progress. We will update this policy when certification is complete.
No system is perfectly secure. If you believe your VenueSync account has been compromised, contact security@venue-sync.com immediately.
Data breach notification: In the event of a data breach affecting your personal information, we will notify you and, where required, the relevant supervisory authority, within the timeframes required by applicable law (72 hours under GDPR).
8. International data transfers
VenueSync is based in the United States. If you are in the European Economic Area, the United Kingdom, or Switzerland, your personal information will be transferred to and processed in the United States.
We rely on the following safeguards:
- EU Standard Contractual Clauses (SCCs): Incorporated into our data processing agreements with EU-based customers and processors.
- UK International Data Transfer Agreement (IDTA): For transfers from the United Kingdom.
9. Your rights
To exercise any of these rights, email privacy@venue-sync.com with the subject line "Privacy Request — [Right]." We will respond within 30 days.
Rights available to everyone
| Right | What it means |
|---|---|
| Access | Request a copy of the personal information we hold about you |
| Correction | Ask us to correct inaccurate or incomplete information |
| Deletion | Ask us to delete your personal information, subject to retention obligations |
| Data portability | Receive your data in a structured, machine-readable format |
| Withdraw consent | Where processing is based on consent, withdraw it at any time |
Additional rights for EU/UK residents (GDPR / UK GDPR)
| Right | What it means |
|---|---|
| Restrict processing | Ask us to limit how we use your data in certain circumstances |
| Object to processing | Object to processing based on legitimate interests |
| Lodge a complaint | File a complaint with your national supervisory authority |
Additional rights for California residents (CCPA/CPRA)
| Right | What it means |
|---|---|
| Know | Request the categories and specific pieces of personal information collected, sources, purposes, and third parties |
| Opt out of sale/sharing | We do not sell or share personal information for cross-context behavioral advertising. You may still submit a Do Not Sell or Share request to privacy@venue-sync.com. |
| Limit sensitive personal information | Request that we limit use of your sensitive personal information to purposes necessary to provide the service |
| Non-discrimination | We will not discriminate against you for exercising any CCPA right |
| Opt-out confirmed | If you submit a Do Not Sell or Share request, we will provide visible confirmation it has been honored within 15 business days |
Rights for residents of other US states
Virginia (VCDPA), Colorado (ColoPA), Connecticut (CDPA), Texas (TDPSA), and residents of the 20+ other US states with comprehensive privacy laws as of 2026 have rights to access, correct, delete, obtain a portable copy of, and opt out of the sale or targeted advertising use of their personal information. Contact privacy@venue-sync.com to exercise any right. If we deny your request, you may appeal by emailing with the subject "Privacy Request Appeal."
10. Children
VenueSync is not directed at children under 13 years of age. We do not knowingly collect personal information from anyone under 13. If you believe we have collected information from a child under 13, contact privacy@venue-sync.com.
11. Cookies and tracking technologies
| Type | Purpose | Can you opt out? |
|---|---|---|
| Strictly necessary | Session management, authentication, security | No — required for the service to function |
| Functional | Remembering your preferences | Yes — browser settings |
| Analytics | Aggregate product usage via PostHog | Yes — email privacy@venue-sync.com or use browser Do Not Track |
| Advertising cookies | We do not use advertising or retargeting cookies | N/A |
The VenueSync mobile app does not use browser cookies. It uses a device identifier (Expo push token) solely for push notifications.
12. Sign in with Apple and Google
When you use Sign in with Apple, Apple may provide us with your name and email (or a private relay address). We store only what you share and do not request access to any other Apple services. When you use Sign in with Google, Google provides your name and email. We do not request access to Gmail, Drive, Calendar, or any other Google service.
13. Changes to this policy
We review this policy at least once every 12 months. If we make a material change, we will notify you by email and with an in-app notice at least 30 days before the change takes effect.
14. Contact us
Email: privacy@venue-sync.com Post: VenueSync, Inc., 7506 NW 115th Terrace, Parkland, FL 33076 Response time: Within 30 days of receipt