This Privacy Policy explains how StubGuys collects, uses, and protects your information. It brings together our complete data-protection commitments — our core policy, a plain-English data-protection overview, California-specific rights, the data-processing terms that apply to organizers and to our vendors, and the current list of sub-processors we rely on. It is written to describe accurately what we do today; items that only apply once a described feature is fully launched are marked [AT LAUNCH].
Privacy Policy
1. Introduction
1.1 StubGuys Services
StubGuys LLC ("StubGuys," "we," "us") operates an event platform that lets Organizers create, grow, and operate events, and lets Attendees discover events, buy tickets, and keep the connections they make through StubConnect. Our products are available on the web, in our attendee and organizer mobile apps, and through admin and support channels (collectively, the "Services").
1.2 Who's Who
"Organizers" use the Services to create and manage events. "Attendees" (or "Consumers") use the Services to discover, register for, and attend events and to connect with other attendees. Depending on the context, StubGuys acts as a data controller (for data we decide how to process, such as your StubGuys account) or as a processor/service provider on behalf of Organizers (for registration data an Organizer collects for its event). Questions: privacy@stubguys.com.
1.3 Where We Are Today
StubGuys' apps currently run substantially on demonstration data. Account sign-up uses Firebase Authentication (operated by Google); real account credentials are created and stored once authentication is active for your account. Certain features shown in our interface — including identity verification, bank/payout connection, card payment entry, and StubConnect profile matching — are visually present in the app but do not yet transmit or permanently store the data you enter. Those sections say so explicitly below, and we will update this policy before that changes.
2. Application
This Privacy Policy covers our collection, use, disclosure, transfer, and storage of Personal Data through the Services. It does not cover Organizers' independent processing of attendee data outside our platform — Organizers are independently responsible for their own privacy practices, and our Data Processing Addendum for Organizers governs their use of data obtained through StubGuys.
3. Personal Data We Collect
3.1 From All Users
Information you provide: name, email address, password, profile details, preferences, and communications with us. Information collected automatically: [AT LAUNCH] device and browser data, IP address, app version, pages and screens viewed, referral source, and interaction data, once a diagnostics or analytics tool is integrated — we operate none today (see the Cookie Statement for cookies and similar technologies).
3.2 From Organizers
[AT LAUNCH] Business and identity verification data required to pay you: legal name or entity details, tax identifiers, beneficial ownership where required, and payout account details, verified through a bank-connection provider once integrated. We do not and will not store full card or bank account numbers on our own servers — payment credentials will be tokenized directly by our payment processor. The identity-verification and payout-connection screens in the organizer app are visual only today: no document, bank, or card data is actually captured, transmitted, or stored.
3.3 From Attendees
[AT LAUNCH] Order and ticket data (events, ticket types, amounts, wallet credit activity), refund and resale activity, check-in records, and any registration information an Organizer requests during checkout. Organizers control the registration questions for their events; we process responses on the Organizer's behalf. If you use StubConnect, we process your opt-in profile, group memberships, matches, messages, and the connections you choose to keep. StubConnect requires your affirmative, separate consent before your profile is created or shown to other attendees, and you control your discoverability. StubConnect profile creation and live matching are not yet active; today the feature is a display-only preview.
3.4 From Sales Prospects
If you engage with our sales team we may collect contact details, company information, and your event business needs.
4. How We Use Personal Data
4.1 To Provide the Services
Processing orders and payments, delivering tickets with unique QR codes, handling refunds, transfers, and face-value resale, running payouts, powering check-in, and operating StubConnect. [AT LAUNCH] for payments, payouts, and live StubConnect matching, as described above.
4.2 StubGuys AI
StubGuys AI features (such as price suggestions, event recommendations, and organizer insights) are designed to be grounded in real platform data and to respect data tenancy — an Organizer's AI would never see another organization's data. We do not sell your Personal Data to train third-party models. [AT LAUNCH] — AI features are not yet integrated into the product.
4.3 Internal Business Purposes
Security, fraud prevention, service improvement, and legal compliance. [AT LAUNCH] Analytics describing product usage (for example, purchase and connection events) once an analytics tool is integrated — we operate none today.
4.4 StubGuys and Organizer Marketing
[AT LAUNCH] With your consent where required, we intend to send product updates and event recommendations, and to let Organizers use our email tools to contact their attendees (the Organizer, not StubGuys, would be the sender and responsible for compliance and for honoring unsubscribes). No marketing or organizer-to-attendee email tooling is connected to a live email vendor today. You will be able to opt out of marketing at any time without affecting transactional messages.
4.5 Inferences
[AT LAUNCH] We may infer event interests from your activity to improve recommendations, once such a feature is built. You will be able to reset or disable personalized recommendations in settings.
5. How We Share Personal Data
- With Organizers — when you buy a ticket, the Organizer receives your order information and registration responses for that event, under the Data Processing Addendum for Organizers.
- With other attendees via StubConnect — only what you choose to share; we never disclose your contact details to another attendee without your action.
- With service providers (Sub-Processors) — today, this is limited to our authentication and hosting infrastructure provider, Google (Firebase / Google Cloud Platform), and Google Maps for map display. [AT LAUNCH] As payment, identity-verification, communications, or analytics vendors are integrated, we will name each one here and in our Sub-Processors list before they process real data.
- For legal reasons — to comply with law, enforce our terms, or protect rights, safety, and the integrity of the Services.
- Corporate transactions — in a merger, acquisition, or asset sale, with notice of any material change to this Policy.
We do not sell your Personal Data, and we do not share it for cross-context behavioral advertising.
6. International Transfers
[AT LAUNCH] Where Personal Data is transferred out of the European Economic Area, the United Kingdom, or Switzerland, we will rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses and the UK Addendum. [NEEDS SPEC: confirm hosting regions and finalize transfer mechanism with legal counsel.]
7. Security and Retention
We protect Personal Data with encryption in transit (TLS) and, for data held in Firebase, Google's at-rest encryption and access controls. [AT LAUNCH] As payment, identity-verification, and analytics integrations go live, each will be evaluated for appropriate encryption at rest and access controls before launch, consistent with the sensitivity of the data involved. No method of transmission or storage is 100% secure; report concerns to security@stubguys.com. See the retention schedule below.
7.1 Data Retention Schedule
We retain personal information only as long as necessary for the purposes described in this policy, or as required by law. [PLACEHOLDER — the retention periods below are policy defaults pending final review by StubGuys' legal/compliance team before publication.]
- Account data (profile, credentials) — retained for the life of your account, then deleted or anonymized within 30 days of account deletion, except where longer retention is required by law.
- Orders and ticket/transaction records — retained for 7 years, consistent with standard financial-recordkeeping requirements.
- Support tickets — retained for 2 years after resolution for quality and legal purposes.
- StubConnect profile and matches — retained until you delete your StubConnect profile, or automatically after 12 months of inactivity, whichever comes first.
- Logs (device/diagnostic/usage logs, once collected) — retained for 90 days.
- Marketing consent and contact records — retained until you unsubscribe, solely to honor your opt-out thereafter.
The full retention schedule, including rationale and legal basis for each category, is maintained in StubGuys' internal DATA_RETENTION.md policy document and will be kept in sync with this section.
8. Your Rights and Choices
Depending on your location, you may have rights to access, correct, delete, port, or restrict processing of your Personal Data, and to object to certain processing. [AT LAUNCH] We are building in-app self-service tools for these rights (profile edits, marketing opt-out, StubConnect visibility, account deletion, data export). Until those ship, exercise any of these rights by emailing privacy@stubguys.com, and we will honor your request within the timelines required by applicable law (for example, one month under GDPR, extendable once by two further months for complex requests). We will not discriminate against you for exercising your rights. California residents: see the StubGuys & California Data Protection notice for CCPA/CPRA-specific disclosures.
9. Children
The Services are not directed to children under 13 (or the higher age required by local law), and we do not knowingly collect Personal Data from them. StubConnect is intended for users 18 and older. [AT LAUNCH] We intend to implement an age-attestation step before granting access to StubConnect; no such gate exists yet. If you believe a child has provided us Personal Data, contact privacy@stubguys.com and we will delete it.
10. Changes to This Policy
We will post any changes here and update the date above. For material changes we will provide prominent notice (email or in-product) before they take effect.
11. Contact
StubGuys LLC, Attn: Privacy, [NEEDS SPEC: registered business address] — privacy@stubguys.com.
Data Protection Overview
This overview summarizes how StubGuys LLC approaches data protection across the platform, and where to find the detailed documents. It is a guide, not a contract; the linked documents control.
1. The Documents
Document
Who it's for
What it covers
Privacy Policy
Everyone
What we collect, why, sharing, rights
Cookie Statement
Everyone
Cookies and similar technologies
DPA for Organizers
Organizers
StubGuys as processor of event registration data
DPA for Vendors & Sub-Processors
Our vendors
Flow-down obligations to our processors
Sub-Processors
Organizers & Consumers
Third parties that process data for us
California Data Protection
California residents
CCPA/CPRA-specific disclosures
2. Roles in Plain Language
When you create a StubGuys account, browse events, or use StubConnect, StubGuys decides how your data is used — we are the controller. When you register for a specific event, the Organizer decides what to ask and why — the Organizer is the controller of those answers and StubGuys processes them on the Organizer's behalf under the DPA for Organizers.
3. Security by Design
Encryption in transit (TLS) and Google-managed at-rest protection for data held in Firebase today. [AT LAUNCH] Tenant isolation on every query, least-privilege audited access, append-only financial ledgers, idempotent money operations, tokenized payments through a PCI-DSS-compliant processor (we will never store card or bank numbers ourselves), signed webhooks, and rate limiting/bot protection on on-sales — these controls are part of our design for the payments and payouts features, which are not yet integrated.
4. StubGuys AI and Your Data
[AT LAUNCH] StubGuys AI features are designed to be grounded in real platform data, respect tenancy (one organization's AI would never see another's data), and never take money-moving actions without explicit human approval. We do not sell your data, and we will not permit AI vendors to train third-party models on it. No AI feature is integrated into the product today.
5. Your Controls
[AT LAUNCH] Self-service profile edits, marketing opt-outs, StubConnect discoverability and connection controls, data export, and account deletion are planned for account settings. Until they ship, contact privacy@stubguys.com for any of these requests.
California Data Protection
This notice explains how StubGuys LLC supports compliance with the California Consumer Privacy Act, as amended by the California Privacy Rights Act (together, "CCPA"), for both Organizers and Consumers. Capitalized terms have the meaning given in our Terms of Service and Privacy Policy.
1. Our Dual Role Under the CCPA
StubGuys processes a Consumer's personal information both as a "business" (for Consumer accounts, discovery, StubConnect, and platform integrity we control) and as a "service provider" on behalf of Organizers (for event registration data Organizers collect through their event pages). Our goal is to make it easy for Organizers to comply with the CCPA when they use StubGuys.
2. A Data Processing Addendum for Organizers
As a service provider processing personal information on behalf of Organizers, StubGuys contractually commits — in the Data Processing Addendum for Organizers, incorporated into the Merchant Agreement — to not sell or share that personal information, to use it only to provide the Services, and to support Organizers in responding to consumer rights requests. No separate signature is required; the DPA applies automatically to every Organizer.
3. Individual Rights
California residents have rights to know, access, correct, delete, and port their personal information; to opt out of sale or sharing (StubGuys does not sell personal information — we do not currently operate any advertising technology, so this right is not yet applicable in practice, and we honor the Global Privacy Control where relevant); to limit use of sensitive personal information; and to non-discrimination. Exercise these rights by emailing privacy@stubguys.com; self-service tools in account settings are planned (see Section 8/10 of the Privacy Policy). For registration data controlled by an Organizer, we will route your request to the Organizer or assist them in fulfilling it, as the CCPA requires of a service provider.
4. Additional Information
The categories of personal information we collect, our purposes, our retention schedule, and our Sub-Processors are described in the StubGuys Privacy Policy and the StubGuys Sub-Processors document. Questions: privacy@stubguys.com.
Data Processing Addendum — Organizers
Overview and Definitions
This Data Processing Addendum ("DPA") is incorporated into the StubGuys Terms of Service and Merchant Agreement between StubGuys LLC ("StubGuys") and the Organizer. It governs the processing of Consumers' Personal Data in connection with the Services. "Data Protection Laws" means all applicable privacy and data protection laws, including the EU and UK GDPR, the California Consumer Privacy Act as amended by the CPRA ("CCPA"), and other applicable U.S. state privacy laws. "SCCs" means the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), and "UK Addendum" means the UK International Data Transfer Addendum issued under Section 119A of the UK Data Protection Act 2018.
1. Applicability and Roles
StubGuys processes Consumers' Personal Data in two capacities. (a) As an independent controller/business — for Consumers' StubGuys accounts, platform-wide discovery and recommendations, StubConnect (which is consent-based and Consumer-controlled), fraud prevention, product analytics and improvement, and legal compliance. (b) As a processor/service provider on behalf of the Organizer — for event registration data the Organizer collects through its event pages, attendee lists, check-in records, and email tools the Organizer uses. Section 2 applies where StubGuys acts as the Organizer's processor or service provider.
The Organizer is the controller/business of the registration data it collects and is responsible for providing its own privacy notice, establishing a lawful basis for its processing, and honoring Consumer rights requests directed to it.
2. Data Processing Clauses (StubGuys as Processor)
2.1 Instructions
StubGuys will process Organizer-controlled Personal Data only on the Organizer's documented instructions — which consist of the Agreement, this DPA, and the Organizer's configuration of the Services — unless required by law, in which case StubGuys will inform the Organizer unless legally prohibited. StubGuys will inform the Organizer if, in its opinion, an instruction infringes Data Protection Laws.
2.2 No Sale; Limited Use
Acting as a service provider, StubGuys will not sell or share (for cross-context behavioral advertising) Organizer-controlled Personal Data, will not retain, use, or disclose it outside the direct business relationship or for any purpose other than providing the Services (or as permitted by the CCPA), and will not combine it with Personal Data received from other sources except as permitted for the business purposes of the Services. StubGuys certifies that it understands and will comply with these restrictions.
2.3 Confidentiality and Security
StubGuys ensures persons authorized to process the data are bound by confidentiality, and implements appropriate technical and organizational measures, including encryption in transit, role-based least-privilege access, and audit logging. [AT LAUNCH] Tenant isolation on every query, idempotent and append-only financial records, and periodic security testing are part of our design for features not yet integrated. Payment credentials will be tokenized by a PCI-DSS-compliant payment processor once integrated; StubGuys does not and will not store card or bank numbers.
2.4 Sub-Processors
The Organizer generally authorizes StubGuys to engage the Sub-Processors listed in the StubGuys Sub-Processors document. StubGuys will provide at least 30 days' notice of new Sub-Processors (via the Sub-Processors page and email where subscribed) and imposes data protection obligations no less protective than this DPA on each Sub-Processor, remaining liable for their performance. The Organizer may object on reasonable data protection grounds; if StubGuys cannot offer a reasonable alternative, the Organizer may terminate the affected Services as its exclusive remedy.
2.5 Assistance
Taking into account the nature of processing, StubGuys will assist the Organizer with (a) responding to Consumer rights requests (the platform provides self-service export and deletion tooling), (b) security of processing, breach notification, and (c) data protection impact assessments and consultations with supervisory authorities.
2.6 Personal Data Breach
StubGuys will notify the Organizer without undue delay after becoming aware of a Personal Data Breach affecting Organizer-controlled Personal Data, and will provide information reasonably required for the Organizer's own notification obligations as it becomes available.
2.7 Deletion and Return
Upon termination of the Agreement, StubGuys will delete or return Organizer-controlled Personal Data at the Organizer's election, except where retention is required by law (including append-only financial ledgers, which are retained as required for audit and tax purposes).
2.8 Audit
StubGuys will make available information reasonably necessary to demonstrate compliance with this DPA, including summaries of third-party audits and certifications, and will allow audits by the Organizer or its mandated auditor where required by Data Protection Laws, subject to reasonable notice, frequency, confidentiality, and security requirements.
3. International Transfers
Transfers of Personal Data from the European Economic Area are made under the SCCs (Module Two: controller-to-processor, or Module Three: processor-to-processor, as applicable), which are incorporated by reference; the Organizer is the data exporter and StubGuys the data importer. For UK transfers, the UK Addendum applies and amends the SCCs as set out therein; if the UK issues an updated addendum, the updated version controls. For Swiss transfers, the SCCs apply with the modifications required by the Swiss Federal Data Protection Act, with the Swiss Federal Data Protection and Information Commissioner as the competent authority. Annexes describing the parties, processing, and security measures are completed by the Agreement, this DPA, and the Sub-Processors document.
4. Precedence and Liability
If this DPA conflicts with the Agreement, this DPA controls as to data protection. Where the SCCs conflict with this DPA, the SCCs control. Each party's liability under this DPA is subject to the limitations of liability in the Agreement, except where prohibited by Data Protection Laws.
Data Processing Addendum — Vendors & Sub-Processors
Overview
This Data Processing Addendum ("DPA") applies to vendors, service providers, contractors, and their subcontractors ("Vendor") that process StubGuys Data in connection with services provided to StubGuys LLC ("StubGuys") under an underlying agreement (the "Agreement"). The categories of personal data and data subjects are those described in the Agreement and applicable statements of work.
1. Definitions
"Applicable Privacy Laws" means all privacy and data protection laws applicable to the processing, including the EU and UK GDPR, the ePrivacy Directive 2002/58/EC, the Swiss FADP, the CCPA/CPRA, and other U.S. state privacy laws, each as amended. "StubGuys Data" means any data — including Personal Data — provided to Vendor by or on behalf of StubGuys, or collected or accessed by Vendor in connection with the Agreement. "New EU SCCs" means the clauses annexed to Commission Implementing Decision (EU) 2021/914; "UK SCC Addendum" means the UK International Data Transfer Addendum issued under Section 119A of the UK Data Protection Act 2018.
2. Role of the Parties
As between the parties, StubGuys is the controller or business (or acts on behalf of controllers, including Organizers) and Vendor is a processor or service provider. StubGuys is obligated contractually and under Applicable Privacy Laws to flow down data protection obligations to its processors; the obligations in this DPA apply to Vendor regardless of whether Vendor is a processor or sub-processor. Vendor will immediately inform StubGuys if, in its opinion, an instruction infringes Applicable Privacy Laws.
3. Vendor Obligations
- Process StubGuys Data only on documented instructions from StubGuys and solely to provide the contracted services; no independent rights in StubGuys Data are created or derived.
- Not sell or share StubGuys Data, and not retain, use, or disclose it outside the direct business relationship with StubGuys or for any purpose other than performing the Agreement, except as permitted by Applicable Privacy Laws.
- Not combine StubGuys Data with data from other sources except to perform the services.
- Ensure personnel are bound by confidentiality obligations and receive appropriate privacy and security training.
- Implement and maintain technical and organizational security measures appropriate to the risk, including encryption in transit and at rest, access controls, logging, vulnerability management, and secure development practices.
- Not engage a subcontractor to process StubGuys Data without StubGuys' prior written authorization; flow down obligations no less protective than this DPA and remain fully liable for subcontractor acts and omissions.
- Notify StubGuys without undue delay (and in any event within 48 hours) of any actual or suspected Personal Data Breach affecting StubGuys Data, and cooperate fully in investigation and remediation.
- Assist StubGuys in responding to data subject rights requests, demonstrating compliance, and conducting privacy and data protection impact assessments.
- Delete or return all StubGuys Data at termination of the Agreement or upon request, and certify deletion, except where retention is required by law.
- Make available information necessary to demonstrate compliance and permit audits (including inspections) by StubGuys or its mandated auditor, subject to reasonable notice and confidentiality.
4. International Data Transfers
Where Vendor processes Personal Data transferred from the European Economic Area, the New EU SCCs are incorporated by reference (Module Two where StubGuys acts as controller; Module Three where StubGuys acts as processor). StubGuys is the Data Exporter and Vendor the Data Importer; the Annexes are completed by the Agreement, this DPA, and the applicable statement of work.
Switzerland. For transfers subject to the Swiss FADP, the New EU SCCs apply with the adaptations required by the FDPIC: references to the GDPR are read as references to the FADP, the competent supervisory authority is the FDPIC, and data subjects in Switzerland may enforce their rights in Switzerland.
United Kingdom. For transfers subject to UK data protection law, the UK SCC Addendum is incorporated and amends the New EU SCCs as set out therein; if the UK issues an updated addendum, the updated version controls. In Table 2 the Approved EU SCCs are the New EU SCCs as incorporated above; in Table 3 the Annexes are as completed above; in Table 4 either party may end the Addendum as set out in its Section 19.
Transfer assessments. Vendor will cooperate with transfer impact assessments and implement supplementary measures where reasonably required, and will notify StubGuys if it becomes subject to a government access request concerning StubGuys Data unless legally prohibited, in which case it will use best efforts to obtain a waiver of the prohibition.
5. Liability and Precedence
Vendor is fully responsible and liable to StubGuys for the acts and omissions of its subcontractors. This DPA controls over conflicting terms of the Agreement as to data protection; the SCCs control over this DPA where they conflict. Nothing in the Agreement limits either party's liability with respect to a data subject's rights under the SCCs.
Sub-Processors
StubGuys LLC works with the third parties ("Sub-Processors") listed below to provide specific functionality within the StubGuys Services. To provide that functionality, these Sub-Processors may access Personal Data as defined in the Data Processing Addendum for Organizers. Each Sub-Processor is bound by a data protection agreement consistent with our DPA. We provide at least 30 days' notice before adding a new Sub-Processor; subscribe to updates at stubguys.com/legal/sub-processors.
This list reflects the vendors actually integrated in StubGuys' current architecture today. We do not pre-list vendors that are not yet under contract or integrated — as new sub-processors are added (for example, a payment processor, identity-verification vendor, or analytics tool), we will name them here before they process real data, per Section 2.4 below. [NEEDS SPEC: confirm executed vendor agreements before publication.]
Business Infrastructure
- Google LLC (Firebase / Google Cloud Platform) — authentication and application hosting infrastructure
- Google LLC (Google Maps Platform) — map display for event and venue locations
- [PLACEHOLDER: hosting/CDN provider for the marketing website, if different from the above]
No payment processor, bank-verification vendor, identity-verification (KYC) vendor, SMS/email delivery vendor, AI inference vendor, analytics/observability tool, or support-ticketing vendor is integrated today. Each will be named in this section — and only after being placed under contract — before it begins processing real user data.