Privacy Policy

Festa (“we,” “us,” “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our platform, website, and services (collectively, the “Platform”).

Key Commitment: We do NOT sell your personal information to third parties. We only share data as necessary to operate the Platform and provide services.

1. Information We Collect

1.1 Information You Provide Directly

Account Information:

• Name (first and last name)
• Email address
• Phone number
• Date of birth (to verify you are 18+)
• Password (encrypted and hashed, never stored in plain text)
• Profile photo (optional)
• Physical address (optional, for event planning)

Event Information:

• Event names, dates, times, and locations
• Guest counts and event details
• Service preferences and requirements
• Special instructions for service providers

Payment Information:

• Payment method details (processed and stored by Stripe, not by Festa)
• Billing address
• Transaction history and amounts
• Stripe Customer ID (a reference token, not your actual card information)

Business Information (for Service Providers):

• Business name, category, and description
• Business address and geographic coordinates
• Business phone and email
• Service descriptions, pricing, and availability
• Business photos and marketing content
• Stripe Connected Account ID for payouts
• Tax identification information (collected by Stripe)

Communications Preferences:

• Email notification preferences
• SMS notification opt-in/opt-out
• Marketing communication preferences

1.2 Information Collected Automatically

• Device Information: Device type, operating system, browser type and version
• Usage Data: Pages viewed, features used, time spent on Platform, click patterns
• IP Address: For security, fraud detection, and approximate location
• Cookies and Tracking: Session cookies, authentication tokens, analytics cookies
• Location Data: Approximate location from IP address (we do not track real-time GPS location)

1.3 Information from Third Parties

• OAuth Providers (Google): Name, email, profile photo when you sign in with Google
• Stripe: Payment verification, identity verification, payout status
• Public Sources: Business information verification (for business accounts)

2. How We Use Your Information

We use the information we collect for the following purposes:

2.1 Core Platform Services

• Create and manage your account
• Process bookings between users and service providers
• Facilitate payments and payouts via Stripe
• Generate and verify event passcodes for service completion
• Enable communication between users and businesses
• Provide customer support and respond to inquiries

2.2 Transactional Communications

• Send booking confirmations and status updates
• Notify you of business responses and payment confirmations
• Send event reminders and passcode information
• Deliver important account and security notifications
• Process refund requests and dispute resolutions

2.3 Platform Improvement and Analytics

• Analyze platform usage patterns (aggregated and anonymized)
• Improve search results and recommendations
• Develop new features and services
• Conduct A/B testing and user experience research
• Monitor platform performance and fix technical issues

2.4 Security and Fraud Prevention

• Detect and prevent fraud, spam, and abuse
• Verify user identity and age (18+ requirement)
• Investigate suspicious activity and policy violations
• Secure accounts and protect against unauthorized access
• Comply with legal obligations and law enforcement requests

2.5 Marketing (With Your Consent)

• Send promotional emails about new features and services (opt-in only)
• Share event planning tips and inspiration (opt-in only)
• Provide personalized service recommendations
• You can opt-out at any time via account settings or email unsubscribe links

4. Data Retention

We retain your information for different periods depending on the type of data and purpose:

• Active Accounts: Retained as long as your account is active
• Deleted Accounts: Personal data anonymized or deleted within 30 days of account closure
• Transaction Records: Retained for 7 years for tax, accounting, and legal compliance
• Dispute Records: Retained for the duration of the dispute plus 1 year
• Marketing Data: Deleted immediately upon opt-out
• Backup Data: May exist in backups for up to 90 days, then permanently deleted
• Legal Holds: Data subject to legal proceedings retained until resolution

5. Your Privacy Rights

Depending on your location, you have the following rights regarding your personal information:

5.1 Rights for All Users

• Access: Request a copy of the personal data we hold about you
• Correction: Update or correct inaccurate information via account settings
• Deletion: Request deletion of your account and personal data
• Opt-Out of Marketing: Unsubscribe from promotional emails and SMS at any time
• Data Portability: Request your data in a machine-readable format

5.2 GDPR Rights (EU/EEA/UK Users)

If you are in the European Union, European Economic Area, or United Kingdom, you have additional rights:

• Right to Restriction: Restrict processing of your data under certain conditions
• Right to Object: Object to processing based on legitimate interests
• Right to Lodge a Complaint: File a complaint with your local data protection authority
• Automated Decision-Making: Right to opt-out of automated decision-making (we do not use automated profiling)

5.3 CCPA Rights (California Users)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA):

• Know: Request disclosure of what personal information we collect, use, and share
• Delete: Request deletion of your personal information
• Opt-Out of Sale: We do not sell personal information, so this right is not applicable
• Non-Discrimination: We will not discriminate against you for exercising your rights

5.4 How to Exercise Your Rights

To exercise any of these rights, contact us at:

• Email: privacy@festapr.com
• Account Settings: Manage most preferences directly in your account
• Email Unsubscribe: Click “unsubscribe” in any marketing email

We will respond to verified requests within 30 days (45 days for complex requests). We may require identity verification to protect your privacy.

5.5 Limitations on Deletion

We may not be able to delete all data if we need to retain it for:

• Completing transactions or providing requested services
• Complying with legal obligations (e.g., tax records for 7 years)
• Detecting fraud or security incidents
• Resolving ongoing disputes or claims

6. Data Security Measures

We implement industry-standard security measures to protect your information:

• Encryption in Transit: All data transmitted via HTTPS/TLS encryption
• Encryption at Rest: Database encryption for stored personal information
• Password Security: Passwords hashed using bcrypt (never stored in plain text)
• Access Controls: Role-based access restrictions for Festa employees
• Authentication: Secure session management with HttpOnly cookies and JWT tokens
• Token-Based Access: Secure access tokens for email confirmation links (SHA-256 hashed)
• Regular Audits: Security assessments and vulnerability testing
• Stripe PCI Compliance: Payment data handled by PCI-DSS Level 1 certified Stripe

Data Breach Notification: In the unlikely event of a data breach affecting your personal information, we will notify you and applicable authorities within 72 hours as required by law.

7. Cookies and Tracking Technologies

We use cookies and similar technologies to provide and improve our services:

7.1 Types of Cookies

• Essential Cookies: Required for login, authentication, and core platform functionality (cannot be disabled)
• Functional Cookies: Remember your preferences and settings
• Analytics Cookies: Help us understand how users interact with the Platform (anonymized data)
• Performance Cookies: Monitor platform performance and loading times

7.2 Cookie Management

You can manage cookies through your browser settings. Note that disabling essential cookies may prevent you from using certain features of the Platform.

7.3 Do Not Track

We do not currently respond to “Do Not Track” browser signals, but we do not track you across third-party websites.

8. Third-Party Services and Links

8.1 Payment Processing (Stripe)

All payment processing is handled by Stripe, Inc. Your payment information is subject to Stripe's Privacy Policy (available at stripe.com/privacy). Festa does not store your full credit card numbers or CVV codes.

8.2 Communication Services

• SendGrid: Transactional email delivery (subject to SendGrid's privacy policy)
• Twilio: SMS and WhatsApp messaging (subject to Twilio's privacy policy)

8.3 OAuth Providers

If you sign in with Google, your use of Google's authentication is subject to Google's Privacy Policy. We only receive the information you authorize Google to share (name, email, profile photo).

8.4 External Links

Our Platform may contain links to third-party websites. We are not responsible for the privacy practices of these external sites. Please review their privacy policies before providing information.

9. International Data Transfers

Festa operates primarily in the United States. If you access the Platform from outside the U.S., your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate.

For EU/EEA users, we rely on:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions where applicable
• Your explicit consent where necessary

10. Children's Privacy

Our Platform is not intended for users under 18 years of age. We do not knowingly collect personal information from children under 18. We collect date of birth during registration to verify age.

If we discover that we have inadvertently collected information from a user under 18, we will delete that information immediately. If you believe we have collected information from a minor, please contact us at privacy@festapr.com.

11. California “Shine the Light” Law

California Civil Code Section 1798.83 permits California residents to request information about disclosure of personal information to third parties for direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by:

• Posting the updated Privacy Policy on the Platform with a new “Last Updated” date
• Sending email notification to your registered email address
• Displaying a prominent notice on the Platform

Material changes will be effective 30 days after notice is provided. Continued use of the Platform after the effective date constitutes acceptance of the updated Privacy Policy.

13. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: