VenueStatus

Privacy Policy

DRAFT — REQUIRES LEGAL REVIEW BEFORE GOING LIVE. This is a first draft authored to meet the baseline requirements of Google AdSense, COPPA, GDPR, CCPA, CAN-SPAM, and US carrier A2P 10DLC SMS rules. It is not legal advice. See README.md for the review path.

Effective Date: [EFFECTIVE DATE]

VenueStatus ("VenueStatus", "we", "us", or "our") is operated by Darksoft LLC d/b/a VenueStatus, [DARKSOFT LLC ADDRESS]. This Privacy Policy explains how we collect, use, share, and protect information in connection with the website at venuestatus.com, our mobile applications, our APIs, and any related services (collectively, the "Service").

By using the Service, you agree to this Privacy Policy. If you do not agree, do not use the Service.


1. Audience and roles

The Service has two distinct user types, and the data we collect differs for each:

  • Org Admins — staff of a sports organization, parks-and-rec department, or similar organization (an "Organization" or "Org") who use our admin app to update statuses and notes. Org Admins create accounts and authenticate.
  • Public Viewers — parents, coaches, players, and members of the public who view an Organization's status page on venuestatus.com. Public Viewers do not create accounts. They may optionally subscribe to free notifications via push, email, or SMS.

2. Information we collect

2.1 From Org Admins (authenticated users)

When an Org Admin signs up or uses the Service, we collect:

  • Account information: name, email address, and (if signing in with Google or Apple) the identifier returned by that provider.
  • Organization information: organization name, slug, timezone, locations, venues, statuses, notes, and announcements created by the admin.
  • Billing information: for Pro and Enterprise plans, payment information is collected and processed by Stripe, Inc. We never see or store full payment card details. We retain metadata returned by Stripe (last 4 digits, card brand, billing email, subscription status).
  • Usage information: authentication events, status changes, edits, and other actions taken in the admin app, retained for security, audit, and product analytics.

2.2 From Public Viewers (unauthenticated users)

When a Public Viewer visits an Organization's public page, we collect:

  • Notification subscription endpoints — only if the viewer opts in:
    • Push: an anonymous Firebase Cloud Messaging (FCM) token issued by their browser.
    • Email: the email address they provide, after a double-opt-in confirmation.
    • SMS: the phone number they provide (in E.164 format), after a carrier opt-in confirmation.
  • Local preferences: items the viewer "favorites" are stored in their browser's localStorage, on their device. We do not transmit or store favorites on our servers.

We do not require Public Viewers to create accounts.

2.3 Automatically collected

When anyone visits venuestatus.com, our service providers may automatically collect:

  • IP address, user-agent, referrer, and approximate location derived from IP.
  • Pages visited and timestamps, for performance monitoring and analytics.
  • Cookies and similar identifiers (see §5. Cookies and similar technologies).

2.4 Information from third parties

We receive information from:

  • Stripe — billing, subscription, and tax-residency data for paying Organizations.
  • Google FCM, Twilio, Resend — delivery receipts, bounces, and unsubscribe events for notifications.
  • Google AdSense — aggregate ad-performance metrics for Free-tier pages.
  • Authentication providers (Google, Apple) — email and a stable identifier if an Org Admin uses social sign-in.

3. How we use information

We use information to:

  • Provide, operate, and maintain the Service.
  • Authenticate Org Admins and enforce role-based permissions.
  • Display Organization-published statuses and notes on the public Service.
  • Deliver notifications that Public Viewers opted in to receive.
  • Process payments and manage subscriptions for Pro and Enterprise plans.
  • Detect, investigate, and prevent fraud, abuse, and security incidents.
  • Comply with legal obligations, including subpoenas, lawful requests, and tax/billing requirements.
  • Improve the Service through aggregated, de-identified analytics.

We do not sell personal information.


4. How we share information

We share information only as described below:

4.1 Service providers

We share information with vendors who help us operate the Service. These vendors are contractually limited to using the data only for purposes we direct. Current providers:

| Provider | Purpose |
| --- | --- |
| Supabase | Database, authentication, real-time, storage |
| Vercel | Hosting for venuestatus.com |
| Stripe | Payment processing, subscriptions, tax |
| Resend | Transactional email delivery |
| Twilio | SMS delivery |
| Google Firebase Cloud Messaging | Web and mobile push delivery |
| Google AdSense | Advertising on Free-tier public pages |
| Google Funding Choices | Cookie consent management |
| Sentry | Error reporting |
| Vercel Analytics | Aggregate web-vitals analytics |

4.2 Public Service

Statuses, notes, and announcements that an Organization publishes are intentionally public. They appear on the Organization's public page, in the JSON API at https://venuestatus.com/api/v1/orgs/{slug}.json, and in any embeddable widgets the Organization installs on its own websites.

4.3 Legal requirements

We may disclose information if required by law, subpoena, court order, or to protect our rights, the safety of users, or the integrity of the Service.

4.4 Business transfers

If VenueStatus is acquired, merged, or sold, information may transfer to the successor entity under this Privacy Policy or a successor policy with at least equivalent protections.

4.5 With your consent

For any sharing not described above, we will ask for your consent.


5. Cookies and similar technologies

The Service uses cookies and similar technologies for the following purposes:

  • Strictly necessary — authentication for Org Admins; CSRF and session integrity. These cannot be disabled while using the admin app.
  • Performance — Vercel Analytics measures aggregate web-vitals (LCP, CLS, INP) for the public page. No personal identifiers are stored.
  • Advertising — on Free-tier Organization pages, Google AdSense places cookies to serve ads. Because the entire venuestatus.com domain is configured as child-directed for advertising purposes, AdSense serves non-personalized ads only — no remarketing, no behavioral targeting based on user profiles. See §7. Children's Privacy.

EEA, UK, and Swiss visitors see a consent banner powered by Google Funding Choices on first visit and may opt out of non-essential cookies.


6. Notification preferences

Public Viewers control their own notification subscriptions:

  • Email: every email contains a one-click unsubscribe link tied to that specific subscription.
  • SMS: reply STOP to any message to unsubscribe (US carrier requirement); reply HELP for support information. Standard message and data rates may apply.
  • Push: revoke browser permissions in your device settings to stop push notifications.

You may manage all your subscriptions for a given email or phone number from the preferences link in any notification.


7. Children's Privacy

VenueStatus's primary audience is youth-sports organizations, schools, and parks-and-rec programs whose communities include minors. We take this seriously:

  • The entire venuestatus.com domain is configured as "child-directed content" in Google AdSense. As a result, all advertising on Free-tier pages is non-personalized and contextual only. No remarketing, no behavioral profiling, no cross-site tracking.
  • We do not knowingly collect personal information directly from children under 13. If we learn we have inadvertently collected such information, we will delete it promptly. Parents who believe their child has provided personal information to us may contact privacy@venuestatus.com for review and removal.
  • Public Viewers can optionally provide their email address or phone number to receive notifications. If a parent learns that a child under 13 has provided such information, the parent may unsubscribe and request deletion using the contacts in §13.

8. Your rights and choices

Depending on where you live, you may have the following rights with respect to your personal information:

  • Access — request a copy of the information we hold about you.
  • Correction — ask us to correct inaccurate information.
  • Deletion — ask us to delete your information ("right to be forgotten" / GDPR Article 17, CCPA right to delete).
  • Portability — receive your information in a portable format.
  • Objection / restriction — object to or restrict certain processing.
  • Opt-out of sale or sharing — VenueStatus does not sell personal information, and does not share for cross-context behavioral advertising.

To exercise any of these rights, contact privacy@venuestatus.com. We will respond within the timeframe required by applicable law (typically 30–45 days).

8.1 California residents (CCPA / CPRA)

In addition to the rights above, California residents have the right to non-discrimination for exercising privacy rights. The categories of personal information we collect, the purposes, and the categories of third parties with whom we share are described in §2, §3, and §4 respectively.

8.2 EEA / UK / Swiss residents (GDPR / UK GDPR)

Our legal bases for processing are: (a) contract for providing the Service to Org Admins and processing notifications Public Viewers requested; (b) legitimate interests for security, fraud prevention, and aggregate analytics; (c) consent for advertising cookies on Free-tier pages and any optional features that ask for it; (d) legal obligation for billing records and lawful requests.

You have the right to lodge a complaint with your local supervisory authority.


9. Data retention

We retain information for as long as necessary to provide the Service and comply with our legal obligations:

  • Org account data — for the life of the Organization. When an Org is soft-deleted (see Terms of Service §10), data is retained for 30 days for restoration, then permanently deleted. GDPR right-to-erasure requests are honored immediately, bypassing the grace period.
  • Notification subscriptions — until the viewer unsubscribes, or until the parent Organization is hard-deleted.
  • Billing records — retained as required by tax and accounting law (typically 7 years in the US).
  • Logs — retained for up to 90 days for security and debugging.

10. Security

We use industry-standard technical and organizational measures to protect information, including encryption in transit (TLS), encryption at rest for our databases, role-based access controls (Postgres Row-Level Security), and audited service-provider relationships. No system is perfectly secure, however, and we cannot guarantee absolute security.

If you believe your account or personal information has been compromised, contact security@venuestatus.com immediately.


11. International users

VenueStatus is operated from the United States. If you access the Service from outside the US, your information will be transferred to, stored in, and processed in the US and other countries where our service providers operate. By using the Service, you consent to such transfers. EEA transfers rely on Standard Contractual Clauses where applicable.


12. Changes to this policy

We may update this Privacy Policy from time to time. The "Effective Date" at the top reflects the latest revision. Material changes will be announced via in-app notification to Org Admins and (where reasonable) by notice on venuestatus.com. Continued use of the Service after the effective date constitutes acceptance of the updated policy.


13. Contact us

For privacy questions, requests, or complaints: