Legal

Privacy Policy

How we collect, use, protect, and share your information. Written in plain English wherever the law allows, and in careful legal language where it does not.

Last updated: [DATE — must be filled in] · Effective date: [DATE]

⚠ Draft Notice. This privacy policy is a working draft. Items in [BRACKETS] must be replaced with your actual business details (legal entity name, address, DPO/EU representative contact, hosting region, etc.) before this policy is published. Have a qualified privacy attorney review the final version before it goes live.

1. Introduction & who we are

This Privacy Policy explains how [LEGAL ENTITY NAME], doing business as "The Booth Pulse" (together with our affiliates, "The Booth Pulse," "we," "us," or "our"), collects, uses, discloses, and protects personal information when you visit our website, use our software-as-a-service platform, or otherwise interact with us (collectively, the "Services").

Our registered office is located at [REGISTERED BUSINESS ADDRESS]. If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, our EU/UK representative for purposes of the General Data Protection Regulation (GDPR) and UK GDPR is [EU REPRESENTATIVE NAME AND ADDRESS]. If you are located in Canada, our Chief Privacy Officer for purposes of the Personal Information Protection and Electronic Documents Act (PIPEDA) and Quebec's Law 25 is [DPO NAME], reachable at [dpo@yourdomain.com].

By using the Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of it, please do not use the Services.

2. Scope of this policy

This policy applies to personal information we collect through:

  • Our website at [www.yourdomain.com] and all associated subdomains.
  • Our web application, mobile applications, and any related APIs.
  • Email, chat, phone, or other direct communications you have with us.
  • Third-party services you connect to your account (such as payment processors, e-commerce platforms, and analytics providers).

It does not apply to third-party websites, applications, or services that we link to but do not operate. Those third parties have their own privacy practices, and we are not responsible for them.

3. Information we collect

3.1 Information you provide directly to us

  • Account information: Your name, email address, password (stored as a salted cryptographic hash — we never see your plaintext password), business name, and profile photo if you provide one.
  • Billing information: Payment card details, billing address, and tax ID where applicable. Payment card numbers are collected and stored exclusively by our payment processor, Stripe, Inc. We receive only a truncated token identifier — we never see or store your full card number.
  • Business content you upload: Inventory records (artwork titles, images, dimensions, materials, prices), sales records, customer contact information (names, emails, phone numbers, and notes), commission details, festival records, expense receipts, follow-up notes, and any other content you enter into the Services.
  • Communications: Messages you send us through email, in-app chat, contact forms, or customer support requests.

3.2 Information collected automatically

  • Device and connection data: IP address, browser type and version, operating system, referring URL, device identifiers, and language settings.
  • Usage data: Pages viewed, features used, time spent, click paths, error logs, and diagnostic data used to detect bugs and improve the Services.
  • Cookies and similar technologies: See Section 13 — Cookies & tracking.

3.3 Information from third-party integrations

If you connect a third-party platform to your account (see Section 7), we receive information from that platform as authorized by you, subject to that platform's own privacy policy and terms. Examples include transaction records from Stripe or Square, order data from Shopify, and site analytics from WordPress or Wix.

3.4 Information we do not knowingly collect

  • Government-issued identification numbers (except tax IDs you voluntarily provide for billing).
  • Biometric identifiers.
  • Health or medical information.
  • Precise geolocation data (we use approximate, IP-derived location only).
  • Information from users we know to be under the age of 16.

4. How we use your information

We use the personal information we collect for the following purposes only:

  • Providing the Services: Creating and maintaining your account, storing and displaying your business data, computing analytics on your data for your own dashboards, sending transactional emails (password resets, receipts, service notifications), and providing customer support.
  • Improving the Services: Analyzing aggregated, de-identified usage patterns to improve features, fix bugs, and develop new functionality. We do not train machine learning models on your customer lists, contact information, private notes, or any other content that identifies your buyers or contacts.
  • Billing and payment: Processing subscription payments through Stripe and, where applicable, other payment processors listed in Section 6.
  • Security and fraud prevention: Detecting, investigating, and preventing security incidents, fraud, abuse, unauthorized access, and violations of our Terms of Service.
  • Legal compliance: Complying with applicable laws, responding to lawful requests from public authorities, enforcing our agreements, and protecting our rights and the rights of others.
  • Marketing (with consent where required): Sending you occasional product updates, tips for using the Services, and educational content about running an art business. You can opt out of marketing emails at any time by clicking the unsubscribe link in any such email.

We do not sell your personal information to third parties. We do not share your personal information with third parties for cross-context behavioural advertising. We do not disclose your customer lists, follow-up notes, or business content to other users, competitors, aggregators, or data brokers.

If you are located in the EEA, the UK, or Switzerland, our legal bases for processing your personal information under the GDPR and UK GDPR are:

  • Performance of a contract (Art. 6(1)(b) GDPR) — to provide the Services you subscribed to.
  • Legitimate interests (Art. 6(1)(f) GDPR) — for improving the Services, ensuring security, and communicating with you about your account. We have assessed that our legitimate interests are not overridden by your rights and freedoms.
  • Consent (Art. 6(1)(a) GDPR) — for non-essential cookies, marketing communications where required, and any processing that requires explicit consent. You may withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c) GDPR) — to comply with applicable tax, accounting, anti-money-laundering, and other legal requirements.

6. How we share information & subprocessors

We share personal information only with the categories of recipients listed below, and only to the extent necessary for the purposes described in this policy. All subprocessors are contractually required to protect your information at a standard no less protective than this policy, are bound by data processing agreements that meet GDPR Article 28 requirements, and are prohibited from using your information for their own purposes.

6.1 Current subprocessors

Subprocessor Purpose Data processed Location
Supabase Inc. Database hosting, authentication, storage All account & business content United States [CONFIRM REGION]
Stripe, Inc. Subscription billing and payment processing Payment method, billing address, tax ID United States, EU
[EMAIL PROVIDER — e.g. Postmark, SendGrid] Transactional email delivery Email address, message content United States, EU
[HOSTING/CDN — e.g. Cloudflare, Vercel] Content delivery, DDoS protection, edge caching IP address, request metadata Global edge network
[SUPPORT PLATFORM — if used] Customer support ticketing Email, support conversation content United States

An up-to-date list of subprocessors is maintained at [www.yourdomain.com/subprocessors]. We will provide at least 30 days' advance notice of the addition or replacement of any subprocessor with material access to personal information.

6.2 Other categories of recipients

  • Legal and regulatory authorities — when required by valid legal process (subpoena, court order, or other lawful demand). We will contest overbroad requests and, unless legally prohibited, notify you of any such request affecting your data.
  • Advisors — accountants, auditors, insurers, and legal counsel who are bound by professional confidentiality obligations.
  • Business transferees — if we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, personal information may be transferred as part of that transaction, subject to standard confidentiality protections. You will be notified of any such change of control.

7. Third-party platform integrations

The Booth Pulse offers optional integrations with the following third-party platforms. These integrations are entirely at your discretion. When you connect a third-party platform to your account, you authorize us to exchange information with that platform for the purposes you have selected.

Important legal notice: The third-party platforms listed below are independent businesses that we do not own, operate, or control. Their handling of your personal information is governed by their own terms of service and privacy policies, not by this Privacy Policy. We are not responsible for their acts, omissions, security practices, data breaches, or downtime. Before connecting any third-party platform, please review its own privacy policy carefully. Your use of any third-party platform is at your own risk.

7.1 Payment processors

  • Stripe, Inc. — When you subscribe to a paid plan, when your customers purchase artwork through your public portfolio, or when you accept commissions, payments are processed by Stripe. We share the transaction amount, currency, and a customer identifier with Stripe. Stripe's privacy policy: stripe.com/privacy.
  • PayPal Holdings, Inc. — If you enable PayPal as a payment option, transaction data will be shared with PayPal in accordance with your PayPal account settings. Privacy policy: paypal.com/legalhub/privacy-full.
  • Block, Inc. (Square) — If you import Square transaction data or enable Square as a checkout option, order, transaction, and refund data is shared with Block, Inc. Privacy policy: squareup.com/legal/general/privacy.

7.2 E-commerce & website platforms

  • Shopify Inc. — If you connect a Shopify store, we import product listings, order history, and customer data as authorized by you. Privacy policy: shopify.com/legal/privacy.
  • Squarespace, Inc. — If you connect a Squarespace site, we import inventory and order data as authorized by you. Privacy policy: squarespace.com/privacy.
  • Wix.com Ltd. — If you connect a Wix site, we import inventory and order data as authorized by you. Privacy policy: wix.com/about/privacy.
  • WordPress / Automattic Inc. — If you connect a WordPress or WooCommerce site, we import inventory, order, and analytics data as authorized by you. Privacy policy: automattic.com/privacy.

7.3 Your responsibilities when using third-party integrations

You are solely responsible for:

  • Ensuring that you have all necessary rights, consents, and lawful bases to share data with us from the third-party platforms you connect. This includes any consent required from your own customers under GDPR, CCPA/CPRA, PIPEDA, or other applicable law.
  • Reviewing and accepting the terms of service and privacy policies of each third-party platform you connect.
  • Configuring the permissions and scopes granted to The Booth Pulse when authorizing an integration.
  • Notifying us promptly if you revoke authorization from a third-party platform, so that we can cease attempting to sync data.

You agree to indemnify and hold The Booth Pulse harmless from any claim, loss, liability, or expense (including reasonable attorneys' fees) arising from your failure to comply with the obligations in this Section 7.3, from any breach of the third-party platform's terms of service caused by your use of our integrations, or from any dispute between you and a third-party platform.

8. Your privacy rights by jurisdiction

Depending on where you live, you may have specific rights under applicable data protection law. To exercise any of the rights below, contact us at [privacy@yourdomain.com]. We will respond within the timeframes required by applicable law — generally 30 days (GDPR, PIPEDA) or 45 days (CCPA/CPRA). We may extend this by an additional period where legally permitted; we will notify you if we do.

We will verify your identity before responding to any request, using reasonable procedures proportionate to the sensitivity of the data. We will not discriminate against you for exercising any of these rights (for example, by denying you Services or charging different prices).

If you are in the European Economic Area, the United Kingdom, or Switzerland (GDPR / UK GDPR)

  • Right of access — obtain a copy of the personal data we hold about you.
  • Right to rectification — correct inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten") — request deletion of your data, subject to legal retention obligations.
  • Right to restriction of processing — limit how we use your data in specific circumstances.
  • Right to data portability — receive your data in a structured, machine-readable format (CSV or JSON).
  • Right to object — object to processing based on legitimate interests or for direct marketing.
  • Rights related to automated decision-making — see Section 15.
  • Right to withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint — with your local supervisory authority, or with the Irish Data Protection Commission as our lead EU supervisory authority [CONFIRM WITH COUNSEL].

If you are in Canada (PIPEDA and Quebec Law 25)

  • Right to access and correction of your personal information held by us.
  • Right to withdraw consent to the collection, use, or disclosure of your information (subject to legal or contractual limitations).
  • Right to data portability under Quebec's Law 25, effective September 2024.
  • Right to be informed when your information is used for automated decision-making that produces significant effects, and the right to request human review.
  • Right to complain to the Office of the Privacy Commissioner of Canada (OPC) or, for Quebec residents, the Commission d'accès à l'information du Québec (CAI).

If you are in California (CCPA / CPRA)

  • Right to know what personal information we collect, the sources, the purposes, and the third parties with whom we share it.
  • Right to delete personal information we collected from you, subject to legal retention obligations.
  • Right to correct inaccurate personal information.
  • Right to opt out of sale or sharing — note that we do not sell your personal information or share it for cross-context behavioural advertising, so this right is preserved by default.
  • Right to limit the use of sensitive personal information.
  • Right to non-discrimination for exercising your CCPA/CPRA rights.
  • You may designate an authorized agent to exercise your rights on your behalf, subject to identity verification.

If you are in Colorado, Connecticut, Virginia, Utah, or another U.S. state with a comprehensive privacy law

  • You have substantially similar rights to those listed under California above, including rights of access, correction, deletion, portability, and opt-out from targeted advertising, sale, and certain forms of profiling.
  • Contact us at [privacy@yourdomain.com] to exercise these rights.
  • If we deny your request, you have the right to appeal by replying to our response.

9. Data security

We implement industry-standard technical and organizational measures designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit using TLS 1.2 or higher.
  • Encryption of data at rest in our production database.
  • PostgreSQL Row Level Security (RLS) policies that enforce access controls at the database level, so that each user can only access data belonging to their own account.
  • Salted, one-way cryptographic hashing of passwords using industry-standard algorithms. We do not store plaintext passwords.
  • Two-factor authentication (available for all accounts).
  • Regular security reviews of our code, dependencies, and infrastructure.
  • Access to production systems restricted to authorized personnel on a least-privilege basis, with all access logged.

Notwithstanding these measures, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security. If we become aware of a security breach affecting your personal information, we will notify you and any relevant supervisory authority in accordance with applicable law (generally within 72 hours for GDPR, and as soon as reasonably practicable under other applicable laws).

10. Data retention

We retain your personal information only for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required or permitted by law.

  • Account data: retained for the life of your account, plus a grace period of 30 days after account deletion to allow for accidental-deletion recovery. After 30 days, active-system data is permanently purged. Backup copies are purged in accordance with our backup rotation schedule, which does not exceed 90 days.
  • Billing and tax records: retained for the period required by applicable tax and accounting law (generally 6–7 years in the U.S., Canada, and most EU jurisdictions).
  • Security and audit logs: retained for up to 12 months for security investigations and legal defence.
  • Support communications: retained for up to 24 months to help us provide continuity of service and improve our support.

11. International data transfers

The Booth Pulse is operated from [COUNTRY OF OPERATION], and our primary data storage is located in [REGION]. If you access the Services from outside [REGION], your personal information will be transferred to and processed in [REGION], where data protection laws may be different from those of your jurisdiction.

For transfers of personal data from the EEA, the UK, or Switzerland to countries not deemed adequate by the European Commission or the UK Government, we rely on the following safeguards, as applicable:

  • The European Commission's Standard Contractual Clauses (2021/914), with any required addenda for UK transfers.
  • The UK Information Commissioner's International Data Transfer Addendum, where applicable.
  • The EU-U.S. Data Privacy Framework (where applicable to specific U.S. subprocessors).
  • Transfer impact assessments where required by applicable law.

A copy of the applicable safeguards can be requested at [privacy@yourdomain.com].

12. Children's privacy

The Services are not directed to individuals under the age of 16, and we do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 16 without verified parental consent, we will delete that information as soon as reasonably practicable. If you believe we may have collected information from a child, please contact us at [privacy@yourdomain.com].

13. Cookies & tracking technologies

We use cookies and similar technologies (such as local storage) for the following purposes:

  • Strictly necessary — to authenticate your session, remember your preferences, and enable core functionality. These cannot be disabled.
  • Analytics — to understand how the Services are used in aggregate. We use privacy-friendly, non-tracking analytics where feasible.
  • Preferences — to remember your settings such as theme, billing frequency, and dashboard layout.

We do not use cookies for cross-site tracking, retargeting, or behavioural advertising. Where consent is required for non-essential cookies (for example, under the EU ePrivacy Directive), we will request it via a cookie banner before setting such cookies. You can control cookies through your browser settings.

14. Do Not Track & Global Privacy Control

Because there is no industry-standard interpretation of the Do Not Track (DNT) browser signal, we do not respond to DNT signals at this time. However, we do honour the Global Privacy Control (GPC) signal as a valid opt-out request under the CCPA/CPRA and similar U.S. state privacy laws for California and other applicable residents.

15. Automated decision-making & artificial intelligence

The Booth Pulse uses statistical models and machine-learning techniques to compute analytics such as revenue trends, sell-through rates, projected festival ROI, and pricing suggestions on the data you provide. These computations are:

  • Performed exclusively on your own account data, for your own dashboards.
  • Not used to make decisions that produce legal or similarly significant effects on you or on third parties.
  • Presented as recommendations only. You retain full control over all business, pricing, and customer-facing decisions.

We do not train foundation models on your customer lists, contact information, private notes, or other content that identifies your buyers or contacts. If in the future we develop features that rely on training against aggregated, de-identified customer data, we will obtain your explicit, opt-in consent before doing so, and we will describe those features clearly in an updated version of this policy.

If you are subject to GDPR, PIPEDA, or Quebec Law 25 and believe that any automated processing we perform produces a legal or similarly significant effect on you, you have the right to request human review, to express your point of view, and to contest the decision. Contact [privacy@yourdomain.com].

16. Limitations of liability & user representations

16.1 Your representations and warranties

By using the Services, you represent, warrant, and covenant to us that:

  • You are at least 18 years of age (or the age of legal majority in your jurisdiction) and have full legal capacity to enter into a binding agreement.
  • All information you provide to us is accurate, current, and complete, and you will keep it up to date.
  • You have all necessary rights, consents, licences, and lawful bases to upload, share, and process any personal information about third parties (including your own customers) through the Services. This includes any consent required under GDPR, CCPA/CPRA, PIPEDA, Quebec Law 25, CAN-SPAM, CASL, or other applicable law.
  • Your use of the Services complies with all applicable laws, regulations, and third-party terms of service (including those of any integration partner you connect).
  • You will not use the Services to store, process, or transmit any information the sharing of which is prohibited or restricted by law (including special categories of personal data under GDPR Article 9, protected health information under HIPAA, or payment card data outside of authorized PCI DSS scope).
  • You will not attempt to reverse-engineer, decompile, or otherwise derive the source code of the Services, circumvent security measures, or access any system for which you do not have authorization.

16.2 Indemnification

To the fullest extent permitted by applicable law, you agree to defend, indemnify, and hold harmless The Booth Pulse, its affiliates, and their respective officers, directors, employees, agents, licensors, and suppliers from and against any and all claims, damages, obligations, losses, liabilities, costs, or debt, and expenses (including but not limited to reasonable attorneys' fees) arising from:

  • Your access to or use of the Services.
  • Your violation of this Privacy Policy, our Terms of Service, or any applicable law.
  • Your violation of any third-party right, including any intellectual property right, publicity right, confidentiality right, or privacy right of any of your own customers, contacts, or the terms of any third-party platform you connect (Shopify, Squarespace, Wix, WordPress, PayPal, Stripe, Block/Square, or others).
  • Any claim by a third party that your content, business data, or your use of the Services caused damage to that third party.
  • Any dispute between you and any of your customers, contacts, or third-party integration partners.

16.3 Disclaimer of warranties

THE SERVICES ARE PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE. TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, THE BOOTH PULSE DISCLAIMS ALL WARRANTIES, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND ANY WARRANTIES ARISING FROM COURSE OF DEALING OR USAGE OF TRADE.

WITHOUT LIMITING THE FOREGOING, WE DO NOT WARRANT THAT: (I) THE SERVICES WILL BE UNINTERRUPTED, SECURE, OR ERROR-FREE; (II) DEFECTS WILL BE CORRECTED; (III) ANALYTICS, RECOMMENDATIONS, OR PROJECTIONS PROVIDED BY THE SERVICES WILL BE ACCURATE, RELIABLE, OR SUITABLE FOR ANY PARTICULAR PURPOSE; OR (IV) THIRD-PARTY INTEGRATIONS WILL PERFORM AS EXPECTED. YOU ACKNOWLEDGE THAT ANY BUSINESS OR FINANCIAL DECISION YOU MAKE IN RELIANCE ON THE SERVICES IS AT YOUR SOLE RISK.

16.4 Limitation of liability

TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL THE BOOTH PULSE, ITS AFFILIATES, OR THEIR RESPECTIVE OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, LICENSORS, OR SUPPLIERS BE LIABLE FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, EXEMPLARY, OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO LOSS OF PROFITS, LOSS OF REVENUE, LOSS OF BUSINESS OPPORTUNITY, LOSS OF DATA, LOSS OF GOODWILL, OR THE COST OF SUBSTITUTE SERVICES, ARISING OUT OF OR IN CONNECTION WITH YOUR USE OF THE SERVICES, WHETHER BASED IN CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, OR ANY OTHER LEGAL THEORY, AND WHETHER OR NOT WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

IN NO EVENT SHALL OUR AGGREGATE LIABILITY TO YOU FOR ALL CLAIMS ARISING OUT OF OR RELATING TO THE SERVICES EXCEED THE GREATER OF (I) THE AMOUNTS YOU HAVE PAID TO US FOR THE SERVICES IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM, OR (II) ONE HUNDRED U.S. DOLLARS (USD $100).

Some jurisdictions do not allow the exclusion or limitation of certain damages, so some of the above limitations may not apply to you. Nothing in this Privacy Policy limits any rights that cannot be limited under applicable consumer protection law, and nothing here excludes liability for fraud, gross negligence, wilful misconduct, or personal injury caused by negligence.

16.5 Third-party integrations and platforms

You expressly acknowledge and agree that:

  • The Booth Pulse is not affiliated with, endorsed by, or partnered with Shopify Inc., Squarespace Inc., Wix.com Ltd., Automattic Inc., PayPal Holdings Inc., Stripe Inc., or Block Inc., except as expressly stated in this policy or through a duly executed partnership agreement.
  • We are not responsible for the availability, accuracy, or reliability of any third-party platform, or for any damages or losses caused by that platform.
  • Any dispute you have with a third-party platform must be resolved directly with that platform.
  • We reserve the right to modify, suspend, or discontinue any integration at any time, with or without notice, without liability to you.

17. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, our Services, or applicable law. When we do, we will update the "Last updated" date at the top of this page. If we make material changes that affect your rights or how we handle your information, we will notify you by email (to the address associated with your account) and by an in-app notice at least 30 days before the changes take effect. Your continued use of the Services after the effective date of the updated policy constitutes acceptance of the updated policy.

We will retain prior versions of this policy for reference. Contact us at [privacy@yourdomain.com] if you would like a copy of an earlier version.

18. How to contact us

For any questions about this Privacy Policy, to exercise any of your rights, or to raise any privacy concern, please contact:

Privacy Team
The Booth Pulse
[REGISTERED BUSINESS ADDRESS]
Email: [privacy@yourdomain.com]

EU/UK/EEA users may also contact our EU representative at [EU REPRESENTATIVE CONTACT].

Canadian users may also contact our Chief Privacy Officer at [dpo@yourdomain.com].

California users may also submit privacy requests via our Do Not Sell or Share My Personal Information page, or by calling our toll-free line at [US TOLL-FREE NUMBER] where required by law.

You have the right to lodge a complaint with a supervisory authority:

  • EU: Your local Data Protection Authority, or our lead supervisory authority, the [LEAD DPA — e.g. Irish Data Protection Commission].
  • UK: The Information Commissioner's Office (ICO), ico.org.uk.
  • Canada: The Office of the Privacy Commissioner of Canada, priv.gc.ca. Quebec residents: the Commission d'accès à l'information du Québec.
  • California: The California Privacy Protection Agency (CPPA) or the California Attorney General.