Privacy Policy | Peak Venue

1. Introduction & Scope

Peak Venue, Inc. ("Peak Venue," "we," "us," or "our") operates a software-as-a-service platform that helps wedding and event venues manage events, guest lists, RSVPs, seating charts, emails, wedding websites, decor, vendors, and more. This Privacy Policy explains how we collect, use, disclose, and protect personal information when you use our website, applications, and services (collectively, the "Services").

Our Services involve three types of users:

Venues — Wedding and event venues that subscribe to Peak Venue and use the platform to manage their business and events.
Couples — Individuals invited by venues to manage their own event details, guest lists, wedding websites, and more through a dedicated dashboard.
Guests — Individuals who provide personal information through RSVP forms, wedding websites, or other event-related interactions.

Our role in data processing: For guest personal data, Peak Venue acts as a data processor, handling information on behalf of and under the instructions of venues and couples (who are the data controllers). For venue and couple account data, billing information, and platform usage data, Peak Venue acts as a data controller.

By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please do not use the Services.

2. Information We Collect

2.1 Information You Provide

Venue accounts: Business name, contact information, address, phone number, website URL, billing and payment information, team member details, venue photos, documents, and policies.
Couple accounts: Names, email addresses, phone numbers, event dates and details, wedding website content, seating arrangements, vendor information, decor selections, budget data, and timeline information.
Guest data via forms: Names, email addresses, phone numbers, mailing addresses, dietary restrictions and allergies, RSVP responses, meal selections, plus-one information, attendance preferences for sub-events, and any additional information collected through custom RSVP form fields.
Wedding website content: Text, photos, event schedules, travel information, and any other content couples add to their wedding websites.
Communications and support: Messages you send to us, support requests, feedback, and any other information you provide when contacting us.
Other event data: Seating chart configurations, decor inventory and selections, vendor contacts and contracts, document uploads, and AI chatbot training documents.

2.2 Information Collected Automatically

Device and browser information: Device type, operating system, browser type and version, screen resolution, and language preferences.
Network information: IP address, approximate geographic location (derived from IP), and internet service provider.
Cookies and similar technologies: We use cookies and local storage to maintain sessions, remember preferences, and support platform functionality. See Section 5 for details.
Usage data and analytics: Pages visited, features used, clicks, interactions, time spent on pages, and navigation paths, collected via analytics tools.
Email interaction data: Email open rates, click-through rates, bounce information, and delivery status, collected via our email service provider.

2.3 Information from Third Parties

Stripe: Payment confirmation status, subscription details, and billing-related information (we do not store full credit card numbers).
Supabase: Authentication tokens and user identity information.
Social login providers: If you sign in using a social account, we receive your name, email address, and profile information as permitted by your social account settings.

3. How We Use Information

We use the information we collect to:

Provide and operate the Services: Create and manage accounts, process RSVPs, manage guest lists, generate wedding websites, build seating charts, manage decor selections, and facilitate all platform features.
Process payments: Handle subscription billing, process payments through Stripe, manage invoices, and maintain billing records.
Send emails on behalf of users: Deliver emails that venues and couples compose and schedule through the platform, including RSVP confirmations, event updates, and custom messages to guests.
Power AI features: Operate the AI venue chatbot (powered by OpenAI) to answer questions from couples and guests based on venue-uploaded documents and event information.
Analytics and improvements: Understand how users interact with the platform (via analytics tools), identify trends, fix bugs, and improve the Services.
Customer support: Respond to inquiries, troubleshoot issues, and provide assistance.
Security and fraud prevention: Detect, prevent, and respond to security incidents, fraud, and abuse.
Legal compliance: Comply with applicable laws, regulations, legal processes, and governmental requests.

Important: Guest personal data is not used for AI model training without explicit consent. We do not feed guest names, emails, phone numbers, addresses, or other personal data into AI training datasets. Anonymized and aggregated data (which cannot identify individuals) may be used to improve platform features and performance.

We do NOT sell personal information. We have never sold personal information and have no plans to do so.

We may share information in the following circumstances:

4.1 Service Providers

We share information with trusted third-party service providers who assist us in operating the Services:

Supabase — Database hosting, authentication, and file storage (US servers).
Stripe — Payment processing and subscription management.
Resend — Email delivery on behalf of venues and couples.
OpenAI — AI chatbot processing. Venue documents and event information are sent to OpenAI to generate chatbot responses. OpenAI's API data usage policy applies.
Mixpanel — Client-side analytics and usage tracking.
Vercel — Application hosting and serverless infrastructure.

4.2 Between User Types

The platform facilitates data sharing between user types as part of its core functionality:

Guest data (RSVP responses, contact information, meal selections, etc.) is accessible to the couple managing the event and the venue hosting the event.
Couple event information is accessible to the venue that invited them.
Wedding website content is publicly accessible to anyone with the website URL.

4.3 Legal Requirements

We may disclose information if required by law, subpoena, court order, or other legal process, or if we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.

4.4 Business Transfers

If Peak Venue is involved in a merger, acquisition, bankruptcy, or sale of all or a portion of its assets, your information may be transferred as part of that transaction. We will notify you of any such change via email and/or a prominent notice on the Services.

4.5 With Your Consent

We may share information for other purposes with your explicit consent.

5. Cookies and Tracking

We use the following types of cookies and tracking technologies:

Essential cookies: Required for authentication, session management, and core platform functionality. These cannot be disabled.
Analytics cookies (Mixpanel): Help us understand how users interact with the platform, which features are most popular, and where users encounter issues. These are client-side only.
Functionality cookies: Remember your preferences, such as theme settings and language.
Email tracking pixels (Resend): Small transparent images embedded in emails sent through the platform that allow us to track whether an email was opened and which links were clicked. This data is provided to venues and couples who sent the email.

Managing cookies: You can control cookies through your browser settings. Most browsers allow you to block or delete cookies. Note that blocking essential cookies may impair platform functionality.

Global Privacy Control: We honor Global Privacy Control (GPC) signals. If your browser sends a GPC signal, we will treat it as a valid opt-out request for the sale or sharing of personal information, as applicable under state privacy laws.

6. Data Retention

We retain personal information only as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

Venue data: Retained while your subscription is active, plus 12 months after cancellation to allow for reactivation. After this period, data is permanently deleted upon request or at the end of the retention window.
Couple data: Retained while the associated event is active, plus 12 months after the event date to support post-event needs (thank-you notes, address exports, etc.).
Guest data: Retained while the associated event is active. Deleted upon request or after the applicable retention period following the event date. Guest data may be deleted sooner at the request of the couple or venue managing the event.
Billing and payment records: Retained for 7 years as required by applicable tax and financial regulations.
Analytics data: Aggregated and anonymized analytics data (which cannot identify individuals) may be retained indefinitely for trend analysis and platform improvement.
Email logs: Email delivery records, open/click tracking, and message metadata are retained for 2 years.

7. Data Security

We implement appropriate technical and organizational measures to protect personal information against unauthorized access, alteration, disclosure, or destruction.

Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS/HTTPS.
Encryption at rest: Data stored in our database is encrypted at rest using industry-standard encryption provided by our infrastructure providers.
Row-Level Security: Our database uses row-level security policies to ensure that users can only access data they are authorized to view.
Access controls: Role-based access controls (Owner, Manager, Viewer) limit what team members can see and do within a venue account.
Incident response: In the event of a data breach, we will notify affected users and relevant authorities without unreasonable delay, in accordance with applicable law.

While we strive to protect your personal information, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.

8. Your Rights

Depending on your location and applicable law, you may have the following rights regarding your personal information:

8.1 All Users (Venues, Couples, and Guests)

Access: Request a copy of the personal information we hold about you.
Correction: Request correction of inaccurate or incomplete information.
Deletion: Request deletion of your personal information, subject to legal retention requirements.
Opt out of marketing: Unsubscribe from marketing communications at any time.
Data export: Request an export of your data in a portable format.

8.2 Guests

In addition to the rights above, guests may:

Unsubscribe from event-related emails by clicking the unsubscribe link included in every email.
Request deletion of their personal information by contacting us or the couple/venue managing their event.

8.3 Exercising Your Rights

To exercise any of these rights, please contact us at privacy@thepeakvenue.com. We will respond to verified requests within 30 days. We may need to verify your identity before processing your request.

9. Email Communications

Peak Venue sends and facilitates several types of email communications:

9.1 Platform Emails (Transactional)

Account-related notifications, including signup confirmations, password resets, billing receipts, subscription changes, invitation links, and security alerts. These are essential to the operation of your account and cannot be opted out of while you maintain an active account.

9.2 Event Emails

Emails composed by venues and couples and sent to guests through the platform. These include RSVP confirmations, event updates, reminders, and custom messages. These emails are sent on behalf of venues and couples (not Peak Venue), and guests can unsubscribe from event-related emails using the unsubscribe link included in every message.

9.3 Compliance

All emails sent through the platform comply with the CAN-SPAM Act. Every non-transactional email includes a clear unsubscribe mechanism, accurate sender identification, and a valid physical mailing address.

10. CCPA / California Privacy Rights

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights regarding your personal information.

10.1 Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories of personal information:

Identifiers (names, email addresses, phone numbers, mailing addresses, IP addresses)
Commercial information (subscription and billing records)
Internet or electronic network activity (usage data, browsing history on our platform)
Geolocation data (approximate location from IP address)
Inferences drawn from other personal information (analytics and usage patterns)

10.2 Your California Rights

Right to Know / Access: You may request that we disclose the categories and specific pieces of personal information we have collected about you.
Right to Delete: You may request that we delete the personal information we have collected about you, subject to certain exceptions.
Right to Correct: You may request that we correct inaccurate personal information we maintain about you.
Right to Opt Out of Sale/Sharing: We do not sell or share personal information for cross-context behavioral advertising. Therefore, there is no need to opt out, but we honor such requests regardless.
Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

10.3 Authorized Agents

You may designate an authorized agent to submit a privacy request on your behalf. We will require verification of both your identity and the agent's authority to act on your behalf.

10.4 California Shine the Light

Under California Civil Code Section 1798.83, California residents may request information about our disclosure of personal information to third parties for their direct marketing purposes. As stated above, we do not disclose personal information to third parties for their direct marketing purposes.

11. Other US State Privacy Laws

If you reside in Virginia, Colorado, Connecticut, or other states with comprehensive privacy legislation, you may have additional rights:

11.1 Virginia Consumer Data Protection Act (VCDPA)

Virginia residents have the right to:

Access and obtain a copy of their personal data.
Correct inaccuracies in their personal data.
Delete their personal data.
Obtain a portable copy of their personal data.
Opt out of targeted advertising, sale of personal data, and profiling.

11.2 Colorado Privacy Act (CPA)

Colorado residents have the right to:

Access, correct, and delete their personal data.
Obtain a portable copy of their personal data.
Opt out of targeted advertising, sale of personal data, and certain profiling.

11.3 Connecticut Data Privacy Act (CTDPA)

Connecticut residents have the right to:

Access, correct, and delete their personal data.
Obtain a portable copy of their personal data.
Opt out of targeted advertising, sale of personal data, and profiling.

11.4 Appeal Process

If we decline to take action on a privacy request, you may appeal our decision by contacting us at privacy@thepeakvenue.com with the subject line "Privacy Appeal." We will respond to your appeal within the timeframe required by applicable law (typically 60 days). If your appeal is denied, you may contact your state attorney general.

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) or equivalent legislation provides additional protections.

12.1 Lawful Bases for Processing

We process personal data on the following legal bases:

Performance of a contract: Processing necessary to provide the Services you have requested (e.g., managing your account, processing RSVPs, delivering email on your behalf).
Legitimate interests: Processing necessary for our legitimate business interests, such as improving the Services, preventing fraud, and ensuring security, where those interests are not overridden by your rights.
Consent: Where you have given explicit consent for specific processing activities, such as receiving marketing communications or enabling optional analytics.
Legal obligation: Processing necessary to comply with applicable laws and regulations.

12.2 Data Subject Rights

Under the GDPR, you have the right to:

Access your personal data and receive a copy.
Rectify inaccurate or incomplete personal data.
Erase your personal data ("right to be forgotten").
Restrict the processing of your personal data.
Data portability — receive your data in a structured, machine-readable format.
Object to processing based on legitimate interests or direct marketing.
Withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal.

12.3 Complaints

You have the right to lodge a complaint with a supervisory authority in the EU/EEA member state of your habitual residence, place of work, or place of the alleged infringement. We encourage you to contact us first so we can attempt to resolve your concern.

12.4 International Data Transfers

Your personal data is processed and stored in the United States. If you are located outside the United States, your data will be transferred to the US for processing. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other legally recognized transfer mechanisms, to ensure adequate protection for international data transfers where required.

13. Children's Privacy

Peak Venue is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under the age of 13. If we become aware that we have inadvertently collected personal information from a child under 13, we will take steps to delete that information as promptly as possible, in compliance with the Children's Online Privacy Protection Act (COPPA).

We do not sell the personal information of consumers under the age of 16.

If you are a parent or guardian and believe that your child has provided us with personal information, please contact us at privacy@thepeakvenue.com.

14. Third-Party Links

The Services may contain links to third-party websites, including links that couples add to their wedding websites (e.g., gift registries, travel booking sites, accommodation providers). We are not responsible for the privacy practices, content, or security of any third-party websites or services. We encourage you to review the privacy policies of any third-party sites you visit.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes:

We will update the "Last Updated" date at the top of this page.
For material changes, we will provide notice via email to account holders and/or a prominent notice within the Services.
Material changes will be prominently noted with a summary of what changed.

Your continued use of the Services after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: privacy@thepeakvenue.com
Mail: Peak Venue, Inc., Attn: Privacy, 2713 Rutgers Ct, Richmond, VA 23233
Data Protection Contact: privacy@thepeakvenue.com

We will make every effort to respond to your inquiry within 30 days.