SetVenue Privacy Policy
Last updated: 2026-05-26 Effective date: [EFFECTIVE DATE]
Plain-English Summary
SetVenue is a U.S. marketplace where people book hourly venues for film and photography productions, events, and similar professional uses. This Privacy Policy explains, in legal terms, what we do with your personal information. Here is the short version, in plain English:
- We collect what we need to run the Service. Your name, email, optional phone number, the listings you create or book, the messages you exchange with the other side of a Booking, photos you upload to document a property's condition, and basic technical data such as IP address and server logs.
- We never see your card number or your full bank details. Stripe handles payment data and Host identity verification directly. We hold a Stripe account reference, not your taxpayer ID, not your card.
- We do not sell or "share" your data for advertising. We do not run Facebook Pixel, Google Analytics, Mixpanel, Plausible, or any other behavioral-tracking tag. We do not load any third-party analytics or advertising product on the Service.
- We respect Global Privacy Control (GPC) signals. Because SetVenue does not sell or share your data for advertising, there is nothing GPC needs to disable — but if our practices ever change, GPC will be honored automatically. Browser-level "Do Not Track" has no consistent industry standard, so we do not act on it.
- You have rights. You can ask for a copy of your data, ask us to correct it, ask us to delete it, and (if you live in California, the EEA, the UK, or Switzerland) exercise additional statutory rights described in § 7.
- We keep records as long as the law requires. Booking and tax records — and damage-hold audit logs — are kept for seven years; inspection photos for two years; magic-link tokens for fourteen days; account data is deleted within thirty days of a verified deletion request, subject to legal-retention exceptions.
- You must be 18 to use SetVenue. The Service is not for minors.
This summary is provided for convenience only. The numbered sections below are the operative legal text and control in any conflict.
1. Introduction
This Privacy Policy explains how Set Venue LLC ("SetVenue," "we," "us," or "our") collects, uses, shares, and protects personal information when you use the SetVenue platform at setvenue.com and related services (the "Service").
SetVenue is an online marketplace that connects property owners and operators ("Hosts") with renters ("Guests") who book properties for film and photography productions, events, and similar professional uses. Throughout this Policy, "Guest" includes individuals, sole proprietors, production companies, agencies, and event organizers booking through the Platform. The Service includes account creation, listing management, booking facilitation, payment processing, communications, damage-hold workflows, and inspection-photo handling.
This Policy applies to all users of the Service: visitors, Guests, Hosts, and any other recipient of communications from us in connection with a Booking. It does not apply to third-party services that you may access through links on our site, which are governed by their own privacy policies.
Service availability; U.S.-only intake. The Service is offered exclusively to users physically located in the United States. SetVenue does not offer, market, or accept users from the European Economic Area, the United Kingdom, or Switzerland, and will not knowingly accept account registration, Listing creation, or Booking participation by any data subject located in those jurisdictions until SetVenue (a) has designated a written representative in the European Union under GDPR Article 27 and a written representative in the United Kingdom under UK GDPR Article 27, (b) has updated this Policy to publish the representatives' names and addresses, and (c) has implemented the Standard Contractual Clauses transfer mechanism described in § 7.3 and § 10 for that traffic. If you are located in the EEA, the UK, or Switzerland and nonetheless create an account, you do so on your own initiative against SetVenue's stated availability; SetVenue reserves the right to refuse service, suspend the Account, and decline to process Bookings on that basis, and SetVenue is not the "controller offering services" to you within the meaning of GDPR Article 3(2)(a). SetVenue expressly reserves the right to expand the Service to EEA, UK, or Swiss data subjects in the future upon designation of the representatives required above; until that designation is published, the foregoing prohibition controls and the § 7.3 GDPR / UK GDPR machinery operates as a conditional-on-future-expansion provision rather than as an active commitment to current EU/UK/Swiss processing.
By creating an account, listing a property, booking a venue, or otherwise using the Service, you acknowledge that you have read this Policy. If you do not agree with this Policy, do not use the Service.
For questions or to exercise any rights described below, contact us at privacy@setvenue.com.
2. Information We Collect
We collect personal information in five categories. We collect only what is necessary to operate the Service, fulfill Bookings, prevent fraud, comply with law, and improve the Platform.
2.1 Account Information
When you create an account or interact with the Service, we collect:
- Identity and contact data: name, email address, and (where you choose to provide it) phone number.
- Authentication data: hashed password material and session identifiers stored in secure HttpOnly cookies. We never store passwords in plaintext.
- Role data: whether you are acting as a Guest, Host, or both, and account preferences associated with each role.
- Communications you send to us: support requests, contact-form submissions, partnership inquiries, and message-thread content with counterparties on the Platform.
2.2 Listing Information (Hosts)
When you list a property on SetVenue, we collect:
- Property details: address, neighborhood, square footage, capacity, amenities, rules, and similar descriptive information.
- Photographs and media: images you upload to depict the property, stored in Supabase Object Storage.
- Pricing and availability: rates, fees, blackout dates, and minimum-stay rules.
- Insurance and compliance attestations: declarations made during listing setup.
2.3 Booking Information
When a Booking is created, requested, or fulfilled, we collect:
- Booking metadata: dates, times, total price, deposit amount, fees, status, party size, intended use.
- Guest contact data: the email address (and, if provided, phone number) of the Guest, so the Host can communicate and so we can send transactional notices.
- Messaging: content of messages exchanged between Guest and Host on the Platform, including timestamps and read state.
- Inspection photographs: pre- and post-event photos uploaded by Guests and Hosts to document the condition of the property, stored in Supabase Object Storage.
2.4 Damage-Hold and Dispute Information
When a Damage Hold is opened, contested, or resolved, we collect:
- Damage-hold metadata: stated reason, claimed amount, supporting photographs, and decision outcome.
- Audit trail: timestamps and actor identifiers for each step in the damage-hold workflow, stored in our damage_hold_notification_log table for legal and dispute-resolution purposes.
- Magic-link tokens: when a Guest is asked to accept or contest a Damage Charge Request by email, we generate an HMAC-signed, single-use, server-side-only token that authorizes the Guest to view and respond. These tokens expire fourteen (14) days after issuance for security purposes. The Guest's affirmative-accept window is seven (7) calendar days per the Terms of Service § 9.5; tokens received after the seven-day window will return an "expired window" response notwithstanding cryptographic validity. The longer fourteen-day token expiry exists so that a Guest who clicks the link on or near day seven can still complete the workflow without a re-issuance round-trip.
2.5 Technical and Log Data
We and our hosting providers automatically collect technical information when you use the Service:
- Server logs: IP address, user-agent string, request path and method, response status, and timestamp, generated by our application running on Vercel and our database, authentication, and storage running on Supabase.
- Cookie identifiers: strictly necessary cookies that maintain your session and prevent cross-site request forgery. See the Cookie Policy inventory below for the complete list.
Cookie inventory and route-verification commitment. SetVenue will publish a standalone Cookie Policy at setvenue.com/legal/cookies on or before the Effective Date of this Policy. SetVenue's engineering team will verify, prior to publication, that the /legal/cookies route returns the full Cookie Policy and not a 404 or placeholder. In the event that the standalone Cookie Policy is not published on the Effective Date, the following inventory of strictly necessary cookies controls and is incorporated into this Privacy Policy by this reference:
| Cookie | Purpose | Duration | Category |
|---|---|---|---|
| ds-session | User session authentication for the Guest/Host Account | 30 minutes sliding (SameSite=Lax) | Strictly necessary |
| host-session | Host-session authentication for owner workflows | 24 hours (SameSite=Strict) | Strictly necessary |
| admin-session | Admin-staff session authentication | 8 hours absolute | Strictly necessary |
| csrf-token | Cross-Site Request Forgery protection on state-changing requests | 8 hours | Strictly necessary |
| gcal_oauth_state / gcal_writeback_state / mscal_oauth_state | Short-lived OAuth state tokens during calendar-sync connect flow | ~10 minutes per connect attempt | Strictly necessary |
| sb-* (Supabase SSR) | Supabase Auth session propagation across server/client renders | Session | Strictly necessary |
| __cf_bm (Cloudflare) | Bot-management cookie set by Cloudflare CDN on every request; SetVenue does not control it | 30 minutes (per Cloudflare) | Strictly necessary (third-party) |
SetVenue does not display a cookie consent banner because every cookie above is strictly necessary under the ePrivacy Directive Art. 5(3) "absolutely necessary for the service requested by the user" exemption and EDPB Guidelines 2/2023 ¶¶ 17-24. SetVenue does not set advertising, marketing, social-media, or behavioral-tracking cookies. SetVenue does not currently run third-party analytics products (no Plausible Analytics, no Google Analytics, no Meta Pixel) and uses no persistent device fingerprinting.
Stripe-hosted checkout pages may set Stripe's own cookies during payment; those are governed by Stripe's privacy policy and are unavoidable for payment processing. If SetVenue adds any non-strictly-necessary cookie in the future, SetVenue will update this Policy, publish a corresponding consent mechanism, and provide reasonable advance notice consistent with §11 (Changes to this Policy).
2.6 Information We Do Not Collect
We want to be specific about what is not in our systems:
- Raw payment-card numbers, CVV, or full bank-account numbers. All payment data is collected directly by Stripe through Stripe Elements or hosted Stripe pages. SetVenue never sees, stores, or transmits raw card data. See §5.
- Government identifiers (SSN, EIN, passport number) for Hosts. Host identity-verification data required to receive payouts is collected directly by Stripe Connect Express during onboarding. SetVenue stores only the resulting Stripe account identifier (stripe_account_id) and high-level onboarding status flags. See §5.
- Biometric or genetic information. SetVenue does not collect any biometric identifier (fingerprint, voiceprint, face geometry, retina/iris scan) or genetic data from any User. SetVenue does not implement any facial-recognition or voice-recognition system on the Platform.
- Marketing or social-media tracking pixels. As of the date of this Policy, the Service contains no Facebook Pixel, Google Tag Manager / Google Analytics, Mixpanel, Segment, Amplitude, PostHog, Plausible, or similar third-party advertising or behavioral-tracking tags.
- Precise geolocation. SetVenue does not collect or store precise (GPS-grade) geolocation. Approximate, IP-derived city- or region-level geolocation is processed for fraud-screening and aggregate analytics only and is not retained beyond the relevant operational purpose.
2.7 Sensitive Personal Information; Joint-Controller Posture for Stripe Data
Under California law (Cal. Civ. Code § 1798.140(ae)), "sensitive personal information" includes Social Security and similar government IDs, account-access credentials with security/access codes, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, contents of mail, email, and text messages not directed to the business, and biometric or genetic data. Of these categories, the only category that flows through the SetVenue ecosystem is the taxpayer-identifier and financial-account data that Stripe collects directly from Hosts during Stripe Connect Express onboarding.
Stripe is an independent business / independent controller (not a joint controller) of taxpayer-identifier and financial-account data. Stripe collects this data directly from the Host through Stripe-hosted pages; SetVenue does not collect, see, or retain that data on its own systems. Stripe processes this data for its own purposes (KYC, AML, payment processing, 1099-K issuance) under its own privacy policy and terms with the Host. SetVenue's contractual arrangement with Stripe does not establish joint controllership for purposes of GDPR Article 26 or any analogous California regulation. (See GDPR Art. 26; Schrems II, Case C-311/18, Data Protection Comm'r v. Facebook Ireland Ltd., ECLI:EU:C:2020:559 (16 July 2020); V5 Drafting Commentary, Privacy § 2.7.)
SetVenue is not the controller of any sensitive personal information. Taxpayer-identifier and financial-account data necessary for Host payouts is collected and controlled by Stripe (§ 5); SetVenue does not collect, view, or store that data on its own systems. SetVenue does not itself collect biometric data, genetic data, precise geolocation, or any other category of sensitive personal information enumerated in Cal. Civ. Code § 1798.140(ae). SetVenue does not use or disclose any sensitive personal information for any purpose beyond those permitted under Cal. Civ. Code § 1798.121(a) and 11 C.C.R. § 7027(m); accordingly, no separate "Limit the Use of My Sensitive Personal Information" link is required under Cal. Civ. Code § 1798.121(d). If SetVenue's practices change, this Policy will be updated and the required link will be provided.
2.8 Categories of Personal Information Collected, Sources, and Purposes — Cal. Civ. Code § 1798.130(a)(5)(B) Mapping
This subsection maps the personal information described in §§ 2.1–2.5 to the eleven statutory categories enumerated in Cal. Civ. Code § 1798.140(v), and discloses the categories of sources and the business or commercial purpose for each, as required by Cal. Civ. Code § 1798.130(a)(5)(B) and 11 C.C.R. § 7011(e)(1)(C)–(D). SetVenue is not a "data broker" within the meaning of Cal. Civ. Code § 1798.99.80; SetVenue has a direct relationship with every consumer whose personal information it processes.
| § 1798.140(v) Category | Collected? | Specific fields | Categories of sources | Business or commercial purpose |
|---|---|---|---|---|
| (v)(1)(A) Identifiers (name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, telephone number) | Yes | Name, email address, optional phone number, account ID, IP address | Directly from the consumer at signup; from counterparty Host or Guest in a Booking; automatically from your device when you use the Service | Account creation and authentication; Booking facilitation; Sub-Processor routing (Resend, Supabase, Vercel); fraud prevention and security |
| (v)(1)(B) Personal information under Cal. Civ. Code § 1798.80(e) (signature, physical characteristics or description, telephone number, state ID, insurance policy, education, employment, employment history, bank account, credit card, debit card, or any other financial information, medical information, or health insurance information) | Yes (limited) | Name, telephone number (optional). SetVenue does not collect bank account, credit card, debit card, SSN, ITIN, EIN, signature, or other § 1798.80(e) financial identifiers — these are collected directly by Stripe (§ 2.6, § 2.7, § 5) | Directly from the consumer | Account creation; Booking communications |
| (v)(1)(C) Characteristics of protected classifications under California or federal law (race, religion, sex, gender, age, national origin, disability, citizenship, immigration status, genetic information, marital status, military or veteran status, sexual orientation) | No | None collected | N/A | N/A |
| (v)(1)(D) Commercial information (records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies) | Yes | Booking metadata (dates, total price, deposit, fees, status, party size, intended use); Listings created; Bookings considered or completed; messages exchanged with counterparties | Directly from the consumer; from counterparty Host or Guest in a Booking; automatically from your activity on the Service | Operating the Service; Booking facilitation; payment routing to Stripe; dispute resolution; fraud prevention |
| (v)(1)(E) Biometric information | No | None collected. SetVenue does not implement facial-recognition, voice-recognition, fingerprint, retinal, or other biometric systems | N/A | N/A |
| (v)(1)(F) Internet or other electronic network activity information (browsing history, search history, and information regarding a consumer's interaction with an internet website, application, or advertisement) | Yes (limited) | Request path, response status, user-agent string, server log timestamp. SetVenue does not load Plausible or any other third-party analytics product. | Automatically from your device when you use the Service | Service operation, security, fraud prevention, performance monitoring; aggregate analytics (opt-in only) |
| (v)(1)(G) Geolocation data | Yes (city/region level only) | Approximate, IP-derived city- or region-level geolocation. SetVenue does not collect precise (GPS-grade) geolocation (§ 2.6, § 2.7) | Automatically from your device's IP address | Fraud screening and aggregate analytics only; not retained beyond the operational purpose |
| (v)(1)(H) Audio, electronic, visual, thermal, olfactory, or similar information | Yes (visual only — limited purpose) | Listing photographs uploaded by Hosts; pre- and post-event inspection photographs uploaded by Guests and Hosts; profile or property images. SetVenue does not collect audio, thermal, or olfactory data | Directly from the consumer (Host or Guest upload) | Listing display; condition documentation; damage-hold dispute resolution |
| (v)(1)(I) Professional or employment-related information | Yes (limited) | Where a Guest enters a Corporate booking flow, employer email domain may be processed for Corporate-account verification; production-company or agency name may be provided as part of Booking metadata | Directly from the consumer | Corporate-account verification; Booking facilitation |
| (v)(1)(J) Education information (within the meaning of FERPA, 20 U.S.C. § 1232g; 34 C.F.R. Part 99) | No | None collected | N/A | N/A |
| (v)(1)(K) Inferences drawn from any of the information identified above to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes | Yes (limited) | SetVenue derives operational inferences from Booking history (e.g., whether an account is a repeat Host, whether a Booking pattern triggers fraud-detection signals); SetVenue does not sell, share, or use inferences for cross-context behavioral advertising | Internally derived from the data above; automated content-screening output from Anthropic (§ 3 item 8; § 4.2) | Fraud prevention; service operation; safety; quality assurance |
Categories of sources (summary). SetVenue collects personal information from (a) the consumer directly (at signup, during Booking creation, when uploading listings or photos, and when communicating on the Platform); (b) the counterparty Host or Guest in a Booking; (c) Sub-Processors providing operational status flags (e.g., Stripe communicates "details submitted" / "charges enabled" / "payouts enabled" status flags to SetVenue without disclosing the underlying KYC data); and (d) automatically from the consumer's device or network when the consumer uses the Service (server logs, IP-derived geolocation, cookies).
Categories of recipients. See § 4.7 for the full disclosure of categories of recipients to whom SetVenue discloses each category of personal information.
3. How We Use Information
We use personal information for the following purposes:
1. Operating the Service. Creating and authenticating your account, displaying your Listings, surfacing search results, processing Bookings, and powering messaging between Guests and Hosts.
2. Facilitating payments and payouts. Routing payment information to Stripe and routing host onboarding data to Stripe Connect, so that Bookings can be paid for and Hosts can be paid out. SetVenue does not initiate payments without your action.
3. Damage-hold and inspection workflows. Sending magic-link notices to Guests so they can review and respond to damage claims, recording inspection-photo evidence, and maintaining the audit log required to resolve disputes fairly.
4. Transactional communications. Sending Booking confirmations, payment receipts, host alerts, message-thread notifications, calendar reminders, account-security notices (such as login alerts and session-revocation notices), Damage Charge Request magic-link emails, dispute notices, and similar operational communications. These are "transactional or relationship messages" within the meaning of the CAN-SPAM Act (15 U.S.C. § 7702(17)) and 16 C.F.R. § 316.3 and are not subject to opt-out under § 7704(a)(5). They will be sent for so long as you maintain an Account or have an active Booking, and they cannot be unilaterally opted out without closing your Account. Anti-bundling rule. SetVenue will not bundle promotional or marketing content into transactional emails in a manner that would convert the message from "transactional or relationship" to "commercial" under 15 U.S.C. § 7702(2). Transactional emails will not contain promotional content above the fold; minor cross-references to related Service features (for example, a link to your account dashboard) are operational in nature and not promotional.
5. Marketing communications. Where SetVenue sends marketing or promotional emails (newsletters, feature announcements, optional product offers), those messages comply with the CAN-SPAM Act, will identify themselves as advertisements where required, will include a clear opt-out mechanism that we will honor within ten (10) business days, and will include SetVenue's valid postal address. Opting out of marketing does not affect transactional communications described in item 4 above.
6. Customer support. Responding to questions, troubleshooting issues, and resolving disputes that you raise with us at support@setvenue.com or through other support channels.
7. Platform safety, fraud prevention, and security. Detecting and preventing fraudulent Listings, fraudulent Bookings, payment-card abuse, account takeovers, scraping, harassment, and Terms-of-Service violations. This includes inspecting server logs, IP addresses, and account-behavior signals.
8. Automated content screening. SetVenue uses an automated text-classification service to screen new Listings (and Listing photographs) for policy violations at submission time — for example, scam patterns, off-platform-payment solicitation, prohibited-content categories, and trust-and-safety red flags. The service used is Anthropic, PBC's Claude Haiku 4.5 model (see § 4.2 Sub-Processor table). The model receives the Listing's title, description, category, and photograph metadata; SetVenue does not intentionally submit personal information (no name, no email, no phone, no address fields) to Anthropic. If a Host embeds personal information in free-form Listing description text and the description is submitted for automated screening, the Anthropic Data Processing Addendum governs Anthropic's handling. Where automated screening results in a Listing being declined, the Host may request a human review by contacting support@setvenue.com. SetVenue does not use automated decision-making to materially affect the booking, pricing, or payout of any individual Guest or Host without human review. See also § 7.2 (right to request human review of an automated listing decision).
9. Service improvement. Aggregated, non-identifying analysis of de-identified server logs to understand performance and reliability. SetVenue does not load Plausible or any other third-party analytics product. SetVenue does not use User content for generative-AI model training without separate opt-in consent (see Terms of Service §6.4 and §14.2).
10. Legal compliance. Retaining records necessary to comply with tax, financial, and consumer-protection law; responding to lawful requests from regulators, courts, or law enforcement; and enforcing our Terms of Service, Acceptable Use Policy, and Property Owner Agreement.
We do not use your personal information for cross-context behavioral advertising, and we do not sell your personal information.
4. How We Share Information
We share personal information only in the limited circumstances below.
4.1 With the Counterparty in a Booking
When you book a venue, certain account and Booking information is shared with the other party so the Booking can proceed:
- Guest → Host. Your name, email, and message-thread content; Booking dates, party size, and stated use; inspection photos you upload.
- Host → Guest. Your Listing details, listing photos, contact email for Booking-related communication, and inspection photos you upload.
We do not disclose more than is necessary to complete the Booking. Counterparties are bound by our Terms of Service and Acceptable Use Policy with respect to data they receive through the Platform.
4.2 With Service Providers (Sub-Processors)
We use the following third-party service providers ("Sub-Processors") to operate the Service. Each is bound by contract to process personal information only on our instructions and only for the purposes set out below.
| Provider | Purpose | Categories of data processed | Location | Data-protection terms |
|---|---|---|---|---|
| Vercel, Inc. | Application hosting, edge network, deployment infrastructure | Account, listing, booking, message, and damage-hold data passing through the application; server logs (IP, user-agent, request path) | United States | Vercel Data Processing Addendum (https://vercel.com/legal/dpa) |
| Supabase, Inc. | Postgres database, authentication, object storage for photos and inspection images | All data described in §2 (account, listing, booking, damage-hold, inspection) at rest; storage media | United States | Supabase Data Processing Addendum (https://supabase.com/legal/dpa) |
| Stripe, Inc. (including Stripe Connect Express) | Payment collection from Guests; payouts to Hosts; identity verification of Hosts. Stripe operates as an independent business / independent controller with respect to payment-card and identity-verification data (§ 2.7). | Payment-card and bank-account data (collected directly by Stripe), Host identity-verification data (legal name, address, EIN/SSN, collected directly by Stripe), Booking totals and references | United States | Stripe Data Processing Agreement (https://stripe.com/legal/dpa); Stripe Privacy Policy (https://stripe.com/privacy) |
| Resend, Inc. | Transactional email delivery (booking confirmations, payment receipts, host alerts, damage-hold magic links, inspection-photo magic links, ops alerts) | Recipient email address, sender email address, message body and metadata | United States | Resend Data Processing Addendum (https://resend.com/legal/dpa) |
| Anthropic, PBC | Automated Listing-content screening (text and image moderation) using the Claude Haiku 4.5 classification model at submission time. SetVenue does not intentionally submit personal information; the model receives only Listing title, description, category, and photograph metadata. See § 3 item 8 and § 7.2 (right to request human review of an automated Listing decision). | Listing text content (title, description, category); Listing photograph metadata. No name, email, phone, or address fields are submitted in the ordinary course; if a Host embeds personal information in free-form description text, the Anthropic Data Processing Addendum governs handling. | United States | Anthropic Data Processing Addendum (https://www.anthropic.com/legal/dpa) |
| GitHub, Inc. | Source-code hosting and engineering collaboration. Source code only; no end-user personal data is intentionally committed. SetVenue maintains engineering policies prohibiting commits containing personal information. | Source code only; no end-user personal data in the ordinary course | United States | GitHub Data Protection Agreement (https://github.com/customer-terms/github-data-protection-agreement) |
We may add or change Sub-Processors over time. When we do, we will update this Policy and, where required by law, give advance notice.
Sub-Processor change notice. SetVenue maintains a current list of Sub-Processors. We may add or change Sub-Processors over time. Where required by an applicable processor agreement (including SCC Module Two for EU data), we will provide advance notice of new Sub-Processors and an opportunity to object. Notice will be given at least thirty (30) days before the new Sub-Processor begins processing personal information, except where shorter notice is required for urgent security or business-continuity reasons.
4.3 For Legal, Safety, and Compliance Reasons
We may disclose personal information when we believe in good faith that disclosure is necessary to:
- comply with applicable law, a subpoena, court order, or other lawful government request;
- enforce our Terms of Service, Acceptable Use Policy, or Property Owner Agreement, including investigating suspected violations;
- protect the rights, property, or safety of SetVenue, our Users, or the public, including preventing fraud, abuse, harassment, or imminent harm;
- defend ourselves in legal proceedings;
- report content involving suspected child sexual abuse material to the National Center for Missing & Exploited Children (NCMEC) per 18 U.S.C. § 2258A or to comply with parallel reporting obligations.
Where permitted by law, we will use reasonable efforts to notify you of a legal demand for your data before disclosing it, except where the legal demand prohibits us from doing so or where giving notice would frustrate the investigation.
4.4 In Connection with a Business Transfer
If SetVenue is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or a portion of its assets, personal information may be transferred to the successor or acquirer as part of that transaction. We will require any successor to honor the commitments in this Policy and to notify affected users in advance of any material change. Where required by Cal. Civ. Code § 1798.140(ad)(2) or analogous law, a business transfer that would constitute a "sale" or "share" within the statute's narrow definition will be conditioned on the successor's accepting the same terms (or stricter ones) for the transferred information.
4.5 With Your Consent
We may share information for purposes not described above with your specific, informed consent. You may withdraw that consent at any time.
4.6 We Do Not Sell or "Share" Your Information; Opt-Out Signals
4.6(a) Sale and Share Disclosure (CCPA § 1798.135)
SetVenue does not sell personal information for monetary consideration, and does not "share" personal information for cross-context behavioral advertising, as those terms are defined under the California Consumer Privacy Act ("CCPA") and California Privacy Rights Act ("CPRA"). We have no opt-out-of-sale or opt-out-of-share obligation because there is nothing to opt out of. SetVenue honors the W3C Global Privacy Control ("GPC") signal when received in an HTTP header as a valid opt-out of the sale and sharing of personal information, as required by 11 C.C.R. § 7025(c); if SetVenue's practices ever change such that "sale" or "share" would occur, GPC will be respected by default.
4.6(b) Do Not Track Disclosure (CalOPPA § 22575(b)(5))
SetVenue does not change its behavior in response to browser "Do Not Track" ("DNT") signals because no industry consensus exists on how to interpret them. SetVenue does honor the W3C Global Privacy Control ("GPC") signal as described in § 4.6(a). This disclosure satisfies the requirement of Cal. Bus. & Prof. Code § 22575(b)(5).
4.7 Categories of Recipients per Category of Personal Information — CCPA § 1798.130(a)(5)(C)
The categories of recipients to whom SetVenue discloses each category of personal information are:
| Category of personal information | Categories of recipients |
|---|---|
| Identity and contact data (name, email, phone) | Counterparty Host or Guest in a Booking; Sub-Processors (Supabase, Vercel, Resend); SetVenue staff for support; legal authorities upon lawful demand |
| Authentication data (hashed credentials, sessions) | Sub-Processors (Supabase) — no third-party recipient |
| Booking metadata | Counterparty Host or Guest; Sub-Processors (Stripe for payment data, Supabase, Vercel, Resend); regulators upon lawful demand |
| Listing content (photos, descriptions) | All Platform Users browsing the public Listing; Sub-Processors (Supabase storage, Vercel) |
| Communications (Platform messages) | Counterparty in the Booking; Sub-Processors (Supabase, Vercel, Resend); SetVenue support; arbitrator or court if subpoenaed |
| Damage-hold metadata and audit log | Counterparty in the Booking (limited to the Damage Charge Request scope); Sub-Processors (Supabase, Vercel, Resend); arbitrator or court if subpoenaed |
| Inspection photographs | Counterparty in the Booking; SetVenue facilitation team; insurance carrier or arbitrator if relevant to a claim; Sub-Processors (Supabase storage, Vercel) |
| Server log technical data | Sub-Processors (Vercel, Supabase) — not disclosed to other Users; aggregated for SetVenue's internal use |
| Listing text content (title, description, category) and Listing photograph metadata submitted to automated content screening | Anthropic, PBC (as Sub-Processor); see § 3 item 8 and § 4.2 |
| Tax / payment / financial data | SetVenue does not collect this category. Stripe collects it directly from Hosts as an independent controller (§ 2.7, § 5). |
5. Stripe Connect Specific Disclosure
Because payments and host payouts are central to the Service, we want to be especially clear about how payment data flows.
Guests (paying for a Booking). When you pay for a Booking, your payment-card or bank-account details are collected through embedded Stripe Elements or hosted Stripe pages and are transmitted directly to Stripe's PCI-compliant infrastructure. SetVenue's servers receive a Stripe-issued payment-method token, the Booking amount, and confirmation of success or failure. We never receive, see, or store your raw card number, CVV, expiration date, or full bank-account number.
Hosts (receiving payouts). When you onboard as a Host through Stripe Connect Express, Stripe — not SetVenue — collects the identity-verification information required to receive payouts under U.S. financial regulations. This may include your legal name, residential or business address, date of birth, taxpayer identifier (SSN, ITIN, or EIN), and bank-account information. SetVenue stores only:
- the Stripe-issued account identifier (stripe_account_id);
- a coarse onboarding-status flag (e.g., "details submitted", "charges enabled", "payouts enabled");
- and links between that account and your SetVenue Host record.
Stripe is an independent controller of the data it collects directly. Stripe's processing of payment data is governed by Stripe's own privacy notice and terms. Stripe is the controller (or joint controller as Stripe may determine) of payment-card and identity-verification data it collects, and you should review Stripe's privacy policy at https://stripe.com/privacy for details about how Stripe handles that data.
Song-Beverly Credit Card Act compliance. Cal. Civ. Code § 1747.08 prohibits a merchant accepting a credit card from requiring or requesting the cardholder to provide "personal identification information" not necessary for the transaction. Because SetVenue does not directly accept the credit card — Stripe does — SetVenue does not request or store any cardholder personal-identification information beyond what Stripe collects through Stripe Elements (which includes only what is necessary for fraud verification, such as the billing ZIP code).
If you exercise a deletion right (§7) with us, we will delete the SetVenue-side records described above, but Stripe may retain transaction records as required by financial-services and tax law. To exercise rights against records held by Stripe, contact Stripe directly. Stripe maintains its own EU-US Data Privacy Framework certification and Standard Contractual Clauses; see Stripe's Privacy Center at https://stripe.com/privacy.
6. Data Retention
We keep personal information only as long as needed for the purposes described in this Policy, or as required by law.
| Category | Retention period |
|---|---|
| Account profile data (name, email, phone, role) | Retained for the lifetime of your account; deleted (or anonymized for records that must persist for legal reasons) within thirty (30) days of a verified account-deletion request. |
| Booking records, invoices, receipts | Retained for seven (7) years after the Booking date, to satisfy U.S. federal and state tax record-keeping obligations and to support dispute resolution within applicable statutes of limitation. |
| Damage-hold records and audit logs (damage_hold_notification_log) | Retained for the same seven-year period, because damage holds may give rise to financial disputes that fall within that window. |
| Inspection photographs | Retained for two (2) years after the Booking date, then purged unless tied to an open dispute. |
| Damage-hold magic-link tokens | Fourteen (14) days from issuance for security purposes. Tokens are HMAC-signed, single-use, server-side-validated, and not stored in a form that allows replay after expiry. The Guest's affirmative-accept window is seven (7) calendar days per the Terms of Service § 9.5; tokens received after the seven-day window will return an "expired window" response notwithstanding cryptographic validity. The longer fourteen-day token expiry exists so that a Guest who clicks the link on or near day seven can still complete the workflow without a re-issuance round-trip. |
| Inspection-photo magic-link tokens | Expire on the schedule encoded in the token signature; not retained beyond their useful lifetime. |
| Server logs (Vercel, Supabase) | SetVenue retains application-server logs for ninety (90) days for security, fraud-prevention, and operational-debugging purposes, then purges them. Underlying provider logs (Vercel edge logs, Supabase database logs) are retained per the providers' published retention windows. |
| Support and contact-form correspondence | Retained for two (2) years from last contact, unless tied to an active dispute. |
| Privacy-rights-request records | Retained for at least twenty-four (24) months after request completion as required by 11 C.C.R. § 7101 (CCPA recordkeeping). |
Where law requires longer retention (for example, an active legal hold or tax audit), we will retain the affected records for the period required, and only for the purpose required.
7. Your Privacy Rights
Depending on where you live, you may have rights with respect to your personal information. Regardless of jurisdiction, we honor the rights below to the maximum extent we can practically support.
7.1 Rights for All Users
- Access. You may request a copy of the personal information we hold about you.
- Correction. You may correct inaccurate information through your account settings or by writing to us.
- Deletion. You may request deletion of your account and associated personal information, subject to retention obligations described in §6.
- Portability. You may request a structured, commonly used, machine-readable copy of the personal information you provided to us.
- Withdraw consent. Where we rely on your consent (for example, optional analytics), you may withdraw it at any time without affecting the lawfulness of prior processing.
- Complain. You may complain to a privacy regulator if you believe we have mishandled your data.
7.2 California Residents (CCPA / CPRA)
If you are a California resident, the CCPA, as amended by the CPRA, grants you the following rights with respect to your personal information:
- Right to know — categories and specific pieces of personal information collected (mapped to the eleven statutory categories of Cal. Civ. Code § 1798.140(v) at § 2.8), the categories of sources (see § 2.8), the business or commercial purpose (see § 2.8 and § 3), the categories of third parties with whom the information is disclosed (see § 4.7), and the specific pieces of personal information collected about you.
- Right to delete personal information, subject to exceptions in Cal. Civ. Code § 1798.105(d).
- Right to correct inaccurate personal information.
- Right to portability — to receive a structured, commonly used, machine-readable copy of personal information SetVenue has collected from you, in a format that allows you to transmit it to another business (Cal. Civ. Code § 1798.130(a)(3)(B)(iii); 11 C.C.R. § 7024).
- Right to opt out of "sale" or "sharing" of personal information. As stated in § 4.6, SetVenue does not sell or share personal information. There is therefore nothing to opt out of, but we honor opt-out preference signals (including GPC) sent by your browser.
- Right to limit use of sensitive personal information. SetVenue uses sensitive personal information solely for purposes permitted under Cal. Civ. Code § 1798.121(a) and 11 C.C.R. § 7027(m). Because SetVenue does not use or disclose sensitive personal information for any purpose beyond those permitted purposes, no separate "Limit the Use of My Sensitive Personal Information" link is required.
- Right to non-discrimination. We will not deny service, charge different prices, or provide a different level of quality because you exercised a privacy right.
- Right to opt out of automated decision-making affecting a significant decision. Pending the California Privacy Protection Agency's finalization of automated-decision-making-technology ("ADMT") regulations under Cal. Civ. Code § 1798.185(a)(16), SetVenue commits to providing human review of any automated Listing-screening decision (see § 3 item 8 and § 4.2 Anthropic row) upon written request to support@setvenue.com. SetVenue does not use automated decision-making to materially affect the booking, pricing, or payout of any individual Guest or Host without human review.
Authorized agent. You may designate an authorized agent to make a request on your behalf in accordance with Cal. Civ. Code § 1798.135 and 11 C.C.R. § 7063. The agent must produce written authorization signed by you, and we may verify your identity directly with you regardless of the agent's submission. We may also require, where the agent is a business, evidence that the agent is registered with the California Secretary of State (where applicable).
Children Under 16. SetVenue does not knowingly sell or share the personal information of consumers under 16. The Platform is not directed to children, and per the Terms of Service users must be 18 or older.
Shine the Light (Cal. Civ. Code § 1798.83). California residents who have an established business relationship with SetVenue may request, once per calendar year, information about (a) the categories of personal information shared with third parties for those third parties' direct-marketing purposes during the preceding calendar year and (b) the names and addresses of those third parties. SetVenue does not currently share personal information with third parties for those third parties' direct-marketing purposes. Requests may be sent to privacy@setvenue.com.
Verification. We verify CCPA requests using information already on file, including verifiable signals such as account-email match, recent Booking details, or device-bound session tokens. Unverifiable requests will be denied with explanation.
Fees for excessive requests. We may charge a reasonable fee, or refuse to act, on requests that are manifestly unfounded or excessive (in particular because of their repetitive character), as permitted by Cal. Civ. Code § 1798.130(a)(2). A fee will not be charged for a User's first verifiable request in a 12-month period; fees, if any, will be limited to SetVenue's reasonable administrative cost and will be waived on demonstrated undue hardship.
CalOPPA. This Policy satisfies the disclosure requirements of California's Online Privacy Protection Act, Bus. & Prof. Code § 22575 et seq., including the disclosure of DNT non-response under § 22575(b)(5).
7.3 European Economic Area, United Kingdom, and Switzerland
If you are located in the EEA, the UK, or Switzerland, you have the rights set out in §7.1 plus rights under the General Data Protection Regulation ("GDPR") and the UK GDPR, including the right to object to processing based on legitimate interests, the right to restrict processing, and the right to lodge a complaint with your local supervisory authority.
We process personal information on the following legal bases:
- Performance of a contract (operating your account, fulfilling your Bookings, paying out Hosts) — GDPR Art. 6(1)(b);
- Legitimate interests (Platform safety, fraud prevention, security, service improvement, communicating with you about your account), balanced against your rights and freedoms — GDPR Art. 6(1)(f);
- Legal obligation (tax, financial, consumer-protection, and law-enforcement compliance) — GDPR Art. 6(1)(c);
- Consent (any future processing that depends on consent, including any non-essential cookie added in the future; per § 2.5, SetVenue does not currently rely on consent for cookies because it loads only strictly-necessary cookies) — GDPR Art. 6(1)(a).
The Service is operated from the United States, and personal information will be processed in the United States. For transfers from the EEA, UK, or Switzerland to a country not covered by an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (Decision 2021/914) (Module 2 controller-to-processor where SetVenue is controller and a Sub-Processor is processor; Module 1 controller-to-controller for Sub-Processors operating as independent controllers, including Stripe), supplemented by the UK International Data Transfer Addendum and equivalent Swiss safeguards as applicable. Where a Sub-Processor is certified under the EU-US Data Privacy Framework (DPF) (or its UK Extension or Swiss-US framework), we may rely on that certification as the lawful transfer basis as an alternative or supplement to the SCCs. We perform transfer-impact assessments under Schrems II (CJEU C-311/18) where appropriate.
Where you are an EU/UK/Swiss resident, your statutory data-protection rights apply notwithstanding the choice-of-law clause in the Terms of Service §19.5; the choice-of-law clause governs contractual interpretation only and does not derogate from non-waivable data-protection rights. You may lodge a complaint with your local supervisory authority. Data-controller contact: Set Venue LLC, 6927 Willis Ave, Van Nuys, CA 91405.
Conditional-on-future-EU-expansion notice. Consistent with § 1 (Service availability; U.S.-only intake), SetVenue does not currently offer the Service to data subjects in the European Economic Area, the United Kingdom, or Switzerland, and has not yet designated a representative in the European Union under GDPR Article 27 or a representative in the United Kingdom under UK GDPR Article 27. This § 7.3 sets out the rights, lawful bases, transfer mechanisms, and disclosures that will apply when SetVenue expands the Service to those jurisdictions and designates the required Article 27 representatives. Until that designation is published in this Policy with the representatives' names and addresses, the § 1 U.S.-only intake prohibition controls, and SetVenue is not the "controller offering goods or services" to EU/UK/Swiss data subjects within the meaning of GDPR Article 3(2)(a) and UK GDPR Article 3(2)(a). To the extent any EU/UK/Swiss data subject nonetheless uses the Service in contravention of § 1, SetVenue will honor the substantive rights set out in this § 7.3 (access, correction, deletion, portability, objection, restriction, complaint) on a best-efforts basis as a matter of internal policy, without thereby conceding GDPR Article 3(2)(a) jurisdiction or admitting that Article 27 applies.
7.4 How to Exercise Your Rights
To exercise any of the rights above, email us at privacy@setvenue.com with the request and enough information for us to verify your identity. We will respond within the timeframe required by applicable law:
- CCPA: 45 days from receipt of a verifiable request, with one extension of up to 45 days for complex requests; notice of any extension and the reason for it will be provided within the initial 45-day period (11 C.C.R. § 7021(b); Cal. Civ. Code § 1798.130(a)(2)(A));
- GDPR / UK GDPR: within one month, with one extension of up to two additional months for complex requests (notice of extension within the initial month);
- Other jurisdictions: as required by applicable law.
We may decline a request that we cannot verify, that is manifestly unfounded or excessive, or that we are required to refuse by law. We will explain our reasons. Fees, if charged on a verified excessive request, are governed by § 7.2 above.
8. Children's Privacy
The Service is not directed to children. Per our Terms of Service §3, you must be at least eighteen (18) years old to create an account, list a property, or book a venue. SetVenue does not knowingly collect personal information from anyone under 18.
SetVenue's prohibition on use by anyone under 18 is more conservative than the floor under the Children's Online Privacy Protection Act (15 U.S.C. § 6501 et seq., 16 C.F.R. Part 312), which addresses children under 13. It is also more conservative than the CCPA's under-16 opt-in requirement for sale/share (Cal. Civ. Code § 1798.120(c)).
If you believe a child has provided personal information to us, contact us at privacy@setvenue.com and we will (a) suspend the Account, (b) delete the personal information within thirty (30) days of confirmation, or as soon thereafter as is technically feasible, and (c) where required by law, notify a parent or guardian. We will not seek to retain or use the information for any other purpose during that window except as needed to confirm the age status.
9. Security
We take administrative, technical, and physical safeguards seriously, but no internet service can guarantee perfect security. Our current safeguards include:
- Encryption in transit. All connections to setvenue.com use HTTPS with current TLS configurations; sensitive cookies (ds-session, admin-session, csrf-token) are set with Secure, HttpOnly, and strict SameSite attributes.
- Encryption at rest. Personal information stored in Supabase Postgres and Supabase Object Storage is encrypted at rest by the provider. Backups are likewise encrypted.
- Database row-level security (RLS). Access to personal information stored in Supabase is gated by row-level security policies that enforce per-user access boundaries at the database layer, in addition to application-layer authorization checks.
- Stripe PCI scope. Because raw payment-card data is handled exclusively by Stripe, SetVenue's PCI scope is limited to SAQ-A or equivalent. We do not store, process, or transmit cardholder data on our servers.
- HMAC-signed magic links. Damage-hold and inspection-photo magic links are HMAC-signed server-side, validated server-side, single-use where appropriate, and time-limited.
- CSRF protection. Sensitive state-changing requests require a CSRF token bound to the user's session.
- Strict Content Security Policy. Our CSP whitelists only required origins (Stripe, Supabase, Anthropic) and blocks unauthorized script injection.
- Audit logging. Damage-hold workflows and admin actions are logged in dedicated audit tables.
- Operational separation. Production secrets are not stored in source control. Access to production infrastructure is limited to a small number of personnel and is reviewed regularly.
Breach notification. If we discover a security incident that compromises personal information, we will notify affected Users and regulators without undue delay, as follows:
- (a) California residents. In the most expeditious time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system (Cal. Civ. Code § 1798.82). Notice will include, to the extent then known and as required by Cal. Civ. Code § 1798.82(d), the categories of personal information involved, the date or estimated date of the breach, a general description of the incident, and any toll-free numbers and addresses of the major credit-reporting agencies where the breach involves a Social Security number, driver's license number, or financial-account number.
- (b) EEA/UK residents. Without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the breach (GDPR Art. 33; UK GDPR Art. 33), for incidents meeting the materiality threshold under those provisions.
- (c) Other state residents. Within any applicable state statutory window (including N.Y. Gen. Bus. Law §§ 899-aa, 899-bb (NY SHIELD Act) and any other state breach-notification statute applicable to the affected User's residence), with the shortest applicable timeline controlling.
The notice will identify, to the extent then known, (i) the categories of personal information involved, (ii) the approximate number of records, (iii) the steps we have taken to mitigate, and (iv) contact information for follow-up. Where a faster notification is required by any applicable law (including any breach-notification statute applicable to a specific User's residence), the shorter timeframe applies.
Account compromise. Where a security incident is caused by compromised User credentials and not by a breach of SetVenue's systems, the affected User is responsible for notifying any third parties whose information was held in the User's Account (e.g., counterparties whose Listings the compromised User had messaged). SetVenue will assist by providing relevant logs and notifications upon request and consistent with law.
10. International Transfers
The Service is operated from the United States, and the underlying infrastructure (Vercel, Supabase, Stripe, Resend) is hosted primarily in the United States.
If you are located outside the United States, you understand that personal information you provide will be transferred to and processed in the United States, which may have data-protection laws different from those in your jurisdiction. By using the Service, you consent to that transfer.
For transfers from the EEA, the UK, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (Decision 2021/914, including Module 1 controller-to-controller and Module 2 controller-to-processor as applicable), the UK International Data Transfer Addendum, equivalent Swiss safeguards, and, where applicable, EU-US Data Privacy Framework certifications of our Sub-Processors. We perform transfer-impact assessments where appropriate.
11. Changes to This Policy
We may update this Policy from time to time. When we make material changes, we will:
- update the "Effective" date at the top of the Policy;
- post the updated Policy at setvenue.com/legal/privacy; and
- provide email or in-product notice of the material change at least thirty (30) days before the effective date.
Continued use of the Service after the effective date of an updated Policy constitutes acceptance. For Users with an active Booking on the date of notice, the version of this Policy in effect at the time of the Booking continues to govern personal information collected for that Booking until the Booking's completion, regardless of subsequent updates.
12. Contact
For privacy questions, requests, or complaints:
- Email: privacy@setvenue.com
- Postal: Set Venue LLC, 6927 Willis Ave, Van Nuys, CA 91405
- Governing law: This Policy is governed by the laws of the State of California, without regard to its conflict-of-laws principles, except that statutory data-protection rights are governed by the laws applicable to the data subject's jurisdiction.
Controller. Set Venue LLC is the data controller for the personal information described in this Policy.
Data Protection Officer / EU representative. SetVenue's processing does not currently trigger the conditions for mandatory Data Protection Officer designation under GDPR Art. 37(1) (large-scale systematic monitoring or large-scale special-category processing). SetVenue has not designated a representative in the European Union under GDPR Article 27 or a representative in the United Kingdom under UK GDPR Article 27 because, as stated in § 1 and § 7.3, the Service is offered exclusively to users physically located in the United States and SetVenue does not offer, market, or accept users from the EEA, the UK, or Switzerland. SetVenue accordingly takes the position that Article 27 does not apply (see GDPR Art. 3(2)(a); EDPB Guidelines 3/2018 on the Territorial Scope of the GDPR ¶ 145). If and when SetVenue expands the Service into the EEA, the UK, or Switzerland, SetVenue will designate the required Article 27 representatives, update this Policy to publish their names and addresses, and implement the additional transfer mechanisms described in § 7.3 and § 10 before accepting traffic from those jurisdictions.
If you do not receive a satisfactory response, you may contact your local data-protection authority. California residents may contact the California Privacy Protection Agency. EU residents may contact their national supervisory authority. UK residents may contact the Information Commissioner's Office.
v5 Hardening Summary (informational, not contractual)
Round-5 enhancements (over v4): Inline Bluebook citations added at § 2.7 (GDPR Art. 26 + Schrems II) and § 9 (Cal. Civ. Code § 1798.82 + GDPR Art. 33 + NY SHIELD Act); V5 Drafting Commentary cross-references; cross-references to V5 Case Law / Statutory Appendices, Defined Terms Registry, Conflicts & Hierarchy Matrix, and State-Specific Addenda.
V7.3.2 audit-fix pass (2026-05-26): Applied 26-finding senior-counsel audit. CRITICAL: (C-1) § 3 list renumbered consecutively 1–10 with no gaps and no "§ 3.4 / § 3.4a" islands; (C-2) new § 2.8 added with full Cal. Civ. Code § 1798.140(v) eleven-category mapping including categories of sources and business purposes per § 1798.130(a)(5)(B); (C-3) Anthropic, PBC added to § 4.2 Sub-Processor table with automated-Listing-screening disclosure at § 3 item 8 and ADMT right-to-human-review at § 7.2. HIGH: (H-1) § 2.7 SPI-controller language tightened; (H-2) § 9 breach-notification reordered California-first with § 1798.82(d) content requirements; (H-3) § 4.7 Stripe row corrected and Anthropic row added; (H-4) § 4.6 split into 4.6(a) sale/share + 4.6(b) DNT; (H-5) § 1 Service-availability US-only recital added with TODO for Joshua to choose between geofence vs. Art. 27 designation; (H-6) § 2.4 and § 6 token/window relationship clarified; (H-7) § 11 internal "where feasible" inconsistency resolved. MEDIUM: M-1 TODO on /legal/cookies verification; M-3 § 4.4 "or" → "and"; M-4 extension-reason added; M-5 server-log retention given SetVenue-specific 90-day window; M-6 Plain-English Summary updated; M-7 children's deletion SLA relaxed to 30 days; M-8 portability right broadened per § 1798.130(a)(3)(B)(iii). LOW: L-5 "reasonable signals" → "verifiable signals" example list; L-6 § 5 citation harmonized to Cal. Civ. Code; L-7 Plain-English Summary aligned to operative § 1 use-list. Not-a-data-broker recital (Cal. Civ. Code § 1798.99.80) inserted in § 2.8.
Carry-over hardenings (v4 over v3)
- § 2.6 expanded "do not collect" list to include biometric, precise geolocation, genetic data.
- § 2.7 Stripe joint-controller question resolved — Stripe is independent controller for KYC/payment data (GDPR Art. 26 defense).
- § 3 item 4 anti-bundling rule added (CAN-SPAM transactional-vs.-commercial defense).
- § 4.2 Sub-Processor DPA URLs added (CCPA disclosure adequacy).
- § 4.2 Sub-Processor change notice — 30-day notice window explicit (EU SCC Module 2 alignment).
- § 4.3 NCMEC § 2258A reporting carve added explicitly.
- § 4.4 business-transfer-as-sale guardrail (Cal. Civ. Code § 1798.140(ad)(2)).
- § 4.7 categories of recipients per category of PI — full CCPA § 1798.130(a)(5)(C) compliance.
- § 5 Song-Beverly Credit Card Act compliance recital (Cal. Civ. Code § 1747.08).
- § 6 retention table adds CCPA recordkeeping (11 C.C.R. § 7101).
- § 7.2 authorized-agent verification flow tightened (CA Secretary of State registration where applicable).
- § 7.2 fees on excessive requests bounded (no fee on first request in 12 mo; waived on hardship).
- § 7.3 GDPR transfer specifics expanded (SCC Modules 1 and 2, Schrems II TIA).
- § 8 children's privacy clarifies CCPA under-16 opt-in (more conservative under-18 prohibition).
- § 9 breach notification — shorter-of-applicable-law rule (GDPR 72h, Cal. § 1798.82 "most expeditious", state-floor).