DRAFT, not lawyer-reviewed. Do not rely on this document for legal purposes.

Privacy Policy

DRAFT — not lawyer-reviewed. This document is a planning artifact for 3rdSpace, Inc. Do not publish, link from the marketing site, or present for acceptance at sign-up until qualified counsel has reviewed and approved a final version.

Version: DRAFT-1
Effective date (planned): [TBD at launch]
Document date: 2026-05-19
Last reviewed by counsel: never (not yet)
Anchored to product features as of: 2026-05-19

Authoritative product documents (internal): CONTEXT.md, PLAN.md, TOOLS.md. Where this Policy describes product behavior, it is intended to match those documents as of the document date above. If engineering implementation temporarily diverges, we will correct the implementation or update this Policy.



1. Introduction and Scope

This Privacy Policy ("Policy") describes how 3rdSpace, Inc., a Delaware corporation ("3rdSpace," "we," "us," or "our"), collects, uses, discloses, retains, and protects personal information when you interact with our products and services. This Policy applies to:

  • The 3rdSpace host platform (the business-facing SaaS application and related APIs) accessible at and around the3rd-space.com and associated subdomains;
  • The 3rdSpace marketing website and pre-launch waitlist surfaces;
  • Transactional and operational communications we send you (email, SMS, in-app notices);
  • The 3rdSpace consumer mobile application and related consumer experiences when they become available (currently planned for a later phase; disclosures herein describe intended practices so the Policy remains accurate as those surfaces launch);
  • Internal administration and support activities conducted by 3rdSpace personnel on behalf of users and host organizations.

This Policy does not govern websites, applications, or services operated by host organizations (venues, brands, and businesses using 3rdSpace) except where we process personal information on their behalf as described in Section 5. Hosts maintain their own customer relationships and are responsible for their own privacy notices and compliance obligations toward their customers.

By creating a 3rdSpace account, using the platform, or otherwise interacting with us, you acknowledge that you have read this Policy. Where separate consent is required by law (for example, optional marketing communications), we obtain that consent through distinct mechanisms described in Section 11.

2. Who We Are and How to Contact Us

Data controller (for platform account data and 3rdSpace internal CRM):
3rdSpace, Inc.
[Street address — TBD]
[City, State ZIP — TBD]
United States

Privacy inquiries: privacy@the3rd-space.com (placeholder — confirm before launch)

Data protection / legal escalations: legal@the3rd-space.com (placeholder)

Support (general): support@the3rd-space.com

Authorized agent requests (where applicable): We accept requests from authorized agents only where permitted by applicable law and where the agent provides documentation demonstrating authority to act on your behalf. We may require you to verify your identity directly with us.

We will respond to verifiable privacy requests within timeframes required by applicable law. For most US requests, our target is within 45 days, with a permitted extension of up to an additional 45 days where complexity requires it, accompanied by notice of the extension.

3. Definitions

  • Account: A registered 3rdSpace user identity authenticated through Firebase Auth (email/password or Google single sign-on), associated with a unique user ID (uid), username, and profile fields.
  • AI Booster: An optional, organization-level feature that sends selected host data to third-party large-language-model providers (currently Google Gemini; additional providers such as Anthropic Claude may be added) to generate drafts, summaries, recommendations, and similar assistance inside enabled tools.
  • Aggregated Data: Information derived from personal information that has been de-identified or combined such that it cannot reasonably be used to identify an individual.
  • Audit Log: An append-only record of privileged actions taken within an organization (auditLog) or by 3rdSpace internal administrators (adminAuditLog), retained for security, accountability, and compliance purposes.
  • Brand: A named business identity within a host Organization, which may own one or more Locations.
  • Consumer App: The planned 3rdSpace business-to-consumer mobile application through which end users discover venues, plan visits, attend events, and engage with social features.
  • Contact: A person record stored in a host Organization's customer relationship management (CRM) database, which may or may not be linked to a 3rdSpace Account.
  • Controller: An entity that determines the purposes and means of processing personal information. 3rdSpace is a controller for platform account data and its internal CRM. A Host is typically the controller for CRM data about its customers.
  • Metered Usage Rate: Provider cost plus five percent (5%) applied when SMS, Email, or AI Booster usage debits the Organization unified credit pool (see cost-pass-through-disclosure.md and CONTEXT — Unified credit pool).
  • Unified Credit Pool: A single Organization balance (creditsCents plus any Included Monthly Credit on Unlimited tier) from which metered SMS, Email, and AI usage draw; there are no separate pass-through invoices for these services (PLAN Step 11, Terms Article 11).
  • Customer of a Host: An individual whose personal information appears in a Host's CRM because the Host entered it, imported it, or collected it through 3rdSpace tools (reservations, ticketing, waivers, lead forms, etc.).
  • Deactivated Entity: An Organization, Brand, Location, or related record that has been deactivated but not deleted, preserving data while limiting active use.
  • Gemini: Google's generative AI service family used by AI Booster for analytical and drafting workloads, subject to Google's API terms and our contractual restrictions on training use.
  • Host: A business entity that subscribes to or uses the 3rdSpace host platform, including its authorized users (Owners, Admins, Managers, Employees) and its Brands and Locations.
  • Host Channel Marketing: Marketing communications sent by 3rdSpace that reference a Host with whom the recipient has an existing customer relationship, framed to make the consent chain transparent (for example, identifying both 3rdSpace and the Host).
  • Internal CRM: 3rdSpace's own customer database containing a record for every user who creates a 3rdSpace Account, used for product operations, support, analytics, and—where permitted—marketing.
  • Location: A physical or logical place of business within a Brand, often corresponding to a venue, store, or site.
  • Marketing Opt-In: A separate, optional affirmative consent captured at sign-up (not pre-checked) for 3rdSpace to send marketing communications to the user.
  • Material Change: A revision to this Policy that meaningfully alters your rights or our practices regarding collection, use, disclosure, or retention of personal information.
  • Personal Information: Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household.
  • Processor: An entity that processes personal information on behalf of a controller pursuant to documented instructions. 3rdSpace acts as a processor when handling Host CRM data to provide platform services.
  • Purge: Permanent deletion of personal information from active production systems following any applicable grace period, subject to legal retention exceptions.
  • Sensitive Personal Information: Categories afforded heightened protection under some laws (for example, precise geolocation in certain contexts, government identifiers, financial account numbers). We minimize collection of sensitive categories and apply additional controls where collected.
  • Service Provider: A third party engaged by 3rdSpace to process personal information on our behalf to deliver the platform (for example, Firebase, Stripe, SendGrid, Twilio, Sentry, Gemini).
  • Soft Delete: A reversible deletion state during which data is hidden from normal use but recoverable for a defined grace period before Purge.
  • Sub-Processor: A service provider engaged by our primary service providers; we maintain awareness of sub-processors in our vendor chain.
  • Unified Credit Pool: See Credit Pool.
  • User: Any individual with a 3rdSpace Account, including Host personnel and future Consumer App users.
  • UTM Parameters: Marketing attribution tags appended to URLs (for example, utm_source, utm_campaign) captured when present at sign-up or in tracked links.
  • Webhook: An automated HTTP callback from a third-party service (Stripe, Twilio, SendGrid) to our API endpoints, verified cryptographically before processing.

4. Applicability, US-Only Launch, and Future Expansion

At launch, 3rdSpace offers paid subscriptions and host onboarding to United States–hosted businesses only, with USD-only billing. Our checkout and organization-creation flows gate eligibility by country and billing address. The marketing website states US availability plainly.

We do not presently offer a self-serve onboarding path for foreign-incorporated organizations. Organizations incorporated outside the United States but operating primarily in the United States may be evaluated case-by-case through support; such cases are not guaranteed acceptance.

Implication for international users: If you access our services from outside the United States, you do so with the understanding that the service is designed for US operations and US law is primary. Additional rights may apply depending on your residence; see Sections 28–31.

Future expansion: We may expand to additional countries and currencies after a deliberate compliance review (tax registrations, anti-money-laundering disclosures, data processing agreements, and localized legal text). If we expand, we will update this Policy and may require additional consents before enabling new regions.

5. Roles: 3rdSpace, Hosts, and You

Understanding who controls which data is essential:

5.1 3rdSpace as controller — platform and internal CRM

We act as the controller for:

  • Your 3rdSpace Account credentials and profile (username, name, birthday, email, phone, authentication metadata);
  • Billing relationship data between you and 3rdSpace (subscription tier, invoices, payment method tokens held by Stripe);
  • Records in 3rdSpace's internal CRM, which includes every user who registers on the platform;
  • Product analytics and security logs attributable to your use of 3rdSpace-operated surfaces;
  • Marketing preferences you express directly to 3rdSpace via the Marketing Opt-In checkbox or subsequent settings.

5.2 Host as controller — host CRM data

When a Host stores information about its customers, leads, affiliates, or staff in the Organization CRM, the Host is the controller for that data. The Host determines what fields to collect, what marketing to send, and what consents to obtain from its customers.

3rdSpace acts as a processor (or service provider, under California law) when we store, organize, transmit, or otherwise process Host CRM data solely to provide the contracted platform features the Host selects.

5.3 You as a Host customer

If you are a Customer of a Host (for example, you booked a reservation or bought a ticket), your primary privacy relationship is with that Host. You may also have a relationship with 3rdSpace if you create your own Account or interact with the Consumer App. Requests to access or delete data held in a Host's CRM should generally be directed to the Host; we provide mechanisms described in Section 19 to route requests appropriately.

5.4 Joint scenarios

Some processing involves both parties: for example, when you join a Host's Organization as an employee, your Account data is in our internal CRM while your role membership is also visible to the Host. We describe these flows in Section 10.

6. Categories of Personal Information We Collect

We collect personal information in the categories below. Not every category applies to every user; applicability depends on whether you are a Host user, a Customer of a Host, a Consumer App user, or a website visitor.

6.1 Identifiers

  • 3rdSpace username (unique handle)
  • Legal and display name (first, last)
  • Email address(es)
  • Phone number(s)
  • Firebase Auth user ID (uid)
  • Organization, Brand, and Location identifiers and slugs
  • Stripe customer ID and Connect account IDs where applicable
  • CRM contact IDs and affiliate codes
  • Device identifiers used for fraud prevention (not advertising ID at launch)
  • Session tokens and authentication cookies (see Cookies Policy)

6.2 Customer records and commercial information

  • Host CRM contact fields (names, emails, phones, addresses, notes, tags)
  • Purchase and visit history aggregated in CRM stats
  • Reservation, ticketing, and waiver records
  • Invoice and payment records processed through platform tools
  • Gift-card and loyalty balances where enabled
  • Affiliate conversion attribution metadata
  • Custom fields defined by each Host organization

6.3 Internet and network activity

  • IP address at sign-up and during authenticated sessions
  • User agent and browser/device type
  • Pages viewed and features used within the dashboard (where analytics cookies are enabled)
  • QR code scan and short-link click events (aggregated campaign metrics)
  • API request logs for security and debugging
  • Webhook delivery logs (Stripe, Twilio, SendGrid)

6.4 Geolocation data

  • Approximate location derived from IP (security and fraud)
  • Precise latitude/longitude when a Host selects a Google Places address for a Location
  • Time zone associated with a Location
  • Future Consumer App location features (when launched) subject to device permissions
  • Organization role (Owner, Admin, Manager, Employee)
  • Scope grants (organization, brand, location group, location)
  • Staff scheduling assignments where the Staff Scheduling tool is used
  • Internal notes a Host stores about staff or vendors in CRM

6.6 Inferences and profiles

  • CRM segments and tags applied manually or by rules
  • AI Booster-generated summaries and marketing profile drafts (not automated legal decisions)
  • Engagement scores used for reengagement queue suggestions
  • Completeness scores for app presence and business profile tooling

6.7 Audio, electronic, and visual information

  • Images and videos uploaded to the Media Library
  • Smart TV CMS playlists and scheduled content metadata
  • Karaoke queue metadata (we do not host copyrighted song audio)
  • Waiver signatures and uploaded identification where hosts configure collection

6.8 Communications content

  • Email and SMS message bodies composed in the Email and SMS tools
  • Two-way SMS conversation threads
  • Support ticket messages
  • AI Booster prompts and responses stored in usage logs

6.9 Financial information

  • Subscription tier, cadence, and billed location counts
  • Credit pool balance and usage ledger entries
  • Stripe payment method metadata (brand, last four digits, expiration) — full card numbers are held by Stripe, not us
  • Tax exemption certificates uploaded for qualifying nonprofits
  • Payout records for affiliate programs via Stripe Connect

6.10 Education and demographic information

  • Birthday collected at sign-up for age-gating (see Section 23)
  • Optional demographic custom fields a Host may define
  • AI-generated demographic summaries when Booster is enabled

6.11 Sensitive personal information (limited)

  • We do not intentionally collect government ID numbers or full payment card numbers in our database.
  • Hosts may configure waivers or forms that collect additional categories; Hosts are responsible for lawful collection and notice.
  • If Sensitive Personal Information is processed, Hosts should limit fields to what is necessary and honor applicable opt-out rights.

7. Sources of Personal Information

  • Directly from you: Account registration, profile updates, tool input, support correspondence, marketing opt-in/out, privacy settings, and voluntary uploads.
  • Automatically from your device and browser: Log files, cookies (per our Cookies Policy), session management, and security telemetry.
  • From Host organizations: CRM imports, manual entry, tool-generated records when you transact with a Host, and organizational membership when you are invited to a team.
  • From third-party authentication: Google SSO profile elements permitted by your Google account settings.
  • From third-party business APIs: Google Business Profile, Meta Graph (where enabled), web scraping outputs initiated by Hosts, POS imports (planned), and payment processors.
  • From service providers: Delivery and engagement events from SendGrid and Twilio, payment confirmations from Stripe, error reports from Sentry.
  • From publicly available sources: Only where a Host initiates a Web Scraper or similar tool and accepts responsibility for lawful collection.

8. How We Use Personal Information and Our Purposes

  • Provide, operate, maintain, and improve the platform and tools you enable
  • Authenticate users and enforce role-based access controls
  • Process subscriptions, usage billing, and unified credit pool debits
  • Deliver transactional messages (receipts, verification codes, security alerts)
  • Send marketing communications where permitted (Section 11)
  • Populate 3rdSpace internal CRM and Host CRMs per auto-entry (Section 10)
  • Provide AI-assisted features when AI Booster is enabled (Section 12)
  • Detect, prevent, and respond to fraud, abuse, and security incidents
  • Comply with law, regulation, legal process, and enforce our Terms
  • Generate aggregated analytics and product insights with de-identified data
  • Provide customer support and internal administration (including read-only impersonation with audit logging)
  • Honor your privacy rights requests and maintain audit trails of privileged actions

We do not use personal information for automated decisions that produce legal or similarly significant effects without human review. AI outputs are assistance for Hosts who remain responsible for decisions.

For users in jurisdictions that require a legal basis (for example, the European Economic Area or United Kingdom if we expand), we rely on:

  • Contract: Processing necessary to perform our Terms of Service with Hosts and to provide Account features you request.
  • Legitimate interests: Securing the platform, preventing fraud, improving products, and communicating about service changes—balanced against your rights.
  • Consent: Marketing Opt-In, optional analytics/marketing cookies, and certain Host-initiated communications where consent is required.
  • Legal obligation: Tax, accounting, telecommunications compliance records, and responses to lawful requests.

10. Auto-CRM-Entry and Dual CRM Architecture

Material disclosure: Every individual who creates a 3rdSpace Account is automatically entered into:

  1. 3rdSpace's internal CRM — maintained by us as controller for product operations, support, analytics, growth, and (if you opted in) marketing; and
  2. The CRM of each Organization you join — maintained by that Host as controller for its business relationship with you.

This occurs at account creation and when you accept an invitation to an Organization. We disclose this practice at sign-up and in this Policy. You may request deletion of your personal information subject to Section 21 and applicable law; deletion from our internal CRM does not automatically delete records a Host holds where you were their customer, and vice versa—see routing in Section 19.

Wide schema design: Host CRMs support extensive fields and custom fields so tools can attach reservation history, ticket purchases, waiver records, marketing engagement, and future Consumer App activity. Fields may be sparse early in adoption; the schema is designed to grow without frequent migrations.

Linking: When a CRM Contact corresponds to a 3rdSpace Account, we store the thirdSpaceUserId linkage so records remain consistent across tools. Hosts see only CRM data their role scope permits.

11.1 Separate Marketing Opt-In

At sign-up, acceptance of the Terms of Service and Privacy Policy is required and is separate from the Marketing Opt-In checkbox, which is optional and not pre-checked. If you do not opt in, we will not send you 3rdSpace marketing emails or SMS except as permitted for transactional or service messages.

11.2 Host channel marketing

Where permitted by our Terms and applicable law, we may send Host Channel Marketing to individuals who are customers of a Host and who have opted in to marketing communications with that Host (or as otherwise permitted). Messages clearly identify 3rdSpace and the relevant Host (for example, inviting you to use the Consumer App in connection with venues you already patronize). We do not claim the Host's consent extends beyond what the customer relationship supports.

11.3 Host marketing tools

Hosts use Email and SMS tools to message their own CRM segments. Hosts are controllers responsible for consent, content, suppression (STOP/UNSUBSCRIBE), and regulatory compliance (CAN-SPAM, TCPA, A2P 10DLC registration). We provide technical suppression lists and delivery infrastructure.

11.4 Opt-out

You may opt out of 3rdSpace marketing via Account → Settings → Privacy, unsubscribe links in emails, or STOP replies to SMS. Host marketing opt-outs are managed by the Host's suppression records; we propagate unsubscribe signals across our Email and SMS tools when events are received from providers.

12. AI Booster and Third-Party AI Processing

When a Host enables AI Booster at the Organization level and for specific tools, we transmit the minimum data reasonably necessary for each AI request—such as email draft context, CRM excerpts for summarization, SEO audit findings, or web-scraper synthesis inputs—to Google Gemini (and potentially Anthropic Claude in the future).

Provider terms: AI providers process data under their API terms and our vendor agreements. We contractually require that data submitted through our Booster integration not be used to train their public foundation models, consistent with enterprise API offerings.

14-day asymmetric disable delay: If a Host requests to disable Booster after it was enabled, the disable takes effect after 14 days, during which the Host may cancel the pending disable. Re-enabling is immediate. This delay is disclosed in our Terms and exists to prevent accidental disruption and billing surprises.

Logging: Booster usage is logged in the organization's usage ledger for billing transparency and fraud review.

No AI-only critical path: Tools function without AI; Booster features degrade gracefully when disabled or credits are exhausted.

Human review: Hosts must approve outbound AI-drafted SMS and similar communications where law or policy requires human approval (for example, TCPA-sensitive reengagement queues).

13. How We Share Personal Information

We do not sell your personal information. We do not exchange your personal information for money or other valuable consideration with data brokers for their independent use.

We do share personal information broadly with service providers who assist us in operating the platform, as detailed in Section 14. This sharing is business-favorable in the sense that it is necessary to deliver a modern SaaS product, but we disclose it plainly: your data may be processed by multiple specialized vendors in the United States and, where applicable, abroad under appropriate safeguards.

We may also share information:

  • With Hosts you belong to or transact with (CRM visibility per RBAC);
  • For legal reasons — subpoenas, court orders, or to protect rights, safety, and integrity;
  • In corporate transactions — merger, acquisition, or asset sale, with notice where required;
  • With your direction — when you integrate third-party services or export data;
  • Aggregated or de-identified — insights that cannot reasonably identify you.

14. Service Providers and Sub-Processors

| Provider | Processing purpose | Primary location | When used |
|---|---|---|---|
| Google Firebase / Google Cloud | Authentication, Firestore database, Cloud Storage, Cloud Functions, Hosting | United States (us-east1 region at launch) | Platform core |
| Stripe, Inc. | Subscriptions, invoices, payment methods, Stripe Tax, Connect payouts | United States | Billing and payouts |
| Twilio Inc. | SMS send/receive, A2P 10DLC compliance webhooks | United States | SMS tool |
| SendGrid (Twilio) | Email send, event webhooks | United States | Email tool |
| Google Gemini API | AI Booster inference | United States / global Google infrastructure | Only when Booster enabled |
| Sentry | Error tracking, optional session replay | United States | Diagnostics |
| Have I Been Pwned | Password breach check (k-anonymity hash prefix only) | Global API | Sign-up / password change |
| Google Maps / Places | Address autocomplete for Locations | United States | Location setup |

We maintain contractual terms requiring service providers to process personal information only on our instructions and for specified purposes. We review subprocessors periodically. A machine-readable register may be published at /privacy/subprocessors before launch.

15. International Data Transfers

Our primary hosting region at launch is us-east1 (United States). Service providers in Section 14 may process data in the United States or other countries where they operate data centers.

Where required for lawful international transfers (for example, if we onboard European users in the future), we will implement appropriate safeguards such as Standard Contractual Clauses and supplementary measures. At US-only launch, most users' data remains in US-controlled environments; see state addenda for US resident rights.

16. Data Retention Schedules

We retain personal information only as long as necessary for the purposes described, unless a longer period is required by law.

| Data type | Retention period | Notes |
|---|---|---|
| Active Account profile | While Account is active | Updated on change |
| Soft-deleted Account / Org / Brand / Location | 30 days | Then permanent Purge |
| Deactivated Location (billing) | Data preserved; billing stops after 60 days inactive | Per Terms |
| Host CRM contact (active) | While Host retains record | Host may delete |
| Email per-recipient send records | 2 years | CAN-SPAM / deliverability |
| SMS per-recipient send records | 2–4 years | TCPA / carrier compliance |
| Campaign step send records | 2 years | Aligned with Email/SMS |
| Audit logs (auditLog, adminAuditLog) | 2 years from event | Automated purge |
| AI Booster usage ledger | While org active + 2 years | Billing disputes |
| Stripe billing records | 7 years typical | Tax / accounting |
| Support tickets | 3 years after close | Service quality |
| Weekly Firestore backup snapshots | 90 days | Disaster recovery |
| Firestore PITR window | 7 days rolling | Operational restore |
| Aggregated analytics | Indefinite | De-identified |
| Affiliate conversion orphans | Up to 7 years | Financial audit (Host program) |
| Web scraper audit confirmations | 2 years | Liability documentation |
| Username history after change | 30 days hold on old name | Anti-impersonation |

17. Security Measures and Limitations

  • HTTPS for data in transit; TLS for API traffic
  • Firebase Authentication with email verification and mandatory phone verification before org actions
  • Password hashing — we never store plaintext passwords
  • Have I Been Pwned k-anonymity checks on passwords at sign-up and change
  • Role-based access control with organization, brand, and location scopes
  • Webhook signature verification for Stripe, Twilio, and SendGrid
  • Rate limiting on SMS verification and invite-code attempts
  • Internal-admin read-only impersonation with mandatory audit logging
  • Firestore security rules and server-side assertCan() enforcement
  • Weekly encrypted backups and point-in-time recovery on production
  • Separation of development and production Firebase projects

Disclaimer: No method of transmission or storage is completely secure. We cannot guarantee absolute security against all attacks, including sophisticated or novel threats. You are responsible for safeguarding your credentials and promptly reporting suspected unauthorized access.

We design against common web vulnerabilities (XSS, CSRF, injection) but do not warrant uninterrupted or error-free operation. See our Terms of Service for limitation-of-liability provisions.

18. Data Breach Notification

If we become aware of a breach of security leading to unauthorized acquisition of personal information that we maintain as controller, we will investigate promptly, take reasonable steps to mitigate harm, and notify affected individuals and regulators as required by applicable law. Notification may include email, in-app notice, or other permitted channels. We will describe, to the extent known, the categories of information involved, steps we are taking, and recommended protective measures you may take.

Hosts are responsible for notifying their customers regarding breaches affecting Host CRM data where the Host is controller, though we will assist with available technical information when appropriate and contracted.

19. Your Privacy Rights and How to Exercise Them

  • Access / know — confirm whether we process your personal information and obtain a copy.
  • Correction — update inaccurate Account information via settings or support.
  • Deletion — request deletion of personal information we control, subject to exceptions (Section 21).
  • Portability — receive a machine-readable export (Section 20).
  • Opt-out of marketing — withdraw Marketing Opt-In at any time.
  • Restrict or object — where applicable law provides these rights.
  • Non-discrimination — we will not deny services solely for exercising privacy rights, except where the right limits a feature (for example, deletion closes your Account).

How to submit: Account → Settings → Privacy, or email privacy@the3rd-space.com. We verify identity before fulfilling requests. Authorized agents must provide proof of authority.

20. Data Export (Portability) and the 14-Day Delivery Delay

Self-serve export is available at Account → Settings → Privacy → Export my data. The export includes a zipped JSON bundle of data associated with your Account and Organization memberships you are entitled to access.

14-day delivery delay: When you request an export, delivery is intentionally delayed 14 calendar days from the request timestamp. Rationale: reduce impulsive churn-driven exports and allow fraud review while remaining within typical regulatory windows (for example, GDPR Article 12(3)'s one-month outer bound if applicable).

When the export is ready, we email you a signed download link valid for 7 days, then the file is removed from storage. The export job runs as a background Cloud Function; results reside in a private cloud storage bucket.

Exports may exclude information we cannot disclose without affecting other individuals' rights (for example, other users' personal data in shared Organization audit entries) or information subject to legal hold.

21. Account and Data Deletion; 30-Day Grace Period

Unconditional right: You may request deletion of your Account and associated personal information we control. The right is unconditional subject to narrow exceptions where retention is required by law (for example, completed billing records) or to resolve disputes.

Self-serve: Account → Settings → Privacy → Delete my account.

30-day soft-delete grace: Deletion initiates a 30-day grace period during which data is soft-deleted and may be recoverable if deletion was accidental. After 30 days, we purge data from active production systems per our retention schedule.

Host CRM: Deleting your Account does not automatically delete records a Host holds about you as their customer. Contact the Host or use our routing support to request Host deletion where applicable.

Organization deletion: Owners may delete Organizations through a controlled flow with confirmation safeguards; sole Owners cannot orphan paid Organizations without succession steps documented in our Terms.

22. Cookies and Similar Technologies

We use cookies and similar technologies as described in our Cookies Policy (/cookies), incorporated by reference. Categories include Essential (always on), Functional (default on, opt-out available), Analytics (default off, opt-in), and Marketing (default off, opt-in). Manage preferences at Account → Settings → Privacy → Cookie preferences.

Third-party cookies may be set by Stripe (checkout), Firebase (auth), and Sentry (diagnostics / optional replay) as described in the Cookies Policy.

23. Children's Privacy

The platform is not directed to children under 13 (or the minimum age in your jurisdiction). We collect birthday at sign-up to enforce age gating and prevent under-age registrations. If we learn we have collected personal information from a child without verifiable parental consent, we will delete it promptly.

Hosts must not use the platform to knowingly collect personal information from children without appropriate consent and compliance frameworks.

24. Automated Decision-Making and Profiling

We do not make solely automated decisions with legal or similarly significant effects about consumers. AI Booster outputs are advisory; Hosts approve sends. CRM segmentation rules and reengagement heuristics may automate suggestions, not binding outcomes.

25. Host Responsibilities Toward Their Customers

  • Publish a privacy notice to customers describing the Host's practices
  • Obtain valid consent for marketing and honor opt-outs promptly
  • Configure waivers and lead forms lawfully
  • Respond to customer rights requests for Host-controlled CRM data
  • Ensure scraping and affiliate outreach comply with site terms and advertising disclosure laws
  • Maintain A2P 10DLC registration for US SMS campaigns

26. Changes to This Privacy Policy

We may update this Policy from time to time. Material changes will be communicated at least 30 days before they take effect via in-app banner and email, referencing the version number.

Constructive continuation: Unless you object in writing to Support within the notice window, continued use of the platform after the effective date constitutes acceptance of the revised Policy. If you object, we may suspend access until you accept the revised Policy or complete an offboarding / account-closure flow consistent with deletion obligations. We maintain acceptedPrivacyVersion (and related records) in our systems.

Non-material clarifications (formatting, contact updates, typographical corrections) may take effect immediately with updated version metadata.

27. Dispute Resolution and Governing Law (Privacy-Specific)

Privacy disputes are governed by the laws and dispute resolution provisions in our Terms of Service [State TBD], except where overridden by mandatory privacy laws in your state of residence. Nothing in this Policy limits rights that cannot be waived under applicable law.

28. California Privacy Rights (CCPA / CPRA Addendum)

This section applies to California residents and supplements the Policy above.

28.1 Categories collected (last 12 months)

See Section 6 and Appendix A. We collect identifiers, commercial information, internet activity, geolocation, professional information, inferences, audio/visual (user-uploaded), and communications content.

28.2 Sources

See Section 7.

28.3 Business and commercial purposes

See Sections 8 and 9.

28.4 Disclosure for business purposes

We disclose to service providers in Section 14. We do not sell personal information.

28.5 Sensitive personal information

We limit sensitive categories; Hosts may collect additional categories as controllers.

28.6 Retention

See Section 16 and Appendix D.

28.7 Your California rights

Right to know/access, delete, correct, opt-out of sale/share (not applicable — we do not sell), limit use of sensitive personal information where applicable, and non-discrimination.

28.8 Shine the Light

California Civil Code § 1798.83 — we do not share personal information with third parties for their direct marketing without disclosure; contact privacy@ for questions.

28.9 Authorized agents

Agents must submit signed permission and we may verify the consumer directly.

28.10 Verification

We match requests to Account credentials or additional information.

29. Colorado Privacy Act Addendum (Placeholder)

[PLACEHOLDER — counsel to complete before CO residents are onboarded.] Colorado residents may have rights to access, correct, delete, obtain portability, and opt out of targeted advertising, sale, or profiling in furtherance of decisions producing legal or similarly significant effects. Contact privacy@ to exercise rights. Appeal process: [TBD].

30. Virginia Consumer Data Protection Act Addendum (Placeholder)

[PLACEHOLDER — counsel to complete before VA residents are onboarded.] Virginia residents may have rights to access, correct, delete, obtain portability, and opt out of targeted advertising, sale, or certain profiling. Contact privacy@. Appeal process: [TBD].

31. Other US State Privacy Laws (Placeholder)

[PLACEHOLDER — counsel to maintain a rolling addendum for CT, UT, TX, OR, FL, MT, and other comprehensive state laws as we expand marketing and customer footprint.]

Appendix A — Personal Information Category Matrix

| Data element | CPRA-style category | Typical source | Purpose | Recipients | Retention |
|---|---|---|---|---|---|
| Username, uid | Identifiers | Sign-up / auth | Account | Firebase, internal CRM | Active + 30d grace |
| Email, phone | Identifiers | Sign-up / verification | Auth, CRM, comms | Firebase, Twilio, SendGrid | Active + 30d grace |
| Birthday | Identifiers | Sign-up | Age gate, CRM | Internal CRM | Active + 30d grace |
| Password hash | Identifiers | Sign-up | Auth | Firebase | Active account |
| Billing address | Identifiers / commercial | Checkout | Stripe Tax | Stripe | 7 years |
| Org/brand/location names | Commercial | Host setup | Service | Firebase | While active |
| CRM contact rows | Commercial | Host tools | Host relationship | Host users, processors | Host-controlled |
| Reservation / ticket PII | Commercial | Ops tools | Fulfillment | Host, Stripe (host) | Host + Section 16 |
| SMS/email content | Communications | Messaging tools | Delivery | Twilio, SendGrid | 2–4 years |
| AI prompt payloads | Inferences / communications | AI Booster (L2+) | Assistance | Gemini | Ledger + 2 years |
| Credit ledger rows | Commercial / financial | Metered usage | Billing | Firebase, Stripe | 7 years |
| IP, user agent | Internet activity | Sessions | Security | Logs, Firebase | ~2 years |
| placeId, lat/lng | Geolocation | Places API | Location setup | Google | While location active |
| QR click metadata | Internet activity | QR tool | Analytics | Firebase | ~2 years |
| Audit log events | Professional / identifiers | Privileged actions | Security | Firebase | 2 years |
| Marketing opt-in flag | Identifiers | Sign-up checkbox | Marketing | Internal CRM | Until opt-out |
| Suppression flags | Identifiers | STOP / unsubscribe | Compliance | Firebase | Until new consent |
| Cookie preferences | Identifiers | Privacy settings | Compliance | Browser / Firebase | Per cookies policy |

Appendix B — Tool-by-Tool Data Flow Summary

| Tool | Primary data | Role |
|---|---|---|
| CRM | Stores contacts; receives imports from reservations, ticketing, forms | Host controller; we processor |
| Email System | Sends campaigns; logs opens/clicks via SendGrid webhooks | Processor SendGrid |
| SMS System | Sends SMS; STOP suppression via Twilio inbound webhook | Processor Twilio |
| AI Booster | Sends prompts to Gemini; logs usage credits | Processor Google |
| Web Scraper | Stores scrape results; optional CRM pipe on Host action | Host liability acknowledged |
| Stripe billing | Subscription and credit pool debits | Processor Stripe |
| Smart TV CMS | Schedules content to paired devices | Device pairing metadata only |
| Affiliate Marketing | Attribution to CRM contacts; Connect payouts | Processors Stripe |
| Reservation / Ticketing | Customer PII for bookings | Host controller |
| Digital Waiver | Signatures and custom fields | Host controller |
| Internal admin | Cross-org lookup on internal CRM; impersonation audit | 3rdSpace controller |

Appendix C — Service Provider / Sub-Processor Register

See Section 14. Updated versions will be published before launch.

Appendix D — Retention Schedule (Detailed)

| Record type | Retention | Notes (CONTEXT / PLAN) |
|---|---|---|
| Active Account profile | While Account active | Updated on user edit |
| Soft-deleted entities | 30 days then purge | Uniform purgeAt platform standard |
| Deactivated locations | Data indefinite; billing up to 60 days | Then quantity drops at Stripe cycle |
| Tier-downgrade soft-archive | 30 days | deleteReason: tier-downgrade |
| SMS / email logs | 2–4 years | Compliance + dispute |
| AI / credit ledger | 7 years | Financial reconciliation |
| Subscription invoices (metadata) | 7 years | Tax |
| Audit logs (org + admin) | 2 years | Q-P2-19 |
| Aggregated analytics | Indefinite | De-identified |
| Support tickets | 3 years | Best-effort queue |
| Data export zip | 14-day delay + 7-day link | Q-P2-18 |
| Firestore PITR | 7-day window | Q-CR-31 |
| Weekly backup snapshots | 90 days | Q-CR-31 |
| Legal hold | Until released | Counsel-directed |

Appendix E — Security Control Summary

See Section 17. SOC 2 or similar attestation: [TBD — not claimed at launch].

Appendix F — Frequently Asked Questions

Q: Does 3rdSpace sell my data? A: No. We do not sell personal information to data brokers.

Q: Why am I in two CRMs? A: Auto-CRM-entry places every Account in our internal CRM and each joined Host's CRM.

Q: How long until export arrives? A: 14 days after request, then a 7-day download link.

Q: What happens when I delete my account? A: 30-day grace, then purge except legal retention.

Q: Is AI training on my data? A: We contractually restrict training on Booster API data; see Section 12.

Q: Can I opt out of marketing? A: Yes — separate from Terms; use Privacy settings or unsubscribe.

Q: Who handles my reservation data? A: The Host is controller; we process on their instructions.

Q: Are audit logs deleted? A: After 2 years automatically.

Q: US only? A: Self-serve onboarding is for US-hosted businesses at launch.

Q: How do policy changes work? A: 30-day notice; continued use accepts unless you object in writing.

Appendix G — California Notice at Collection (Detailed Table)

The following table satisfies CPRA-style notice at collection for California residents. It is illustrative, not exhaustive; see Section 6 for the authoritative category list.

| Personal information | CPRA category | Collection point | Purpose | Recipients | Retention |
|---|---|---|---|---|---|
| Username and uid | Identifiers | Sign-up / auth | Account operation | Firebase, internal CRM | Life of Account + 30d grace |
| Email and phone | Identifiers | Sign-up / verification | Auth, CRM, comms | Firebase, Twilio, SendGrid | Life of Account + 30d grace |
| Birthday | Identifiers / age gate | Sign-up | Eligibility, CRM | Internal CRM | Life of Account + 30d grace |
| Billing address | Identifiers / commercial | Checkout | Stripe Tax, invoices | Stripe | 7 years tax |
| CRM contact rows | Commercial | Host tools | Host relationship | Host users, processors | Host-controlled |
| Reservation PII | Commercial | Reservation tool | Fulfillment | Host, Firebase | Host + §16 |
| Ticket purchase PII | Commercial | Ticketing | Fulfillment | Host, Stripe (host) | Host + §16 |
| Waiver signature | Visual / commercial | Waiver tool | Legal record | Host | Host + legal hold |
| SMS body content | Communications | SMS tool | Delivery | Twilio | 2–4 years |
| Email body content | Communications | Email tool | Delivery | SendGrid | 2 years |
| AI prompt payload | Inferences / communications | Booster | Draft/summary | Gemini | Ledger + 2 years |
| IP and user agent | Internet activity | Sessions | Security | Firebase, logs | 2 years logs |
| Location lat/lng | Geolocation | Places autocomplete | Venue setup | Google | While Location active |
| QR scan events | Internet activity | QR tool | Analytics | Firebase | 2 years aggregated |
| Audit log actor | Identifiers / professional | Privileged actions | Security | Firebase | 2 years |
| Support attachments | Communications / visual | Support | Resolution | Firebase Storage | 3 years |
| Marketing opt-in flag | Identifiers | Sign-up checkbox | Marketing compliance | Internal CRM | Life of Account |
| Suppression flags | Identifiers | STOP / unsubscribe | TCPA/CAN-SPAM | Firebase | Indefinite until opt-in |
| Stripe payment method | Financial | Billing | Payment | Stripe | Per Stripe policy |
| Credit ledger entries | Commercial / financial | Usage billing | Invoicing | Firebase, Stripe | 7 years |
| Affiliate tax IDs | Identifiers / financial | Connect onboarding | Payouts | Stripe Connect | Per tax law |
| Demo lead email | Identifiers | Demo mode gate | Sales | org-3rdspace CRM | Internal sales retention |
| Session replay (Sentry) | Internet activity | Error diagnostics | Debug | Sentry | Per Sentry config |
| Cookie preferences | Identifiers | Privacy settings | Compliance | Firebase | Life of Account |
| acceptedPrivacyVersion | Identifiers | Policy acceptance | Contract | Firebase | Life of Account |
| UTM attribution | Internet activity | Marketing URLs | Attribution | Internal CRM | 2 years |
| Invite code attempts | Internet activity | Join-by-code | Anti-abuse | Cloud Functions logs | 90 days |
| Impersonation session | Professional | Internal admin | Support | adminAuditLog | 2 years |
| Web scrape URL log | Internet activity | Web Scraper | Audit | Firebase | 2 years |
| Media EXIF (if present) | Visual / geolocation | Upload | Display | Firebase Storage | Until deleted |
| Staff shift times | Professional | Scheduling | Operations | Host | Host retention |
| Gift card balance | Commercial / financial | Loyalty tool | Redemption | Host, Stripe | Host + 7 years |
| Pipeline card notes | Commercial | State Tracker | Sales | Host | Host retention |
| Review reply text | Communications | Review tool | Reputation | Host | Host retention |
| Social post draft | Communications | Social tool | Publishing | Host | Host retention |
| TV schedule metadata | Commercial | Smart TV CMS | Playback | Device | While paired |
| Karaoke queue name | Identifiers | Karaoke tool | Queue | Host | Event + 90 days |
| Inventory SKU notes | Commercial | Inventory | Ops | Host | Host retention |
| Menu item description | Commercial | Products tool | Menu | Host | Host retention |
| Dynamic price rule | Commercial / inferences | Pricing | Pricing | Host | Host retention |
| POS import rows | Commercial | CRM import | Merge | Host | Host retention |
| Consumer app feed (future) | Internet / commercial | Consumer App | Social | Firebase | Per Consumer policy |
| Friend graph (future) | Identifiers | Consumer App | Social | Firebase | Per Consumer policy |
| Waitlist email | Identifiers | Pre-launch | Launch notice | SendGrid | Until launch + 1 year |
| Internal cost accounting | Commercial | org-3rdspace | COGS tracking | Internal only | 7 years |
| Tax exempt certificate | Sensitive / commercial | Nonprofit flow | Stripe Tax exempt | Stripe | Per tax law |
| Org EIN verification | Identifiers | Nonprofit flow | Verification | Internal admin | Life of org |
| Role change history | Professional | Users tool | RBAC | auditLog | 2 years |
| Billing tier changes | Commercial | Billing UI | Subscription | auditLog, Stripe | 2 years + 7 tax |
| Deletion request log | Identifiers | Privacy UI | Compliance | Firebase | 3 years |
| Export job metadata | Identifiers | Privacy export | Portability | GCS private bucket | 14d + 7d link |
| Breach incident notes | Identifiers | Incident response | Legal | Restricted internal | 7 years |

Appendix H — Host Controller Obligations Checklist

  1. Publish a privacy policy to end customers describing the Host's practices, retention, and rights contact.
  2. Maintain a lawful basis or consent for marketing email and SMS to CRM contacts.
  3. Honor opt-out, STOP, and unsubscribe signals within regulatory timelines.
  4. Register A2P 10DLC brands and campaigns before large-scale US SMS sends.
  5. Include physical mailing address in commercial email footers where CAN-SPAM requires.
  6. Document affiliate and sponsored-content disclosures where state law requires.
  7. Avoid collecting excessive sensitive data in waivers and lead forms.
  8. Respond to customer access, correction, and deletion requests for Host-controlled CRM records.
  9. Notify customers of material privacy practice changes the Host initiates.
  10. Ensure scraping targets are permitted and robots.txt overrides are justified.
  11. Configure amusement-tax and dynamic-pricing disclosures for customer-facing flows when applicable.
  12. Retain financial records for affiliate payouts and gift cards per applicable law.
  13. Train staff with CRM access on confidentiality and role scopes.
  14. Report suspected platform security issues to 3rdSpace promptly.
  15. Execute a Data Processing Addendum with 3rdSpace when required by scale or jurisdiction.

Appendix I — 3rdSpace Internal Processing Activities (ROPA-Style Summary)

| Activity | Legal basis | Subjects | Systems | Retention |
|---|---|---|---|---|
| Account lifecycle management | Contract / legitimate interest | All users | Firebase Auth, Firestore | Active + 30d grace |
| Internal CRM enrichment | Legitimate interest / consent for marketing | All users | Firestore | Active + legal |
| Subscription billing | Contract | Paying orgs | Stripe, Firestore | 7 years |
| Unified credit pool metering | Contract | Paying orgs | Firestore, Stripe | 7 years |
| Transactional notifications | Contract | All users | SendGrid, Twilio | Per channel §16 |
| Optional marketing to users | Consent | Opted-in users | SendGrid, Twilio | Until opt-out |
| Host channel marketing | Legitimate interest / consent chain | Host customers opted-in | SendGrid, Twilio | Until opt-out |
| AI Booster inference | Contract / legitimate interest | Booster-enabled orgs | Gemini | Ledger + 2y |
| Security monitoring | Legitimate interest | All users | Sentry, logs | 2 years |
| Fraud prevention | Legitimate interest | Sign-up, billing | HIBP, rate limits | 90 days–2 years |
| Customer support | Contract | Support requesters | Firestore tickets | 3 years |
| Internal admin impersonation | Legitimate interest | Supported hosts | adminAuditLog | 2 years |
| Legal compliance responses | Legal obligation | Affected users | Various | As required |
| Backup and disaster recovery | Legitimate interest | All production data | GCS, PITR | 90d / 7d |
| Policy version tracking | Contract | All users | Firestore | Life of Account |

Appendix J — Detailed Rights Request Workflow

Step 1: User submits request via Privacy settings or privacy@ email.
Step 2: We acknowledge receipt within 10 business days (target).
Step 3: We verify identity using Account login or supplemental factors for email-only requests.
Step 4: We classify request type: access, correction, deletion, portability, opt-out, limitation, appeal.
Step 5: For Host-controlled CRM data, we notify the Host or provide Host contact where direct access is inappropriate.
Step 6: We locate data across Firebase collections, Stripe (billing), and archived exports.
Step 7: We apply exceptions: legal retention, ongoing disputes, anti-fraud holds, backup tapes within retention.
Step 8: For deletion, soft-delete clock starts (30 days) before purge jobs run.
Step 9: For export, 14-day delay clock starts; Cloud Function builds zip; signed URL emailed.
Step 10: We close the request and retain minimal metadata of the request for compliance (3 years).

Appendix K — CPRA Sensitive Personal Information Limitation

We do not use or disclose Sensitive Personal Information for purposes other than those permitted by CPRA regulations without offering a right to limit. Hosts may configure tools that collect additional sensitive fields (for example, health-related waiver questions); in those cases, the Host is the controller and must provide any required notices and limitation rights directly to the consumer.

Where Stripe or government processes require collection of tax identifiers for Connect payouts, we rely on Stripe's controlled collection environments and limit our own storage to references and status flags necessary for operations.

Appendix L — Email and SMS Regulatory Cross-Reference

CAN-SPAM (email): Commercial emails include identification, valid physical postal address of the sender, and unsubscribe mechanism. Hosts sending through our Email tool remain responsible for content truthfulness and consent.

TCPA (SMS): Marketing SMS requires appropriate consent. Hosts must honor STOP. We implement inbound webhooks verified by Twilio signature.

A2P 10DLC: US application-to-person long codes require brand and campaign registration. Hosts complete registration before large sends; we surface status in the SMS tool.

State mini-laws: California, Florida, Oklahoma, and others impose additional SMS/email rules; Hosts with customers in those states bear compliance responsibility as controllers.

Appendix M — Extended Tool Privacy Notes

CRM (Customer Relationship Management)

Org-wide customer graph with brand/location scoping. Auto-entry links Accounts to contacts. Hosts may import CSV, POS data (planned), and tool-generated events. AI Booster may read wide schemas to produce demographic summaries—host approves use. Deletion of a contact soft-deletes for 30 days unless Host purges immediately.

Email System

SendGrid transports messages; webhook events update delivery and suppression. Per-recipient records retained two years. Usage debited from unified credit pool at provider cost + 5%.

SMS System

Twilio transports messages; STOP inbound webhook verified cryptographically. Records retained two to four years. A2P registration metadata stored per org.

AI Booster

Gemini (and future Claude) processes prompts without training per vendor terms. 14-day disable delay. Per-tool toggles limit spend. Usage ledger ties to credit pool.

Click and scan analytics may include device type and timestamp; we avoid placing PII in URLs.

Website Services

Hosted sites and forms write leads into CRM. Host owns site content and notices.

SEO & GEO Audit

Crawls host's own sites; may send findings to Gemini when Booster enabled.

Business Profile Manager

Listing audits may use Google Business Profile APIs; stores profile change audit log.

Web Scraper

Host accepts responsibility when overriding robots.txt; audit trail retained two years.

Reservation Tool

Collects guest contact and party details into CRM; payment may flow through host Stripe.

Ticketing Tool

Collects buyer information; amusement tax settings are host-configured.

Digital Waiver

May store signatures and custom fields; hosts must provide appropriate notices.

Lead Capture Forms

Embed on host sites; submissions create CRM contacts with source tags.

Campaign Manager

Orchestrates multi-step email/SMS journeys; step records retained two years.

Review Management

Stores public review metadata and host replies; may use third-party APIs.

Social Media Manager

Drafts and schedules posts; tokens stored encrypted per platform policy.

Staff Scheduling

Employee names, shifts, and contact info visible per RBAC scopes.

Affiliate Marketing

Affiliates are CRM contacts; Stripe Connect collects tax identity; 1099-K may issue.

Smart TV CMS

Pairs devices via short codes; does not stream user PII to TVs beyond schedule metadata.

Media Library

Stores host-uploaded assets; EXIF may be stripped at upload (implementation TBD).

Invoicing & Expenses

Vendor and customer billing records; financial retention per tax schedules.

Products & Menu Manager

Menu and pricing data; dynamic pricing disclosures are host responsibility.

Inventory Manager

Stock counts and vendor SKUs; no consumer PII unless linked orders exist.

Gift Card & Loyalty

Balances and redemption history; money trail audited.

Karaoke Manager

Queue names only; no audio hosting by 3rdSpace; PRO licensing is host duty.

State Tracker

Sales pipeline cards may contain notes about individuals; Admin+ for destructive actions.

3rdSpace App Presence

Public-facing app profile fields; future Consumer App publishing.

Internal Admin

Cross-org search on internal CRM; impersonation read-only with adminAuditLog.

Demo Sales Mode

Seeded fake data; real emails gated into org-3rdspace CRM for sales follow-up.
