Privacy policy

We collect the personal information you give us (name, email, phone if you opt in to SMS, the events and signups you create or join). We use it to operate the product, send transactional notifications about your events, and diagnose problems. We share it only with a small set of named subprocessors that help us run the service. We do not sell it, and we do not use it for third-party advertising.

You can view, edit, export, or delete your data on our data requests page.

Information you give us when you create an account, post an event, sign up to attend, or contact us:

• Name and email address.
• Password (hashed, never stored in plain text), only if you sign up with email/password.
• Phone number, only if you opt in to SMS reminders by entering it on a signup form. See our SMS messaging policy.
• Notification, contact, and visibility preferences you set in your account.
• Event content you author (titles, descriptions, time slots, items, locations).
• Signups you submit (slot or item, optional notes).
• Payment data, if you make a payment through the Services, payment instrument details (card number, security code, billing address) are collected and processed directly by Stripe. We do not store full card numbers or security codes; we receive only a token and transaction metadata.

Information we collect automatically, basic device/browser metadata, error reports when something breaks, and pseudonymous product analytics events (e.g. event created, signed up) so we can improve the product.

Sensitive information. We do not collect or process sensitive personal information (e.g. racial or ethnic origin, sexual orientation, religious beliefs, biometrics, health data).

Information from third parties. We do not buy or otherwise collect personal information from third-party data brokers. The only third-party identity we receive is when you choose to sign in with Google (see "Google API" below).

Google API

Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. When you choose to sign in with Google, we receive your name, email, and Google account ID; we do not receive or store your Google password. We use this only to authenticate you and link your account.

• Run the product, show you your events, deliver signup confirmations and reminders.
• Authenticate you and protect your account.
• Diagnose problems, fix bugs, and improve the product.
• Send transactional messages about events you organize or have signed up for.
• Send marketing or promotional communications (only if you have opted in). You can opt out at any time by clicking the unsubscribe link in any marketing email or by emailing support@thesignup.app. Opting out of marketing does not affect transactional messages we are required to send to run the Services.
• Comply with legal obligations and enforce our terms.

We do not use your information for third-party advertising, and we do not sell it.

If you are in the EEA, UK, or Switzerland, our legal bases for processing are:

• Performance of a contract, to provide the Services you signed up for.
• Legitimate interests, to keep the product secure and improve it (pseudonymous analytics).
• Consent, for SMS reminders, which you opt in to by providing a phone number. You can withdraw consent any time.
• Legal obligations, to comply with applicable laws.
• Vital interests, in rare cases to protect someone's safety.

If you are in Canada, we rely on your express or implied consent, with the limited exceptions permitted under PIPEDA.

We share the minimum necessary information with the subprocessors below. Each is contractually bound to protect your data and use it only to provide their service.

• Vercel, hosts the application.
• Supabase, hosts our Postgres database.
• Resend, delivers transactional email.
• Twilio, delivers SMS reminders (only if you opt in).
• Google, authenticates you when you choose Sign in with Google.
• PostHog, pseudonymous product analytics.
• Stripe, processes payments. Privacy notice: https://stripe.com/privacy.
• Anthropic and OpenAI, AI service providers powering AI-based features (see section 6 below). Inputs and outputs are processed by these providers under their respective data terms.

Other users. When you organize an event, the participants you invite see your name and the event details. When you sign up to attend, the organizer (and anyone they have shared management with) sees your name and your signup details.

Business transfers. If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you and honor the privacy choices you have made.

We use cookies and local storage for authentication (keeping you signed in), basic preferences, and product analytics. We do not use third-party advertising or tracking cookies. See our cookie policy for the categories we use and how to control them.

We may offer features powered by artificial intelligence and machine learning ("AI Products"), for example, drafting suggestions for event descriptions or summarizing signup activity. These features use third-party AI providers, currently Anthropic and OpenAI.

When you use an AI Product, the input you provide and the output it returns are sent to the relevant provider so they can generate the response. We do not allow these providers to use your input to train their general-purpose models, and we share only the minimum necessary information to deliver the feature.

You should not enter sensitive personal information (e.g. health, financial, or government ID data) into AI Products. Outputs from AI may be inaccurate; treat them as suggestions, not authoritative answers.

Our servers are located in the United States. If you access the Services from outside the US, your information will be transferred to, stored, and processed there. Where required, we rely on the European Commission's Standard Contractual Clauses (or equivalent UK / Swiss mechanisms) for transfers from the EEA, UK, and Switzerland to the US. Copies are available on request.

We keep your personal information for as long as your account is active. If you delete your account, we delete or anonymize your personal information within 30 days, except where we are legally required to retain it (e.g. tax or accounting). No purpose in this notice will require us to keep personal information for longer than 12 months past the termination of your account.

Email and SMS delivery logs may be retained by our vendors (Resend, Twilio) per their own retention policies.

We use reasonable technical and organizational security measures, encrypted connections, hashed passwords, scoped database access, audit logging, to protect your information. No system is 100% secure; you should access the Services from a secure environment.

The Services are not directed to children under 18, and we do not knowingly collect information from anyone under 18. By using the Services you confirm you are at least 18 (or the equivalent age of majority in your jurisdiction) or that a parent or guardian has consented on your behalf. If you believe a child has created an account, contact us and we will deactivate it.

Depending on where you live, you may have the right to access, correct, port, or delete the personal information we hold about you, restrict or object to certain processing, withdraw consent, and not be subject to solely-automated decision-making with legal effect. You can exercise all of these on our data requests page.

If you are in the EEA or UK and believe we are processing your information unlawfully, you have the right to lodge a complaint with your local data protection authority or the UK ICO. If you are in Switzerland, you may contact the FDPIC.

No uniform Do-Not-Track standard has been finalized. We do not currently respond to DNT signals or any other automated mechanism that communicates a choice not to be tracked. If a standard we're bound to follow is adopted, we will update this notice.

We may update this Privacy Notice. The "last updated" date at the top will reflect any change. If we make material changes we will notify you in-product or by email.

Questions, requests, or concerns: support@thesignup.app, or by post: