PRIVACY POLICY

FloorRequest LLC ("FloorRequest," "we," "us," or "our") respects your privacy. This Privacy Policy explains what information we collect, how we use it, who we share it with, and the rights you have regarding your personal information when you use the FloorRequest platform, website at floorrequest.com, and related services (collectively, the "Service").

This Privacy Policy applies to both:

• Venues — paying subscribers who register an account to manage song requests at their venue, dance hall, club, or event;
• Guests — individuals who scan a QR code at a venue and submit song requests without creating an account.

1. INFORMATION WE COLLECT

1.1 Information You Provide — Venues

When you register as a Venue or use the Service, we collect:

• Account information: name, business name, email address, password (hashed), phone number (optional);
• Venue information: venue name, location, type of venue, branding details, custom configurations;
• Payment information: processed by Stripe, Inc. We do not store full credit card numbers. We receive limited payment metadata such as the last four digits, card brand, and billing zip code;
• Communications: support requests, feedback, and other correspondence with us.

1.2 Information You Provide — Guests

Guests do not create accounts. When a Guest submits a song request, we collect:

• Song request data: the song selected, the venue it was submitted to, and the timestamp;
• Optional information: a display name or note submitted with the request, if the Guest chooses to provide one;
• Technical metadata: IP address, browser type, device information, and approximate location (city-level), collected automatically.
• For Guests located in the European Economic Area, United Kingdom, or Switzerland, the technical metadata described above is processed under our legitimate interests in operating, securing, and improving the Service.

1.3 Information Collected Automatically

Whether you are a Venue or Guest, we automatically collect certain information when you access the Service:

• Log data: IP address, browser type and version, operating system, referring URL, pages visited, timestamps;
• Device information: device type, screen size, language preference;
• Usage data: features accessed, actions taken, frequency of use;
• Cookies and similar technologies: see Section 7 below.

1.4 Information from Third Parties

We receive information from third parties that you connect to the Service:

• Spotify: when a Venue connects their Spotify account, we receive an OAuth access token that allows us to perform actions on the Venue's Spotify account on the Venue's behalf. The scopes we request include searching the Spotify catalog, viewing and modifying the Venue's playback queue, reading and modifying playlists owned by the Venue, and reading basic profile information. We do not receive your Spotify password. Tokens are stored encrypted at rest;
• Stripe: payment processing metadata as described in Section 1.1;
• Analytics providers: aggregated usage statistics about your interaction with the Service.

2. HOW WE USE INFORMATION

We use information we collect for the following purposes:

• Provide, operate, and maintain the Service;
• Process payments and manage subscriptions;
• Authenticate Venues and secure accounts;
• Integrate with third-party services (such as Spotify) at the Venue's direction;
• Display song requests and analytics to Venues;
• Communicate with Venues about the Service, including service updates, billing notifications, and support;
• Improve, customize, and develop the Service, including through aggregated and anonymized analytics;
• Detect, prevent, and respond to fraud, security threats, and violations of our Terms of Service;
• Comply with legal obligations and enforce our rights;
• With your consent, send marketing communications about FloorRequest features and offerings (Venues only).

3. LEGAL BASES FOR PROCESSING (EEA/UK USERS)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal information under the following legal bases:

• Contract: to provide the Service and fulfill our obligations to Venues under our Terms of Service;
• Legitimate interests: to operate, secure, and improve the Service, prevent fraud, and conduct analytics, where such interests are not overridden by your rights;
• Consent: for marketing communications and certain cookies, where required;
• Legal obligation: to comply with applicable laws and respond to lawful requests.

4. HOW WE SHARE INFORMATION

We do not sell your personal information. We share information only as described below:

4.1 With Venues (Song Requests from Guests)

Song requests submitted by Guests are displayed to the Venue at which they were submitted, including any optional name or note the Guest provided. Aggregated request analytics are also visible to the Venue.

4.2 With Service Providers

We share information with third-party service providers who perform services on our behalf, including:

• Stripe, Inc. — payment processing;
• Spotify AB — music streaming integration (at the Venue's direction);
• Supabase — database, authentication, and storage infrastructure;
• Hosting and infrastructure providers — for example, Vercel or similar platforms;
• Analytics providers — to understand Service usage;
• Email and communications providers — to deliver transactional and support emails.

These providers are contractually obligated to protect your information and use it only for the purposes we direct.

4.3 For Legal Reasons

We may disclose information to comply with applicable law, legal process, or government requests; to enforce our Terms of Service; to protect our rights, property, or safety, or that of our users or others; or in connection with the investigation of fraud, security, or technical issues.

4.4 Business Transfers

If FloorRequest is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction. We will provide notice and choices where required by law.

4.5 Aggregated or De-Identified Information

We may share aggregated or de-identified information (such as song request trends across venues) that cannot reasonably be used to identify you. This may be shared for research, marketing, or industry analysis.

5. DATA RETENTION

We retain personal information for as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods include:

• Venue account data: retained while your account is active and for up to 12 months after account closure, unless a longer period is required by law;
• Song request data (Guests): retained for up to 24 months for analytics and reporting purposes, then anonymized or deleted;
• Payment records: retained as required by tax, accounting, and financial regulations (typically 7 years);
• Logs and security data: retained for up to 12 months.

We may retain anonymized or aggregated data indefinitely.

6. SECURITY

We use industry-standard administrative, technical, and physical safeguards to protect your information, including encryption in transit and at rest, access controls, and regular security reviews. Spotify access tokens are stored encrypted at rest. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security. You are responsible for maintaining the security of your account credentials.

7. COOKIES AND TRACKING TECHNOLOGIES

7.1 What We Use

We use cookies and similar technologies (such as local storage and pixels) to:

• Authenticate Venues and maintain logged-in sessions;
• Remember preferences and settings;
• Understand how the Service is used (analytics);
• Secure the Service against fraud and abuse.

7.2 Your Choices

Most browsers allow you to control cookies through settings. Disabling certain cookies may affect the functionality of the Service. Where required by law, we will request your consent before placing non-essential cookies and provide a cookie management tool on the Service.

We currently do not respond to Do Not Track ("DNT") browser signals, as no industry standard for DNT has been established. We honor Global Privacy Control (GPC) signals from California residents as an opt-out of sale and sharing of personal information, though we do not currently sell or share personal information as defined under CCPA/CPRA.

We currently do not respond to Do Not Track ("DNT") browser signals, as no industry standard for DNT has been established.

8. INTERNATIONAL DATA TRANSFERS

FloorRequest is based in the United States, and we process and store information in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States, which may have different data protection laws than your jurisdiction. Where required by law (for example, transfers from the EEA, UK, or Switzerland), we rely on appropriate safeguards such as Standard Contractual Clauses.

9. YOUR PRIVACY RIGHTS

9.1 General Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

• Access: request a copy of the personal information we hold about you;
• Correction: request that we correct inaccurate or incomplete information;
• Deletion: request that we delete your personal information, subject to legal exceptions;
• Portability: request a copy of your information in a portable format;
• Restriction: request that we restrict processing of your information;
• Objection: object to certain processing of your information;
• Withdrawal of consent: where we rely on consent, withdraw it at any time;
• Complaint: file a complaint with your local data protection authority.

To exercise these rights, contact us at legal@floorrequest.com. We will respond within the time required by applicable law (typically 30-45 days). We may need to verify your identity before fulfilling your request.

9.2 California Residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights:

• The right to know what categories of personal information we collect, the sources, the purposes, and to whom we disclose it;
• The right to request deletion of your personal information;
• The right to correct inaccurate information;
• The right to opt out of the sale or sharing of personal information (we do not sell or share personal information as defined under CCPA);
• The right to limit the use of sensitive personal information;
• The right to be free from discrimination for exercising your privacy rights.

To exercise these rights, contact us at legal@floorrequest.com. You may also designate an authorized agent to make a request on your behalf, subject to verification.

9.3 European, UK, and Swiss Residents (GDPR)

If you are located in the EEA, UK, or Switzerland, you have the rights described in Section 9.1 under the General Data Protection Regulation (GDPR) and equivalent local laws. You also have the right to lodge a complaint with your local supervisory authority. Our data controller for these purposes is FloorRequest LLC, contactable at legal@floorrequest.com.

10. CHILDREN'S PRIVACY

The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we learn we have collected personal information from a child under 13 without verifiable parental consent, we will delete it. If you believe we have collected information from a child under 13, please contact us at legal@floorrequest.com.

11. THIRD-PARTY SERVICES AND LINKS

The Service may contain links to or integrate with third-party services (such as Spotify, Stripe, or external websites). This Privacy Policy does not apply to those services. We encourage you to review the privacy policies of any third-party services you use:

• Spotify Privacy Policy: spotify.com/legal/privacy-policy
• Stripe Privacy Policy: stripe.com/privacy

12. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time. We will post the updated Privacy Policy on floorrequest.com and update the "Last Updated" date above. For material changes, we will provide notice via email or in-product notification at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy.

13. HOW TO CONTACT US

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us at:

FloorRequest LLC

7533 S Center View Ct #5845

West Jordan, UT 84084

Email: legal@floorrequest.com

Website: floorrequest.com