PRIVACY POLICY

Last Updated: 18th September 2025

1. Overview

This Privacy Policy explains how VenueBurst Limited ("VenueBurst", "we", "us" or "our") collects, uses, shares and protects personal data when you use the VenueBurst platform, website, mobile applications and related services (the "Platform"). It also explains your rights and how to exercise them.

Controller: VenueBurst Limited is the data controller for personal data processed in connection with the Platform. We operate from the United Kingdom (London timezone). For privacy enquiries contact support@venueburst.co.uk.

2. Scope

This Policy applies to all users of the Platform including Customers, venue representatives, suppliers and visitors. It covers data collected directly, from third parties, and automatically via your device.

3. Personal Data We Collect

3.1 Identity & Contact Data

  • Full name, display name, email, phone number, billing address and postal address, only as necessary to provide services.

3.2 Account & Authentication Data

  • Hashed passwords, password reset tokens, OAuth identifiers (Google, Facebook), two-factor authentication, account activity logs.

3.3 Booking & Transaction Data

  • Booking dates and times, guest numbers, venue, messages to venues, booking references, invoices, receipts, and payment metadata required to process bookings. Raw card numbers are never stored.

3.4 Payment & Payout Data

  • Payment processor identifiers, payout account references, VAT/tax identifiers, billing records required for reconciliation.

3.5 Communications & Content

  • Messages, attachments and feedback sent through the Platform and support communications, stored only for service provision.

3.6 Technical & Usage Data

  • IP address (anonymised where possible), device/browser info, OS, unique device IDs, page views, referrer URLs, timestamps, clicks, error logs, cookies, analytics identifiers.

3.7 Derived & Aggregated Data

  • Aggregated or anonymised information that does not identify individuals, used for analytics or reporting.

3.8 Third-party Data

  • Data from third-party sign-in providers or when venues provide additional booking information, processed under lawful agreements.

4. Legal Bases for Processing (UK GDPR)

  • Contractual necessity — to provide services and fulfil bookings.
  • Legal obligation — to comply with accounting, tax, or regulatory requirements.
  • Legitimate interests — to operate, secure and improve the Platform, prevent fraud, communicate service messages, provided your rights are respected.
  • Consent — where required for marketing or certain cookies, withdrawable at any time.

5. How We Collect Data

  • Directly from you when registering, updating profiles, booking or contacting support.
  • From venues via lawful agreements and only for service delivery.
  • From third parties (sign-in providers, payment processors, identity verification services).
  • Automatically via cookies, log files, analytics tools and device identifiers.

6. How We Use Your Data

  • Administer accounts and authenticate access.
  • Process bookings, payments, refunds, issue receipts, communicate booking updates.
  • Share only necessary data with Venues under lawful agreements.
  • Provide customer support and respond to enquiries.
  • Operate Platform features such as messaging, reviews, search.
  • Detect, prevent, investigate fraud or abuse.
  • Maintain and improve Platform performance via analytics.
  • Send marketing communications with consent, opt-out available anytime.

7. Sharing & Disclosure

7.1 Venues

Venues receive only necessary customer data under Data Sharing Agreements to fulfil bookings. Venues must process data lawfully and comply with GDPR.

7.2 Payment Processors

Payment metadata shared with processors for transaction handling and reconciliation. Cardholder data handled directly by providers; raw card numbers are never stored.

7.3 Service Providers & Infrastructure

Third-party providers (AWS, Google, Facebook, Stripe, Jetpack) process data only under contract and privacy rules.

7.4 Legal Requests

Data may be shared with legal, tax, audit advisors, or to comply with lawful requests or protect rights.

7.5 Aggregated/Anonymised Data

Shared data that cannot identify individuals for analytics, research, or commercial purposes.

7.6 Business Transfers

In the event of mergers or acquisitions, personal data may transfer to the acquiring entity under confidentiality and legal safeguards.

8. International Transfers

Data may be processed outside the UK/EEA under adequacy decisions, Standard Contractual Clauses, or lawful mechanisms. Use of the Platform constitutes consent to such transfers.

9. Cookies & Tracking

  • Strictly necessary: core Platform functionality.
  • Performance & analytics: measure use, improve Platform.
  • Functional: remember preferences/settings.
  • Advertising & targeting: where permitted, for marketing.

You may control cookies via your browser or banner. Blocking some may limit functionality.

10. Data Retention

Data CategoryRetention
Account recordsActive account + 6 years for legal/tax purposes
Booking & payment7 years for accounting and tax
Support & communications3–7 years based on relevance/legal obligations
Logs & analyticsUp to 2 years; anonymised earlier where possible

Deletion requests will be honoured where possible, subject to legal/contractual obligations.

11. Security

We implement technical and organisational safeguards, including encryption, access controls, vulnerability scanning, and security reviews. Absolute security cannot be guaranteed. Data breaches will be notified as legally required.

12. Your Rights

  • Access: request your personal data.
  • Correction: fix inaccurate/incomplete data.
  • Deletion: erase personal data subject to exceptions.
  • Restriction: limit processing in certain cases.
  • Object: object to processing for legitimate interests or direct marketing.
  • Portability: receive your data in machine-readable format.
  • Withdraw consent: where processing is consent-based.

Contact support@venueburst.co.uk to exercise rights. Proof of identity may be required. Responses within statutory timeframes.

13. Automated Decisions

We may use automated tools to detect fraud or support Platform features. No fully automated decisions with legal/similar effects are made without safeguards. Contact us for concerns.

14. Children

Not directed at children under 13. Data from children under 13 will be deleted upon request.

15. Third-Party Services & Links

We are not responsible for privacy practices of external services. Key third parties include AWS, Google, Facebook/Meta, Stripe, Jetpack, and other service providers.

16. Payment & Fee Statements

  • Platform fees are final and non-refundable.
  • Venue pricing/refunds handled directly between Customer and Venue.
  • Connected accounts (e.g. Stripe Connect) receive funds directly; VenueBurst retains application fees.

17. Disputes & Mediation

Bookings are contracts between Customer and Venue. VenueBurst may voluntarily mediate, but has no obligation to resolve disputes.

18. Limitation of Liability

  • No liability for indirect, special, incidental, punitive or consequential losses.
  • Total liability limited to fees paid to VenueBurst in prior 6 months.
  • You indemnify VenueBurst for breaches or misuse of the Platform.

19. Complaints

Contact support@venueburst.co.uk for privacy requests. Complaints can also be lodged with the ICO in the UK.

20. Changes to This Policy

Policy updates will be posted with an updated "Last Updated" date. Continued use implies acceptance.

21. Contact

Email: support@venueburst.co.uk

Postal: VenueBurst Limited, [Registered Address]

By using the Platform you acknowledge reading and accepting this Privacy Policy. Do not use the Platform if you do not agree.

22. Notes for Venues & Partners

Venues remain responsible for lawful processing of customer data received via the Platform, including GDPR compliance.

23. Data Protection Officer

Contact support@venueburst.co.uk with "DPO/Privacy" in the subject line for DPO or privacy enquiries.