Feasty Privacy Policy

1. Introduction

Feasty, LLC ("Feasty," "we," "our," or "us") respects your privacy. This Privacy Policy explains how we collect, use, and share information when you use the Feasty mobile application, website, and related services (collectively, the "Platform").

By using Feasty, you agree to the practices described in this Policy. If you do not agree, please do not use the Platform.

Role of Parties: Feasty acts as a data controller for information we process to operate the Platform. Vendors are independent controllers of information they receive to fulfill orders. Our vendors and service providers act as service providers or contractors under applicable law.

2. Information We Collect

We may collect the following categories of information:

• Account Information: name, email address, phone number, and password.
• Order Information: items ordered, payment method, and pickup or delivery details.
• Vendor Information: business name and payout details.
• Payment Data: processed by Stripe. We do not store card details.
• Location Data: approximate location, collected with your consent.
• Device & Usage Data: IP address, browser type, app version, and usage logs.
• Communications: emails, texts, or in-app messages you send or receive through the Platform.
• Cookies & Tracking Data: used to improve service and analytics.
• Google User Data (Google Calendar): when you choose to connect your Google account, we request the https://www.googleapis.com/auth/calendar.events OAuth scope so Feasty can create, read, update, and delete calendar events that you manage through the Feasty scheduling feature. We also receive the OAuth access token, refresh token, and token expiration issued by Google. We do not request or use any other Google scopes, and we do not access Gmail, Contacts, Drive, profile, or any calendar data unrelated to your Feasty schedule. A full description of how this data is accessed, used, stored, and shared is provided in Section 10 below.

Data Retention: We retain your data only as long as necessary for the purposes described in this Policy, subject to the following schedules:

• Order data: retained for 3 years from the date of the transaction to support dispute resolution, tax compliance, and legal obligations.
• Account data: retained for 2 years following account closure or last active use, after which it is deleted or anonymized.
• Vendor payout data: retained for 7 years to comply with IRS and financial recordkeeping requirements.
• Communications and support records: retained for 2 years.
• Cookies and usage data: retained for up to 13 months.

Data that is no longer required will be securely deleted or anonymized.

3. How We Use Information

We use information to:

• Process and fulfill orders.
• Provide customer and vendor support.
• Facilitate payments and vendor payouts.
• Improve and personalize the Platform.
• Send transactional updates such as order confirmations and security alerts.
• Send marketing communications, with your consent where required by applicable law.
• Detect fraud, enforce our Terms & Conditions, and comply with legal obligations.

We do not use personal information for cross-context behavioral advertising or automated decision-making that produces legal effects on individuals.

4. How We Share Information

We may share information with:

• Vendors: to fulfill orders placed through the Platform.
• Stripe: to process payments on our behalf.
• Service Providers: including hosting, analytics, and customer support tools, who process data on our behalf under contractual data protection obligations.
• Legal Authorities: when required by law, subpoena, or to protect the rights and safety of Feasty and its users.
• Business Transfers: in connection with a merger, acquisition, or sale of assets, subject to standard confidentiality protections.

We do not sell personal information. If our practices change, we will provide a clear opt-out mechanism and advance notice before doing so.

5. Privacy Rights

Depending on your state of residence, and where required by applicable law, you may have the right to:

• Access or receive a copy of the personal information we hold about you.
• Request correction of inaccurate personal information.
• Request deletion of your personal information, subject to legal retention obligations.
• Opt out of the sale or sharing of your personal information.
• Limit the use of sensitive personal information.
• Appeal a decision if we deny your privacy rights request.

To submit a privacy rights request, email [email protected]. We will verify your identity using account information and respond within the timeframe required by applicable law (generally 45 days, with a possible 45-day extension). Appeals may also be submitted by email.

We will not discriminate against you for exercising any privacy rights available to you under applicable law.

6. California Privacy Rights (CCPA/CPRA)

Feasty intends to operate in California and is committed to complying with the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). California residents have the following additional rights:

• Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of that information, the business or commercial purposes for collection, and the categories of third parties with whom we share it.
• Right to Delete: You may request deletion of personal information we have collected from you, subject to certain exceptions.
• Right to Correct: You may request correction of inaccurate personal information.
• Right to Opt Out: You may opt out of the sale or sharing of your personal information. Feasty does not currently sell personal information.
• Right to Limit Sensitive Data Use: You may limit the use and disclosure of sensitive personal information to purposes permitted by law.
• Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA rights.

To exercise any of these rights, email [email protected]. We will respond within 45 days of a verified request, with a possible extension of an additional 45 days where reasonably necessary.

We do not knowingly sell or share the personal information of California residents under the age of 16 without opt-in consent as required by law.

7. Children's Privacy

The Platform is intended for users who are 18 years of age or older. We do not knowingly collect, use, or share personal information from anyone under the age of 18. If we discover that we have inadvertently collected information from a user under 18, we will promptly delete it.

If you believe we have collected information from a minor, please contact us at [email protected].

8. Communications & SMS

By providing a phone number, you may receive transactional text messages such as order updates and account alerts. Marketing texts require separate opt-in consent. You may opt out of text messages at any time by replying STOP or emailing [email protected].

9. Cookies & Tracking

We use cookies and similar technologies for login, security, and analytics, including Google Analytics 4 (GA4). When you use the Platform, certain usage data may be shared with Google for analytics purposes.

We use Google Analytics Consent Mode v2, which means:

• On your first visit, you will be presented with a consent banner before any analytics tracking is activated.
• If you decline, Google Analytics operates in cookieless mode and does not collect or share your personal information with Google.
• If you accept, standard analytics tracking is enabled to help us improve the Platform.
• You may change your consent preference at any time through the Platform settings.

We automatically detect and honor Global Privacy Control (GPC) browser signals as a valid opt-out of the sharing of your personal information. No additional action is required if your browser has GPC enabled.

You can also adjust your browser settings to disable cookies at any time, though some Platform features may not function correctly. For more information on how Google processes data, visit policies.google.com/privacy.

10. Google API Services & Calendar Integration

Feasty's use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements. This section comprehensively describes how Feasty accesses, uses, stores, and shares Google user data.

a. What Google data we access

The Google Calendar integration is strictly optional and only initiates after you click "Connect Google Calendar" and complete Google's OAuth consent screen. We request only the following OAuth scope:

• https://www.googleapis.com/auth/calendar.events — view and edit events on your Google Calendars.

Within that scope, we access only the event fields necessary to mirror your Feasty schedule:

• Event ID and calendar ID
• Event title, description, and location
• Start and end date/time, time zone, all-day flag
• Recurrence rule and updated-at timestamp
• Sync tokens and webhook channel metadata returned by Google to keep your schedule current

We do not request or access Gmail, Contacts, Drive, Photos, YouTube, profile, location, biometric, health, or any other Google scope. We do not access events outside the calendar(s) you select for Feasty.

b. How we use Google data

Google user data is used solely to provide and improve the user-facing scheduling feature you connected — for example:

• Creating, updating, and deleting calendar events that correspond to your Feasty schedule.
• Importing existing Google Calendar events as pending Feasty schedule items for your review and approval.
• Detecting scheduling conflicts and surfacing them in the Feasty UI.
• Maintaining synchronization between Feasty and Google Calendar (including incremental and tail-sweep syncs).

We do not use Google user data for advertising, retargeting, profiling, credit decisions, or any purpose unrelated to the scheduling feature. We do not use, transfer, or sell Google user data to develop, improve, or train generalized or non-personalized AI/ML models, including large language models or foundation models.

c. How we store Google data

• OAuth tokens. Your Google access token, refresh token, and token expiration are stored on Feasty's servers in our managed database, hosted in the United States, and protected by encryption in transit (TLS) and at rest, access controls, and audit logging. Tokens are used only to call Google APIs on your behalf for the purposes described above.
• Event and sync metadata. Calendar IDs, event IDs, sync tokens, webhook channel IDs/expirations, and the event fields listed in 10(a) are stored to keep your Feasty schedule and Google Calendar in sync.
• Retention. Google user data is retained only while your Google Calendar connection is active. When you disconnect, revoke access at myaccount.google.com/permissions, or delete your Feasty account, we revoke the tokens with Google and delete the stored OAuth tokens, sync state, and pending Google event records within 6 hours.

d. How we share Google data

We do not sell Google user data, and we do not transfer Google user data to third parties except in the following narrow cases permitted by Google's Limited Use policy:

• Infrastructure subprocessors that host or operate Feasty (e.g., our cloud hosting and database providers) process Google user data solely on our behalf, under contractual confidentiality and data-protection obligations, and only as needed to operate the scheduling feature.
• With your explicit consent to a specific disclosure.
• For legal reasons where required to comply with applicable law, valid legal process, or to protect the rights, property, or safety of Feasty, our users, or the public.

e. Human access to Google data

No human at Feasty reads your Google user data, except: (i) with your explicit consent, for example when you ask our support team to investigate an issue with your calendar; (ii) for security purposes, such as investigating abuse or a security incident; or (iii) to comply with applicable law.

f. Revoking access and deleting Google data

You can disconnect Feasty from your Google account at any time:

• Inside Feasty: open Calendar settings and click "Disconnect Google Calendar."
• From Google directly: myaccount.google.com/permissions.
• To request deletion of all Google user data we hold about you, email [email protected].

11. Security

We implement reasonable technical and organizational safeguards to protect your personal information, consistent with applicable laws including the New York SHIELD Act. While no system is fully secure, we take meaningful steps to reduce the risk of unauthorized access, loss, or misuse. Users share information at their own risk.

In the event of a data breach affecting your personal information, we will notify you as required by applicable state law.

12. International Users

If you access Feasty from outside the United States, your data may be transferred to and stored in the U.S. We will apply appropriate safeguards as required by applicable law for such transfers.

13. Financial Incentives

We do not currently offer financial incentive programs in exchange for your personal information. If we do in the future, we will provide a separate notice with material terms and obtain your opt-in consent before collecting data under any such program.

14. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices or applicable law. Material changes will be communicated by posting a notice in the app or on our website with an updated effective date. Your continued use of the Platform after any update constitutes your acceptance of the revised Policy.

15. Contact Us

For privacy questions, to exercise your rights, or to report a concern:

Email: [email protected]