Privacy Policy

1. Introduction and Data Controller

This Privacy Policy ("Policy") describes how Ihq Tech, a Belgian limited liability company (Commanditaire Vennootschap) with registered office at Raadhuislaan 4, 3010 Leuven, Belgium, enterprise number BE 1012.085.231 ("Company", "we", "us", "our"), collects, uses, processes, discloses, and safeguards personal data of users ("you", "your", "User", "Data Subject") of the AutomatedSeating.com platform, website, software, and services (collectively, the "Service", "Platform").

1.1 Data Controller. For purposes of Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR") and Belgian data protection law (Wet van 30 juli 2018 betreffende de bescherming van natuurlijke personen met betrekking tot de verwerking van persoonsgegevens), the Company acts as the data controller responsible for determining the purposes and means of processing your personal data.

1.2 Scope and Consent. By accessing or using the Service, uploading personal data, creating an account, or otherwise interacting with the Platform in any manner, you expressly acknowledge that you have read, understood, and unconditionally consent to the collection, use, processing, and disclosure of your personal data as described in this Policy.

1.3 Incorporation by Reference. This Policy is incorporated into and forms an integral part of our Terms and Conditions. Defined terms not otherwise defined herein shall have the meanings ascribed to them in the Terms and Conditions.

2. Legal Basis for Processing

We process personal data only where we possess a lawful basis for such processing under applicable data protection law. The legal bases for our processing activities include:

• 2.1 Contractual Necessity (GDPR Art. 6(1)(b)): Processing is necessary for the performance of our contract with you (i.e., provision of the Service), including account creation, authentication, service delivery, billing, and customer support.
• 2.2 Consent (GDPR Art. 6(1)(a)): Where you have provided explicit, informed, freely given consent for specific processing activities, including analytics cookies, marketing communications, and optional data processing features. Consent may be withdrawn at any time without affecting the lawfulness of processing conducted prior to withdrawal.
• 2.3 Legitimate Interests (GDPR Art. 6(1)(f)): Processing is necessary for our legitimate business interests, including fraud prevention, security enhancement, system optimization, product development, and enforcement of legal rights, provided such interests are not overridden by your fundamental rights and freedoms.
• 2.4 Legal Obligation (GDPR Art. 6(1)(c)): Processing is necessary to comply with legal obligations imposed upon us, including tax reporting, anti-money laundering requirements, data breach notification obligations, and responses to lawful requests from competent authorities.
• 2.5 Vital Interests (GDPR Art. 6(1)(d)): In exceptional circumstances, processing may be necessary to protect your vital interests or those of another natural person.

3. Personal Data Collected

3.1 Information You Provide Directly

You directly provide us with the following categories of personal data:

• (a) Account Registration Data: Full name, email address, password (encrypted), account credentials, profile information, and any other information you voluntarily provide during registration.
• (b) Billing and Payment Information: Payment card details, billing address, VAT/tax identification number (if applicable), and transaction history. Payment card information is transmitted directly to and processed exclusively by our third-party payment processor, Stripe, Inc., and is not stored on our systems.
• (c) Event and Guest Data (User Content): Event details, guest names, guest contact information, seating arrangements, group affiliations, labels, preferences, dietary restrictions, and any other information you upload to or create through the Service. You are solely responsible for ensuring lawful processing of personal data of third parties (e.g., event attendees) uploaded as User Content.
• (d) Communications Data: Contents of communications sent to us via email, contact forms, support requests, or other channels, including all metadata associated with such communications.
• (e) Marketing Preferences: Consent status for marketing communications, communication preferences, and opt-out requests.

3.2 Information Collected Automatically

When you access or use the Service, we automatically collect certain technical and usage information, including:

• (a) Device and Browser Information: Device type, operating system, browser type and version, screen resolution, language preferences, time zone settings, and installed plugins.
• (b) Usage Data: Pages visited, features accessed, actions performed, click patterns, time spent on pages, referring and exit pages, interaction sequences, and feature utilization metrics.
• (c) Network and Connection Data: IP address (anonymized where feasible), internet service provider, geographic location (city and country level), and connection type.
• (d) Log Data: Access logs, error logs, security logs, timestamps, and system events.
• (e) Cookies and Tracking Technologies: Information collected through cookies, web beacons, pixel tags, local storage, and similar tracking technologies, as further described in Section 6.

3.3 Information from Third Parties

We may receive personal data from third-party sources, including:

• (a) Authentication Providers: If you register or authenticate using third-party services (e.g., Google, Microsoft), we receive basic profile information (name, email, profile photo) from such providers in accordance with their privacy policies and your authorization.
• (b) Payment Processors: Transaction data, payment status, fraud detection signals, and dispute information from Stripe, Inc.
• (c) Analytics and Service Providers: Aggregated and anonymized usage statistics from PostHog, Vercel Analytics, and other analytics providers.
• (d) Publicly Available Sources: Information from publicly accessible databases, registries, or sources to verify identity or comply with legal obligations.

3.4 Sensitive Personal Data

We do not intentionally collect or process "special categories of personal data" (sensitive data) as defined under GDPR Article 9, including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation. You are expressly prohibited from uploading such sensitive data as User Content except where strictly necessary for legitimate event planning purposes (e.g., dietary restrictions) and where you have obtained all legally required consents.

4. Purposes of Processing and Data Use

We collect, use, and process your personal data for the following purposes, each supported by a lawful basis as set forth in Section 2:

• 4.1 Service Provision and Performance: To create, maintain, and authenticate user accounts; provide access to features and functionality; process and fulfill service requests; store and manage User Content; enable collaboration features; and perform all activities necessary to deliver the Service (Legal basis: Contractual necessity).
• 4.2 Payment Processing and Billing: To process subscription payments, handle billing inquiries, manage invoices, collect fees, process refunds (where applicable), handle chargebacks and disputes, and comply with payment card industry requirements. Payment processing is performed by Stripe, Inc. (Legal basis: Contractual necessity, legal obligation).
• 4.3 Customer Support and Communications: To respond to inquiries, provide technical support, resolve issues, send service-related notifications (account confirmations, password resets, billing notifications, service updates, security alerts), and communicate regarding your use of the Service (Legal basis: Contractual necessity, legitimate interests).
• 4.4 Service Improvement and Development: To analyze usage patterns, identify trends, understand user preferences, develop new features and functionality, improve user experience, optimize performance, and conduct product research and development (Legal basis: Legitimate interests, consent for analytics cookies).
• 4.5 Security and Fraud Prevention: To detect, prevent, and investigate fraud, unauthorized access, security breaches, abuse, prohibited conduct, and violations of our Terms and Conditions; to authenticate users; to implement security measures; and to protect the rights, property, and safety of the Company, users, and third parties (Legal basis: Legitimate interests, legal obligation).
• 4.6 Analytics and Performance Monitoring: To monitor system performance, measure feature effectiveness, track user engagement, analyze conversion rates, and generate aggregated usage statistics through PostHog and Vercel Analytics (Legal basis: Consent for PostHog; legitimate interests for Vercel Analytics (privacy-preserving, no cookies)).
• 4.7 Marketing and Promotional Communications: Where you have provided consent, to send newsletters, product updates, promotional offers, feature announcements, and other marketing materials. You may withdraw consent and unsubscribe at any time (Legal basis: Consent).
• 4.8 Legal Compliance and Obligations: To comply with applicable laws, regulations, legal processes, and governmental requests; to enforce our Terms and Conditions and other agreements; to respond to lawful requests from public authorities; to comply with tax, accounting, and reporting obligations; and to establish, exercise, or defend legal claims (Legal basis: Legal obligation, legitimate interests).
• 4.9 Business Transfers: In connection with or during negotiations of any merger, sale of company assets, financing, acquisition, divestiture, or dissolution of all or a portion of our business, personal data may be transferred to prospective or actual purchasers or successors (Legal basis: Legitimate interests).

5. Data Sharing, Disclosure, and Sub-Processors

5.1 No Sale of Personal Data. We do not and will not sell, rent, lease, or trade your personal data to third parties for monetary or other valuable consideration.

5.2 Sub-Processors and Service Providers. We engage carefully selected third-party service providers ("Sub-Processors") to perform functions on our behalf and process personal data under our instructions. We share personal data with the following categories of Sub-Processors under appropriate data processing agreements:

• (a) Payment Processor: Stripe, Inc. (United States) - Processes payment card information, billing data, and transaction records. See Stripe Privacy Policy.
• (b) Cloud Infrastructure and Hosting: Cloud hosting providers for storage, computing resources, database management, and content delivery. Data may be processed in secure data centers within the European Economic Area (EEA) or in third countries subject to appropriate safeguards.
• (c) Analytics Providers: PostHog, Inc. (United States) - Product analytics and user behavior tracking (requires consent). See PostHog Privacy Policy. Vercel, Inc. (United States) - Privacy-preserving web analytics and performance monitoring (no personal data collection, no cookies). See Vercel Privacy Policy.
• (d) Authentication Services: Third-party authentication providers (Google, Microsoft) for optional social login functionality.
• (e) Email Service Providers: Email delivery services for transactional emails, notifications, and marketing communications (where consented).
• (f) Customer Support Tools: Customer support and ticketing platforms to manage support requests and communications.

5.3 Legal and Regulatory Disclosures. Notwithstanding any other provision of this Policy, we may disclose personal data to governmental authorities, law enforcement agencies, courts, regulators, or other third parties where we are legally required or permitted to do so, including:

• In response to lawful requests, court orders, subpoenas, or legal processes;
• To comply with applicable laws, regulations, or legal obligations;
• To protect and defend our rights, property, or safety, or those of users or third parties;
• To investigate, prevent, or take action regarding suspected fraud, illegal activity, violations of our Terms, or security threats; or
• In connection with legal proceedings, investigations, or regulatory inquiries.

5.4 Business Transfers. If we undergo a merger, acquisition, reorganization, bankruptcy, dissolution, or sale of assets, personal data may be transferred to the acquiring or successor entity. You will be notified of any such change in ownership or control of personal data.

5.5 Aggregated and Anonymized Data. We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you with third parties for analytics, research, marketing, or other lawful purposes. Such data is not considered personal data.

5.6 User Consent. We may share personal data with third parties where you have provided explicit consent for such sharing.

6. Cookies and Tracking Technologies

6.1 What Are Cookies. Cookies are small text files placed on your device by websites you visit. Cookies are widely used to make websites function efficiently, enhance user experience, and provide analytics information to website operators.

6.2 Types of Cookies We Use. We use the following categories of cookies and similar tracking technologies:

• (a) Strictly Necessary Cookies: Essential for the operation of the Service, including authentication, session management, security features, and core functionality. These cookies cannot be disabled as they are necessary for the Service to function. Legal basis: Legitimate interests; contractual necessity. No consent required.
• (b) Performance and Analytics Cookies: Used to collect information about how users interact with the Service, including pages visited, features used, errors encountered, and performance metrics. This helps us improve the Service and user experience. PostHog analytics cookies (behavioral analytics, session recordings, heatmaps). Legal basis: Consent. Consent required for EU users. Vercel Analytics (privacy-preserving, no personal data, no cookies). Legal basis: Legitimate interests. No consent required.
• (c) Functional Cookies: Enable enhanced functionality and personalization, such as remembering user preferences, language settings, and customization options. Legal basis: Legitimate interests; consent (where applicable).

6.3 Cookie Consent (EU Users). For users accessing the Service from the European Union (EU) or European Economic Area (EEA), we implement geo-detection using ipapi.co to identify your location. If you are identified as an EU/EEA user, we display a cookie consent banner and will not set non-essential analytics cookies (PostHog) until you provide explicit consent. You may accept or decline analytics cookies. Strictly necessary cookies and privacy-preserving analytics (Vercel) will be used regardless of consent as permitted by law.

6.4 Cookie Management and Withdrawal of Consent. You may manage cookie preferences through your browser settings. Most browsers allow you to refuse cookies, delete cookies, or receive warnings before cookies are stored. However, disabling strictly necessary cookies may impair Service functionality and prevent access to certain features. You may withdraw consent for analytics cookies at any time by adjusting your browser settings or contacting us at privacy@automatedseating.com.

6.5 Third-Party Cookies and Tracking. Third-party service providers (PostHog, Stripe, authentication providers) may set their own cookies and tracking technologies. We do not control third-party cookies and recommend reviewing the privacy policies of such third parties for information on their data practices.

6.6 Do Not Track Signals. Some browsers offer "Do Not Track" (DNT) signals. As there is no industry consensus on how to respond to DNT signals, we do not currently respond to DNT browser settings.

7. International Data Transfers

7.1 Cross-Border Transfers. The Company is located in Belgium (European Economic Area), but the Service utilizes Sub-Processors located in third countries outside the EEA, including the United States (Stripe, PostHog, Vercel). Personal data may be transferred to, stored in, and processed in jurisdictions that may not provide the same level of data protection as your home jurisdiction.

7.2 Safeguards for International Transfers. Where personal data is transferred to third countries not recognized by the European Commission as providing an adequate level of data protection, we implement appropriate safeguards to protect your personal data, including:

• Standard Contractual Clauses (SCCs): We enter into European Commission-approved Standard Contractual Clauses (also known as Model Clauses) with Sub-Processors to ensure contractual obligations to protect personal data in accordance with EU standards.
• Data Processing Agreements: Binding data processing agreements that impose GDPR-equivalent data protection obligations on Sub-Processors.
• Privacy Shield Successor Frameworks: Where applicable, reliance on privacy frameworks recognized by competent authorities (subject to ongoing legal developments).
• Sub-Processor Certifications: Sub-Processors maintain security certifications, including SOC 2, ISO 27001, and other internationally recognized standards.

7.3 User Consent. By using the Service, you expressly acknowledge and consent to the transfer of your personal data to third countries, including the United States, subject to the safeguards described in this Section.

7.4 Further Information. For additional information regarding international data transfers, including copies of Standard Contractual Clauses, please contact us at privacy@automatedseating.com.

8. Data Retention

8.1 Retention Principles. We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal and regulatory obligations, resolve disputes, enforce our agreements, and establish, exercise, or defend legal claims.

8.2 Retention Periods. Specific retention periods vary depending on the category of personal data and the purposes of processing:

• (a) Account Data: Retained for the duration of your account and for up to 90 days following account deletion to accommodate account recovery requests, unless longer retention is required by law.
• (b) User Content: Retained for the duration of your account. Upon account deletion, User Content is permanently deleted within 30 days, except where retention is required for legal, regulatory, or legitimate business purposes (e.g., resolution of disputes, fraud prevention).
• (c) Transaction and Billing Records: Retained for a minimum of 7 years to comply with tax, accounting, and financial regulatory obligations under Belgian law.
• (d) Communications and Support Records: Retained for up to 3 years for quality assurance, dispute resolution, and customer service improvement purposes.
• (e) Analytics and Usage Data: Retained in aggregated and anonymized form indefinitely for analytics and research purposes. Personal identifiers are anonymized or deleted within 24 months.
• (f) Log Data: Security and access logs retained for up to 12 months for security monitoring, incident investigation, and legal compliance purposes.
• (g) Marketing Data: Retained until you withdraw consent or unsubscribe, plus up to 12 months for compliance verification.

8.3 Deletion Procedures. Upon expiration of the applicable retention period or receipt of a valid erasure request (subject to legal exceptions), personal data will be securely deleted or anonymized such that it can no longer be attributed to an identifiable individual.

8.4 Legal Holds. Notwithstanding the foregoing, we may retain personal data beyond the stated retention periods where required by law, legal process, litigation holds, regulatory investigations, or to establish, exercise, or defend legal claims.

9. Data Security

9.1 Security Measures. We implement and maintain appropriate technical and organizational security measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, including:

• Encryption: Data encryption in transit using TLS/SSL protocols (HTTPS); data encryption at rest using industry-standard encryption algorithms (AES-256 or equivalent);
• Access Controls: Role-based access controls (RBAC); multi-factor authentication (MFA) for administrative access; principle of least privilege; regular access reviews;
• Authentication and Authorization: Secure authentication mechanisms; password hashing and salting; session management and timeout controls;
• Network Security: Firewalls, intrusion detection and prevention systems (IDS/IPS), DDoS protection, and network segmentation;
• Security Monitoring: Continuous security monitoring, logging, and alerting; security incident detection and response procedures;
• Vulnerability Management: Regular security assessments, penetration testing, vulnerability scanning, and timely patching;
• Secure Development: Secure coding practices, code reviews, dependency scanning, and security testing;
• Third-Party Security: Due diligence on Sub-Processors; contractual security obligations; periodic security assessments of critical vendors;
• Physical Security: Physical access controls at data center facilities operated by infrastructure providers;
• Employee Training: Security awareness training for employees with access to personal data; confidentiality obligations.

9.2 Security Limitations and Disclaimer. While we implement commercially reasonable security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot and do not guarantee absolute security of personal data. You acknowledge and accept the inherent risks associated with Internet transmission and electronic storage. To the fullest extent permitted by applicable law, we disclaim all liability for unauthorized access, security breaches, or data compromises caused by factors beyond our reasonable control, including user negligence, third-party attacks, or Force Majeure events.

9.3 User Responsibilities. You are responsible for maintaining the confidentiality and security of your account credentials and for all activities conducted under your account. You must immediately notify us of any unauthorized access, security breach, or suspected compromise at privacy@automatedseating.com.

10. Personal Data Breach Notification

10.1 Definition. A "personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

10.2 Breach Detection and Assessment. We maintain incident detection, monitoring, and response procedures to identify and assess potential personal data breaches. Upon detection of a breach, we will promptly investigate the nature, scope, and impact of the incident.

10.3 Notification to Supervisory Authority. In accordance with GDPR Article 33, where a personal data breach is likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority (Belgian Data Protection Authority - Gegevensbeschermingsautoriteit) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to your rights and freedoms.

10.4 Notification to Data Subjects. In accordance with GDPR Article 34, where a personal data breach is likely to result in a high risk to your rights and freedoms, we will communicate the breach to you without undue delay, unless:

• We have implemented appropriate technical and organizational protection measures (e.g., encryption) that render the personal data unintelligible to unauthorized persons;
• We have taken subsequent measures ensuring that the high risk is no longer likely to materialize; or
• Individual notification would involve disproportionate effort, in which case we will make a public communication or take similar measures to inform you.

10.5 Breach Notification Contents. Breach notifications will describe, in clear and plain language, the nature of the breach, the likely consequences, the measures taken or proposed to address the breach, and contact details for further information.

10.6 No Admission of Liability. Provision of breach notification does not constitute an admission of fault, liability, or negligence and shall not waive any applicable legal defenses, privileges, or protections.

11. Your Rights Under GDPR (EEA/EU Data Subjects)

If you are located in the European Economic Area (EEA) or European Union (EU), you possess the following rights under the General Data Protection Regulation (GDPR):

• 11.1 Right of Access (Article 15): You have the right to obtain confirmation as to whether we process your personal data and, where we do, to request access to such personal data, including information about the purposes of processing, categories of data, recipients, retention periods, and the source of the data. You may request a copy of your personal data in a commonly used electronic format.
• 11.2 Right to Rectification (Article 16): You have the right to request correction of inaccurate or incomplete personal data. We will make reasonable efforts to update inaccurate data without undue delay.
• 11.3 Right to Erasure / "Right to be Forgotten" (Article 17): You have the right to request deletion of your personal data where: (a) the data is no longer necessary for the purposes for which it was collected; (b) you withdraw consent and there is no other legal basis for processing; (c) you object to processing and there are no overriding legitimate grounds; (d) the data has been unlawfully processed; or (e) erasure is required to comply with a legal obligation. This right is not absolute and is subject to exceptions, including where retention is necessary for compliance with legal obligations, establishment or defense of legal claims, or other lawful purposes.
• 11.4 Right to Restriction of Processing (Article 18): You have the right to request restriction of processing where: (a) you contest the accuracy of personal data (for a period enabling verification); (b) processing is unlawful and you oppose erasure; (c) we no longer need the data but you require it for legal claims; or (d) you have objected to processing pending verification of legitimate grounds.
• 11.5 Right to Data Portability (Article 20): Where processing is based on consent or contractual necessity and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit such data to another controller without hindrance. Where technically feasible, you may request direct transmission to another controller.
• 11.6 Right to Object (Article 21): You have the right to object to processing based on legitimate interests or for direct marketing purposes. Where you object to processing for direct marketing, we will cease such processing. For processing based on legitimate interests, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or for establishment, exercise, or defense of legal claims.
• 11.7 Right to Withdraw Consent (Article 7(3)): Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing conducted prior to withdrawal.
• 11.8 Right Not to be Subject to Automated Decision-Making (Article 22): You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significantly affect you, except where such processing is necessary for contract performance, authorized by law, or based on explicit consent with appropriate safeguards. The Service does not currently engage in automated decision-making with legal or similarly significant effects.
• 11.9 Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of alleged infringement, if you believe our processing of your personal data violates GDPR. The Belgian supervisory authority is: Gegevensbeschermingsautoriteit (Data Protection Authority), Rue de la Presse 35, 1000 Brussels, Belgium, Email: contact@apd-gba.be, Website: https://www.gegevensbeschermingsautoriteit.be

11.10 Exercising Your Rights. To exercise any of the foregoing rights, please submit a written request to privacy@automatedseating.com with the subject line "GDPR Rights Request" and specify the right(s) you wish to exercise. We will respond to verified requests within one (1) month, extendable by two (2) additional months where necessary considering the complexity and number of requests. We may request additional information to verify your identity before processing requests. Requests are generally free of charge, but we may charge a reasonable fee for manifestly unfounded, excessive, or repetitive requests.

12. Data Processing Agreement for Business Customers

12.1 Applicability. Where you are a Business Customer who uploads personal data of third parties (e.g., event attendees, guests) through the Service, you act as a data controller and we act as a data processor on your behalf. In such cases, GDPR requires a written data processing agreement ("DPA") between controller and processor.

12.2 DPA Execution. Business Customers may request execution of a separate Data Processing Agreement by contacting privacy@automatedseating.com with the subject line "DPA Request." Our standard DPA complies with GDPR Article 28 requirements and includes Standard Contractual Clauses for international data transfers.

12.3 Controller Obligations. As data controller, you represent and warrant that: (a) you have obtained all necessary legal bases, consents, and authorizations for processing personal data of third parties; (b) you comply with all applicable data protection laws; (c) you have provided required privacy notices to data subjects; and (d) you indemnify us from claims arising from your failure to comply with data protection obligations.

12.4 Processor Obligations. As data processor, we commit to: (a) process personal data only on your documented instructions; (b) implement appropriate technical and organizational security measures; (c) assist with data subject rights requests; (d) notify you of personal data breaches; (e) delete or return personal data upon termination (subject to legal retention requirements); and (f) make available information necessary to demonstrate compliance.

13. Children's Privacy

13.1 Age Restriction. The Service is not intended for, directed to, or designed to attract children under the age of sixteen (16) years (or under thirteen (13) years in jurisdictions where such lower age applies). We do not knowingly collect, use, or process personal data from children under the applicable minimum age.

13.2 Parental Consent. If you are under the applicable minimum age, you are prohibited from using the Service and must not provide any personal data to us. If you are a parent or guardian and believe your child has provided personal data to us without your consent, please contact us immediately at privacy@automatedseating.com.

13.3 Deletion of Children's Data. Upon becoming aware that we have collected personal data from a child under the minimum age without verifiable parental consent, we will take reasonable steps to delete such information as soon as practicable.

14. Additional Rights for California Residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights regarding personal information:

• 14.1 Right to Know: You have the right to request disclosure of the categories and specific pieces of personal information we collect, use, disclose, and sell (if applicable).
• 14.2 Right to Delete: You have the right to request deletion of personal information, subject to certain exceptions.
• 14.3 Right to Correct: You have the right to request correction of inaccurate personal information.
• 14.4 Right to Opt-Out of Sale/Sharing: We do not sell or share personal information for cross-context behavioral advertising. Should this change, we will provide an opt-out mechanism.
• 14.5 Right to Limit Use of Sensitive Personal Information: We do not use or disclose sensitive personal information for purposes other than permitted by CPRA.
• 14.6 Right to Non-Discrimination: You have the right not to receive discriminatory treatment for exercising your CCPA/CPRA rights.

To exercise these rights, contact privacy@automatedseating.com. We will verify your identity before processing requests.

15. Modifications to This Privacy Policy

15.1 We reserve the right, in our sole and absolute discretion, to modify, amend, supplement, or replace this Privacy Policy at any time for any reason, including to reflect changes in our data practices, legal requirements, or business operations.

15.2 Modifications shall be effective immediately upon posting of the revised Privacy Policy on the Platform, and the "Last updated" date shall be updated accordingly. For material changes that significantly affect your rights or our data practices, we may provide additional notice via email or prominent notice on the Platform.

15.3 Your continued access to or use of the Service following any modification constitutes unconditional acceptance of the modified Privacy Policy. If you do not agree to the modified Privacy Policy, you must immediately cease use of the Service and may request deletion of your account and personal data.

15.4 It is your sole responsibility to review this Privacy Policy periodically to remain informed of modifications. We shall have no obligation to provide individual notice of changes except as required by applicable law.

16. Contact Information and Data Protection Officer

For questions, concerns, complaints, or requests regarding this Privacy Policy, your personal data, or to exercise your rights under applicable data protection law, please contact:

We will respond to verified requests within the timeframes required by applicable law.