1. Introduction
BlueDuck LLC, a Colorado limited liability company doing business as ExperienceLocal ("ExperienceLocal," "Company," "we," "us," or "our"), respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website, applications, platform, and services (collectively, the "Services").
By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with our privacy practices, please do not use our Services.
This Privacy Policy applies to all users of our Services, including Hotels/Operators, Experience Providers, Guests, and website visitors.
2. Information We Collect
2.1 Information You Provide Directly
We collect the following information that you provide to us directly:
Account and Profile Information
- Identity Data: Name, username, date of birth
- Contact Data: Email address, phone number, mailing address
- Business Data: Business name, business address, tax identification number, business type
- Account Credentials: Username, password, security questions
Financial Information
- Payment Data: Credit/debit card numbers, bank account information (collected and processed by Stripe)
- Billing Data: Billing address, invoice history
- Payout Data: Bank account details for receiving payouts (for Providers)
Booking and Transaction Information
- Booking Data: Experience/Resource selections, dates, times, guest counts, special requests
- Guest Preferences: Dietary restrictions, accessibility needs, communication preferences
- Transaction History: Purchase history, payment records, refund information
Content You Submit
- User Content: Experience descriptions, photos, videos, reviews, ratings
- Communications: Messages sent through our platform, support inquiries, feedback
2.2 Information Collected Automatically
When you access our Services, we automatically collect:
- Device Information: Device type, operating system, browser type, screen resolution, unique device identifiers
- Log Data: IP address, access times, pages viewed, referring URL, clickstream data
- Location Data: General location based on IP address; precise location only with your explicit consent
- Usage Data: Features accessed, actions taken, time spent on pages, search queries
- Cookie Data: Information collected through cookies and similar technologies (see our Cookie Policy)
2.3 Information from Third Parties
We may receive information from:
- Authentication Providers: When you sign in using Clerk, we receive your name, email, and profile information
- Payment Processors: Stripe provides transaction confirmations, payment status, and fraud indicators
- Business Partners: Hotels and Providers may share Guest information for booking fulfillment
- Analytics Providers: Aggregated usage and performance data
- Public Sources: Publicly available business information
3. Legal Bases for Processing (GDPR)
If you are in the European Economic Area (EEA), UK, or Switzerland, we process your personal data based on:
- Contract Performance: Processing necessary to fulfill our agreement with you, including providing the Services, processing bookings, and managing your account
- Legitimate Interests: Processing necessary for our legitimate business interests, such as fraud prevention, security, analytics, and improving our Services, where these interests are not overridden by your rights
- Consent: Processing based on your explicit consent, such as for marketing communications or optional features; you may withdraw consent at any time
- Legal Obligation: Processing necessary to comply with applicable laws, regulations, or legal proceedings
4. How We Use Information
We use the information we collect to:
4.1 Provide and Operate Our Services
- Create and manage your account
- Process bookings, payments, and refunds
- Facilitate communication between Hotels, Providers, and Guests
- Provide customer support and respond to inquiries
- Process Provider payouts
4.2 Improve and Personalize Our Services
- Analyze usage patterns and trends
- Develop new features and functionality
- Personalize your experience and recommendations
- Conduct research and analytics
4.3 Communicate With You
- Send transactional emails (booking confirmations, receipts, reminders)
- Provide important notices about your account or the Services
- Send marketing communications (with your consent where required)
- Respond to your comments, questions, and requests
4.4 Ensure Safety and Security
- Detect, prevent, and address fraud and abuse
- Protect the security and integrity of our Services
- Enforce our Terms of Service and other policies
- Verify identity and prevent unauthorized access
4.5 Comply With Legal Obligations
- Respond to legal requests and court orders
- Comply with applicable laws and regulations
- Maintain records as required by law
- Protect our legal rights and interests
5. How We Share Information
We may share your information in the following circumstances:
5.1 With Your Consent
We may share information when you direct us to or provide explicit consent.
5.2 To Facilitate Bookings
When you make a booking, we share necessary information with the Hotel or Provider to fulfill your reservation. This includes your name, contact information, booking details, and any special requests.
5.3 With Service Providers
We share information with third-party vendors who perform services on our behalf, subject to confidentiality obligations. See Section 6 for details.
5.4 For Legal Reasons
We may disclose information if we believe it is necessary to:
- Comply with applicable laws, regulations, or legal processes
- Respond to lawful requests from public authorities
- Protect the rights, property, or safety of ExperienceLocal, our users, or the public
- Enforce our Terms of Service or other agreements
- Detect, prevent, or address fraud, security, or technical issues
5.5 Business Transfers
If ExperienceLocal is involved in a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on our Services of any change in ownership or uses of your personal information.
5.6 Aggregated or De-identified Data
We may share aggregated or de-identified information that cannot reasonably be used to identify you for analytics, research, or other purposes.
6. Service Providers (Sub-processors)
We use the following categories of service providers to operate our Services:
| Provider | Purpose | Location |
|---|---|---|
| Stripe | Payment processing, payouts | United States |
| Clerk | Authentication, user management | United States |
| Resend | Transactional email delivery | United States |
| PostHog | Product analytics | United States/EU |
| Sentry | Error monitoring, performance | United States |
| Vercel | Website and application hosting | United States/Global |
| Neon | Database hosting | United States |
| Cloudflare | CDN, DDoS protection, security | Global |
| Inngest | Background job processing | United States |
All service providers are bound by data processing agreements that require them to protect your information and use it only for the purposes we specify.
7. Data Retention
We retain your personal information only as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements.
| Data Category | Retention Period | Basis |
|---|---|---|
| Account Information | Duration of account + 3 years | Contract performance, legal compliance |
| Booking Records | 7 years from transaction | Tax and legal compliance |
| Payment Information | 7 years from transaction | Financial regulations, dispute resolution |
| Support Communications | 3 years after resolution | Service improvement, dispute resolution |
| Usage Analytics | 2 years, then anonymized | Service improvement |
| Marketing Preferences | Until consent withdrawn | Consent |
When retention periods expire, we securely delete or anonymize your information in accordance with our data destruction policies.
8. Data Security
We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction.
Our security measures include:
- Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
- Access Controls: Role-based access, multi-factor authentication, principle of least privilege
- Infrastructure Security: Firewalls, intrusion detection, DDoS protection via Cloudflare
- Monitoring: Continuous security monitoring, audit logging, anomaly detection
- Vendor Security: Security assessments of all service providers
- Incident Response: Documented procedures for security incident response
Despite our efforts, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to protecting your information using industry-standard practices.
9. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence, including the United States, where our servers and service providers are located.
For transfers from the EEA, UK, or Switzerland to countries not deemed adequate by relevant authorities, we rely on:
- Standard Contractual Clauses (SCCs): EU Commission-approved contractual terms ensuring adequate protection
- Data Processing Agreements: Binding agreements with all service providers
- Supplementary Measures: Additional technical and organizational safeguards where appropriate
You may request a copy of the safeguards we use by contacting us at privacy@experiencelocal.io.
10. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
10.1 Your California Privacy Rights
- Right to Know: Request disclosure of personal information we collect, use, disclose, and sell
- Right to Delete: Request deletion of your personal information, subject to certain exceptions
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out of Sale/Sharing: Opt out of the sale or sharing of personal information for cross-context behavioral advertising
- Right to Limit Use of Sensitive Information: Limit use of sensitive personal information to specific purposes
- Right to Non-Discrimination: Not receive discriminatory treatment for exercising your privacy rights
10.2 Categories of Information We Collect
In the preceding 12 months, we have collected the following categories of personal information:
- Identifiers (name, email, phone number, IP address)
- Customer records (billing address, payment information)
- Commercial information (booking history, transaction records)
- Internet/electronic activity (browsing history, search queries, usage data)
- Geolocation data (general location from IP address)
- Professional/employment information (business name, role)
- Inferences drawn from the above categories
10.3 Sale and Sharing of Personal Information
We do not sell your personal information. We do not share personal information for cross-context behavioral advertising. We may share information with service providers as described in Section 5, which does not constitute a "sale" or "sharing" under the CCPA/CPRA.
10.4 How to Exercise Your Rights
To exercise your California privacy rights, you may:
- Email us at privacy@experiencelocal.io
- Submit a request through your account settings
We will verify your identity before processing your request. You may designate an authorized agent to make requests on your behalf by providing written authorization.
11. Colorado Privacy Rights
If you are a Colorado resident, you have rights under the Colorado Privacy Act (CPA):
- Right to Access: Confirm whether we are processing your personal data and access that data
- Right to Correct: Correct inaccuracies in your personal data
- Right to Delete: Delete personal data you have provided or we have obtained
- Right to Data Portability: Obtain a copy of your personal data in a portable format
- Right to Opt-Out: Opt out of targeted advertising, sale of personal data, or profiling
We do not sell personal data or use it for targeted advertising or profiling as defined under the CPA.
To exercise your Colorado privacy rights, contact us at privacy@experiencelocal.io. If we deny your request, you may appeal by contacting us with "Appeal" in the subject line.
12. European Privacy Rights (GDPR)
If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):
- Right of Access: Obtain confirmation of whether we process your personal data and access to that data
- Right to Rectification: Correct inaccurate or incomplete personal data
- Right to Erasure: Request deletion of your personal data in certain circumstances ("right to be forgotten")
- Right to Restriction: Restrict processing of your personal data in certain circumstances
- Right to Data Portability: Receive your personal data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests or for direct marketing
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
- Right to Lodge a Complaint: File a complaint with your local data protection authority
To exercise your GDPR rights, contact us at privacy@experiencelocal.io. We will respond within one month, which may be extended by two additional months for complex requests.
For GDPR-related matters, you may also contact your local supervisory authority.
13. Other U.S. State Privacy Rights
Residents of Virginia (VCDPA), Connecticut (CTDPA), and Utah (UCPA) have similar privacy rights, including the rights to access, correct, delete, and obtain a copy of personal data, as well as the right to opt out of targeted advertising, sale of personal data, and profiling.
We do not sell personal data or use it for targeted advertising as defined under these state laws.
To exercise your rights under these or any other applicable state privacy laws, contact us at privacy@experiencelocal.io.
14. Children's Privacy
Our Services are not directed to children under the age of 18, and we do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@experiencelocal.io, and we will take steps to delete such information.
15. Third-Party Links
Our Services may contain links to third-party websites, services, or applications. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access through our Services.
16. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting the updated policy on our website with a new "Last Updated" date and, where required by law, by sending an email to the address associated with your account at least thirty (30) days before the changes take effect.
We encourage you to review this Privacy Policy periodically to stay informed about our privacy practices.
17. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
BlueDuck LLC (d/b/a ExperienceLocal)
Privacy Inquiries: privacy@experiencelocal.io
General Support: support@experiencelocal.io
Address: 1942 Broadway, Suite 314C, Boulder, CO 80302
For GDPR-related inquiries, you may also contact your local data protection authority if you believe we have not adequately addressed your concerns.