Privacy Policy

Effective Date: July 8, 2025

Privacy Policy for LOMAevents

1. Introduction

Welcome to LOMAevents ("we," "our," or "us"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application LOMAevents (the "App") and related services (the "Services").

By using our App, you consent to the data practices described in this Privacy Policy. If you do not agree with our policies and practices, do not use our App.

2. Information We Collect

2.1 Information You Provide Directly

Account Information:
- Name and email address (required for account creation)
- Profile photo (optional)
- Phone number (optional)
- Password (encrypted and stored securely)

Event Information:
- Event names, dates, and descriptions
- Guest count and RSVP preferences
- Event location and venue preferences
- Food, entertainment, and vendor preferences
- Custom notes and tips you add to events

Business and Vendor Data:
- Businesses you save or bookmark
- Custom notes about saved businesses
- Manual business entries you create
- Vendor organization and categorization preferences

Communication Data:
- Messages and conversations with our AI assistant
- Feedback and support communications
- RSVP responses and guest information

2.2 Information Collected Automatically

Device and Usage Information:
- Device type, operating system, and version
- App usage patterns and feature interactions
- Crash reports and performance analytics
- Session duration and frequency of use

Location Information:
- GPS coordinates (only when you grant permission)
- Location-based search queries
- Event venue locations you specify

Technical Information:
- IP address and device identifiers
- App version and build information
- Firebase Analytics data for app improvement

2.3 Information from Third-Party Services

Authentication Services:
- Google Sign-In: Name, email, profile photo (only on first sign-in for name)
- Apple Sign-In: Name (first + last only on the very first authorization), email (may be a private relay address). We do not receive or store your real email if you choose Hide My Email. Tokens are used only to create / authenticate your Firebase session and are not stored long-term.
- Facebook Login: Name, email, profile photo (if enabled in future)

Business Discovery Services:
- Yelp business information and reviews
- Google Places business data and ratings
- Public business contact information and photos

3. How We Use Your Information

3.1 Primary Purposes

Event Planning and Management:
- Creating and organizing your events
- Saving and categorizing preferred vendors
- Generating AI-powered event planning suggestions
- Managing RSVP responses and guest lists

Personalization:
- Customizing business recommendations
- Remembering your preferences and settings
- Providing relevant search results
- Enhancing AI assistant interactions

Communication:
- Sending important account notifications
- Providing customer support
- Sharing app updates and improvements
- Processing RSVP invitations and responses

3.2 Analytics and Improvement

App Enhancement (Non-Personalized):
- Understanding aggregate feature usage (non-advertising)
- Identifying and fixing technical issues
- Improving user experience and interface
- Developing new features based on user needs

We currently do NOT use analytics events for advertising or tracking across apps. Any future analytics containing personal identifiers will be gated behind an in-app consent toggle before collection.

Performance Monitoring:
- Monitoring app stability and performance
- Analyzing crash reports and error logs
- Optimizing app speed and reliability

4. Information Sharing and Disclosure

4.1 Third-Party Service Providers

We share information with trusted third-party services that help us operate our App:

Firebase (Google):
- User authentication and account management
- Cloud storage for your events and business data
- Analytics for app improvement
- Crash reporting and performance monitoring

Yelp Fusion API:
- Business search queries for vendor discovery
- Business information retrieval
- Review and rating data display

Google Places API:
- Business search and discovery
- Location-based business recommendations
- Maps and location services

AI Services:
- Google Generative AI for event planning assistance
- Query processing for intelligent recommendations

4.2 Legal Requirements

We may disclose your information when required by law, such as:
- In response to valid legal process (subpoenas, court orders)
- To protect our rights, property, or safety
- To prevent fraud or security threats
- To comply with regulatory requirements

4.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity, subject to the same privacy protections.

4.4 What We Don't Share

We never sell your personal information to third parties. We don't share your private event details or personal notes with other users. We don't provide your contact information to businesses or vendors.

5. Data Security

5.1 Security Measures

Encryption:
- All data transmitted between your device and our servers is encrypted using TLS/SSL
- Passwords are hashed and salted using industry-standard methods
- Sensitive data is encrypted at rest in Firebase

Access Controls:
- Strict access controls limit who can view your data
- Employee access is logged and monitored
- Multi-factor authentication required for admin access

Infrastructure Security:
- Data stored on Google Firebase with enterprise-grade security
- Regular security audits and vulnerability assessments
- Automated backup and disaster recovery systems

5.2 API Key Protection

Secure Storage:
- All API keys are stored in secure environment variables
- Keys are never exposed in client-side code
- Regular rotation of API credentials

6. Your Privacy Rights

6.1 Access and Control

Account Management:
- View and edit your profile information
- Update your privacy preferences
- Download your data in a portable format
- Delete your account and associated data

Data Portability:
- Export your event data and business lists
- Transfer data to other compatible services
- Receive data in structured, machine-readable format

6.2 Communication Preferences

Notification Controls:
- Opt out of non-essential emails
- Manage push notification settings
- Control RSVP and event reminder preferences

6.3 Location Data

GPS Controls:
- Grant or revoke location permissions at any time
- Use manual location entry instead of GPS
- Control location-based search features

7. Data Retention

7.1 Account Data

Active Accounts:
- We retain your data as long as your account is active and only for features you use.
- You can delete specific events or business data at any time.

Deleted Accounts (Immediate Cascade):
- When you choose Profile > Settings > Delete Account, we immediately invoke a secure cascade removal that deletes: your user profile document, events you created (and their guest lists, itineraries, RSVPs, notes), saved business containers, feedback you submitted, and other user-linked collections (including preference subcollections). Saved references in other users' event lists are pruned of your identifier.
- Authentication credentials (Firebase Auth user) are deleted immediately after the cascade completes.
- We do NOT retain a recoverable copy of your account. Deletion is irreversible.
- Limited technical logs (security, error traces) may persist temporarily (<= 30 days) in aggregated form and are automatically rotated; these do not contain full profile or event contents and are used solely for abuse prevention and diagnostics.
- If required by law, minimal records may be retained (e.g., legal holds) and will be purged when no longer necessary.

7.2 RSVP and Guest Data

Guest Information:
- RSVP responses are retained for event management purposes
- Guest data is deleted when events are removed
- Anonymous RSVP statistics may be retained for analytics

8. Children's Privacy

LOMAevents is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us immediately.

9. International Users

9.1 Data Transfers

Your information may be transferred to and processed in countries other than your own, including the United States, where our servers and service providers are located.

9.2 European Users (GDPR)

If you are located in the European Economic Area, you have additional rights under the General Data Protection Regulation (GDPR):

Legal Basis for Processing:
- Contractual necessity for app functionality
- Legitimate interests for analytics and improvement
- Consent for optional features like location services

Additional Rights:
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to data portability
- Right to object to processing
- Right to lodge a complaint with supervisory authorities

10. California Privacy Rights (CCPA)

10.1 Categories of Information

Personal Information Collected:
- Identifiers (name, email, device ID)
- Commercial information (event preferences, saved businesses)
- Internet activity (app usage, search queries)
- Location data (when permitted)
- Inferences (preferences and characteristics)

10.2 Your Rights

Right to Know:
- Request disclosure of information categories collected
- Request specific pieces of personal information
- Request information about sharing practices

Right to Delete:
- Request deletion of personal information
- Exceptions for legal compliance and functionality

Right to Opt-Out:
- We don't sell personal information, so no opt-out needed
- You can limit data sharing through privacy settings

Non-Discrimination:
- We won't discriminate against you for exercising privacy rights
- Equal service and pricing regardless of privacy choices

11. Third-Party API Compliance

11.1 Yelp API Terms Compliance

Attribution:
- All Yelp business data includes proper attribution
- Powered by Yelp branding displayed where required
- Links to Yelp business pages provided

Data Usage:
- Business information used only for event planning purposes
- No data manipulation or misrepresentation
- Compliance with Yelp's rate limiting and usage policies

11.2 Google API Terms Compliance

Google Places API:
- Proper attribution with Powered by Google branding
- Compliance with Google Maps Platform Terms of Service
- No data mixing between different sources

Google Generative AI:
- AI responses used for event planning assistance only
- No sharing of AI conversation data with third parties
- Compliance with Google's AI service terms

12. Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. We will notify you of any material changes by:
- Posting the updated policy in the App
- Sending an email notification to your registered email address
- Displaying a prominent notice within the App

Your continued use of the App after any changes constitutes acceptance of the updated Privacy Policy.

13. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: privacy@lomaevents.com
Address: Online
Phone: N/A
Data Protection Officer (for EU users): dpo@lomaevents.com

For California residents, you may also submit privacy requests through our designated request portal at: privacy-requests@lomaevents.com

Last Updated: September 2, 2025

This Privacy Policy is effective as of the date above and supersedes all prior privacy policies.