Privacy Policy

1. Information We Collect

2. How We Use Your Information

• Booking confirmation and delivery — to process your reservation and send confirmation details
• Fraud prevention — to detect and prevent unauthorized or fraudulent transactions
• Transactional email — to send booking confirmations, cancellation notices, and account alerts via Resend
• Service improvements and bug fixes — to understand how the platform is used and identify areas for improvement

3. Third-Party Service Providers

We work with a small set of trusted service providers to operate IceTime. Each provider handles data only as needed to perform their specific function:

• Stripe — payment processing, PCI-DSS Level 1 compliant (stripe.com/privacy)
• Supabase — US-hosted PostgreSQL database and user authentication
• Resend — transactional email delivery (booking confirmations, account notices)
• Vercel — hosting and global content delivery network (CDN)
• Plausible Analytics — anonymized, cookieless page-view analytics with no personal data collected

4. Data Sharing

We do not sell, rent, or trade your personal data. Your information is shared only with the service providers listed in Section 3 above, solely to operate the IceTime platform, and when required by applicable law such as in response to a valid subpoena, court order, or other legal process. In such cases, we will notify you to the extent permitted by law.

5. Data Retention

• Active accounts: personal data is retained for the duration your account remains active.
• Deleted accounts: personal data is purged within 90 days of account deletion, except where retention is required by law.
• Financial records: payment and transaction records are retained for 7 years to comply with tax and accounting regulations.
• Booking history: retained as needed for dispute resolution and fraud prevention.

6. Your Rights (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

• Right to know — you may request a description of the categories and specific pieces of personal information we have collected about you.
• Right to delete — you may request that we delete personal information we have collected, subject to certain exceptions.
• Right to opt out of sale — we do not sell personal data, so no opt-out action is required.

To submit a request, email privacy@icetimebooking.com. We will respond within 45 days as required by law.

7. Children's Privacy

IceTime is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us at privacy@icetimebooking.com and we will promptly delete it.

8. Security

All data transmitted between your browser and IceTime is encrypted using TLS 1.2 or higher. Data stored in our Supabase database is encrypted at rest. Stripe processes payment data at PCI-DSS Level 1, the highest available certification. In the event of a confirmed data breach affecting your personal information, we will notify affected users within 72 hours of discovery, as required by applicable law.

9. Policy Updates

We may update this Privacy Policy from time to time. For material changes, we will notify you by email or by displaying a prominent in-app banner before the change takes effect. Continued use of IceTime after receiving notice of a material change constitutes your acceptance of the updated policy. The effective date at the top of this page always reflects the most recent revision.

10. Contact

Questions or concerns about this Privacy Policy? Contact our privacy team at privacy@icetimebooking.com.